Advanced Bot Protection
Earlier this year, Imperva was named a Leader in The Forrester Wave™: Bot Management, Q2 2022. Advanced Bot Protection (ABP) ranked at the top in the current offering category, based on criteria including the range of supported use cases, bot detection, configuration and management, reporting and more. Our latest feature release focuses on our commitment to continuous innovation in both detecting and mitigating bots, as well as improving ease-of-use and time-to-value for our customers.
Improved bot detection: The latest release of Imperva’s market-leading bot detection makes the solution better than ever, as we have added new synchronous and asynchronous detection capabilities. These will enable you to detect and deter the most sophisticated bots and ensure you stay ahead of bad actors. We gather data through this improved detection process and feed it into our machine learning algorithms, enabling us to better understand bot behavior in real time and provide improved efficacy for our customers. This addition also enables better classification of bots by use case, allowing customers to make informed decisions about how they want to manage automated traffic to their online assets.
Enhanced reporting: We understand that bot management is not just a security concern, but a cross-functional challenge that affects multiple stakeholders across the organization. This is why we have added new reports that support a wider range of use cases and stakeholders. We are also updating existing reports to provide an overall better user experience. Customers can expect faster loading times and better guidance on which configurations are right for their needs. These reporting enhancements will offer customers better insights into their data, helping them make more informed decisions. Our goal here is to provide our customers with more actionable reports that will in turn decrease overall investigation times. The enhancements include a new rate limiting report, improvements to the executive report, CAPTCHA report and more.
Onboarding experience enhancements: As part of our effort to improve ease-of-use and enable a better self-service experience, we have made changes to the onboarding flow of Advanced Bot Protection. In this release, we have added more guidance and recommendations on important steps that customers should take throughout onboarding and initial tool and policy configuration. We believe these changes will enable customers to better serve themselves during the onboarding process, resulting in quicker time to value.
Account Takeover Protection
For this release, we are focusing on additional mitigation options for malicious login attempts, as well as onboarding enhancements and overall quality of life improvements.
New Tarpit mitigation action: For customers who cannot, or prefer not to, use block or CAPTCHA as mitigation options, we are adding Tarpit as an additional mitigation action. If a customer chooses Tarpit as a mitigation action, the connection between the proxy and the client is dropped, which means a response to the login request is never sent. This mitigation action confounds attacks by leaving the bot waiting for as long as possible, thus draining its resources and lowering the number of requests that it is able to make.
Login endpoint separation: Until now, statistics aggregation and mitigation configuration could only be done on a per-site basis. If a customer had more than one login endpoint per website, they had to configure them as one and apply the same mitigation strategy to both. With this release, we are introducing login endpoint separation. This will provide customers with full governance over each individual login endpoint. It brings per-endpoint statistics into the main Account Takeover (ATO) dashboard and provides the ability to set a different mitigation strategy for each endpoint. This will allow customers to configure their mitigation strategy in a more granular way, ensuring that it fits the needs and requirements of each of their specific endpoints. Another benefit is the ability to onboard a new endpoint in monitor mode, allowing customers to analyze the traffic first and then make an informed decision about the best mitigation strategy.
Onboarding flow changes – crucial steps added: We take protecting the privacy of your users very seriously. This is why username fields containing Personally Identifiable Information (PII) are encrypted by default and displayed as an encoded string in the Account Takeover Protection management console. Customers do have the option to configure Account Takeover Protection to display username data in cleartext, but they must first set a PII password. This ensures that usernames can only be accessed by people with the proper privileges. It is important to note that any data generated by Account Takeover before a PII password is set cannot be decrypted, making it unusable for investigations or resetting user passwords. We felt that going through the current onboarding flow, customers could miss this critical step. To reduce the chances of such a scenario, we are making the following change to the onboarding flow: Customers will now be prompted to set a PII password as soon as they complete the onboarding. This should reduce the likelihood of customers losing any useful username data because a PII password was not set early enough.
Client-Side Protection
For this release, we are focusing on adding new capabilities as well as improving upon recently introduced ones.
NEW – Clickjacking protection: Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick users into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. (Source: OWASP)
With this latest feature release, Client-Side Protection will be able to prevent Clickjacking attacks. Customers will now be able to specify exactly which third parties can embed their website in the Content-Security-Policy header set by Client-Side Protection. This will further strengthen our customers’ client-side security posture while enabling better compliance with data-security regulations such as PCI, GDPR, CCPA and others.
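The embedding control described above is enforced by the frame-ancestors directive of the Content-Security-Policy header: the browser compares the origin of every page that tries to frame the site against the allow-list. The following is an added example, not Imperva's code, that mirrors that matching logic so a defender can check what a given policy would permit; the policy strings and hostnames (shop.example, partner.example, trusted.example) are constructed placeholders.

```javascript
// Extract the frame-ancestors source list from a CSP header.
// Returns null when the directive is absent (the page can then be framed by anyone).
function parseFrameAncestors(cspHeader) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
}

// Does one source expression ('self', 'none', *, scheme:, host, *.host, host:port) match the embedder?
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const e = new URL(embedderOrigin);
  const p = new URL(pageOrigin);
  if (source === 'none') return false;
  if (source === 'self') return e.origin === p.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return e.protocol === source; // scheme-source, e.g. "https:"
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the page's own scheme matches, and http may be upgraded to https.
  const schemeOk = scheme
    ? e.protocol === `${scheme}:`
    : e.protocol === p.protocol || (p.protocol === 'http:' && e.protocol === 'https:');
  if (!schemeOk) return false;
  // "*.host" matches subdomains only, never the bare host itself.
  const hostOk = wildcard ? e.hostname.endsWith(`.${host}`) : e.hostname === host;
  if (!hostOk) return false;
  const defaultPort = (proto) => (proto === 'https:' ? '443' : proto === 'http:' ? '80' : '');
  const embedderPort = e.port || defaultPort(e.protocol);
  const sourcePort = port || defaultPort(scheme ? `${scheme}:` : e.protocol);
  return sourcePort === '*' || embedderPort === sourcePort;
}

// Decide whether embedderOrigin may frame a page served from pageOrigin under cspHeader.
function canEmbed(cspHeader, embedderOrigin, pageOrigin) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;          // no directive: framing is unrestricted
  if (sources.includes('none')) return false; // explicit deny
  return sources.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
}

// Constructed sample policies: one with no framing restriction, one that allow-lists two partners.
const PAGE = 'https://shop.example';
const OPEN_POLICY = "default-src 'self'";
const STRICT_POLICY = "default-src 'self'; frame-ancestors 'self' https://partner.example *.trusted.example";
```

Running canEmbed against OPEN_POLICY shows that any origin may frame the page, while STRICT_POLICY admits only the site itself, partner.example on its default port, and subdomains of trusted.example.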
Out-of-the-box blocking of known malicious domains improvements: As part of a previous feature release, we introduced the ability for customers to not only instantly block domains, but to also block known malicious domains out-of-the-box. In this latest feature release, we are extensively expanding the database of known malicious domains that Client-Side Protection recognizes out-of-the-box. This covers malware domains as well as other categories of malicious domains, increasing our confidence in blocking these for our customers. This capability is a result of continuous collaboration with our Threat Research team, which allows us to uncover the most recent threats and ensure that our customers are well protected against them.
Easily submit feature requests: Customers will now be able to easily submit a feature request and provide feedback directly from the Account Takeover Protection and Client-Side Protection dashboards.
Imperva Online Fraud Prevention
Imperva helps organizations prevent online fraud from bot and client-side attacks by providing clear visibility with actionable insights into bot traffic and third-party JavaScript code, adding meaningful context for fraud investigation, all while maintaining a seamless customer experience. Combining a holistic approach, vigilant service, superior technology, and industry expertise, Imperva is your ally in the fight against automated and client-side fraud.
- Advanced Bot Protection protects websites, mobile apps and APIs from automated fraud without affecting your legitimate users.
- Account Takeover Protection proactively blocks account based fraud and allows you to inform consumers before they are victimized.
- Client-Side Protection prevents online fraud from website supply chain attacks like formjacking, digital skimming, and Magecart.