Reputation intelligence is information about cyber entities known for specific activity, whether malicious or benign, that can be fed to a web application firewall (WAF) and acted on by it. It provides an additional application security layer by effectively identifying and blocking threats from known malicious sources. Using reputation intelligence, large amounts of traffic can be classified as malicious or benign, reducing how much of that traffic's actual content the WAF has to inspect. You can better understand where traffic originates, who is creating it, and the potential risk.
With up-to-date information on all known cyber entities delivered to your WAF, reputation intelligence can help block an attack or allow legitimate traffic, which in turn significantly reduces false positives.
Examples of reputation intelligence entities include:
People often ask us why they should add reputation intelligence to their WAF. One of our large global customers summed it up best, “Reputation intelligence is the low hanging fruit, we just block based on the feeds delivered to the WAF and see immediate value – I’m blocking the bad guys without creating new security rules.” This is the fundamental benefit delivered by reputation intelligence – automated blocking of threats based on specific entities, such as IPs or URLs.
There are additional benefits to adding reputation intelligence to your WAF, such as gaining geo-location information to reduce false positives and to establish and enforce business policies. For example, many enterprises have geo-location restrictions. Some media entertainment companies such as Netflix provide service to their customers in the US only, and they could use a geo-location feature to enforce that policy.
Reputation intelligence is also used to minimize false positives generated by a WAF by providing white list resources:
A WAF can use this intelligence to exclude certain entities from strict policies. For example, if you want to block scanning attempts based on how frequently servers poll your resources, you can do so while still allowing legitimate search engine indexing traffic, which avoids false positives.
Reputation intelligence will enable a WAF to enforce other business-oriented policies. For example, some enterprises want to allow users browsing access to their website from certain countries that use anonymized proxies. On the other hand, attackers frequently use automated tools behind anonymized proxies to attack web applications. A WAF with reputation intelligence can set a granular policy to block automated tools that hide behind anonymous proxies and TOR networks while allowing legitimate human traffic.
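The two policies described above (exempting search engine crawlers from a polling-frequency rule, and blocking only automated clients behind anonymizers) can be sketched as follows; this is an added example, not Imperva or SecureSphere code. The feed contents, the threshold and the `automated` flag are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed feeds using documentation-only address ranges (RFC 5737).
FEEDS = {
    "malicious": ["192.0.2.0/28"],
    "anonymizer": ["198.51.100.0/24"],    # anonymous proxies and TOR exits
    "search_engine": ["203.0.113.8/29"],  # allow-listed crawlers
}
SCAN_THRESHOLD_RPM = 120  # assumed polling-frequency limit, not from the page

NETWORKS = {name: [ipaddress.ip_network(cidr) for cidr in cidrs]
            for name, cidrs in FEEDS.items()}


@dataclass
class Request:
    src_ip: str
    requests_per_minute: int
    automated: bool  # hypothetical result of the WAF's bot classification


def categories(ip_text):
    """Return the names of all feeds whose networks contain the address."""
    ip = ipaddress.ip_address(ip_text)
    return {name for name, nets in NETWORKS.items()
            if any(ip in net for net in nets)}


def decide(req):
    """Return (action, reason); 'inspect' means continue to content rules."""
    cats = categories(req.src_ip)
    # A known malicious source is blocked before any other rule applies.
    if "malicious" in cats:
        return ("block", "known malicious source")
    # Rate rule: high polling frequency is treated as scanning,
    # unless the source is an allow-listed search engine crawler.
    if req.requests_per_minute > SCAN_THRESHOLD_RPM:
        if "search_engine" in cats:
            return ("inspect", "allow-listed crawler exempt from rate rule")
        return ("block", "polling frequency suggests scanning")
    # Anonymizer rule: only automated clients are blocked, humans pass.
    if "anonymizer" in cats and req.automated:
        return ("block", "automated tool behind anonymizer")
    return ("inspect", "no blocking rule matched")
```
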
Apart from delivering feeds on cyber entities, reputation intelligence is also used to mitigate zero-day attacks. After the latest Apache Struts remote code execution vulnerability (CVE-2017-9805) was released, Imperva used its reputation intelligence service to push the mitigation to SecureSphere WAF customers in a matter of hours, providing them with zero-day protection.
Various vendors offer reputation intelligence services, so how do you know which one is best? Great question, difficult answer. If there are a lot of false positives that’s an obvious indicator that the reputation intelligence service feed is not high quality and you don’t want to use it. But there are several parameters to consider. Here’s what to look for:
You need to be sure that a vendor’s coverage of the web is wide enough. Vendors that see many gigabits of traffic per day across different regions around the world have more visibility and can provide more accurate coverage. This will dramatically increase the size of the feed and the true positive rate, reduce the number of false positives and provide higher diversity of resources.
Once you have reputation intelligence delivered via automated feed to your WAF you can take the following actions:
In summary, reputation intelligence improves your application security posture, reduces false positives, increases accuracy and mitigates zero-day threats.