Waf Charm

How to eliminate False Positives with WafCharm

First off, I think it’s important to define the differences between the positives and negatives.

  • True Positive: A legitimate attack that triggers an alarm. Your brute-force alert fires, you investigate it, and you discover that somebody was trying to break into one of your systems with brute-force methods.

  • False Positive: An alarm is raised although no attack occurred. You investigate another of these brute-force alerts and discover that some users mistyped their passwords many times; it was not an actual attack.

  • False Negative: No alarm is raised although an attack did occur. Someone was trying to break into your system, but stayed below the threshold of your brute-force detection logic. For example, you set your rule to look for ten failed logins in a minute, and the attacker made only 9. The attack occurred, but your control was unable to detect it.

  • True Negative: No attack occurred and no detection was made. Nothing happened, and your rule didn't fire.
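To make the four definitions concrete, here is an added example (not code from the original post or from WafCharm) that runs a simple "N failed logins from one source within a minute" rule over constructed, labelled login events and sorts each source IP into one of the four buckets. The log lines, IP addresses, user names and the set of "known attacker" sources are all made up for the illustration; the rule itself and the evaluation against ground truth are the general technique.

```python
"""Evaluate a brute-force detection rule against labelled, constructed login events.

Added illustration of true/false positives and negatives; not WafCharm code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (not real logs) ---------------------------------
# Each line: ISO timestamp, username, source IP, outcome (FAIL or OK).
def _failures(start, user, ip, count, spacing_seconds):
    """Build `count` failed-login lines from one source, `spacing_seconds` apart."""
    return [
        f"{(start + timedelta(seconds=i * spacing_seconds)).isoformat()} {user} {ip} FAIL"
        for i in range(count)
    ]

T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    _failures(T0, "svc-admin", "203.0.113.9", 12, 4)   # attacker: 12 failures in 44 s
    + _failures(T0, "root", "198.51.100.7", 9, 5)       # attacker: 9 failures in 40 s
    + _failures(T0, "alice", "192.0.2.5", 10, 5)        # alice mistyping: 10 failures in 45 s
    + _failures(T0, "bob", "192.0.2.6", 2, 10)          # bob: two typos, then success
    + [f"{(T0 + timedelta(seconds=25)).isoformat()} bob 192.0.2.6 OK"]
)
# Ground truth, known only to the analyst evaluating the rule (also constructed).
ATTACKER_IPS = {"203.0.113.9", "198.51.100.7"}


def parse_log(lines):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in lines:
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "outcome": outcome})
    return events


def brute_force_alerts(events, threshold=10, window=timedelta(minutes=1)):
    """Return the source IPs with at least `threshold` failed logins inside any `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAIL":
            fails[e["ip"]].append(e["ts"])
    alerted = set()
    for ip, stamps in fails.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:   # slide the window forward
                left += 1
            if right - left + 1 >= threshold:
                alerted.add(ip)
                break
    return alerted


def confusion(events, alerted, attackers):
    """Classify every source seen in the events into TP / FP / FN / TN."""
    sources = {e["ip"] for e in events}
    return {
        "true_positive": alerted & attackers,
        "false_positive": alerted - attackers,
        "false_negative": attackers - alerted,
        "true_negative": sources - alerted - attackers,
    }


def evaluate(threshold=10):
    """Run the rule at a given threshold and return the four buckets."""
    events = parse_log(SAMPLE_LOG)
    return confusion(events, brute_force_alerts(events, threshold), ATTACKER_IPS)


if __name__ == "__main__":
    for thr in (10, 9):
        print(f"threshold={thr}: {evaluate(thr)}")
```

At a threshold of ten, the 12-attempt attacker is a true positive, the 9-attempt attacker is the false negative from the text, alice's ten typos are a false positive, and bob is a true negative. Lowering the threshold to nine closes the false negative in this data set, but the rule still cannot separate alice from the attackers on its own signal; that is exactly why the remaining choice is between a scoped exception and living with the noise, as the next paragraph describes.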

Typically, once you have identified the issue or rule causing these false positives, the best approach is to change the application code that is generating requests that look like attacks, but that may take considerable time and effort. The quick fix is to create an exception to the rule, but this exposes you to potential attacks and is a manual effort that takes time away from more important tasks.

WafCharm was created to deal with false positives, building on the history of CSC's Managed Rule product. If you are using managed rules and you see a rule producing a false positive, all you can do is turn that rule off, which opens you up to potential vulnerabilities and, if you are using an external firewall, will cost you to fix. WafCharm, by contrast, brings transparency and customization to deal with false positives effectively and efficiently. When WafCharm is installed in your environment, you can easily customize and build in your allowed vs. not-allowed traffic, giving you confidence in managing false positives inside your AWS WAF environment. One of the earliest adopters of WafCharm was a managed-rule customer that was spending roughly 30 hours a month dealing with false positives. Once WafCharm was installed in their production environment, that time was cut to nearly zero.

And as a quick summary, WafCharm is an enterprise-class solution complete with an industry-leading OWASP Top 10 ruleset and a full emphasis on Layer 7 protection and fortification. WafCharm curates and updates AWS WAF rules to respond quickly and effectively to new vulnerabilities; the rules are fully customizable, continuously monitored, and automatically updated to keep your environment secure and compliant. WafCharm lives inside the end user's AWS environment and provides resource-based protection, compared to other vendors in the space that provide domain-based or proxy security. If you are leveraging AWS WAF, then WafCharm can automate, simplify, and fortify your environment.

As cyber attacks grow by the day and managing the threat landscape becomes ever more challenging, why not let WafCharm handle the simple tasks for you? If you are interested in learning more or would like to set up some time to connect, reach out to Tyler Wendland to find out more.