Proactive Meets Preemptive Security

Every day attackers launch malicious payloads on organizations using the same IP addresses. Fastly’s Network Effect Threat Report highlights that 54% of attack traffic is preemptively flagged by the Network Learning Exchange (NLX). NLX leverages this insight to provide a preemptive layer of security to all Next-Gen WAF customers.

Stop attackers before they strike

Fastly’s NLX proactively flags malicious IP addresses, allowing organizations to take action before damage is done. Our position as a global web application and API protection (WAAP) security provider enables visibility at scale into our customers’ global attack landscape that spans high-tech, financial services, media, entertainment, and numerous other industries. From this vantage, we ingest attack data on a massive scale and can highlight the validated malicious IPs as they traffic to other customers’ applications. The shared attack data fosters a network effect, where the collective intelligence of all customers contributes to strengthened security for each organization.

Creating preemptive security layers

NLX is built on the patented approach developed for Fastly’s Next-Gen WAF.

Over 90,000 applications are protected by our Next-Gen WAF, which inspects 4.1 trillion customer requests monthly. The incoming requests are parsed as legitimate or malicious, and anonymized attack data is continuously collected by the Next-Gen WAF’s Cloud Engine.

After attacks from a particular IP reaches a threshold, the IP is added to the NLX feed for future consideration. Any time in the next 24 hours that the IP visits another Fastly Next-Gen WAF customer’s application, the attacker’s client will have a signal (SIGSCI-IP) attached to identify the IP as potentially malicious. When a customer sees the SIGSCI-IP signal, they can apply individual custom rules or combine them with others to block, limit, or monitor the IP before it can strike.

To keep the feed fresh, the SIGSCI-IP signal remains on the IP list for 24 hours. During that time, any request the IP makes will have the SIGSCI-IP Signal in the logs. The IP is removed from NLX after 24 hours and treated as normal until malicious intent is observed again.

Engage emerging threats

Traffic contains varying levels of danger - rulesets can reflect it. Signals are powerful tools that enhance visibility and enable custom rules. When the SIGSCI-IP signal is applied to an IP address, practitioners can create rules to automatically:

• Block the IP from accessing your service

• Rate limit the IP to minimize attack opportunity

• Alert security personnel to monitor the IP from Fastly’s real-time analytics or through integrations with DevOps tools like Elastic, Datadog, Slack, and more

Signals are powerful alone, but when combined, they enable layered rulesets that increase confidence in final decisions. Take initial precautionary measures with NLX signals that are unobtrusive, like monitoring or rate limiting, while creating layers of combined rules that immediately block the IP when met. This capability gives security practitioners flexibility in managing traffic as new information is available. Block IPs classified as malicious by NLX outright, layer their rulesets, or anything in between - the logic is entirely customizable.

Act on trusted intelligence

Making automated traffic decisions requires confidence in the data provided. NLX utilizes the Next-Gen WAF’s highly accurate SmartParse technology to create insights that don’t require interpretation. Using its contextually-aware detection technology, SmartParse quickly and accurately determines if a request will result in a malicious action. It is so accurate that almost 90% of customers run the Next-Gen WAF in blocking mode.

Traditional IP reputation intelligence tools assign a risk score to an IP that can be difficult to take action against. For example, determining what rules to implement when an IP is tagged with a 40 or 80 score is often a daunting task that requires regular tuning. When NLX signals an IP as malicious, it creates a trusted signal that organizations can use to make impactful decisions faster and save security practitioners time. 

Expedite legitimate traffic

The days of “enriching” detection using outdated intelligence are over. An NLX flags an IP for 24 hours and is removed until malicious activity is observed again to minimize any impact on potentially legitimate traffic. By timeboxing this signal, the NGWAF helps practitioners focus on relevant attacks without blocking previously tagged IPs from making purchases, completing forms, or making any other legitimate request once removed. 

For example, a malicious actor may use a public network where legitimate traffic flows, like a local coffee shop. While you may want to preemptively block that IP from making requests, you’ll want to allow legitimate requests when traffic returns to normal. The dynamic nature of the NLX signal helps organizations protect their brand reputation and give customers a better experience because real customers are less likely to be impacted by the previous actions of bad actors. 

The preemptive layer of application security 

Fastly’s NLX provides a preemptive layer of security that complements the Next-Gen WAF’s proactive Layer 7 protection. Included with all Next-Gen WAF packages, NLX enables a modern collective approach to IP reputation intelligence. Contact us to learn more about the Network Learning Exchange and our web application and API protection offerings.