
Penta Security (WAPPLES): Intelligent Web Application and API Protection

Penta Security is a South Korean cybersecurity company founded in 1997 that focuses on comprehensive security solutions spanning application security, data encryption and Internet of Things (IoT) security. One of its core products is WAPPLES, a leading Web Application Firewall (WAF) built on artificial intelligence technology that protects web applications against a wide range of attacks.

WAPPLES features:
1. Logical Analysis Engine
WAPPLES uses Penta Security's in-house Logical Analysis Engine (Cocep™). Unlike traditional signature-based defences, it detects threats by analysing the behavioural logic of attack patterns, which greatly reduces false positives and improves detection accuracy.

2. Comprehensive attack protection
Protection against a wide range of web attacks, for example:

  • SQL injection
  • Cross-site scripting (XSS)
  • File inclusion vulnerabilities
  • DDoS attacks
  • Website defacement protection

3. Easy deployment and management
Supports multiple deployment modes, including inline, bypass and hybrid, to suit different network environments. It also offers a user-friendly management interface for monitoring and configuration.

4. Real-time monitoring and reporting
Provides detailed reporting and analysis so that users can see the security status of their applications at a glance on the dashboard.

5. High performance and scalability
Whether handling large volumes of traffic or complex attack scenarios, WAPPLES maintains stable performance and scales with growing enterprise needs.

Core advantages of WAPPLES:
1. Highly accurate threat detection

  • Logical Analysis Engine
      • Unlike traditional signature-based detection, WAPPLES uses Penta Security's in-house Logical Analysis Engine (Cocep™). By analysing the logic of attack behaviour rather than relying on fixed signatures, it detects new and variant attacks more accurately.
  • Low false-positive and false-negative rates
      • Compared with traditional WAFs that rely on pattern matching, logical analysis reduces both false positives and false negatives, improving the trustworthiness of detections.

2. Comprehensive security coverage
Defends against many types of attack, including but not limited to:

  • SQL injection
      • Prevents unauthorised database operations
  • Cross-site scripting (XSS)
      • Protects clients from malicious scripts
  • File inclusion vulnerabilities (LFI/RFI)
      • Blocks the invocation or execution of malicious files
  • DDoS attack mitigation
      • Protects against application-layer distributed denial-of-service attacks
  • Zero-day vulnerability protection
      • Detects unknown threats through behavioural analysis
  • API security protection, meeting the needs of modern application architectures

3. Easy deployment and flexibility

  • Diverse deployment modes
      • Inline mode: provides real-time protection, suited to high-security scenarios
      • Bypass mode: suited to testing or lightweight deployments
  • Support for hybrid cloud and virtualised environments
      • No changes to the existing architecture required
      • Fast integration, reducing deployment cost and time

4. High performance and stability

  • Low-latency design
      • Network performance is not noticeably affected even in high-traffic environments
  • High concurrency support
      • Suited to high-traffic e-commerce sites and large organisations

5. Visual management and real-time monitoring

  • An intuitive dashboard gives users a quick view of their security status
  • Detailed reporting, including attack trend analysis and threat statistics
  • Real-time alerting helps security teams respond immediately to potential threats

6. Compliance support

  • Meets the requirements of major security standards and regulations, for example:
      • PCI-DSS (Payment Card Industry Data Security Standard)
      • GDPR (EU General Data Protection Regulation)
      • ISO 27001

7. Cost-effectiveness

  • Lower operating costs
      • Efficient threat detection and a low false-positive rate reduce the effort spent mis-handling security events
  • Flexible choice of hardware or software
      • Available as a hardware appliance, a software solution or a cloud deployment to suit different budgets

8. Compliance support

  • Helps enterprises meet multiple compliance requirements (such as GDPR, HIPAA and PCI DSS)
  • Provides audit and compliance reports that simplify regulatory compliance

9. Brand reputation and technical support

  • Leading market position: as a leader in cybersecurity in the Asia-Pacific region, Penta Security has a strong brand reputation and extensive industry experience
  • Professional technical support: round-the-clock technical support keeps systems running reliably

As a powerful Web Application Firewall (WAF), WAPPLES suits many industries and scenarios, especially enterprises and organisations that depend on web applications. The main use cases and industries are:
1. Finance: financial institutions such as banks, stock exchanges and insurers face high-risk attacks, particularly against online banking, payment gateways and user data. WAPPLES protects against common attacks such as SQL injection and cross-site scripting (XSS), safeguarding the integrity and confidentiality of user data and transaction systems.
Examples: online banking platforms, digital payment systems, financial API security

2. E-commerce: e-commerce platforms are frequently targeted by attacks on transaction data and user information, as well as distributed denial-of-service (DDoS) attacks. WAPPLES supports high-traffic environments and keeps user transactions secure, preventing user data from being stolen or tampered with.
Examples: online stores, membership management systems, third-party payment gateways

3. Government and public institutions: government websites and service platforms are frequent targets, for example of data leaks, website defacement or attacks on public service systems. WAPPLES provides defacement protection and helps ensure system stability and the confidentiality of sensitive data.
Examples: public service websites, national data platforms, internal government applications

4. Internal enterprise systems: modern enterprises rely on many internal web applications (such as ERP and CRM) that face potential threats from both inside and outside. WAPPLES provides API security protection and vulnerability defence to secure internal data and business logic.
Examples: business systems (ERP/CRM), internal collaboration platforms, API endpoints

