WAF for Midmarket/Enterprise Organizations
Date aired: June 27, 2018
In today’s complex security landscape, web applications pose a significant risk to Mid-Market and Enterprise organizations. This webinar will introduce the concept of the WAF, and the benefits of web application security in the cloud.
Enterprise Account Manager
I work with enterprise clients to provide an effective web security strategy and have a passion for security and technology. I am a black belt in Brazilian Jiu-Jitsu and an avid guitar player.
Questions & Answers
Question #1: How much does such a solution cost?
Answer: The Sucuri Enterprise plans offers various price ranges based on Support SLA, Integrations required, Size and complexity of the application, traffic volume, and risk.
Question #2: How long does it take to implement the WAF?
Answer: The actual activation of the WAF is very straight forward, simply requiring a DNS A record change.
However, a proper onboarding plan including goals, timelines, and testing is the preferable approach.
These timelines can be accelerated when our new clients are facing urgent situations.
Question #3: Is such a solution applicable as a replacement for part of the entire security teams in our organization?
Answer: Security is combination of people, process, and technology.
Organizations who outsource security tools, such as the Sucuri WAF, will still need security professionals in various capacities.
Question #4: What about the SIEM/SOC Integration?
Answer: Yes, certainly.
Sucuri has customers integrating with many of the major SIEM providers.
Our standard log format is ossec and can be transmitted to our clients in various ways.
Question #5: Can you help clarify my understanding – as I understand the WAF such as provided by Sucuri is preferred as it can “catch” problems BEFORE they hit the website, as opposed to the “web application firewall” that some WordPress security plugins offer, for example.
Answer: Sucuri is both and Intrusion Detection System and Web Application Firewall (WAF).
The difference between a plugin WAF and a Cloud-based WAF, like Sucuri, is that we can mitigate attacks at the ‘edge’ before it hits your application and server. This means that we can reduce risk and the strain that attacks can put on your application.
See all Questions & AnswersExpand
Dana Dickeson – Enterprise Account Manager
Thank you very much, Val. I appreciate the introduction and welcome everyone who was able to attend today, and those who might be watching this recording down the road. Like Val mentioned, my name is Dana Dickeson. I work here at Sucuri currently as an enterprise account executive, and been a big part of heading up the push into the mid-market and enterprise for Sucuri over the last few years.
I’ve always been really passionate about protecting people and things and security in general. I’m a former police officer for about 10 years here in Canada where I reside, and I’ve been with Sucuri for the past three years now, and I’m really pumped up and passionate about what we’re doing here at Sucuri and the way we’re trying to make the internet a better place.
In my free time, I’m involved heavily in martial arts. So I’m a Brazilian jiu jitsu black belt, it’s a style of grappling martial arts. I’ve been involved in that for a long time, really enjoy that a lot. And also an avid guitar player. And I know, I’m broadcasting here from my home office in Fredericton, New Brunswick, Canada, and I’m sure you can see some guitars in the background. So that’s been my newest obsession over the last few years.
So in this webinar, full disclosure, this is going to be pretty high level. Not a technical deep dive into what a cloud-based web application firewall is. But what I want to try to do is give you an overview today, just talk about why security is important and the implications of security and security breaches, why there’s an advantage to choosing a cloud-based web application firewall, and then what or how do we define what an enterprise grade solution really is
So to get things started, why is security important? So in this slide, it really just talks about the two different types of impacts that a cybersecurity breach can have on an organization. First is the business side of things, so the impact of the brand, the damage to the reputation. There’s the economic impact, and that’s lost business, whether that’s current business or future business. There’s the cost of remediation, the cost of engaging forensics, fines that might be associated due to compliance issues.
There’s also the emotional distress, and I really feel like in my experience, I’ve dealt with a lot of clients, both enterprise clients and small businesses that have an infected website or web serve and they’re dealing with these issues, and I really do think that they look like that little icon while I’m speaking with them for the first time. The good thing is there’s people like us out there who can help you get back on track, but it is very taxing to an organization and the team working around the clock trying to fix these issues.
