You have probably already noticed that new blocks have appeared in the WAF node card in the Wallarm Console with information about the versions of the LOM file and proton.db used.

Starting from version 2.16 of the WAF node, these sections will display information about the versions of installed components and indicators of available updates.

The latest versions of the Wallarm WAF node uses new technologies and capabilities to protect applications and APIs from hacker attacks. We recommend that you always keep WAF nodes up to date.

We remind you that we only support the last two versions of the Wallarm WAF node. You can find more information on versioning in the versioning policy documentation.

We are pleased to announce the general availability of the Wallarm Node 2.16. This is a major update that is recommended to install.

Highlights

• New WAF node component — Libdetection, a second-generation attack detection library
• Expanded options for custom block pages and response code
• Added display of WAF node component versions in the Wallarm Console
• Added new statistical parameters for the WAF node
• A few improvements have been made to the monitoring and other system components
• Support for CentOS 8 operating system has been added

How to upgrade

The installation and update packages for all supported platforms are already available in the repositories. AWS AMI and GCP VM Image have been updated. The migration guide is available in the docs portal.

A frequently asked question from customers is, "Why didn't FAST find a vulnerability when it definitely exists in the application?" We began to explore the logs and look for the reasons for this behavior. In most cases, the answer is simple: FAST failed to path authentication.

And we took the first steps in solving this problem.

The first move was to highlight the problems of authentication themselves. Now, the Wallarm Console displays the new "Auth failed" status if FAST was unable to test due to an authentication error.

The second move was to add a simple authentication method. What does that mean? Now, you can provide the FAST node with the test client credentials and specify the query parameters they need to substitute. These credentials will be used when executing test queries. Such a mechanism will avoid the use of an expired token, QA credentials, etc.

Read more about the FAST authentication process on our docs portal

Additional information about the IP address from which malicious requests were sent always helps when investigating attacks and incidents.

Previously, we independently determined whether the IP address belonged to the Tor exit nodes, or AWS, GCP, or Azure data centers. We also independently determined whether the IP address belongs to a specific country.

Now, we use the IP2Location databases, and on the Wallarm Console display additional information about whether the IP address is included in:

• The database of addresses of public web proxies
• The database of addresses of public VPN services

Our next steps are filtering by attack source on the Wallarm Console pages and blocking requests by country or by attack source.

You may have already noticed the new Triggers section in the Wallarm Console and may have already configured several triggers. Let's take a deeper look into what triggers are and how you can use them.

Triggers allow you to set up an automatic reaction of the system to an event. Each trigger consists of a trigger condition and an action to be executed.

In the first version, we taught Triggers to analyze attacks, incidents, and user creations and programmed them to send you notifications. For example:

• If more than 100 attacks have been performed on your application in the last minute, then Sumo Logic will instantly receive a notification about the attack that has begun
• If someone created a new user as the Administrator Role within the Wallarm Console, then a message about the new user would be sent to the Slack channel.

But that's not all - we have big plans for the development of triggers. The set of conditions and reactions will continuously expand. You can already configure automatic sending of IP addresses to the blacklist when the threshold of attack vectors is exceeded. In the coming month, triggers will be able to configure protection against brute-force attacks.

You can find detailed instructions on working with Triggers in our documentation.

Do you have any questions or ideas for product development? Tell us!

The first integration with the SOAR system is now available in the Wallarm Console. It’s the native integration with Rapid7 InsightConnect! SOAR systems are tools for complete automation of information security management, from prioritizing tasks to reacting to incidents.

The modern approach in information security is the use of specialized tools that are closely integrated with one another. Therefore, one of Wallarm’s priority areas is the support of modern security tools.

Now, you can send Wallarm WAF events to InsightConnect or configure conditions and filters for the Trigger to send a particular message to InsightConnect when conditions are met.

For setting up InsightConnect integration, only the API URL and X-Api-Key are required. You can find more details in our documentation.

In July and August, our detection team redesigned the detection of Path Traversal attacks. Hackers can use the following approaches for such attacks:

• PHP wrappers

  For example, php://filter/read=convert.base64-encode/resource=/etc/group

• Universal naming conventions for paths (UNC paths)

  For example, \\::1\c$\users\default\ntuser.dat

• File URI scheme

  For example, file://localhost/c|\windows\win.ini

We have updated the mechanism for dealing with such attacks and extended it to make it more difficult for attackers to execute such attacks.

We have also added new Scanner extensions to scan for the following vulnerabilities:

• Detecting debug panels laravel-debugbar, telescope, php-debugbar
• Zend framework configuration information disclosure detection
• LFI & RCE in Citrix ADC / Netscaler (CVE-2019-19781)
• 0 Day RCE at vBulletin (CVE-2020-17496)
• F5-BIG-IP RCE (CVE-2020-5902)

The changes are already available for all Wallarm clients. No additional update steps are required.

Integration with SIEMs is one of the most common things customers set up when deploying WAFs to protect their apps and APIs. We’ve just added native Splunk support, so you can connect it in a matter of minutes.

You can pull all the security events right into Splunk:

• Hits (attack requests)
• Discovered vulnerabilities
• Changes in the network perimeter
• System messages

Having the integration in place allows you to triage threats faster and to aggregate data from a variety of security tools your organization is using.

It has always been possible to push data into SIEMs using Wallarm APIs. With the native support of Splunk, you don’t need to deal with API anymore. For the Splunk integration, only HEC Token and API URL are required to have it running.

Try it out now in your Wallarm settings.

We have added a new authentication method in the Wallarm Console. We are glad to announce SAML SSO support!

A centralized authentication mechanism through SAML / SSO is important when implementing products in medium and large organizations. Using centrally managed accounts for all products allows IT departments to be effective, and companies to meet the most important security standards and compliance.

The Wallarm Console previously supported two-factor authentication. Now, we have added SAML authentication. This standard is supported by all popular IdP providers such as Okta, Azure AD, OneLogin, Auth0, gSuite, and others.

When using SAML, the company has a separate URL to access the Wallarm Console. Our technical support team will help you connect the domain and configure SAML authentication for your users.

A new integration is now available in the Wallarm Console - Sumo Logic native integration. Sumo Logic is a secure, cloud-based service for logs & metrics management for modern apps that provides real-time analytics and insights.

You can pull all the security events right into Sumo Logic:

• Hits (attack requests)
• Discovered vulnerabilities
• Changes in the network perimeter
• System messages

Check our new video Integrating Wallarm WAF into existing DevOps Toolchain to see how easy it is to set up a new integration and the result of its work.