
How to Ensure WAF Coverage Using CyCognito

By Aviel Tzarfaty
Product Manager
September 29, 2023

Web Application Firewalls (WAFs) are the most common protection for web applications. WAFs protect web applications by filtering and monitoring HTTP traffic between the application and the internet. However, WAFs need to be deployed and configured to protect web applications specifically. If they are not, this leaves open a potential route for an attacker.

Gaps in WAF protection are a substantial risk to organizations. According to research by Verizon, web application attacks are involved in 26% of all breaches, making them the second most common attack pattern. CyCognito’s semi-annual State of Exposure Management report reveals the average number of web applications in a large organization is a surprising 12,000. Given the severity of web attacks and the prevalence of web applications, CyCognito recently introduced a feature that discovers if web applications are protected by a WAF, and if so, which one. This post will explain how the feature works and how an organization can use it to prioritize and remediate exposed web applications.

How WAF Detection Works and What WAFs Are Covered

The CyCognito platform can identify over 150 WAFs, including popular ones like Akamai, AWS CloudFront, Azure Front Door, Cloudflare, Fastly, Fortinet, and Imperva. Since CyCognito understands the entire attack surface of an organization, all web applications are probed for WAF protection. Figure 1 below shows all the web applications for Acme Corporation.

Figure 1: Web applications for Acme Corporation shown in CyCognito

CyCognito detects the presence of a WAF and the type of WAF by sending several HTTP requests to each web application. By analyzing the response from the web application, the CyCognito platform identifies patterns that match known WAFs, such as specific HTTP headers, cookies or HTML content.

If the above is not enough to identify that a WAF is present, or which WAF is present, a series of potentially malicious requests will be sent to the tested target to attempt to identify the WAF from the error messages and behavior of blocked requests. Cloudflare, for example, has a very indicative error message and is easily identifiable by its “Sorry, you have been blocked” message.
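The passive matching step described above can be sketched as follows. This is an added example, not CyCognito's code or rule set: it classifies already-captured responses and sends no traffic. The block-page string comes from this post; the header and cookie markers are assumed, commonly observed values, and the hosts and responses are constructed.

```python
import re

# Illustrative signatures only (assumed, publicly observable markers).
# A real rule set, such as the 150+ WAFs mentioned in the post, is far larger.
SIGNATURES = {
    "Cloudflare": {"headers": {"server": r"^cloudflare$", "cf-ray": r".+"},
                   "cookies": [r"^__cf_bm$"],
                   "body": [r"Sorry, you have been blocked"]},
    "AWS CloudFront": {"headers": {"x-amz-cf-id": r".+", "via": r"\(CloudFront\)"},
                       "cookies": [], "body": []},
    "Imperva": {"headers": {"x-iinfo": r".+"},
                "cookies": [r"^visid_incap_", r"^incap_ses_"], "body": []},
}

# Constructed sample responses for hypothetical hosts; all values are made up.
SAMPLES = {
    "shop.example.com": {"headers": [("Server", "cloudflare"), ("CF-RAY", "0000000000000000-FRA")],
                         "body": "<h1>Sorry, you have been blocked</h1>"},
    "cdn.example.com": {"headers": [("Via", "1.1 abc.cloudfront.net (CloudFront)"),
                                    ("X-Amz-Cf-Id", "constructed-id")], "body": ""},
    "portal.example.com": {"headers": [("Set-Cookie", "visid_incap_000000=abc; path=/")], "body": ""},
    "legacy.example.com": {"headers": [("Server", "nginx")], "body": "<h1>It works</h1>"},
}

def identify_waf(response):
    """Return (waf_name, evidence) for the signature with the most matches, else (None, [])."""
    headers, body = response["headers"], response.get("body", "")
    # Cookie names are the part of each Set-Cookie value before the first "=".
    cookies = [v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"]
    best = (None, [])
    for waf, sig in SIGNATURES.items():
        evidence = []
        for name, value in headers:
            pattern = sig["headers"].get(name.lower())
            if pattern and re.search(pattern, value, re.I):
                evidence.append("header:" + name.lower())
        for pattern in sig["cookies"]:
            evidence += ["cookie:" + c for c in cookies if re.search(pattern, c)]
        if any(re.search(p, body, re.I) for p in sig["body"]):
            evidence.append("body:block-page")
        if len(evidence) > len(best[1]):
            best = (waf, evidence)
    return best

def unprotected(samples):
    """Hosts where no signature matched: candidates for a WAF coverage gap."""
    return sorted(h for h, r in samples.items() if identify_waf(r)[0] is None)
```

Keeping the evidence list alongside the verdict lets an analyst see why a host was attributed to a given WAF before acting on the result.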

Taking Advantage of WAF Detection

Users can see both the overall WAF coverage and individual application details in the CyCognito console. There are three main use cases:

  1. Understanding general WAF adoption – as shown in Figure 2 (below), users can see the total number of web applications that are protected or not protected by a WAF. These can be filtered by risk to give a more meaningful picture of the risk to an organization.

Figure 2: Dashboard report shows that 4225 web applications are not protected by a WAF

  2. Understanding specific WAF adoption – Security teams can ascertain which WAFs are in use in their organization. This gives them a better understanding of their security controls. For example, they may find one or more WAFs that are not monitored by the security team and may not be compliant with current security policies or regulatory requirements.
  3. If several different WAFs are in use, it presents an opportunity for consolidation. This may have cost benefits as well as security benefits, as consolidation may simplify the job of the security team.

Figure 3: Filtering to show assets protected by AWS CloudFront

The functionality is also available via the CyCognito API, allowing integrations with SIEM, SOAR, ITSM, CMDB, and other types of IT and security products. A common action would be to open a ticket in Jira or ServiceNow and assign it to a security team member for investigation.

The feature is currently available to all CyCognito customers. Simply navigate to the Asset List section (shown above in Figure 3) and you’ll be able to filter web applications according to which WAF was found to be protecting them. If you are not a CyCognito customer and are interested in a demo, please contact us.