Some technical impacts. Things like the blocklisting of a domain, which can take time and at the mercy of, say, Google, to de-list. The impacts of SEO, and I’m sure that a lot of marketing teams who work so hard on SEO really feel that damage that’s done through a compromise.
And really, I think the hot topic nowadays, and rightfully so, is the protection of visitor, customer data. We’re seeing things like GDPR that are focused on data protection. We’re seeing other countries and regions starting to follow suit. So protecting your customers’ data is so critical right now.
Some interesting statistics and some facts. It’s estimated that cyber crime damage costs will hit $6 trillion annually by 2021. So we’re seeing an increase year after year in the cost of the damages to organizations around the world.
However, cybersecurity spending is going to exceed $1 trillion between 2017 and 2021. So we’re seeing that even though the spending is going up year after year, so are the damages. So something’s not quite right. It makes me wonder if we’re spending our dollars in the right place. So those are some pretty staggering numbers when you think about it.
To break this down a little bit further, we all hear about the big breaches. But the average cost per stolen record, according to the Ponemon study in 2017 sponsored by IBM, is $225 per record. That’s closer to $300-325 if those are, for instance, medical records. And the average number of records stolen is 28,500. So that’s a substantial amount of records, and when you start multiplying those two numbers, you can see the impacts it has on any size organization.
There are those fringe cases that we hear about all the time, like Equifax, who in 2017 lost 143 or 145 million records. Included in that were 140 million Social Security numbers, 100 million addresses, even close to 300,000 credit card numbers exposed. So those are really serious numbers with big implications.
Even using the numbers that we first looked at, the $225 per record and the 28,000 records, that works out in the range of $6 million for the cost of a data breach for an enterprise or for a mid-market company, or really any size company that loses that amount of records. So we can’t ignore security, unfortunately. The costs are real and the risks are real.
So why is web security so important? Well, I know from my experience visiting This year really stood out to me, that the focus is still on the network. But web applications are really low-hanging fruit. They’re open doors to the internet, and often lead very deep into an organization’s network. So it’s important to address web security specifically.
When we’re talking about web security, and I know today is about the WAF, which is just an element of this, but I really love this idea of creating a security framework, which I think is a really fluid way to have this continuum to help you understand the important aspects that you need to address. So when we look at this, it starts with the identification, and that can be identifying the web apps, the assets, the applications, the domains, the hosting environments.
I’ve spoken to many large organizations who just have no idea where their websites are, how many web properties they have, how many domains they have, how they’re hosted. Who are those asset owners within the organization? So being able to inventory those assets and really have a grasp on where those things live, that’s very valuable to an organization. The larger the organization, the more web properties, the bigger issue this becomes. Identification can also be about things like pen testing, looking to identify vulnerabilities on a regular basis and investigating your weaknesses so you can address those.
When we’re talking about protection, certainly patching, hardening, those are helpful, but can be hard to manage. Especially a lot of organizations are using third-party developers, and that becomes even more challenging to get those patches and updates rolled out in a timely fashion. This protection aspect is where a tool such as a cloud-based web application firewall fits. That’s what we’re going to focus on today.
But just continuing on to sum up the rest of this diagram, when we’re talking about detection, we’re looking at monitoring for malware, for instance. Monitoring file changes. Having visibility into blocklisting of domains and other indicators of compromise. So if there is something wrong, there’s something up, there’s malware on the network, files are being changed that shouldn’t be, things are being changed that shouldn’t be, do you have a way to detect those issues and those items?
And then the last piece, response and recover, that’s really the aftermath of an infection. The response could be the cleaning, the blocklist removal, the customer management. The recovery could be the things like the forensics, the rebuilding of trust. And it’s not ideal to get that far. That’s a long way down the rabbit whole, and really, an ounce of protection is worth a pound of cure. So we want that protection in place so we can mitigate these types of incidents.
So how can we manage the security risk for web applications? And a few high- level ways to do that are through access control. Just like you would in the network, using sensible user access, applying the rule of least privilege, so people only need to be able to what they absolutely need to be able to do for their role. The hosting and host servers, make sure the OS is updated, separating the databases from the applications, setting up DMZs and capsulizing sites so we can avoid cross-contamination if they are an issue. So those are some hosting considerations.
