Imperva Cyber Community

  • 1.  Flag Users When Session Exceeds Length

    Posted 11-04-2019 15:52

    Hi Everyone,

    Q: can I use SecureSphere WAF to flag when a user session exceeds the time allowed by the issued CyberArk ID?

    Or asked differently,

    Given:
    - use of CyberArk for user credentials and session window (length of time)
    - On-prem WAF, aka SecureSphere WAF
     
    Q: How can we flag when a user session exceeds a length?

    Regards
    Chris


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Chris Hauser
    Chris.hauser@imperva.com
    ------------------------------


  • 2.  RE: Flag Users When Session Exceeds Length

    Posted 11-05-2019 12:30
    There are a couple of ways.  Let's assume that an external system (such as CyberArk) provisions an account for 3 hours.  A database session that was started prior to the account time limit will not be stopped by the database.

    We can't flag a user (whatever that means) for extending beyond an externally posed time frame as SeS has no way to keep track of a user's login period.  If, however, we create a lookup set that is maintained externally, we can then access this information in a custom Database Service security policy.  There are two possible ways to do this:  1) create a lookup set that is maintained directly on the MX (or via API) and add (and remove) appropriate userids as they "expire". 2) Illustrated below is creating lookup data from an external database:

    Here is a screenshot of me building a lookup set that queries an external database:


    Now create a new lookup data set:


    and configure


    This goes against a mysql database with a users table and all it contains is a list of users.  This database needs to be maintained by an external system such as CyberArk.

    Next, create the security policy that accesses this lookup data:


    In this example all this policy does is present an alert.  You can have it block whatever activity is occurring (good or bad) and/or you can set up a "terminate session" followed action.





    ------------------------------
    Richard Johnson
    ------------------------------
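
One way the external maintenance job described in the reply above could keep the `users` table current, as an added example that is not part of the original thread and is not Imperva or CyberArk code. It assumes the table holds the userids whose window has ended; Python's `sqlite3` stands in for the MySQL database, and the `userid` column, the grant records and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data: (userid, time the account was issued, allowed window).
# In practice these records would come from the provisioning system.
GRANTS = [
    ("alice", datetime(2019, 11, 5, 8, 0), timedelta(hours=3)),
    ("bob", datetime(2019, 11, 5, 10, 0), timedelta(hours=3)),
    ("carol", datetime(2019, 11, 5, 6, 30), timedelta(hours=3)),
]


def expired_userids(grants, now):
    """Return the userids whose allowed window has ended at `now`."""
    latest = {}
    for userid, issued_at, window in grants:
        expires = issued_at + window
        # A user may be provisioned more than once; the latest expiry wins.
        if userid not in latest or expires > latest[userid]:
            latest[userid] = expires
    return {u for u, exp in latest.items() if exp <= now}


def sync_users_table(conn, grants, now):
    """Make the users table equal to the set of expired userids.

    Returns (added, removed) so the job can log what changed.
    """
    conn.execute("CREATE TABLE IF NOT EXISTS users (userid TEXT PRIMARY KEY)")
    want = expired_userids(grants, now)
    have = {row[0] for row in conn.execute("SELECT userid FROM users")}
    added, removed = want - have, have - want
    with conn:  # one transaction, so a lookup refresh never reads a half-updated list
        conn.executemany("INSERT INTO users (userid) VALUES (?)", [(u,) for u in added])
        conn.executemany("DELETE FROM users WHERE userid = ?", [(u,) for u in removed])
    return sorted(added), sorted(removed)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL database
    print(sync_users_table(conn, GRANTS, datetime(2019, 11, 5, 11, 30)))
```

Removing a userid when the account is re-provisioned matters as much as adding it on expiry: a stale entry would keep raising alerts for a user whose new window is still open.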