Schedule a Demo
Leave your details and we’ll get in touch to schedule a live demo
Prevents Account Abuse
The Reblaze platform includes ATO protection as a core part of its comprehensive web security software suite. It blocks unauthorized attempts to use or discover credentials, access user accounts, compromise active sessions, and other forms of ATO.
Complete Account Security
Reblaze uses multivariate analysis, identifying threat traffic not only by its source but also by its identity, behavior, and intent. The platform deploys in a dedicated VPC (Virtual Private Cloud) geolocated immediately in front of the protected network, blocking malicious traffic with near-zero latency.
Many Threats, One Security Solution
Modern threat actors use a variety of sophisticated tactics to wage ATO attacks. Reblaze protects against them all: it prevents credential theft, credential discovery, session attacks, and the abuse of valid credentials.
Prevents Credential Theft
Many ATO attacks are intended to steal credential sets from within the targeted network:
System breaches
Allow hackers to exfiltrate
account data
Code and command injection
Allow attackers to discover backend resources for access and exploitation
SQL injection
Allows retrieval of private account data from user databases
Complex system-specific ATO
techniques
Penetrate the targeted networks, e.g. SSRF attacks which target cloud IAM services
Reblaze defends against credential theft in all its forms, by including:
“Negative security” (blacklisting)
Reblaze maintains a comprehensive database of web-related vulnerabilities, and automatically blocks requests that match known threat signatures. The platform is a fully managed service; whenever a new threat is discovered, the database is updated with the solution that neutralizes it, and the changes are pushed immediately to all deployments of Reblaze, worldwide.
“Positive security” (whitelisting)
Reblaze includes an automatic mechanism (which can be set in a supervised mode) that creates a granular application ruleset for each application that it protects. It strictly defines the allowed headers, HTTP methods, resources, content types, encoding, languages, forms, input fields, and so on. Once this ruleset is defined, it is virtually impossible to inject code of any kind.
Input Sanitization
Reblaze includes a variety of protective mechanisms to sanitize and validate all content (headers and payloads) of incoming traffic. These defeat any attempts to bypass threat detection, e.g., when hackers use nested encoding in an attempt to obfuscate their hostile requests.
Other I/O Hardening
Reblaze can run custom code at any point during processing, and can harden the traffic stream in both directions (incoming and outgoing). For example, when a cloud provider defines a new cookie attribute or request header (e.g., to mitigate SSRF attacks), Reblaze can be programmed to add these new capabilities to the I/O stream, even if the application servers themselves cannot.
Prevents Session Attacks
If attackers can take control of an active session, they can change the user’s password, contact information, and other details to take over the account. To accomplish this, cybercriminals can use a variety of techniques to discover session tokens, and then use them to perform ATO:
Man-in-the-Middle (MITM)
Attackers intercept user I/O and sniff the traffic.
Cross-Site Scripting (XSS)
Cybercriminals plant hostile scripts within applications, which can compromise users’ session tokens.
Cross-Site Request Forgery (CSRF/XSRF)
Hackers construct malicious URLs; when victims access them, hostile actions are performed within their accounts
Session Side Jacking
Applications which do not use encryption for all URLs are vulnerable to attackers sniffing the post-authentication traffic
Session Fixation
Attackers trick victims into authenticating sessions with tokens generated by the attackers.
Malware
Hackers install malware on victims’ systems, and then sniff and capture network traffic, including session tokens
Prevents Credential Discovery
When threat actors cannot steal valid credential sets, they attempt to discover them in other ways, including stuffing credentials and brute-forcing login forms. Modern threat actors can be quite sophisticated in their abilities to evade detection: for example, a single brute-force attack can include millions of access attempts, each of which originates from a different IP address in order to avoid rate limiting.
Reblaze defeats these tactics by accurately tracking traffic sources, even despite geolocation rotation and other attempts to mask the requestor’s identity. The platform includes granular security ruleset configuration; policies can be defined for broad segments of an application’s traffic, or customized for individual URLs. Policy violations can result in a wide range of configurable responses, from autobanning the requestor to merely monitoring a traffic source’s behavior.
Reblaze uses a variety of techniques to prevent session attacks from succeeding, including:
Fine-Grained ACLs
Reblaze provides high-precision ACL (Access Control List) capabilities. For a new deployment, its ACLs exclude 75-80 percent of hostile traffic out of the box; the rate is generally much higher after only a few days of fine-tuning and customization for the applications.
Comm Layer Hardening
Reblaze can customize request and response parameters within the traffic stream to eliminate a number of common session attack vectors.
Session Monitoring
Reblaze detects suspicious activity during active sessions (e.g., a sudden change of geolocation), and challenges users whose activities are suspect.
User Validation
Biometric behavioral analysis verifies that each user’s activity is consistent with past behavior. More on this below.
Prevents Abuse of Valid Credentials
Attackers can obtain valid credential sets via phishing, social engineering, and other methods. They then use the credentials to access and take over the accounts. This is the most difficult form of ATO to prevent, because it does not rely on security holes, malicious inputs, brute-force tactics, or other hostile activity. The attacker simply logs into the application, as the actual user would do. Nevertheless, Reblaze can detect and block even this form of ATO. Reblaze goes beyond traditional approaches to security, and adds a number of additional layers of analysis. It uses UEBA and Machine Learning to build fine-grained biometric behavioral profiles for all legitimate users and customers. The platform learns and understands users’ characteristics, and how they interact with the sites, applications, and APIs that it protects. Reblaze uses multivariate analysis to distinguish legitimate users from threat actors, and makes decisions not only according to the traffic source, but also according to each user’s identity, behavior, and intent. A threat actor attempting an ATO will have, unavoidably, a number of different characteristics compared to the actual user. Reblaze detects these differences immediately. Furthermore, every attacker must, at some point, deviate from legitimate user behavior. When a hostile actor attempts to abuse an account, Reblaze blocks the traffic source, preventing further access.
Automatic Protection
Reblaze analyzes global traffic patterns, identifying and adapting to new attack techniques. As a fully managed platform, Reblaze is updated immediately as new security policies are issued. Even as hackers develop new attack techniques, Reblaze provides robust protection, automatically.
Full traffic transparency
Reblaze provides unparalleled insights into your incoming traffic. An intuitive Dashboard displays full details (headers and payloads) of all incoming requests in real time. A comprehensive View Log interface provides the ability to view historical data and rapidly construct sophisticated queries against it, showing patterns and identifying anomalous activity in the traffic stream.
