Srija_RedA
Staff

Have you ever wondered how organizations successfully determine if they are susceptible to malware or ransomware attacks, and are able to remediate quickly? The answer is their people. There is always a team of security experts working behind the scenes to ensure their infrastructure is protected and up to date. Although every company may name the role differently, all organizations have similar responsibilities assigned to their “Security Operations Center”, also commonly known as a SOC team.


SOC teams face countless challenges and are usually understaffed when it comes to investigating the most important threats, which often leads to alert fatigue. It takes many hours to sift through these alerts, identify suspicious activity, and find a possible fix. SOC teams employ SOC analysts (security analysts), the frontliners in the fight against threats. Here are a few of their responsibilities:


  • Detecting and hunting threats
  • Operating and maintaining various monitoring and threat intelligence tools
  • Auditing and compliance reporting
  • Managing alerts and delegating responsibilities

Fortinet’s FortiWeb Cloud WAF-as-a-Service can help analysts carry out these responsibilities more efficiently for their web application and API security.


Threat Hunting:


Threat intelligence and analytics platforms assist SOC analysts by centralizing the information generated by various tools and aggregating it by common attack source. With FortiWeb Cloud, you can also leverage the Threat Analytics feature to identify and focus on the most significant threats.


Threat Analytics uses a powerful AI engine to combine and identify the most important threats across an entire application. It then alerts analysts based on common attack vectors. For example, attacks that share a Geo IP, a source IP, or an OWASP category are aggregated and then displayed on the Threat Analytics dashboard.

soc1.png

soc2.png


In-depth Detail of Suspicious Activity:


You can get more in-depth information about each of these attacks by application name, attack type, attacker IP geolocation, CVE IDs, URLs, OWASP Top 10 category, and more. You can also view the number of targeted threats on your web browsers and the number of threats blocked by FortiWeb compared with the full set of attacks displayed. This information helps SOC analysts filter and review WAF policies to make sure there are no misconfigurations and that web servers are protected as intended.

soc3.png


The Insights view on the FortiWeb Threat Analytics dashboard adds an additional layer of configuration analysis that can help you understand if your web servers are directly exposed. Exposing the web app directly allows a bad actor to bypass the WAF and target your web app’s IP address, so the attack goes undetected. It is a best practice to allow only FortiWeb’s management and scrubbing center traffic through your firewall to your origin servers, and to block all other traffic that would reach the origin directly.
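As an added example (not FortiWeb code), the following script checks an origin server’s access log for requests that did not arrive through the WAF, which is exactly the direct exposure the Insights view warns about. The allowed CIDRs and the log lines are constructed placeholders; substitute the scrubbing center and management ranges published for your deployment.

```python
"""Flag origin-server requests that bypassed the WAF (added example, not FortiWeb code)."""
import ipaddress
import re
from collections import Counter

# Placeholder allow-list (RFC 5737 test ranges): the only sources that should
# ever reach the origin directly. Replace with your WAF vendor's published ranges.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed "scrubbing center" range
    ipaddress.ip_network("198.51.100.8/29"),  # constructed "management" range
]

# Combined Log Format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def is_allowed(ip_str):
    """True if the client address falls inside an allowed WAF range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable client field: treat as not allowed so it gets reviewed
    return any(ip in net for net in ALLOWED_SOURCES)


def find_bypass(log_lines):
    """Return (direct_hits, per_source_counts) for requests not coming via the WAF."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        ip, method, path, status = m.groups()
        if not is_allowed(ip):
            hits.append((ip, method, path, int(status)))
    return hits, Counter(h[0] for h in hits)


# Constructed sample log: two requests via the WAF, one health probe from the
# management range, two direct hits from an outside address, one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:38 +0000] "GET /api/items HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /health HTTP/1.1" 200 2 "-" "monitor/1.0"',
    '192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 401 87 "-" "curl/8.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    direct, per_source = find_bypass(SAMPLE_LOG)
    for ip, method, path, status in direct:
        print(f"direct hit: {ip} {method} {path} -> {status}")
    print("direct hits per source:", dict(per_source))
```

Any source that shows up here is reaching the origin around the WAF, which is the condition the firewall restriction above is meant to prevent.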


soc4.png


Managing Alerts and Delegation:


Alert fatigue is a constant struggle for security teams. Processing the alerts and acting in a timely manner can enable an organization to quickly detect and minimize the damage by halting the attack or preventing similar attacks in the future. SOC teams use incident tracking tools to find, assess, and delegate the plethora of alerts that come in each day. Even with these tools, alert fatigue can happen, which is why analysts need solutions that can also help them know which alerts to focus on first. Threat Analytics can help.


You can integrate FortiWeb Cloud’s Threat Analytics into workflows that then alert SOC teams of high-priority alerts through email, or by opening incidents on tracking tools like Jira.

soc5.png

To leverage these options, start by creating a notification template and choosing between an email or Jira alert. Next, customize the log format that your notifications will show, and then choose the preferred risk level (low, medium, or high).

sco7.png

For a Jira integration, all you would need is a Jira account URL from your organization and an API token generated on your Jira account for FortiWeb to create an incident notification in your workspace.

sco7.png


Whenever the Threat Analytics algorithm generates an alert from aggregated security incidents, FortiWeb creates a notification in your Jira workspace. Similarly, if an email notification template has been created, you are notified by email as well. Below is an image of a Jira workspace and the open incident notification generated by FortiWeb.

soc9.png


Based on the log format you customized earlier, you can see more details by clicking on one of those events. You can also delegate by assigning the ticket to the responsible stakeholder for immediate action.

soc10.png

FortiWeb Cloud Threat Analytics is now available as a core part of the solution and does not require any configuration changes. To take a free trial of FortiWeb Cloud or learn more, please go to: fortiweb-cloud.com


If you would like these actionable insights for web applications protected by FortiWeb VM or on-prem appliances, you can purchase a Threat Analytics license separately.