Mitigation controls and policies required for Exploit Protection (WAF)
The mitigation controls and policies required for Exploit Protection Web Application Firewall (WAF) monitoring are included with the SPC product.
Exploit Protection (WAF)
This category of mitigation controls covers mitigations that a web application firewall (WAF) provides. Security Posture Control detects servers that are running behind a WAF by using the API integration with WAF tools such as F5 BIG-IP and, where needed, network traffic data from ITOM IP-based Discovery.
With the help of Discovery and Service Mapping patterns, the mitigation control imports the Web ACL rules and all associated load balancers to determine which rules are protecting your virtual machines.
Roles required: SPC Admin Group and SPC Analyst Group.
Prerequisites for Exploit Protection (WAF) with F5 BIG-IP
- Verify that you have activated ITOM IP-based Discovery in the environment where the F5 BIG-IP WAF and its associated application servers are set up.
- Verify that the API integration for F5 BIG-IP is activated in the Security Posture Control Workspace.
Prerequisites for Exploit Protection (WAF) with Amazon Web Services (AWS)
- Define the Web ACLs and rules that you want to use in your AWS service account. See Using web ACLs in AWS WAF for more information. Note: You can create your own Web ACL rules; however, you might prefer the AWS managed rules, which are designed specifically to work with Web ACLs. If you create custom rules for your Web ACLs, note that this integration with AWS WAF supports only rule statements that match Contains SQL injection attacks and Contains XSS (cross-site scripting) injection attacks. Load balancers are the assets (resources) supported by this integration.
- Install and activate the Discovery and Service Mapping Patterns [sn_itom_pattern] application in your instance so the names and default actions of the Web ACLs you defined in step 1 can be discovered. For more information, see Install the supported applications for Security Posture Control.
- Verify that the sn_itom_pattern.discover_aws_app_pool_members MID Server system property is set to true. To activate this property, navigate to .
- Verify you have installed and activated the Mitigation Controls Monitoring [sn_sec_mit_ctrl] application. This application includes a pattern extension, Web ACL Rules and Associated Resources. This pattern extension permits you to import the actual Web ACL rules and their associations (relationships) to your resources (assets) into your instance.
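Before you enable the AWS WAF integration, it is worth checking that the Web ACLs you defined only contain rules the integration can import. The following is an added example, not ServiceNow code and not part of the sn_itom_pattern or sn_sec_mit_ctrl patterns: it takes a Web ACL in the shape returned by `aws wafv2 get-web-acl` and classifies each rule as an AWS managed rule group, a custom rule the integration supports (a SQL injection or XSS match statement, alone or combined with AndStatement/OrStatement), or a custom rule it does not support, and it filters the resource ARNs returned by `aws wafv2 list-resources-for-web-acl` down to load balancers. The Web ACL and the resource ARNs below are constructed sample data. How the integration treats negated (NotStatement) or rate-based scope-down statements is not described on this page, so the example counts those as unsupported.

```python
"""Pre-check a WAFv2 Web ACL against the rule types the SPC AWS WAF integration
imports (SQL injection and XSS match statements) and keep only the load
balancers among its associated resources.

Added example, not ServiceNow product code. The document shapes follow the
output of `aws wafv2 get-web-acl` and `aws wafv2 list-resources-for-web-acl`;
the sample Web ACL and ARNs are constructed for illustration.
"""
from __future__ import annotations

# Rule statements the integration supports, per the prerequisites on this page.
SUPPORTED_STATEMENTS = {
    "SqliMatchStatement": "SQL injection",
    "XssMatchStatement": "XSS",
}


def attack_types(statement: dict) -> set[str]:
    """Return the supported attack types found in a rule statement.

    Descends into AndStatement/OrStatement combinations. NotStatement and
    RateBasedStatement scope-down statements are deliberately not descended
    into: the page does not say the integration recognises them (assumption).
    """
    found: set[str] = set()
    for key, value in statement.items():
        if key in SUPPORTED_STATEMENTS:
            found.add(SUPPORTED_STATEMENTS[key])
        elif key in ("AndStatement", "OrStatement"):
            for inner in value.get("Statements", []):
                found |= attack_types(inner)
    return found


def classify_web_acl(web_acl: dict) -> dict:
    """Split a Web ACL's rules into managed, supported-custom and unsupported-custom."""
    # DefaultAction is {"Allow": {}} or {"Block": {}}; the key is the action name.
    default_action = next(iter(web_acl.get("DefaultAction", {})), "Unknown")
    report = {
        "Name": web_acl["Name"],
        "DefaultAction": default_action,
        "managed": [],      # AWS managed rule groups (preferred by the integration)
        "supported": [],    # custom rules with SQLi/XSS match statements
        "unsupported": [],  # custom rules the integration will not import
    }
    for rule in sorted(web_acl.get("Rules", []), key=lambda r: r["Priority"]):
        stmt = rule.get("Statement", {})
        if "ManagedRuleGroupStatement" in stmt:
            group = stmt["ManagedRuleGroupStatement"]
            report["managed"].append(
                f'{rule["Name"]} ({group["VendorName"]}/{group["Name"]})')
            continue
        types = attack_types(stmt)
        if types:
            action = next(iter(rule.get("Action", {})), "Unknown")
            report["supported"].append(
                f'{rule["Name"]}: {", ".join(sorted(types))} -> {action}')
        else:
            report["unsupported"].append(rule["Name"])
    return report


def load_balancer_arns(resource_arns: list[str]) -> list[str]:
    """Keep only load balancer ARNs; other WAF-capable resources (API Gateway
    stages, AppSync APIs, ...) are not assets this integration tracks."""
    return [arn for arn in resource_arns
            if ":elasticloadbalancing:" in arn and ":loadbalancer/" in arn]


# Constructed sample Web ACL (shape of `aws wafv2 get-web-acl` output).
SAMPLE_WEB_ACL = {
    "Name": "spc-demo-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "AWS-SQLi", "Priority": 0, "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}}},
        {"Name": "block-xss-body", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"XssMatchStatement": {
             "FieldToMatch": {"Body": {}},
             "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}}},
        {"Name": "sqli-or-xss-query", "Priority": 2, "Action": {"Block": {}},
         "Statement": {"OrStatement": {"Statements": [
             {"SqliMatchStatement": {
                 "FieldToMatch": {"QueryString": {}},
                 "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
             {"XssMatchStatement": {
                 "FieldToMatch": {"QueryString": {}},
                 "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}]}}},
        # A path-based rule: valid in AWS WAF, but not an attack type this
        # integration imports, so it will not show up as a mitigation.
        {"Name": "block-bad-path", "Priority": 3, "Action": {"Block": {}},
         "Statement": {"ByteMatchStatement": {
             "SearchString": "/admin", "FieldToMatch": {"UriPath": {}},
             "PositionalConstraint": "STARTS_WITH",
             "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
    ],
}

# Constructed sample of `aws wafv2 list-resources-for-web-acl` ResourceArns.
SAMPLE_RESOURCE_ARNS = [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web-tier/50dc6c495c0c9188",
    "arn:aws:apigateway:us-east-1::/restapis/abc123/stages/prod",
]

if __name__ == "__main__":
    report = classify_web_acl(SAMPLE_WEB_ACL)
    print(f'Web ACL {report["Name"]} (default action: {report["DefaultAction"]})')
    for bucket in ("managed", "supported", "unsupported"):
        for line in report[bucket]:
            print(f"  [{bucket}] {line}")
    print("Load balancers covered:", load_balancer_arns(SAMPLE_RESOURCE_ARNS))
```

Run it against the real ACL by replacing SAMPLE_WEB_ACL with the parsed `WebACL` object from `aws wafv2 get-web-acl --scope REGIONAL --name <acl> --id <id>`; any rule that lands in the unsupported bucket protects the resource in AWS but will not appear as a mitigation after discovery.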
Mitigation controls and policies in Exploit Protection (WAF)
- Sources: F5 and ITOM
- MITRE ATT&CK tactic addressed: Initial Access (TA0001)
- MITRE ATT&CK technique addressed: Exploit Public-Facing Application (T1190)
- Policies: No policies are required.