Implementing Defense in Depth with RASP and WAF

By Rajaram Srinivasan posted 23 days ago


The principle of “defense in depth” is borrowed from the military and rests on the fact that no security solution is perfect. While effective security products can detect and block a high percentage of attacks against a system, no single security product can provide protection for all threat vectors. A comprehensive IT security strategy includes risk-appropriate controls implemented where they can provide maximum efficacy, with integrated analytics throughout.

With multiple lines of defense, an organization can decrease the probability that an attack will actually reach and compromise internal systems. Attacks that are overlooked by one line of defense may be detected and blocked by the next.

Web application firewalls (WAFs) and runtime application self-protection (RASP) are both solutions designed to improve the security of an organization’s web applications. However, the decision of what to deploy should not be an “either/or” but a “both/and”.

Introduction to WAF and RASP

WAFs and RASP are both solutions designed to identify and block attempted exploitation of an organization’s web applications. However, they accomplish this goal in very different ways.

The WAF sits in front of applications, inspecting incoming HTTP request traffic for known attack payloads and abnormal usage patterns. When a suspicious payload or usage pattern is detected, the request can be reported, or reported and blocked. A WAF also allows blocking of IP addresses and customization of rule-sets, in addition to providing real-time alerts and reporting.

The Imperva WAF separates known, bad traffic from good traffic and ensures that your application is not processing information or requests which do not pertain to the application’s intended functionality. An additional benefit of the solution is lowering application infrastructure costs.

RASP, on the other hand, has visibility into an application’s runtime and uses it to identify and block attacks. RASP is integrated into the application itself, using instrumentation to track its current state at runtime. If an application is presented with malicious input, RASP has complete visibility into the application’s current state and can determine how the application would be affected by the attack. This enables it to detect and block even zero-day attacks with no learning period or signature update, based on first principles alone.

Watch the full webinar here: Protecting Applications from Within Using Runtime Application Self Protection (RASP)

Using WAFs and RASP for Defense in Depth

Security in front of the application, such as a WAF, is excellent protection against known attacks, and WAF signatures are great for addressing previously seen exploit payloads. But frequent application code changes and third-party libraries mean the environment is under constant change, so edge protections are necessarily reactive: they risk false negatives (attacks that slip through) or unwanted false positives (legitimate traffic that is blocked).

RASP provides more granular protection to an application and doesn't rely on a single point of entry at the network layer. It is capable of identifying attacks not just based on “who” is sending the request, but also on “what” the request is trying to do. It doesn’t matter whether the request comes from a compromised insider or from a high-risk attack source: RASP will flag it if it attempts something malicious within the application.

For the right security architecture, different controls need to be implemented at different points in a defense in depth strategy. If the attack gets through the control at layer 1, using the same kind of control at layer 2 would be pointless.

With the traditional network borders essentially erased as organizations transition to cloud infrastructure, it’s increasingly difficult to tell friend from foe based upon the origin of the connection. In most WAF deployments, inspection is focused on “north-south” (outside-in) traffic, whereas RASP is often oriented toward “east-west” (inside-to-inside) traffic.
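To make the two-layer argument above concrete, here is a small added example (not Imperva's code or any product's implementation) that models both layers on one request: an edge layer that matches raw parameters against a tiny signature list, and a runtime layer that hooks the SQL sink and flags any input that changes the lexical shape of the query, which is the "first principles" check the RASP section describes. The endpoint, query template, signatures and sample requests are all constructed for the demonstration.

```python
import re

# Edge layer: a deliberately small WAF-style signature set applied to raw request parameters.
WAF_SIGNATURES = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),  # the classic numeric tautology
    re.compile(r"<script\b", re.I),               # reflected-XSS marker
]

def waf_inspect(params: dict) -> str:
    """Return 'block' if any parameter matches a known-bad signature, else 'allow'."""
    for value in params.values():
        if any(sig.search(value) for sig in WAF_SIGNATURES):
            return "block"
    return "allow"

# Runtime layer: a hook at the SQL sink that compares statement structure, not payload text.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\w\s]")

def query_shape(sql: str) -> list:
    """Lexical shape of a statement: every token, with string-literal contents masked."""
    return ["<str>" if t.startswith("'") else t.upper() for t in SQL_TOKEN.findall(sql)]

def rasp_guard(template: str, value: str) -> tuple:
    """The query built from real input must have the same shape as one built from a
    harmless placeholder; any extra token means data has become code, whatever it looks like."""
    expected = query_shape(template.format(v="placeholder"))
    actual = query_shape(template.format(v=value))
    return ("block" if actual != expected else "allow", actual)

def defense_in_depth(template: str, params: dict) -> dict:
    """Run one request through both layers and record which layer stopped it, if any."""
    if waf_inspect(params) == "block":
        return {"stopped_by": "waf"}
    verdict, _ = rasp_guard(template, params["name"])
    return {"stopped_by": "rasp" if verdict == "block" else None}

# Constructed sample endpoint and requests (hypothetical, for illustration only).
QUERY = "SELECT id FROM users WHERE name = '{v}'"
SAMPLE_REQUESTS = {
    "benign":        {"name": "alice"},
    "known_payload": {"name": "x' OR 1=1 --"},   # matches the edge rule-set
    "unlisted":      {"name": "x' OR 'a'='a"},   # no signature for it, but it changes the query shape
}

if __name__ == "__main__":
    for label, params in SAMPLE_REQUESTS.items():
        print(label, defense_in_depth(QUERY, params))
```

The "unlisted" request is the case the text is about: the edge layer has no rule for it, but the runtime layer still blocks it because the statement gained tokens it should never have.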

Implementing Defense in Depth with Imperva

Imperva is committed to protecting data and all the paths to it. This is achieved not by one technology but by multiple technologies operating at different levels to catch threats at the appropriate layer. Imperva Application Security is such a multi-layered approach: it provides protection and multi-sensor analytics across your Web Application Firewall (WAF), DDoS Protection, Advanced Bot Management, and RASP, giving you a full solution stack to secure and monitor application access.

What’s more, with Attack Analytics customers can perform multi-sensor analytics, including across WAF and RASP, to inspect an event through two different lenses. They can also correlate and cluster events to identify complex attacks, saving your team the time spent trying to find the needle in the haystack.

Learn More with the Imperva Community

The Imperva Community is a great place to learn more about how to use Imperva cyber security technologies like API Security, Cloud WAF, Advanced Bot Protection, DDoS Protection, and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts.