Get a Single View of WAF Events with the Imperva AppSecurity View App for Splunk Enterprise

Enterprises are adopting a hybrid infrastructure model to take advantage of the rapid deployment and greater computing power of cloud-based services. A compilation of analyst predictions by SecureWorks shows that the cloud continues to gain momentum as organizations embrace and benefit from new ways of doing business.

In addition, organizational tactics are shifting to a more proactive, as opposed to reactive, approach for attack mitigation. According to Gartner, by 2020, more than 70% of public web applications will use a cloud Web Application Firewall (WAF) or an Internet-hosted virtual appliance.

This change in IT paradigm means CISOs and their security teams need solutions that protect applications wherever they reside, and as they move between on-premises infrastructure and the cloud. The security that protects those applications needs to be hybrid too.

That’s where Imperva AppSecurity View comes in.

The native capabilities of a security information and event management (SIEM) system address data collection. The next step towards proactive security management is analyzing application security events with a unified, correlated view of all applications, on-premises or in the cloud, so that real attacks stand out and false positives can be reduced. Gartner, Inc.’s November 2016 report, “Predicts 2017: Cloud Security”, explains the benefit of this visibility, stating that, “By 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.”

The Imperva AppSecurity View App integrates data received from the on-premises Imperva SecureSphere Web Application Firewall (WAF), cloud-based Imperva Incapsula WAF, and related cloud-based Imperva ThreatRadar events and displays it in Splunk® Enterprise, providing Splunk Enterprise users with a unified view of security events related to all their Imperva WAF-protected applications whether on-premises or in the cloud. This unique approach simplifies visibility into all application security events as enterprises transition to the cloud, allowing them to be well-positioned to institute a hybrid WAF strategy.

How it Works

Imperva AppSecurity View uses dashboards to present the entire spectrum of an Imperva deployment, covering both on-premises and cloud WAFs. Events are organized into several categories: bot classification, ThreatRadar effectiveness, and OWASP Top 10 threats. User-friendly graphics and high-level reporting with drill-down capabilities speed up investigation, providing easy-to-digest information that gives Imperva customers a unified view of threats to their applications wherever those applications reside.

Getting Started

Imperva AppSecurity View can be downloaded from Splunkbase. To install the App, follow the directions below:

  1. Log into Splunk Enterprise.
  2. On the Apps menu, click Manage Apps.
  3. Click Install app from file.
  4. In the Upload an App window, click Choose File.
  5. Locate the .tar.gz file you just downloaded, and then click Open or Choose.
  6. Click Upload.
  7. Click Restart Splunk, then confirm you want to restart.

Alternatively, to install the App (or any Splunk app or add-on) directly on the Splunk Enterprise host without using the web interface:

  1. Copy the downloaded .tar.gz file to the $SPLUNK_HOME/etc/apps directory.
  2. Extract it there, using a tool such as tar (for example, tar -xzvf on *nix) or WinZip (on Windows). The package expands into a single app directory under $SPLUNK_HOME/etc/apps.
  3. Restart Splunk so the new app is loaded.
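The manual procedure above, scripted, as an added example (not Imperva's or Splunk's own tooling). It adds the checks an operator would want before unpacking an archive into $SPLUNK_HOME/etc/apps: that the archive contains exactly one top-level directory with a default/app.conf (what a Splunk app package looks like), that no member path is absolute or contains `..` (so extraction cannot escape the apps directory), and that an existing app of the same name is not silently overwritten. The package name in the usage comment is a placeholder; the only real command assumed is `$SPLUNK_HOME/bin/splunk restart`.

```shell
#!/usr/bin/env bash
# Manual install of a Splunk app package into $SPLUNK_HOME/etc/apps.
# Added example, not Imperva's or Splunk's own tooling. Assumes a tar that
# understands -t/-x with -z (GNU or BSD tar). Package names are placeholders.
set -u

# List the archive members and refuse anything that is not a single, safe app
# directory. On success, prints the top-level app directory name.
check_app_package() {
    local pkg="$1" members top count
    members=$(tar -tzf "$pkg") || return 1
    # Normalize "./foo" to "foo" and drop empty or bare "." entries.
    members=$(printf '%s\n' "$members" | sed 's#^\./##' | grep -v '^\.\{0,1\}$')
    # Reject absolute paths and parent-directory components (archive traversal).
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $pkg: unsafe path in archive" >&2
        return 1
    fi
    # Splunk app packages contain exactly one top-level directory, the app name.
    top=$(printf '%s\n' "$members" | cut -d/ -f1 | sort -u)
    count=$(printf '%s\n' "$top" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "refusing $pkg: expected a single top-level app directory" >&2
        return 1
    fi
    # Every Splunk app ships default/app.conf; without it this is not an app package.
    if ! printf '%s\n' "$members" | grep -qx "$top/default/app.conf"; then
        echo "refusing $pkg: no default/app.conf under $top" >&2
        return 1
    fi
    printf '%s\n' "$top"
}

# Steps 1 and 2: validate, then extract into the apps directory. An existing
# install of the same app is kept unless the third argument is "force".
install_app_package() {
    local apps_dir="$1" pkg="$2" mode="${3:-}" top
    top=$(check_app_package "$pkg") || return 1
    if [ -d "$apps_dir/$top" ] && [ "$mode" != force ]; then
        echo "$apps_dir/$top already exists; pass force to overwrite" >&2
        return 1
    fi
    tar -xzf "$pkg" -C "$apps_dir" || return 1
    [ -f "$apps_dir/$top/default/app.conf" ]
}

# Step 3: restart Splunk so the new app is loaded.
restart_splunk() {
    "${SPLUNK_HOME:?SPLUNK_HOME must be set}/bin/splunk" restart
}

# Usage (placeholder package name):
#   install_app_package "$SPLUNK_HOME/etc/apps" ./imperva-appsecurity-view.tar.gz && restart_splunk
```

Run it as the user that owns the Splunk installation so the extracted files get the right ownership; on a search head cluster or a deployment-server setup, the package goes into the deployer or deployment-apps directory instead of the local etc/apps, following the Splunk documentation for that topology.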

Once the App is installed and configured, users can begin taking advantage of unified visibility into their WAF-protected applications right away.

Inside the App

When opened, the App displays a dashboard summary view of all SecureSphere, Incapsula and ThreatRadar events. Users can change the time range and filter by product to customize the view (see Figure 1).

Figure 1: Summary view of SecureSphere, Incapsula and ThreatRadar events

The dashboard summary view also displays the top 10 security event types identified (see Figure 2).

Figure 2: Top 10 Security Event Types

For additional detail, the App provides several drill-down views from the dashboard (see Figure 3).

Figure 3: Drill-down Views

Unified Visibility for Hybrid Cloud

Start now. Get a unified view of Imperva SecureSphere WAF, Incapsula WAF, and related ThreatRadar events in Splunk Enterprise. Download the Imperva AppSecurity View App from Splunkbase.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light, and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.

This article was sourced from Imperva.