Imperva: Protecting the Data that Drives Business Blog|Login|Japanese
ThreatRadar

Reputation-Based Security for Automated Attacks

ThreatRadar: Mitigate automated attacks from known malicious sources and provides geographical context on attackersClick to enlarge
Hackers are becoming more industrialized and well resourced. Sophisticated criminals are leveraging networks of remotely-controlled computers, or bots, to launch large-scale automated attacks. Effective attack mitigation requires identifying known malicious sources and adapting to continuously changing attack locations and techniques.

ThreatRadar is a unique add-on security service for SecureSphere Web Application Firewall (WAF) that provides an automated defense against automated attacks. By integrating credible, timely information on known attack sources into the WAF defense, ThreatRadar can quickly and accurately stop traffic from malicious sources before an attack can be launched.

Key Capabilities
Aggregates reputation data from the foremost commercial and non-commercial providers to identify:
  • Malicious IP addresses
  • Anonymous proxies
  • TOR Networks
  • Phishing URLs
 Visualizes attack location and summarizes reputation data with integrated forensics tool
Protects against automated and botnet attacks
Offers near real-time feeds of global reputation data
Instantly updates SecureSphere Web Application Firewall policies based on current attack data

To learn more, click on the Capabilities tab.

Track Attack Sources on a Global Scale

Leveraging the security community collective insight, centralized ThreatRadar servers aggregate information on attack sources from credible data providers. ThreatRadar protects against:

  • Malicious Sources: traffic sources that have repeatedly performed malicious activity on other Web applications. To date, over ten million botnets have executed attacks on behalf of remote hackers.
  • Anonymous Proxies: traffic sources that use anonymous proxies. By hiding the identity of the traffic source, anonymous proxies are often exploited by hackers to launch attacks.
  • The Onion Router (TOR) Networks: traffic source that use TOR networks to launch attacks without revealing their identity and location.
  • Phishing URLs: real-time alerting on phishing incidents against the customer domain.

By understanding attempted attacks on other websites, SecureSphere WAFs can identify botnet or distributed attacks--attacks that may be difficult to identify based only on the characteristics of the Web request.

Continuous, Automated Feed of Current Attack Sources

ThreatRadar servers deliver an integrated attack source feed, in near real time, to all ThreatRadar-powered SecureSphere WAFs. ThreatRadar is fully maintained by Imperva and eliminates the manual effort required to identify, subscribe, and maintain these security feeds. ThreatRadar continuously refreshes the feed, providing up-to-date protection against malicious traffic.

Dynamically Adapt Web Security Policies

As SecureSphere WAF receives attack source information, ThreatRadar dynamically adjusts Web security policies to alert or block traffic from newly identified attack sources. Furthermore, custom security rules can use information provided by the feeds to fine-tune the response for specific types of traffic, such as the ability to block only the traffic that comes from a malicious source exhibiting suspicious behavior.

Early Detection, Blocking of Malicious Sources

ThreatRadar increases the accuracy of SecureSphere WAF and dramatically reduces application visibility to attackers. By blocking access requests based on traffic source reputation, hackers have virtually no opportunity to explore the Web application for possible weaknesses and are less likely to launch a successful attack.

Streamlined Forensic Analysis and Attack Source Intelligence

ThreatRadar removes the guesswork out of event analysis by providing greater operational insight into attacker origins and methods. Source information such as malicious IP address and geographic location of the attack provides additional context on attackers enabling precise incident response procedures and minimizing operational workload.

ThreatRadar Specifications


Specification Description
Malicious Sources
  • Malicious IP Addresses
  • Anonymous Proxy Servers
  • The Onion Router (TOR) Networks
Malicious URLs
  • Phishing URLs
Forensics
  • Geo-location of source IP
  • Reputation of source IP
Communications to ThreatRadar servers
  • SSL encrypted communications between ThreatRadar cloud servers, MX Management server and SecureSphere gateways
Security Feed Updates
  • Continuous updates; frequency ranges from near real time to daily depending on feed type and configuration
Data Feed Sources
  • Commercial and non-commercial providers of malicious sources
  • Commercial provider of phishing URLs
  • Commercial provider of geo-location data
  • Imperva Application Defense Center (ADC) provides malicious sources, scores and validates feeds, and maintains a Global trusted IP list
SecureSphere Integration
  • Pre-defined and custom SecureSphere security policies
  • SNMP
  • Syslog
  • Email
  • Incident management ticketing integration
  • Custom followed action
  • Pre-defined and custom graphical reports
  • Real-time dashboard
Supported Products
  • SecureSphere Web Application Firewall