Application Security Analytics and Insights

To address real-time monitoring of application security policies, A10 Lightning ADS provides detailed security analytics with a big-data analytics engine that can provide granular security insights by application, by end-user and by other abstractions and resources. A predefined security dashboard of vulnerabilities and detailed logs with drill-down capability help you to troubleshoot and learn more. It also provides the ability to import data to your favorite analytics tool. The security dashboard in A10 Lightning ADS also provides predefined graphs, pie charts and detailed information related to DDoS attack protection. Select Analytics > Dashboard to view these details.

Web Application Firewall (WAF) Security Metrics

When WAF security policies are configured, the A10 Lightning ADC Controller's analytics subsystem collects all the relevant WAF metrics from the LADCs and presents them to the App administrator as insights into the application's security profile.

Web Application Firewall (WAF) Events

To view the WAF events, go to Dashboard > Blocked Requests.

_images/image6.0.png

Click to see the corresponding logs for each event in this table.

Categorized WAF Events

The Categorized WAF events show the time series graphs for each of the various levels of violation: Warning, Alert, Error, Critical or Emergency. These can be selectively seen for each of the Services.

To view WAF-related metrics or events, go to Analytics > Metrics.

Multiple charts display suspected WAF attacks from clients.

The user can analyze these using Per Request Analysis. The user can block the client if it is an attack, or create an exception rule to avoid such an attack.

_images/image6.2.png

Top WAF Events

This table analyses the data collected for all the WAF violation events that have occurred over the period selected and shows the client IPs that are the top violators. By clicking on any of the rows of this table, the logs can be filtered to show only transactions from that specific client.

_images/image6.3.png

Analytics for Blocked Bad BOTs

A similar table is provided for the clients that have contributed the most bot traffic identified by the security service of LADS.

./images/image105.png

Top Threats

The percentage distribution of the various threats identified by A10 Lightning ADS is displayed in this pie chart. It provides a quick glance at potential threats to the application along with their volume. The user needs to go into detailed analysis if there is a real threat.

The top threats/attacks detected by LADS in the pie chart below are WAF, bad BOTs and SQL injection. There are others that the security policy execution engine can identify, but the pie chart allows a user to identify the threats which are most common.

_images/image6.4.png

Anomaly Detection Analytics

The A10 Lightning Controller supports various kinds of anomaly detection. You can view the analytics and insights for anomaly detection from the Dashboard. Anomalies usually show up as markers on the main time series graphs for application response time, security threats, and system health. Three kinds of Anomaly Detectors are supported:

  1. Baseline Anomaly: certain metrics are baselined over days, weeks, months or years to generate a periodic seasonal model, which is applied to real-time observations to see whether the current statistics are significantly different from what the seasonal statistical model indicates. A significant difference means an anomaly.
  2. Dynamic Anomaly: a statistical property of any metric over a longer time window is compared against statistics based on a shorter time window; if one of them varies significantly compared to the other, it indicates a sudden change and is flagged as an anomaly.
  3. App dev based Anomaly: the violating sample histogram far exceeds a weighted sum of the non-violating histogram by a threshold at any time, using cumulative counts.
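The first two detector types can be illustrated with a short sketch. This is an added example, not A10 code: the function names, window sizes, thresholds and the blocked-request counts are all constructed assumptions, and it only shows the general idea of a seasonal baseline check and a long-window versus short-window check.

```python
from statistics import mean, stdev

def baseline_anomalies(history, current, period, z=3.0):
    """Seasonal baseline: compare each new sample with the mean/stdev of the
    same slot (index mod period) in past periods. z is an assumed threshold."""
    flagged = []
    for i, value in enumerate(current):
        slot = history[i % period::period]      # same hour on earlier days
        mu, sigma = mean(slot), stdev(slot)
        if abs(value - mu) > z * max(sigma, 1.0):
            flagged.append(i)
    return flagged

def dynamic_anomalies(series, long_w=8, short_w=2, ratio=3.0):
    """Dynamic: flag index i when the mean of the last short_w samples differs
    from the mean of the long_w samples before them by more than ratio x."""
    flagged = []
    for i in range(long_w + short_w - 1, len(series)):
        short = mean(series[i - short_w + 1:i + 1])
        long_ = max(mean(series[i - short_w - long_w + 1:i - short_w + 1]), 1.0)
        if short > ratio * long_ or short < long_ / ratio:
            flagged.append(i)
    return flagged

# Constructed sample data: blocked requests per hour over one day.
PATTERN = [5, 4, 3, 3, 4, 6, 10, 20, 30, 35, 40, 42,
           45, 43, 40, 38, 36, 30, 25, 20, 15, 10, 8, 6]
# Three days of history with small day-to-day variation (-1, 0, +1).
HISTORY = [p + d for d in (-1, 0, 1) for p in PATTERN]
# Today: 60 blocked requests at 03:00. A fixed alarm level chosen to tolerate
# any of today's normal hourly values would have to be above 45, so it would
# still catch this spike, but the seasonal baseline also catches smaller
# night-time deviations because it compares against the usual 03:00 value.
TODAY = PATTERN[:3] + [60] + PATTERN[4:]

# Constructed sample data: blocked requests per minute with a sudden burst.
PER_MINUTE = [10, 12, 11, 9, 10, 11, 10, 12, 9, 10,
              11, 10, 11, 10, 60, 60, 58, 12, 12]

if __name__ == "__main__":
    print("baseline anomalies at hours:", baseline_anomalies(HISTORY, TODAY, 24))
    print("dynamic anomalies at minutes:", dynamic_anomalies(PER_MINUTE))
```
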

Blocked Requests

These metrics represent the total number of requests that A10 Lightning ADC blocks because of various security policies like BOT protection, WAF, Access Policy, and much more.

_images/image6.5.png

The drill down of this metric provides these additional trend graphs:

  • Threats Detected
  • Threats Trend
  • Session Tracked

Threats Detected

This chart represents the total count of the threats detected (plotted against time), which include:

  • Botnet attacks
  • IP Blacklist
  • Web Application Firewall (WAF) events
  • Surge Protection
  • Other threats detected
  • Blocked Sessions

_images/image6.6.png

Threats Trend

Displays the pattern showing the trend of suspected attacks flagged as threats over time.

This graph represents the total count of all Threats detected plotted against time. The total number of Threats detected is calculated as the total count of all these detected defects:

  • Botnet attacks
  • IP Blacklist
  • Web Application Firewall (WAF) events
  • Surge Protection
  • Other threats detected
  • Session Tracking Policy Analytics

_images/image6.7.png

Session Tracking

The chart below displays the trend of new, active, and blocked sessions. The information displayed here helps the user to fine tune rate limiting or scale the infrastructure accordingly.

_images/image6.8.png

Surge Protection Policy Analytics

The chart below displays the list of clients potentially involved in slow communication and resource hogging. The information displayed here helps the user to fine tune the Surge Protection Policy. To access this chart, go to Dashboard > Blocked Requests.

_images/image6.9.png

Surge Queue Health Metrics

The chart below displays the trend of request-queue length at the time of a traffic surge. If the request queue persists for most of the time, then the user needs to scale the infrastructure accordingly.

Normally this should be at zero or close to it. Occasionally there may be a pile-up in the queue, but it is rapidly followed by draining of the queue.

_images/image6.10.png

Connections to the A10 Lightning ADC or Application Servers

This chart provides a comparison of the number of connections to the A10 Lightning ADC (LADC) and connections to the Application Server(s). Specifically, this chart shows the number of connections from clients to the LADC, and the connections from the LADC to the Application Servers.

_images/image6.11.png

Access Policy (Whitelists/Blacklists) Analytics

_images/image6.12.png

Analytics for SSL Connections

_images/image6.14.png
_images/image6.15.png

Other Security Analytics

_images/image6.16.png
_images/image6.17.png