But our specialty is about website attacks, and this is where you can use a WAF to mitigate attacks on the web application itself. Things like brute force, a DDOS attack, and the exploitation of software vulnerabilities.
To define a cloud-based WAF … So a cloud-based WAF is a web application firewall, WAF stands for web application firewall, that’s housed or lives in a cloud network. So for Sucuri, for instance, our web application firewall, it sits in the cloud on our network of data centers, and the application is pointed to the firewall through an A record. So instead of the traffic going directly from the browser to the host server, first it has to pass through the web application firewall on our network. So that’s, in a high level, the idea is that we can block malicious requests, and allow the good requests through to the host server.
The firewall consists of really two elements, or two platforms that are running there. First is the intrusion detection system, or the IDS. And the IDS actually inspects the packets. It analyzes the behavior of the request. Now, that analysis is based on the log data that’s captured by the WAF. The IDS is looking at behaviors. So it’s analyzing behaviors such as repetition, the number of requests in a period of time, and response types, like 404s or 403s. So it’s a behavior-based tool.
The web application firewall, that uses signatures and heuristics. So it actually analyzes the request itself, and it blocks known malicious requests. But it also blocks requests that look like known malicious requests, and that’s part of the learning of the system. Sucuri’s really a leading researcher in web application vulnerabilities, and we’re constantly updating our rules to address those zero- day threats, or those emerging threats.
So the obvious benefit of a cloud-based WAF or a firewall is that we can mitigate the attacks before they reach your network. And things like mitigation of all types of DDOS attacks or denial of service attacks. Prevention of vulnerability exploits like SQL injection or cross-site scripting or request forgeries. Protection against the top 10, and more for Sucuri. Sucuri blocks all known threats, and nearly all unknown attacks.
Another benefit that some people don’t realize is that Sucuri is actually built on a CDN. So we’re built on an anycast network of globally distributed data centers, and each of those data centers is a caching server as well. So we can send the static content from our servers, as opposed to calling back to the host. So this is great when it comes to optimizing the server and reducing the server load. The caching can be customized to various levels. Caching’s also great to help mitigate DDOS. So for instance, if there’s a distributed attack hitting a single page, then we can keep serving the cache to them, and they’re never getting back to the host server. Although the idea is to block that behavior. But that’s just an example of the benefit of caching.
Most of our customers see an improvement in speed, and in some cases it can be quite dramatic. And a neat feature of the Sucuri dashboard is that it actually analyzes the performance increase and shows you that in a visual. So, great when it comes to the reporting aspect of things.
So that’s just a really quick overview of how the firewall works and some of the benefits, but what separates an enterprise grade service from a direct to consumer service? And really, we’ve identified what we feel is important, what our customers have told us is important to them, and we’ve included those things in our service so we can serve that need.
And first and foremost, and I think one of the most important services that we offer as part of our enterprise grade platforms, and I can see it as a downfall, not doing this, is the onboarding. So the risk of an issue is the highest during setup. So we need to be able to deliver a service where we can work closely with our customers to come up with a deployment plan, so things like testing, go live planning, and then being able to offer real-time, real live support during those initial days to ensure that everything is working perfectly, especially when the application’s live behind the firewall.
Custom role creation is another item. Really, it goes hand in hand with the onboarding, the ability to create custom rules to make sure … And this is a simplification of things, but really, the custom rules, we want to make sure that requests that should be blocked are blocked, and most implement, that requests that shouldn’t be blocked are not blocked. So complex applications, they need complex solutions, and offering that as part of our service has been really helpful to our clients.
You need a software that accounts for enterprise grade infrastructure. So things like multiple hosting IPs, DMZ, failover IPs, using a load balancer, using your own CDN or your favorite CDN. The solution needs to be able to fit your environment. Whether that needs to be customized or whether that’s an inherent feature, it’s important that those things are addressed.
As far as UI capabilities go, having multi-tenancy in the dashboard is super important. Being able to designate roles so that you can limit permissions and use that rule of least privileged in the Sucuri UI as well.
