With the threat landscape constantly evolving and volatile as ever, businesses need a solution that can keep up with known threats.
Threat intelligence feeds can consist of data from open source collectors, from commercial threat feed companies, and from security providers’ own anonymized customer networks. Threat feed data is potentially very important because it is collected cross-sectionally from multiple companies and markets, which provides a relatively current and comprehensive snapshot of active threats that can improve security postures.
Oracle Cloud Infrastructure exposes threat feed data to all Oracle Dyn Web Application Security customers as part of our base offering. It offers customers a unique solution that is easy to use, has both blocking and alerting capabilities, and is chock full of freshly categorized threat IP data.
Defining, identifying and monitoring threats is no easy task. It consumes a great deal of a security team’s time, often requires a level of expertise that is in high demand and short supply, and is frequently managed inefficiently because teams cannot devote adequate attention or resources to it. We make it easier by supplying customers on-demand access to a diverse catalog of managed threat data, instead of customers having to store, maintain and manage their own archives of intelligence.
Feeds are managed and easily accessible through the Access Control console of the platform and can also be accessed via API. The feeds can be easily toggled into on/off mode and can either be set to block or log/alert threat data. Customers can navigate to the console’s Logs tab to drill down into the details of the associated threat. This information can be used to investigate incidents, gain insights that help characterize malicious behavior, help guide web application firewall rule configuration, assist in growing access control lists (blacklist and whitelist) and ultimately strengthen security postures.
Freshly Categorized Threat Data
Oracle provides customers with a variety of threat intelligence feeds that protect web applications against known malicious actors. With feeds broken out into different threat categories, customers gain granular controls to manage and visualize the threats targeting their online businesses. These threat feeds are categorized, managed, and derived from both open source and commercial feeds, such as blocklist.de, abuse.ch, BruteForceBlocker Project, Webroot, and more. In order to maintain the highest quality intel, these feeds are updated in real-time, with some feeds receiving upward of 500,000 updates per day.
All Oracle Dyn Web Application Security customers gain full access to over 20 different categorized feeds. The feeds are segmented out by varying abuse techniques of known malicious IPs associated with:
- command and control servers
- tor nodes
- brute force
- SSL abuse
- unauthorized scanning
- malicious mobile IPs
- and more.
The level of granularity in these feeds provides customers with an added level of control and visualization into how threats are targeting business operations and putting customer and company data at risk.
Insight from Alerting
For customers that are not prepared to set feeds in block mode, but want to better understand a threat’s techniques and the IPs targeting their web app, Oracle provides the ability to set feeds in logging mode. By enabling log only mode, customers will be alerted when a malicious request matches a threat intelligence feed. This lets customers drill into the malicious threat data, gain valuable insights, and then, after proper evaluation, shift only select feeds into block mode.
This segmentation, combined with the ability to drill into logs, lets customers build tighter security postures tailored to their particular web applications. The Oracle Dyn Web Application Security platform is therefore uniquely suited to learning about threats: turn on alert mode and analyze the unusually detailed logs to understand known threats and capture previously unknown anomalous traffic.
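As an added illustration of the per-feed log/block workflow described above (a constructed example, not Oracle’s code, data or API; the feed names, IP ranges and request sources are made up), the block below matches request source IPs against categorized feeds, honors each feed’s mode, and produces the per-category summary a team would review before promoting a feed from log to block:

```python
from ipaddress import ip_address, ip_network
from collections import Counter

# Constructed sample feeds (documentation IP ranges), each with its own mode:
# "off" ignores the feed, "log" alerts only, "block" denies the request.
FEEDS = {
    "command_and_control":   {"mode": "block", "nets": ["198.51.100.0/24"]},
    "tor_nodes":             {"mode": "log",   "nets": ["203.0.113.0/25"]},
    "brute_force":           {"mode": "log",   "nets": ["192.0.2.10/32", "192.0.2.11/32"]},
    "unauthorized_scanning": {"mode": "off",   "nets": ["203.0.113.200/32"]},
}

# Constructed request sources (hypothetical traffic, not real log data).
SAMPLE_REQUESTS = ["198.51.100.7", "203.0.113.5", "192.0.2.10",
                   "203.0.113.200", "192.0.2.10", "10.0.0.8"]

def compile_feeds(feeds):
    """Parse CIDR strings once so per-request matching is cheap."""
    return {name: {"mode": f["mode"], "nets": [ip_network(n) for n in f["nets"]]}
            for name, f in feeds.items()}

def set_mode(compiled, name, mode):
    """Toggle one feed between off / log / block without touching the others."""
    assert mode in ("off", "log", "block")
    compiled[name]["mode"] = mode

def evaluate(src_ip, compiled):
    """Return (action, matched_categories). Feeds in 'off' mode are skipped
    entirely; a single matching 'block' feed wins over any 'log' matches."""
    ip = ip_address(src_ip)
    matched = [name for name, f in compiled.items()
               if f["mode"] != "off" and any(ip in n for n in f["nets"])]
    if any(compiled[m]["mode"] == "block" for m in matched):
        return "block", matched
    return ("log" if matched else "allow"), matched

def summarize(requests, compiled):
    """Per-category hit counts and distinct source IPs: the log-mode view used
    to decide which feeds are safe to promote to block."""
    decisions, hits, ips = [], Counter(), {}
    for src in requests:
        action, matched = evaluate(src, compiled)
        decisions.append((src, action, matched))
        for m in matched:
            hits[m] += 1
            ips.setdefault(m, set()).add(src)
    return decisions, hits, {k: sorted(v) for k, v in ips.items()}
```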
How Are We Different?
Although other web security vendors offer a variety of threat feeds, there is often little to no customizability. Most web application security solutions have very elementary threat feed capabilities that promote an all-or-nothing action, meaning that the vendor will supply you with one massive feed that you can either turn on to block all IPs supplied in the feed or off to provide no blocking.
Unlike Oracle’s offering, not all cloud web application security vendors include the ability to alert on threats as standard, nor do they segment feeds into distinct malicious threat categories. In combination, this can lead to usability problems and increased false positives, and organizations may have to expend more resources and money to filter and manage outsourced threat data.
Another implementation of threat intelligence feeds for web applications is via a web hook. A web hook, although helpful, only provides a passageway to ingest feeds. It does not provide any of the data and analytics on the data itself. A threat feed via web hook still requires the user to configure, maintain, and manage the feed, and if the customer is looking to ingest commercial feeds, this will come at an additional cost.
Managed open source and commercial feeds come included with the Oracle Dyn Web Application Security product. The threat feed is broken out and categorized by different malicious attack techniques, and the product provides customers the ability to easily toggle selected threat feeds into alert/log or block mode. Providing this flexibility, granularity, and robust threat intelligence data allows customers to control, visualize, and act on threats without ever having to manage or maintain the threat IP data itself.
Oracle’s portfolio of managed services can take advantage of this threat intelligence feed data and categorization, as well as the blocking and alert modes, to help tune a customer’s configuration to exacting specifications during onboarding and ongoing operations.