What Kind of Data Does Imperva Use to Generate Attack Signatures?

By Leo Noman posted 16 days ago


Discover how Imperva leads the way when it comes to identifying and classifying threats.

Attack signatures are a critical part of what makes Imperva’s cloud WAF and DDoS protection services so valuable. 

The ability to accurately identify suspicious users and behaviors across a very large surface area is essential to protecting vital data and assets. Attack signatures give Imperva systems the ability to “learn” patterns in traffic and usage leading up to an attack.

Security professionals regularly ask Imperva team members to define attack signatures and explain what they consist of. These questions are a common fixture on community blog posts and webinars.

It makes sense. No enterprise stakeholder would agree to entrust its most valuable digital assets to a system they don’t understand. People want to know what makes an Imperva-generated attack signature so informative and valuable.

To learn more about Imperva's DDoS protection and how to mitigate the threat and avoid downtime, watch this video.

Building a Network of Correlations

Imperva captures user traffic and behavioral data from all of its protected assets and uses this data to identify correlations between user behaviors and outcomes.

For instance, if a large number of suspicious user agents appear to be connecting from a specific source, it makes sense that future traffic from that source should be subject to increased scrutiny. Similarly, if cyberattacks have been carried out from specific IP addresses in the past, closer examination of traffic from those IP addresses is a wise move.

Associating these data points with known attack patterns allows Imperva Cloud WAF and DDoS Protection systems to immediately recognize suspicious behavior. These correlations form the basis of what our attack analytics engine uses to create threat signatures.

Imperva’s Reputation Intelligence

Imperva leverages data from throughout its customer base and a selection of third-party data providers to build correlations between specific IP addresses and the behavior of their users. This data is available as a report for Cloud WAF users.

For any given IP address, Imperva Cloud WAF customers can view:

  • A risk assessment score calculated to represent the degree of the specific IP’s malicious capability.
  • The types of attacks that have historically originated from that IP, and the tools it has used to attack protected systems.
  • The geographical data correlated to that particular IP and the specific industries it has attacked in the past.

These data points, when compared with one another over multiple attack sequences and correlated with specific outcomes, form patterns that Imperva identifies as attack signatures. Once the signature of an attack is known, it can be identified throughout the entire customer base.

This specific IP information is also available through Imperva’s Reputation API. This allows customers to leverage Imperva reputation intelligence for in-house dashboards and workflows, and generate reports on user traffic behaviors and threats.

From Reputation Intelligence to Attack Analytics

One of the biggest problems that today’s cybersecurity professionals face is “alert fatigue”. The average security operations professional is regularly overwhelmed with the ever-increasing volume and sophistication of new threats and potential risks.

In a security environment where every suspicious event is flagged using the same all-purpose alert procedure, it’s practically impossible to effectively prioritize the most important breaches. 

This would be analogous to a hospital where every patient is categorized as either “sick” or “well”, without any further information or context. How would the doctors know where their attention is needed most?

Imperva’s Attack Analytics system uses machine learning to correlate and distill each distinct security event. This relieves an enormous burden from the security team, allowing IT organizations to respond to security threats according to their severity and scope.
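The two mechanisms described above, per-IP reputation built from observed behavior and the collapsing of individual events into a smaller number of ranked narratives, can be sketched in code. The following is an added illustration written for this page, not Imperva's code, and the scoring formula, severity weights, grouping key and five-minute window are all assumptions chosen for the example; the input events are constructed, not real traffic.

```python
"""Toy reputation-and-correlation pipeline over constructed WAF events.

Added example for illustration only; not Imperva's algorithm or data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events (not real traffic). Fields: timestamp, source IP,
# source country, target industry, user agent, attack type ("-" = benign
# request), tool inferred from the user agent.
EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "NL", "finance", "sqlmap/1.7", "sqli", "sqlmap"),
    ("2024-01-01T10:00:05", "203.0.113.7", "NL", "finance", "sqlmap/1.7", "sqli", "sqlmap"),
    ("2024-01-01T10:00:09", "203.0.113.7", "NL", "finance", "sqlmap/1.7", "sqli", "sqlmap"),
    ("2024-01-01T11:30:00", "203.0.113.7", "NL", "retail", "python-requests/2.31", "scan", "custom"),
    ("2024-01-01T10:01:00", "198.51.100.2", "US", "finance", "Mozilla/5.0", "-", "-"),
    ("2024-01-01T10:02:00", "198.51.100.2", "US", "finance", "Mozilla/5.0", "-", "-"),
    ("2024-01-01T12:00:00", "192.0.2.9", "BR", "healthcare", "curl/8.0", "xss", "custom"),
]

# Assumed severity weights per attack type; unknown types count as 1.
ATTACK_WEIGHT = {"sqli": 3, "xss": 2, "scan": 1}


@dataclass
class Reputation:
    """What the page lists for an IP: risk score, attack types, tools, geography, industries."""
    total: int = 0
    malicious: int = 0
    attack_types: Counter = field(default_factory=Counter)
    tools: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    industries: set = field(default_factory=set)

    @property
    def score(self) -> int:
        """0-100 risk score (assumed formula): share of malicious requests plus
        breadth of attack types used and of industries targeted."""
        if self.total == 0:
            return 0
        ratio = self.malicious / self.total
        return min(100, round(ratio * 60) + 10 * len(self.attack_types) + 5 * len(self.industries))


def build_reputation(events):
    """Aggregate per-source-IP behavior into a Reputation record."""
    reps = defaultdict(Reputation)
    for _ts, ip, country, industry, _ua, attack, tool in events:
        rec = reps[ip]
        rec.total += 1
        rec.countries.add(country)
        if attack != "-":
            rec.malicious += 1
            rec.attack_types[attack] += 1
            rec.tools.add(tool)
            rec.industries.add(industry)
    return dict(reps)


def build_narratives(events, window=timedelta(minutes=5)):
    """Collapse malicious events that share (source IP, attack type, target industry)
    and fall within `window` of the previous one into a single narrative, then rank
    the narratives by severity so the analyst sees the most important first."""
    parsed = sorted((datetime.fromisoformat(e[0]),) + tuple(e[1:]) for e in events)
    open_narratives = {}
    finished = []
    for ts, ip, _country, industry, _ua, attack, tool in parsed:
        if attack == "-":
            continue
        key = (ip, attack, industry)
        current = open_narratives.get(key)
        if current and ts - current["last"] <= window:
            current["count"] += 1
            current["last"] = ts
            current["tools"].add(tool)
        else:
            if current:
                finished.append(current)
            open_narratives[key] = {"ip": ip, "attack_type": attack, "industry": industry,
                                    "first": ts, "last": ts, "count": 1, "tools": {tool}}
    finished.extend(open_narratives.values())
    for n in finished:
        n["severity"] = n["count"] * ATTACK_WEIGHT.get(n["attack_type"], 1)
    return sorted(finished, key=lambda n: n["severity"], reverse=True)


if __name__ == "__main__":
    for ip, rec in build_reputation(EVENTS).items():
        print(f"{ip}: score={rec.score} attacks={dict(rec.attack_types)} "
              f"tools={sorted(rec.tools)} geo={sorted(rec.countries)} industries={sorted(rec.industries)}")
    for n in build_narratives(EVENTS):
        print(f"severity={n['severity']} {n['ip']} {n['attack_type']} -> {n['industry']} "
              f"({n['count']} events, {n['first']:%H:%M:%S}..{n['last']:%H:%M:%S})")
```

With the constructed input, seven raw events become three narratives, and the burst of three SQL injection attempts from one source against one target is reported once with the highest severity rather than as three equal-weight alerts; the benign browser traffic from 198.51.100.2 ends up with a score of zero and no narrative at all.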

Four Benefits of Imperva Attack Analytics Capabilities

  1. Reduced Risk

Categorizing individual security events into coherent narratives allows security professionals to focus on the most important incidents first. Imperva’s machine learning algorithm reduces the risk of missing data related to important security events that might influence the appropriate response to an alert.

  2. Greater Visibility

Without a unified solution for security event visibility and user tracking through cloud-enabled applications, it can be incredibly challenging to identify attack patterns happening concurrently throughout the enterprise. The larger an organization’s attack surface is, the greater the need for user data to automatically generate threat signatures that can be compared with and correlated to one another.

  3. Collective Intelligence

Both new and common cyberattack campaigns follow predictable patterns of behavior. Global data – like user tracking, reputation intelligence, and advanced attack analytics – allow security professionals to quickly identify and respond to suspicious activities using data drawn from a wide variety of sources.

  4. Cloud-Ready Performance

Imperva’s cloud-based security infrastructure allows for on-demand scalability. Growing businesses enjoy a steady consumption-based model for allocating security resources, and never end up paying for resources they don’t need. 

Learn More with Imperva Community 

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like On-Prem WAF, Cloud WAF, DDoS, Advanced Bot Protection and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts. 