Another thing we’re asked for a lot and that Sucuri provides really well are API functions. So essential anything that can be done through the Sucuri dashboard can be done through an API. So in theory, you can build out all the management of the firewall without ever entering the dashboard. Things like adding, removing domains, adjusting caching, allowlisting, blocklisting, et cetera. So all of those things can be done through the UI.
Another important aspect is taking … I think it’s about the meaning of the solution, and it means something different to each person, but you need to be able to get the information that’s meaningful to you in an easy way, and that’s something that we strive to do. So in the dashboard itself, or available through the API, are some great reports. And we really break things down into three types of reports.
The first is real time reports, which are really a snapshot of what’s going on now, both allowed and blocked requests. The second are historic audit logs. So what Sucuri does is from the moment a site is live on our network, we store the audit logs for our clients. And so those historic logs of the block requests are there for your analysis. It’s also a part of our service, especially in the enterprise space, to help understand those logs or parse logs or go through logs to help you guys find the information that you need.
The last piece is what I like to call, and that’s why I use the quotes, it’s not what Sucuri calls them, it’s what I call them … But they’re “management” style reports. So this is the, what are we spending our money on question that we all need to answer. So these are great graphs that break down how many requests are being blocked, how many are allowed, what type of attacks are being blocked, where are they coming from, really the meat and potato type of information. And these reports can be generated automatically and sent out daily, weekly, monthly, and they’re great for the higher ups.
A lot of the enterprise organizations that we work with, they use a SIEM solution, something like Qradar or Splunk or LogRhythm, an event management system. So it’s important that we are able to integrate with those systems and provide our logs. So we can do that in various different ways. Most simply is through a sys log, but a lot of times, we need encrypted options to send those logs, so things like setting up a VPN or using our API or the API of the SIEM solution can help, and in the SIEM solution, then you can set parameters that will alert your security operations if you’re seeing a certain number of attacks or attacks on certain domains, or you can also create internal reports. So really useful information.
I think the biggest factor between success and failure in the enterprise space is how you provide support, and we’ve learned that through our experience, that the demands of a large organization … The support has to be there. So we need to be able to provide dedicated support channels with a response SLA that really fits to the business needs. If you need to have a response in 30 minutes to a support issue, then that’s what we need to be able to provide. So we have the ability to customize those support SLAs based on the needs of the business and of our clients.
Also, creating clear escalation paths to address issues. So for one, we have dedicated support channels for our enterprise team, which I think is so important that you go to an analyst who has the skills and ability to deal with complex problems. However, there’s always a need for escalation. There are always circumstances that will need escalation. So having those clearly defined paths is part of the scope of work for us. So teaching you and providing to you those paths is very valuable. Also, providing dedicated account management. Someone that you know you can call when you need help. And supporting the enterprise is a challenge but it’s also very rewarding.
So I’ll finish off with a quote from Jeff Bezos, and I really love this quote. I have this written up on my blackboard. “We see our customers as invited guests to a party, and we are the hosts. It’s our job every day to make every important aspect of the customer experience a little bit better.” And that’s really what we’re trying to do here on our enterprise team, and I guess with that, I’m going to turn it over to some questions. That was short and sweet, but I’m open to any questions that you might have.
See Full TranscriptExpand
Similar Past Webinars
In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.
Webinar – Logs: Understanding Them to Better Manage Your WordPress Site
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
Webinar – Personal Online Privacy
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Webinar – Why Do Hackers Hack?
Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.
Webinar – WAF (Firewall) and CDN Feature Benefit Guide
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Webinar – Preventing Cross-Site Contamination for Beginners
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
Webinar – Getting Started with Sucuri!
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Webinar – How to Account for Security with Customer Projects
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..
Webinar – Is SSL Enough to Secure Your Website?
It's a move we've seen coming since early 2017. Chrome HTTP sites are now officially being marked as 'not secure'. With Chrome dominating 62.85% of the browser market space as of last month means that even small changes can have a big impact on website owners if ignored…..
Webinar – FireChat: Reactive and Proactive Protection for Web Agencies
In this fire chat, we're looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face…..
Webinar – Security for Web Agencies
Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to we….