Choosing the Right Website Security Solution
In establishing a security perimeter for your website, it is best to take a “defense in depth” approach—using several layers of security, which complement each other, to counter different threat vectors. Multiple security products should be used to protect a website or a web application, realizing that there is no single “silver bullet” that can provide complete protection.
The process of establishing a website security perimeter starts with mapping the threats your website is most likely to face and the impact they could have on your business.
Web Application Security Threats
When thinking about web application security threats, it is common to consider targeted attacks, aimed directly at a specific website or company. However, the majority of website threats are non-targeted attacks, carried out by bots that attack websites indiscriminately—to recruit them to a botnet, or use them as a platform for malware distribution.
Therefore, your website security solutions should contain a mix of tools, to defend against sophisticated, targeted attacks (which may happen once in a while), and also comprehensively detect and block non-targeted attacks (which occur on a daily basis).
Both targeted and non-targeted attacks can be divided into three broad, functional categories:
1. Web application attacks
These are attacks that manipulate the functionality of your web application to gain unauthorized access, extract secured data, compromise users and perform other malicious activities. Many of these attacks are carried out by bots that scan the web, seeking to abuse security misconfiguration or exploit specific vulnerabilities within popular applications.
This category also includes common attack vectors such as SQL injection (SQLi), cross-site scripting (XSS), insecure object references, and cross-site request forgery (CSRF).
Relevant security solution categories:
Web Application Firewall (WAF), bot management, threat intelligence, backdoor shell protection, SSL/TLS.
2. Denial of Service (DoS)
DoS attacks involve flooding a hosting server with traffic, with the aim of consuming all the bandwidth and computing resources, and thus denying access to legitimate users. Distributed Denial of Service (DDoS) uses large numbers of attack nodes, commonly organized as a botnet, to do the same on a bigger scale.
Some of the more advanced DDoS attacks leverage protocol vulnerabilities to amplify their output, or abuse specific application vulnerabilities to cause server crashes.
Relevant security solution categories:
DDoS protection, bot management
3. Data security
Data breaches can be carried out by external threat actors, through compromised privileged accounts, or by outright malicious insiders within an organization.
While not technically a web application threat, many of these attacks target the web application to penetrate the security perimeter, attempting to exploit weak passwords or missing authentication, weakly encrypted data, or excessive privileges granted to organizational users. In some cases, web application attacks are used as a smokescreen for data extraction.
Relevant security solution categories:
Advanced persistent threat protection, access management, DDoS protection
Selecting Website Security Solutions
When selecting website security tools, check which basic protection capabilities they provide. Some tools focus on one capability, while others offer a suite of capabilities.
Below, you can select the capabilities most relevant for your security environment. We explain each capability or requirement, help you understand what they solve, and how they can benefit your security posture.
Web Application Firewall (WAF)
WAFs are the cornerstone of proactive website security. They are a security solution deployed on the network edge, which inspects all incoming traffic and continuously blocks malicious requests. WAFs are versatile, automatically blocking known attack types via built-in rules, and letting you deploy your own security policies for specific security needs.
A major advantage of WAFs is that they can be deployed with no changes to the underlying applications, and can block threats immediately, without requiring you to perform actions like patching vulnerabilities or modifying problematic code.
Unlike a traditional firewall, a WAF can understand application traffic, differentiate legitimate and malicious traffic, and thus detect and block complex attack patterns.
Bot Management
As mentioned, most attacks on websites are carried out by bots, making it essential to have a tool in your security arsenal that can identify and deal with bot traffic.
Threat Intelligence
Threat intelligence tools provide convenient access to information about threat actors, including known bad IP addresses, bot behavior patterns, and attack signatures. When a security incident occurs, threat intelligence can help security teams identify which type of attack is taking place, by whom, and how best to protect against it.
Backdoor Shell Protection
Data breaches take over 100 days on average to discover, and some breaches are never discovered. If you have been breached, attackers may have installed an operating system shell or a rootkit that can sidestep any other security solutions.
When evaluating backdoor protection tools, prefer a tool that identifies and intercepts communication requests with operating system backdoors, instead of focusing on identifying the backdoor directly.
File and vulnerability scanners can help find backdoors, but with new backdoor variants cropping up daily and advanced obfuscation methods, they have limited effectiveness. Tools deployed at the network edge can more easily identify new types of backdoors, and pick up backdoor communications, even if the backdoor itself is encrypted or obfuscated.
SSL/TLS
The Transport Layer Security (TLS) protocol, which succeeded the SSL protocol, provides private, encrypted communication for website traffic. Websites secured by TLS are served over HTTPS (HTTP over TLS), written HTTP/S in this article.
TLS provides privacy, ensuring third parties cannot eavesdrop on communication between websites and their visitors. It also authenticates the website to its visitors using public key cryptography, and ensures the integrity of messages, preventing man-in-the-middle attacks.
It has long been understood that websites providing private or sensitive content, login or payment capabilities need to be secured by TLS. Today, there is a broad consensus that all websites should be served over HTTP/S. The Google search engine demotes search rankings for websites that do not use TLS, and popular browsers, including Chrome and Firefox, display warnings saying such websites are insecure.
When selecting your website hosting and content management platform, ensure it supports TLS. If you are currently serving your website without TLS, strongly consider switching to TLS and redirecting existing content to HTTP/S web addresses.
Ensure security solutions you use for your website support TLS, and help you implement it at a good level. Use evaluation tools such as the SSL Labs security test to see if your hosting or security tools implement TLS and HTTP/S using the latest security best practices.
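As an added example (not from the original article), the following Python checks constructed sample responses for the two practices recommended above: plain-HTTP addresses must redirect to their HTTPS equivalents without dropping the path, and HTTPS responses must carry a Strict-Transport-Security header with a reasonably long max-age. The captures, hostnames and the 180-day threshold are assumptions for illustration.

```python
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed threshold, not a page value

# Constructed sample captures: (request URL, status code, response headers)
CAPTURES = [
    ("http://shop.example/cart", 301,
     {"Location": "https://shop.example/cart"}),
    ("https://shop.example/cart", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("http://blog.example/post/1", 200, {}),  # served in the clear, no redirect
    ("https://blog.example/post/1", 200,
     {"Strict-Transport-Security": "max-age=600"}),
]

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security header."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_capture(url, status, headers):
    """Return a list of findings for one captured response (empty list = fine)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if urlparse(url).scheme == "http":
        location = hdrs.get("location", "")
        # A permanent redirect (301/308) to an https:// address is expected
        if status not in (301, 308) or not location.startswith("https://"):
            findings.append("plain HTTP not redirected to HTTPS")
        elif urlparse(location).path != urlparse(url).path:
            findings.append("redirect drops the original path")
    else:
        hsts = hdrs.get("strict-transport-security")
        if hsts is None:
            findings.append("HSTS header missing")
        else:
            max_age, _ = parse_hsts(hsts)
            if max_age is None or max_age < MIN_HSTS_MAX_AGE:
                findings.append("HSTS max-age too short")
    return findings

def check_all(captures=CAPTURES):
    """Map each captured URL to its findings."""
    return {url: check_capture(url, s, h) for url, s, h in captures}
```

Feeding real captures in the same (url, status, headers) shape turns this into a quick pre-check before running an external evaluator such as the SSL Labs test.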
DDoS Protection
Modern DDoS protection services can protect against large-scale DDoS attacks, by scaling up a network of cloud-based computers to match the magnitude of the attack. DDoS protection services can perform deep packet inspection of incoming traffic and “scrub” or remove bad requests at large scale, while allowing legitimate requests to go through.
The following are key features you should look for in a DDoS protection service:
Comprehensiveness—able to protect against network layer attacks, application layer attacks, can parse HTTP/S traffic, and protect secondary assets such as databases, file servers, and CRM systems.
Network capacity—check how many Gbps or Tbps of traffic are supported by the service; this will roughly equal the scale of DDoS attack it can stop. Also, see if the service has a proven historical track record of stopping large-scale attacks.
SLA—services should guarantee an uptime of between three nines (99.9%) and five nines (99.999%), the best case. In addition, the Service Level Agreement (SLA) should cover the type, size and duration of attacks it can protect against, and specify a guaranteed response time. A faster response will give you a higher level of resilience.
Advanced Persistent Threat (APT) Protection
An APT is an attack campaign in which a threat actor or a team of malicious actors establish a presence on a network to obtain highly sensitive data or assets. APT is a multi-vector attack that involves a combination of techniques carried out over a long period of time, continuing for a long time after attackers have managed to penetrate the corporate network.
APTs typically target large enterprises, governments or institutions, and are aimed at stealing intellectual property, obtaining sensitive data, or sabotaging organizational systems.
There is no one tool that can protect against APTs. When selecting a solution for APT protection, consider a combination of tools that can protect against multi-faceted attacks. A key aspect is gaining visibility into attacks that may involve multiple organizational systems or multiple users, possibly with lateral movement and gradual privilege escalation.
Technologies commonly used to protect against APTs include: two-factor authentication, to prevent illicit access to organizational systems; web application firewalls (WAF), to block suspicious requests to a web application; protection against backdoor shells and other vulnerabilities; and DDoS protection. DDoS may be used as part of an APT to distract security teams, while attackers use other methods to penetrate the network.
Access Management
A common entry point for attackers is via access control systems. Weak authentication mechanisms, weak or seldom updated passwords, excessive privileges, and failure to block suspicious sources can lead to a breach, business disruption, or defacement of a website. Access management is also critical to mitigating threats from malicious insiders.
There are several approaches and tools to achieve secure access management. Identity and Access Management (IAM) is an enterprise system which helps enforce password policies and manage user roles and privileges. Consider a full-blown IAM system if you manage thousands of users in a large organization.
Whether you use IAM or not, ensure your access control solution supports multi-factor authentication and reputation management, which can filter out traffic based on detection of sources such as anonymous proxies, the Tor network, or suspicious geographies.
In addition, ensure your solution includes IP blacklisting, which identifies known bad traffic sources and uses them to block bad requests, and reputation management,
To protect against insider threats, select a tool with advanced behavioral analysis capabilities, deception devices such as decoys and honeypots, and real time monitoring and auditing of data usage.
Regulatory Compliance
Many security standards and regulations, such as the European Union’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA), define the need for specific types of security tools, or specific security policies which can be enforced using security solutions.
When selecting a security tool, consider your industry’s compliance standards, ensure your tools support the standard, and see which provisions of each standard or regulation you can address using the tools. In most cases, you will have to combine multiple tools to fully meet compliance requirements.
Security Customization
Some website security tools are “one size fits all”, and do not allow you to customize security policies or rules to your organization’s specific requirements. The more advanced security products, however, will allow you to expand on the basic security logic they provide—either by adding exceptions to the default security rules, or by allowing you to create completely new security policies.
Such customization could be important, as it can help minimize the amount of business disruption caused by false positive security events. Moreover, it can also be vital for businesses that find a need to enforce their own security policies or to modify the security rules for regulatory compliance.
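The following Python is an added example (not the article's or any vendor's code) of the two customization styles just described: an exception that scopes a built-in rule to remove a known false positive, and a new policy the default rule set does not contain. The rules, paths, address ranges and sample requests are constructed for illustration; the patterns are deliberately simplified stand-ins for real WAF signatures.

```python
import re

# Built-in rules (constructed, deliberately simplified): each inspects the
# parameter values of one request part. Real WAF signatures are far richer.
RULES = [
    {"id": "sqli-union", "part": "query",
     "pattern": re.compile(r"\bunion\b.*\bselect\b", re.I)},
    {"id": "xss-script", "part": "body",
     "pattern": re.compile(r"<\s*script\b", re.I)},
]

# An exception narrows a rule to remove a known false positive: the CMS editor
# legitimately posts HTML, script tags included, in one parameter of one path.
EXCEPTIONS = [{"rule": "xss-script", "path": "/admin/articles", "param": "content"}]

# A custom policy absent from the defaults: the admin area may only be reached
# from the office network (203.0.113.0/24 is a documentation range, assumed).
POLICIES = [{"id": "admin-source", "path_prefix": "/admin/",
             "allowed_prefix": "203.0.113."}]

def excepted(rule_id, path, param, exceptions):
    """True when an exception covers this rule on this path and parameter."""
    return any(e["rule"] == rule_id and e["path"] == path and e["param"] == param
               for e in exceptions)

def evaluate(request, rules=RULES, exceptions=EXCEPTIONS, policies=POLICIES):
    """Return (decision, blocking_ids, suppressed_ids). Suppressed matches are
    reported rather than dropped so they can still be logged, e.g. to a SIEM."""
    blocking, suppressed = [], []
    for rule in rules:
        for param, value in request.get(rule["part"], {}).items():
            if rule["pattern"].search(value):
                if excepted(rule["id"], request["path"], param, exceptions):
                    suppressed.append(rule["id"])
                else:
                    blocking.append(rule["id"])
    for pol in policies:
        if (request["path"].startswith(pol["path_prefix"])
                and not request["source"].startswith(pol["allowed_prefix"])):
            blocking.append(pol["id"])
    return ("block" if blocking else "allow", blocking, suppressed)

# Constructed sample requests
EDITOR_POST = {"path": "/admin/articles", "source": "203.0.113.7", "query": {},
               "body": {"content": "<p>Hello</p><script>initEditor()</script>"}}
COMMENT_POST = {"path": "/comments", "source": "198.51.100.9", "query": {},
                "body": {"text": "<script>alert(1)</script>"}}
SEARCH = {"path": "/search", "source": "198.51.100.9", "body": {},
          "query": {"q": "1 UNION SELECT password FROM users"}}
REMOTE_ADMIN = {"path": "/admin/articles", "source": "198.51.100.9",
                "query": {}, "body": {"content": "plain text"}}
```

The editor's post is allowed because the exception is scoped to exactly one path and parameter; the same payload in a public comment form is still blocked.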
SIEM Integration
If your team uses Security Information and Event Management (SIEM), ensure the security tools you select integrate with it. This will enable you to use data and alerts from your security solutions to raise SIEM alerts, and to conduct security analysis and investigations.
Website Security Deployment Options
Website security tools can have one of three deployment options. Choose the deployment option that matches the application or applications you need to protect:
On-premises—deployed within an organization’s data center or at the security perimeter
Public cloud—deployed in a public cloud such as AWS or Azure
Hybrid—can be used both on-premises and in the public cloud with the same security features and policies
Imperva Website Security Solutions
Imperva provides a holistic suite of solutions which provide complete security for web applications, whether deployed on-premises, in the cloud or in hybrid environments.
Deployed at the network edge, our solutions block attacks across the threat spectrum, and provide full visibility into how websites are being accessed and used. In addition, we provide comprehensive protection for data at rest and in transit, including Data Loss Prevention (DLP), a database firewall, data masking and encryption, and data classification.
Imperva provides the following website security solutions:
Web Application Firewall (WAF)—analyzes and inspects incoming requests to web applications and stops them before they enter the security perimeter. Secures both cloud and on-premises web applications, is fully customizable and integrated with SIEM.
Threat Intelligence—comprehensive threat information that helps block bad bots and automated attacks, accurately distinguish human and bot traffic, prevent account takeover attacks, and block new and emerging threats via continual signature updates.
Backdoor Shell Protection—intercepts and blocks communication with backdoors at the network edge, making backdoors useless to the attacker and letting you remove them at your convenience. Instantly updates to protect against the latest backdoors.
SSL/TLS—our WAF protects your website with SSL at the highest level, providing SSL management on a single pane of glass. You can immediately achieve an A+ grade in the SSL Labs security test, with no changes to your servers and no configuration complexity.
DDoS Protection—guarantees mitigating any DDoS attack in under 10 seconds, at any scale, using a global network with over 6 Terabits per second. Supports all network layer or application layer DDoS attacks, and protects secondary systems like DBs and CRMs.
Advanced Persistent Threat (APT) Protection—we provide multiple security mechanisms to prevent APT, including web application firewall (WAF), backdoor shell protection, DDoS protection, and two factor authentication.
Access Management—we help prevent unauthorized access and insider threats by monitoring data access and privileged user activities; identifying and blocking anomalous user behavior via User and Event Behavioral Analytics (UEBA), and inspecting data in motion, at rest, in the cloud or on endpoints using data loss prevention (DLP).
Regulatory Compliance—we provide application security and data security capabilities built to address key portions of the GDPR, PCI DSS, and SOX standards; FISMA and NIST standards required by federal agencies; and many other regulations including FERMA and GLBA.
Security Customization—our WAF and other security solutions help provide extensive customization, letting you minimize false positives, and enforce your organization’s unique security policies and compliance requirements.
SIEM integration—all our security solutions are integrated with popular SIEM platforms including HP ArcSight, Splunk, and McAfee Enterprise Security Manager.