Review for security beginners

Information security systems are a set of technologies that protect information from hacking, cyber attacks, and other leakage threats. They help maintain the confidentiality of personal data, transaction details, medical information, corporate information, network infrastructure parameters, and other important data.

We have prepared an overview of the five main information security systems for specialists who plan to start a career in the security field. We will walk through the main components and their operating principles in simple terms.

Daniil Kozin, senior information security specialist at UBT-Uralvagonzavod, helped to compile the review.

Web Application Firewall (WAF)

WAF is a traffic filtering tool that operates at the application layer. It inspects data transmitted via HTTP and HTTPS, and analyzes XML and SOAP content to track and block potential threats.

A WAF is usually installed in front of a web application and acts as a shield between it and the Internet. While a regular proxy protects user data, a WAF can be considered a “reverse proxy”: it protects the server by checking everyone who tries to access it.

How the Web Application Firewall System Works. Source

What threats does WAF protect against?

WAF is activated in response to various threats that are directed against the web server. Here are some standard triggers:

  • SQL Injection — an attacker inserts malicious SQL code into database queries in an attempt to gain unauthorized access or manipulate data.

  • Remote Code Execution (RCE) — a hacker tries to execute arbitrary code on a server or other vulnerable system. For example, launch malware, change or delete data, gain control over the system, etc.

  • Cross Site Scripting (XSS) — the attacker embeds malicious scripts into web pages visible to other users. These scripts can steal cookies, phish for data, or redirect the user to malicious sites.

  • Cross Site Request Forgery (CSRF) — a type of attack that causes a user's browser to perform unwanted actions on a website to which they are authenticated. This occurs when a user is already logged in (for example, to their bank account) and simultaneously visits another site that contains malicious code or a link.

  • Remote File Inclusion (RFI, inclusion of a file from a remote server) and Local File Inclusion (LFI, inclusion of a local file) — attacks in which hackers insert the path to a malicious file into scripts on the server. RFI pulls the file from an external server, LFI uses a file already present on the web application server.

  • Auth Bypass — exploiting resource vulnerabilities that can be used to bypass authentication or authorization processes.

  • Insecure Direct Object Reference (IDOR) — a threat in which an attacker gains direct access to files or other system resources by exploiting weaknesses in access controls.

  • Brute force (password guessing) — multiple login attempts with different combinations of logins and passwords to gain access to an account.

  • IP spoofing — a hacker forges the IP address of data packets so that they appear to be sent from a trusted source, then tries to bypass filters and gain access to resources.

  • DoS/DDoS (Denial of Service / Distributed Denial of Service) — overloading the server with excess traffic in order to make the resource unavailable to users.

What protection methods does WAF use?

One of the key tools of a WAF is signatures. These are specific character sequences that the firewall looks for in incoming requests. If a signature is found, the request is blocked. The more accurate and detailed these signatures are, the better the WAF copes with its task.

But there is a caveat: the signature database is not always updated immediately, and this may result in some new types of attacks not being recognized. Attackers can also slightly modify requests so that they do not match known signatures and pass through the defense.

In addition to signatures, a WAF uses rules which analyze the behavior of requests. They help detect attacks for which signatures do not yet exist.

Creating rules is a complex and time-consuming process, so machine learning is often used for this task. The system learns from the traffic it analyzes; in addition, ML methods help reduce the number of erroneous blockings and identify new types of attacks.

How WAF Works – An Example

The online store website contains a form where customers enter their personal and credit card information to complete a purchase.

Let's say a hacker tries to use an order form to submit specially crafted input that could change the store's database SQL queries. For example, he inserts code into the input field that could list users or even delete database tables.

The WAF detects the SQL injection attempt by comparing the input against its database of known attack signatures and blocks the request before it reaches the server.
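The following toy filter is an added example, not code from the article or from any WAF vendor. It illustrates the three points made above: literal signature matching, the caveat that a slightly modified request slips past a signature, and how behavioral rules together with input normalization (URL decoding, case folding, comment stripping) close that gap for the order-form scenario. The signature list, the rules and the sample form submissions are constructed for the example.

```python
import re
import urllib.parse

# Constructed signature list: literal character sequences the WAF looks for in requests.
SIGNATURES = ["' or 1=1", "union select", "drop table", "<script>"]

# Constructed rules: patterns describing the *shape* of an attack rather than one literal
# string, so they also catch variants for which no signature exists yet.
RULES = {
    "sql-tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?"),
    "html-script-tag": re.compile(r"<\s*script\b"),
}


def normalize(value: str) -> str:
    """Canonicalize a parameter value before matching: repeated URL-decoding,
    lower-casing, inline SQL comments removed, whitespace collapsed."""
    previous = None
    while previous != value:                   # decode until stable (handles double encoding)
        previous = value
        value = urllib.parse.unquote_plus(value)
    value = value.lower()
    value = re.sub(r"/\*.*?\*/", " ", value)   # /**/ is a classic whitespace substitute in SQL
    return re.sub(r"\s+", " ", value).strip()


def signature_match(value: str):
    for sig in SIGNATURES:
        if sig in value:
            return sig
    return None


def rule_match(value: str):
    for name, pattern in RULES.items():
        if pattern.search(value):
            return name
    return None


def inspect(params: dict, normalize_input: bool = True):
    """Inspect the parameters of one request.

    Returns ("block", reason) or ("allow", None). With normalize_input=False the values
    are matched almost as received, which shows how small modifications slip past a
    purely literal signature check."""
    for name, raw in params.items():
        value = normalize(raw) if normalize_input else raw.lower()
        sig = signature_match(value)
        if sig:
            return "block", f"signature:{sig} in {name}"
        rule = rule_match(value)
        if rule:
            return "block", f"rule:{rule} in {name}"
    return "allow", None


if __name__ == "__main__":
    # Constructed order-form submissions.
    for form in (
        {"name": "Anna", "qty": "2"},
        {"name": "x' OR 1=1 --"},          # textbook payload: caught by a signature
        {"name": "x'/**/OR/**/2=2"},       # comment-obfuscated variant: caught only by a rule
        {"name": "%2527%20OR%201%3D1"},    # double URL-encoded: caught only after decoding
    ):
        print(form, "->", inspect(form), "| without normalization:", inspect(form, normalize_input=False))
```

Running the block shows the second form blocked in both modes, while the third and fourth are allowed by the raw signature check and blocked only once rules and normalization are applied, which is exactly the maintenance burden the text describes: real WAFs ship large normalization pipelines and rule sets because signatures alone are easy to sidestep.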

Popular WAF systems

  • AWS WAF — protects web applications hosted on Amazon Web Services. It integrates with the AWS CloudFront content delivery network and Application Load Balancer load balancing service, offering powerful tools for creating and managing security rules. AWS WAF is used by companies such as Airbnb and Autodesk.

  • Akamai Kona Site Defender — protects against DDoS attacks, SQL injections, and XSS. Easily scales to secure large websites and applications. Clients include companies like NBC Sports and NASDAQ.

  • Cloudflare WAF — integrates with Cloudflare’s global network to deliver high performance and protection against network and application-level attacks. Clients include Discord and Udacity.

  • F5 Advanced WAF — bot protection, API protection, and data leak prevention. Uses behavioral analysis and machine learning. Clients include LinkedIn and Comcast.

Next-Generation Firewall (NGFW)

A firewall is a device or program that controls incoming and outgoing network traffic based on specified security rules. It is the first line of defense on a network, helping to prevent unauthorized access and protect data.

NGFW or Next Generation Firewall differs from conventional firewalls in its advanced features. In addition to standard filtering, NGFW deeply analyzes traffic and can recognize and block complex attacks at the application level.

The NGFW system is located in front of the Internet connection.

Main functions of NGFW

  1. Deep Packet Inspection (DPI). NGFW analyzes every network packet in detail, including headers and content. This helps detect and block malicious data at all layers of the network stack.

  2. Application control. The system controls which applications are used on the network and manages their Internet traffic. This helps to avoid risks associated with unsafe or prohibited applications and improves data protection.

  3. Integration with intrusion prevention systems (IPS). NGFW includes IPS features that inspect network traffic for suspicious or unusual activity. If the system detects a possible attack, it immediately takes action by blocking or redirecting traffic to investigate and prevent the threat.

  4. URL and content filtering. The system blocks access to unsafe websites. This prevents malware downloads and protects users from phishing attacks.

  5. Sandboxing. NGFW can use sandbox technology to analyze suspicious files and programs in a safe environment. With this feature, the system blocks unknown threats before they spread across the network.

  6. Antivirus protection. The system includes antivirus and antispam functions. This creates an additional level of protection against malware and spam.

  7. Managing security policies. NGFW provides tools for centralized security management. Administrators can configure and control access, filtering, and protection rules for all devices on the network.

How NGFW Works – An Example

Let's imagine that an employee of a company decides to use a third-party application X to share files. He installs the application on his work computer and tries to connect to its server to download and send a large file to a client.

NGFW determines that application X is not on the list of approved programs set up by the IT department, so it blocks the connection between the employee's computer and the X server, preventing data transfer.

The employee receives a message that access to the application has been blocked for security reasons. At the same time as the connection is blocked, the NGFW sends a notification to the IT security administrator.
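As an added example (not code from the article or from any firewall vendor), the following Python sketch models the decision path in the "application X" scenario: a simplified deep packet inspection step that identifies the application from the first bytes of a connection rather than from the port, an application allowlist standing in for the list set up by the IT department, URL/host filtering, and the notification sent to the security administrator when a connection is blocked. The application banner `XSHARE/`, the host categories and the sample connections are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy, standing in for the "list of approved programs set up by the IT department".
APPROVED_APPS = {"ssh", "tls", "http"}
# Constructed host categories for the URL-filtering function.
HOST_CATEGORIES = {"bad-download.example.net": "malware", "login-verify.example.org": "phishing"}
BLOCKED_CATEGORIES = {"malware", "phishing"}


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    payload: bytes          # first bytes the client sent, as a DPI engine would see them


@dataclass
class Verdict:
    action: str             # "allow" or "block"
    app: str
    host: Optional[str]
    reason: str
    alert: bool = False     # True when the security administrator should be notified


def parse_http_host(payload: bytes) -> Optional[str]:
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def identify_app(payload: bytes):
    """Deep packet inspection, simplified: classify by content, not by destination port."""
    if payload.startswith(b"SSH-"):
        return "ssh", None
    if re.match(rb"(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "http", parse_http_host(payload)
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:   # TLS record header
        return "tls", None
    if payload.startswith(b"XSHARE/"):      # constructed banner of the unapproved file-sharing app X
        return "filesharing-x", None
    return "unknown", None


def evaluate(conn: Connection) -> Verdict:
    app, host = identify_app(conn.payload)
    if app not in APPROVED_APPS:             # application control: default deny for anything unlisted
        return Verdict("block", app, host, f"application '{app}' is not on the approved list", alert=True)
    category = HOST_CATEGORIES.get(host) if host else None
    if category in BLOCKED_CATEGORIES:       # URL/content filtering
        return Verdict("block", app, host, f"host category '{category}'", alert=True)
    return Verdict("allow", app, host, "matches policy")


def run_policy(conns):
    """Evaluate each connection and collect the notifications an administrator would receive."""
    verdicts = [evaluate(c) for c in conns]
    alerts = [f"{c.src} -> {c.dst}:{c.dport} blocked ({v.reason})"
              for c, v in zip(conns, verdicts) if v.alert]
    return verdicts, alerts


SAMPLE_CONNECTIONS = [  # constructed traffic from the employee's workstation
    Connection("10.0.0.5", "10.0.1.20", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Connection("10.0.0.5", "10.0.1.30", 80, b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    Connection("10.0.0.5", "203.0.113.9", 80, b"GET /setup.exe HTTP/1.1\r\nHost: bad-download.example.net\r\n\r\n"),
    Connection("10.0.0.5", "198.51.100.7", 443, b"XSHARE/1.0 UPLOAD big-file.zip\r\n"),  # app X on port 443
]

if __name__ == "__main__":
    verdicts, alerts = run_policy(SAMPLE_CONNECTIONS)
    for c, v in zip(SAMPLE_CONNECTIONS, verdicts):
        print(c.dport, v.action, v.app, v.host, v.reason)
    print(alerts)
```

The last sample connection is the point of the exercise: a port-based firewall would let application X through on 443 because that port is "web traffic", while content-based identification blocks it and raises the administrator notification described in the text.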

Popular NGFW systems

  • Cisco Firepower NGFW — deep packet inspection, application control, and integration with intrusion prevention systems. Cisco Firepower is used by companies such as British Airways and NASA.

  • Palo Alto Networks Next-Generation Firewall — provides comprehensive protection using DPI, application control and sandboxing. Customers include Salesforce and Adobe.

  • Fortinet FortiGate — highly effective URL filtering, content filtering and IPS integration. FortiGate is used by companies such as Deutsche Bank and IBM.

Identity and Access Management (IAM)

IAM, or identity and access management, is the logic behind organizing application security tools. IAM is a set of processes and technologies that help manage users and control their access to resources within an information system, depending on their role and rights.

Example of roles and groups in the IAM system. Source

What components are included in IAM and what are they responsible for?

1. Identity Management:

  • Create, manage and delete user accounts.

  • Register new users and assign them unique identifiers.

  • Update user information and remove obsolete accounts.

  • Authentication of users by checking their credentials (password, biometrics, etc.).

2. Access Management:

  • Granting or restricting access to resources based on established policies.

  • Authorization, which determines which resources and actions are available to a user depending on his role and rights.

  • Access control, monitoring and auditing of user actions.

3. Single Sign-On (SSO):

  • Single user authentication for access to all authorized systems and applications.

  • Ease of use and security by reducing the number of credentials.

4. Multi-Factor Authentication (MFA):

  • An additional level of security that requires users to provide multiple types of authentication data (e.g. password plus SMS or biometrics).

5. Privileged Access Management (PAM):

  • Control and monitoring of user actions with access rights to important systems and data.

  • Temporary granting of elevated rights and auditing of all actions of such users.

How IAM Works – An Example

Let's assume that the system administrator Ivan has privileged rights. The PAM component monitors all of Ivan's actions because his account has a high level of access.

Ivan tries to access customer information outside of business hours (e.g. late at night). PAM registers this activity as suspicious because accessing this database outside of business hours is not a common practice.

The system sends an automatic notification to the IT administrator and the head of security, informing them of suspicious activity.

PAM temporarily blocks Ivan's access to the database to prevent a possible leak.
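The following is an added example in Python, not code from the article or from any IAM product. It puts the IAM components listed above into one authorization path for the Ivan scenario: role-based authorization (access management), an MFA requirement for privileged sessions, and a PAM check that audits every privileged action and suspends access to sensitive data requested outside business hours while notifying the administrators. The role model, business hours and sample users are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Set

# Constructed role model: a permission is "<resource>:<action>".
ROLE_PERMISSIONS = {
    "support": {"tickets:read", "tickets:write"},
    "dba": {"customers:read", "customers:write", "db:admin"},
}
PRIVILEGED_ROLES = {"dba"}                   # roles placed under PAM monitoring
SENSITIVE_RESOURCES = {"customers"}
BUSINESS_HOURS = (time(8, 0), time(19, 0))   # local time, Monday to Friday


@dataclass
class User:
    name: str
    roles: Set[str]
    mfa_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: List[str] = field(default_factory=list)   # notifications for IT admin / head of security


def is_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def authorize(user: User, action: str, resource: str, when: datetime) -> Decision:
    """Access management + MFA + PAM in a single decision."""
    permission = f"{resource}:{action}"
    # Authorization: does any of the user's roles grant the permission?
    if not any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles):
        return Decision(False, f"no role of {user.name} grants {permission}")
    privileged = bool(user.roles & PRIVILEGED_ROLES)
    if not privileged:
        return Decision(True, "granted")
    # MFA: a privileged session must have presented a second factor.
    if not user.mfa_verified:
        return Decision(False, "privileged session requires MFA")
    # PAM: sensitive data access outside business hours is suspicious; suspend and notify.
    if resource in SENSITIVE_RESOURCES and not is_business_hours(when):
        alert = f"PAM: {user.name} requested {permission} outside business hours at {when.isoformat()}"
        return Decision(False,
                        "privileged access to sensitive data outside business hours; "
                        "access suspended pending review", [alert])
    # PAM: every privileged action is audited even when it is allowed.
    return Decision(True, "granted", [f"PAM audit: {user.name} {permission} at {when.isoformat()}"])


# Constructed sample users and timestamps (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
IVAN = User("ivan", {"dba"}, mfa_verified=True)
OLGA = User("olga", {"support"})
DAYTIME = datetime(2024, 3, 12, 14, 0)
NIGHT = datetime(2024, 3, 12, 2, 30)
WEEKEND = datetime(2024, 3, 16, 14, 0)

if __name__ == "__main__":
    print(authorize(IVAN, "read", "customers", DAYTIME))
    print(authorize(IVAN, "read", "customers", NIGHT))
    print(authorize(OLGA, "read", "customers", DAYTIME))
```

Note that the off-hours rule only applies to privileged roles touching sensitive resources: Olga reading tickets at night is simply granted, which keeps the PAM logic from generating noise for ordinary users.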

Popular IAM systems

  • Okta — a cloud-based IAM platform that includes SSO, MFA, and account lifecycle management. It is used by Adobe, LinkedIn, and Teach for America to provide secure and easy access to their systems.

  • Microsoft Azure Active Directory (Azure AD) — is Microsoft's cloud-based identity and access management service. It provides SSO, MFA, and access control for cloud and on-premises applications. Azure AD is used by companies such as British Airways, Honeywell, and Land O'Lakes.

  • Ping Identity — provides identity and access management solutions, including SSO, MFA, and API management. Used by Boeing, Cisco, and Walgreens.

Security Information and Event Management (SIEM)

SIEM is a system designed to collect, analyze and log (that is, record) security incidents from various sources in real time.

Unlike firewalls and WAFs, which focus on filtering traffic and protecting against attacks based on rules and signatures, SIEM does not block attacks directly. The system integrates data from multiple sources and uses analytics to detect different types of threats, send alerts, and help conduct investigations.

SIEM is also the primary tool of a SOC (Security Operations Center), a dedicated unit that constantly monitors, analyzes and responds to information security incidents.

Basic SIEM functions

  1. Data collection. SIEM systems collect logs and events from various sources, such as network devices, servers, databases, applications, and security systems. This information includes user actions, system changes, network traffic, and other significant events.

  2. Data normalization. The system brings data to a unified format. Data normalization facilitates comparison of events from different sources and improves the accuracy of analysis.

  3. Monitoring and Alerts. SIEM continuously monitors the infrastructure in real time and sends alerts about every incident.

  4. Incident Analysis and Investigation. Provides tools for detailed study and investigation of security incidents.

  5. Reporting and Compliance. SIEM generates reports that help administrators review information about identified threats and incidents and take measures to prevent them.

  6. Automation and orchestration. Systems can automate certain incident response processes, such as blocking malicious traffic, notifying responsible parties, and running scripts to eliminate threats. This helps speed up response times and reduce the workload on the security team.

SIEM Architecture. Source

How SIEM Works – An Example

Let's imagine that a company is being subjected to a phishing attack – criminals send emails posing as trusted senders in order to steal confidential data.

SIEM identifies unusual email activity, such as mass email sending from a single account or access to the mail server from unusual geographic locations.

The SIEM then automatically notifies the security team and can take steps to mitigate risks, such as blocking IP addresses or temporarily restricting access to accounts.

After responding to an incident, SIEM helps analyze how the attack was carried out and provides reports to improve future protection.
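As an added example (not code from the article or from any SIEM product), the Python block below runs the phishing scenario through the first pieces of the SIEM pipeline described above: raw lines from two sources are normalized into one event format, and two correlation rules then detect the "mass email sending from a single account" and "access from unusual geographic locations" patterns and produce alerts. The log formats, the thresholds and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:                       # the unified format every source is normalized into
    ts: datetime
    source: str
    user: str
    action: str
    attrs: Dict[str, str]


# Constructed log formats of two sources: a mail relay and a webmail front end.
MAIL_RX = re.compile(r"^(?P<ts>\S+) mta postfix/smtpd: user=(?P<user>\S+) action=send to=(?P<to>\S+)$")
WEB_RX = re.compile(r'^(?P<ts>\S+) webmail login user="(?P<user>[^"]+)" ip=(?P<ip>\S+) '
                    r'country=(?P<cc>\w+) result=(?P<result>\w+)$')


def normalize(line: str) -> Optional[Event]:
    """Data normalization: map a raw line from either source onto Event, or None if unparsed."""
    m = MAIL_RX.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "mail", m["user"], "mail_send", {"to": m["to"]})
    m = WEB_RX.match(line)
    if m:
        attrs = {"ip": m["ip"], "country": m["cc"], "result": m["result"]}
        return Event(datetime.fromisoformat(m["ts"]), "webmail", m["user"], "login", attrs)
    return None


def correlate(events: List[Event], send_threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Two correlation rules over normalized events, each firing at most once per user."""
    alerts = []
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)
    minutes = int(window.total_seconds() // 60)
    for user, evs in by_user.items():
        sends = [e for e in evs if e.action == "mail_send"]
        for i, first in enumerate(sends):                  # sliding window over send events
            count = sum(1 for e in sends[i:] if e.ts - first.ts <= window)
            if count >= send_threshold:
                alerts.append(("mass-mailing", user, f"{count} messages within {minutes} min"))
                break
        logins = [e for e in evs if e.action == "login" and e.attrs["result"] == "ok"]
        for i, first in enumerate(logins):                 # same account, several countries, short window
            countries = {e.attrs["country"] for e in logins[i:] if e.ts - first.ts <= window}
            if len(countries) > 1:
                alerts.append(("multi-country-login", user,
                               "successful logins from " + ",".join(sorted(countries))))
                break
    return alerts


def analyze(lines: List[str]):
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return events, correlate(events)


SAMPLE_LOG = [  # constructed: alice's account is used for a phishing run after a login from a second country
    '2024-03-12T08:01:00 webmail login user="alice" ip=192.0.2.10 country=DE result=ok',
    '2024-03-12T08:03:00 webmail login user="alice" ip=203.0.113.77 country=BR result=ok',
    '2024-03-12T08:04:10 webmail login user="carol" ip=198.51.100.3 country=DE result=fail',
    "2024-03-12T08:04:30 mta postfix/smtpd: user=bob action=send to=partner@example.org",
] + [
    f"2024-03-12T08:05:{s:02d} mta postfix/smtpd: user=alice action=send to=victim{s}@example.net"
    for s in (5, 12, 20, 33, 41, 58)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[1]:
        print(alert)
```

The normalization step is what makes the second rule possible at all: the country attribute comes only from the webmail source, the send volume only from the mail relay, and the correlation engine sees both as events keyed by the same user.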

Popular SIEM systems

  • Splunk — a powerful big data platform that offers SIEM features. Splunk is used by companies such as Coca-Cola, Comcast, and McLaren to monitor and analyze security events.

  • IBM QRadar — a popular solution that includes threat detection and analysis tools. QRadar is used by Cisco, ExxonMobil, and Fidelity Investments.

  • ArcSight (Micro Focus) — a SIEM system that helps organizations collect, analyze, and correlate security data. Customers include Verizon, Capital One, and Oracle.

  • LogRhythm — a SIEM solution that supports monitoring, analysis, and response to security incidents. Used by organizations such as NASA, Baylor University, and Cargill.

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is a system that prevents leakage and theft of confidential information. With DLP, companies can monitor and control data to prevent it from being misused or transferred.

In addition, the system also helps organizations comply with regulatory requirements and security standards such as GDPR, HIPAA, PCI-DSS and others.

Organization of the DLP process. Source

Main DLP functions

  1. Data discovery. DLP scans and analyzes all data in a company to determine which of it is sensitive. For example, this could be financial information, medical records, intellectual property, or personal data of customers and employees.

  2. Data monitoring. The system constantly monitors how data moves within the company network and in cloud storage, and how it is used on computers and other devices. This helps to notice suspicious activity, for example, when someone tries to copy information to an external drive or send it through unprotected channels.

  3. Access control. DLP controls access to sensitive data based on security policies. For example, it restricts access for certain users or groups.

  4. Preventing leaks. If the system detects an attempt to misuse data, such as sending it by email or copying it to a USB drive, it can automatically block or restrict these actions.

  5. Analysis and reporting. DLP supports tools for detailed analysis of all security incidents and creates reports that help understand why a data leak occurred and how to avoid it in the future.

  6. Notifications and alerts. When suspicious actions or attempts at unauthorized access to data are detected, the DLP system sends alerts to responsible persons in real time.
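The block below is an added example in Python, not code from the article or from any DLP product. It walks through the DLP functions just listed on a piece of outgoing content: discovery of sensitive elements (card numbers validated with the Luhn checksum so that order numbers are not mistaken for cards, plus e-mail addresses), a per-channel policy that decides whether to allow, alert or block, and the notification raised for the responsible persons. The policy table, the data classes and the sample message are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed policy: the action to take per transfer channel and data class.
POLICY = {
    "email_external": {"pci": "block", "pii": "alert"},
    "usb": {"pci": "block", "pii": "block"},
    "internal_share": {"pci": "alert", "pii": "allow"},
}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

PAN_CANDIDATE_RX = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
EMAIL_RX = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (order numbers, IDs) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def discover(text: str) -> Dict[str, List[str]]:
    """Data discovery: find sensitive elements in a piece of content, grouped by data class."""
    pans = []
    for m in PAN_CANDIDATE_RX.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(mask_pan(digits))          # findings never carry the full number
    return {"pci": pans, "pii": EMAIL_RX.findall(text)}


def decide(channel: str, text: str):
    """Monitoring + leak prevention: apply the most severe action any detected data class requires.

    Returns (action, labels, notification); notification is None when nothing needs attention."""
    findings = discover(text)
    labels = [label for label, hits in findings.items() if hits]
    action = "allow"
    for label in labels:
        candidate = POLICY[channel].get(label, "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    notification = None
    if action != "allow":
        notification = f"DLP {action}: {channel} transfer contains {', '.join(labels)}; findings={findings}"
    return action, labels, notification


# Constructed outgoing message: one real-looking card number, one order number, one e-mail address.
SAMPLE_TEXT = ("Hi, please charge card 4111 1111 1111 1111 for order 1234567812345678 "
               "and send the receipt to anna.k@example.com")

if __name__ == "__main__":
    print(discover(SAMPLE_TEXT))
    for channel in POLICY:
        print(channel, decide(channel, SAMPLE_TEXT))
```

The order number 1234567812345678 passes the digit-count check but fails Luhn, so it is not reported; without such validation a DLP system floods the security team with false positives on invoices and tracking numbers, which is why real products combine pattern matching with validators and context.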

Popular DLP systems

  • Symantec Data Loss Prevention — a comprehensive solution for protecting sensitive data, including monitoring, access control, and leak prevention. Symantec DLP is used by companies such as Coca-Cola, General Electric, and T-Mobile.

  • Forcepoint Data Loss Prevention — tools for protecting data on endpoints, in the network, and in the cloud. Forcepoint DLP is used by organizations such as Sony, HSBC, and Deutsche Bank.

  • McAfee Total Protection for Data Loss Prevention — ensures the protection of sensitive data through monitoring, access control and leak prevention. McAfee DLP is used by companies such as Pfizer, Dell and Bank of America.

  • Digital Guardian Data Loss Prevention — comprehensive solutions for protecting data on endpoints and in the cloud. Digital Guardian DLP is used by organizations such as Boeing, Aetna, and Goldman Sachs.

Summary – comparison of information security systems

| System | WAF | NGFW | IAM | SIEM | DLP |
|---|---|---|---|---|---|
| Main task | Protecting web applications from attacks | Traffic filtering, including by application | Access control and user identification | Monitoring and analyzing security events in real time | Preventing data leaks |
| Key features | Filtering requests to web applications, preventing XSS and SQL injection, blocking malicious requests | Advanced filtering by protocols and applications, IDS/IPS implementation | Authentication, authorization, rights and account management, Single Sign-On | Log collection and analysis, event correlation, incident alerts | Detection and blocking of sensitive data transmission through various channels (email, web, etc.) |
| Application | Web servers and applications | Network infrastructure, to protect traffic | All types of enterprises, for managing access to resources | Companies, to comply with security standards and respond quickly to incidents | Organizations that process sensitive data |
| Main differences | Web application layer security | Wider range of network-level protection | Focuses on managing users and their access | Used to analyze and respond to security events | Specializes in preventing data leaks inside and outside the organization |


You can learn how to work with information security systems in the joint online master's program of NRNU MEPhI and Skillfactory “Information Security”. Students of the program learn from experts from VK, Sber and Kaspersky Lab, complete real work projects, and after graduation can start a career as a pen tester, information security engineer or forensics specialist.