5. Education: universities and other educational institutions frequently face attacks on student information systems and research data. WAPPLES helps protect online course platforms and student management systems against data leaks and service disruption.
Examples: online learning platforms, student and staff databases

6. Cloud applications and services: SaaS, PaaS and IaaS platforms in providers' cloud environments must cope with dynamic threats and ensure the isolation and security of multi-tenant data. WAPPLES supports virtualised and hybrid-cloud deployments, giving cloud applications a flexible and efficient security solution.
Examples: cloud platform API security, protection of virtualised environments, multi-tenant data security

7. Healthcare: medical institutions must protect patient data (such as electronic medical records) from unauthorised access while keeping systems continuously available. WAPPLES's highly accurate threat detection blocks data theft and tampering.
Examples: electronic medical record (EMR) systems, online appointment platforms, medical data exchange

8. Large events and entertainment: data-intensive entertainment sites and major event websites often face heavy traffic and malicious attacks. WAPPLES provides traffic management and distributed denial-of-service protection so that users can browse smoothly.
Examples: streaming platforms, ticketing systems, fan engagement platforms

Core advantages of WAPPLES's diverse deployment options:
1. Customer requirements: on-premises deployment. Some customers have strict data security, compliance or internal IT policy requirements and may be unable to use cloud-based services (such as the Cloudflare or AWS offerings). For these customers, an on-premises solution is key to meeting their business needs.

2. Flexible WAPPLES deployment modes:

  • Multi-mode support: in addition to cloud deployment in a SaaS model, WAPPLES supports on-premises deployment to meet the needs of different business scenarios.
  • On-premises options: available as a hardware appliance (HW) or a software appliance (SA), so customers can choose the form that best fits their IT infrastructure and requirements.

3. Specialised security functions: WAPPLES's core competitive strength is its mature protection for web applications, which defends against many network threats while meeting compliance requirements, making it an ideal choice for customers looking to raise their security posture.

WAPPLES's detection accuracy, comprehensive attack protection, ease of operation and deployment flexibility make it the best solution for enterprises facing ever-changing network threats. For enterprises that prioritise performance and stability in particular, WAPPLES is a trusted first line of defence.

About Penta Security
Penta Security is a leading global provider of network security, data security and IoT security with 27 years of expertise, and has been rated a top cybersecurity company in Asia by Frost & Sullivan. Its web application firewall WAPPLES has led the Korean market for 16 consecutive years since 2009 and has held a dominant market position across the Asia-Pacific region since 2016. Penta Security also has a presence in Europe, the Middle East and North America.

About Version 2 Digital
Professional distributor and leader in cybersecurity solutions
Version 2 Taiwan is one of the most dynamic IT companies in Asia. With many years in the IT field, it is committed to delivering up-to-date cybersecurity solutions (such as EDR, NDR and vulnerability management), tool products (such as remote control and web filtering) and security threat detection and response services (MDR). Through an extensive network of points of sale, resellers and partners, it offers highly acclaimed products together with customised, localised professional services.

Version 2 Taiwan's sales coverage includes Taiwan, Hong Kong, mainland China, Singapore and Macau. Its customers span every industry, including Global 1000 multinationals, listed companies, public utilities, government departments, countless successful SMEs and consumers in cities across Asia.

Redacting Message Fields for Privacy Purposes

Many organizations today have strict data privacy regulations that they must comply with. These privacy regulations can often clash with the requirements of security, application and operations teams who need detailed log information. This how-to guide walks you through redacting message fields for privacy purposes.

At Graylog, many of the organizations who use our tool are logging sensitive data that may contain personally identifiable information, health related data or financial data. Often, to ensure compliance with data privacy laws, this information must be redacted or hidden from many of the end users of the tool.

I’m going to walk through a simple way we can use processing pipelines to scrub personally identifiable information from a log message so that it is only visible to an elevated Graylog user account.

Caution: To achieve this functionality we need to replicate the message. This will increase the amount of data written to OpenSearch which may impact licensing or storage requirements.

Configuration

In my lab environment I have Auditbeat running on my host machine. Log messages are sent to a Graylog Illuminate stream called “Illuminate:Linux Auditbeat Messages”.


In these messages I can see my username. First in the user_name field and again in the message field.


Pipeline Rule

For privacy purposes I am going to redact these usernames and route the messages into a separate stream, “Auditbeat Redacted”. I’ll retain the unredacted message in the “Illuminate:Linux Auditbeat Messages” stream. We’ll then restrict the access rights to these different streams.

To achieve this we need to write a pipeline rule that will create a copy of the message, edit the contents, route it into the new stream and remove the copy from the original stream.

This is what the complete pipeline rule looks like; I’ll walk through it line by line:

rule "redact_usernames"
when

    // check whether the message has the username field and hasn't already been redacted
    has_field("user_name")
    AND NOT contains(to_string($message.user_name), "REDACTED")

then

    // clone the message
    let cloned_mess = clone_message();

    // grab the username and replace it in the message component
    let x = to_string($message.user_name);
    let new_field = replace(to_string(cloned_mess.message), x, "REDACTED");
    set_field(field: "message", value: new_field, message: cloned_mess);

    // replace the username field with REDACTED
    set_field(field: "user_name", value: "REDACTED", message: cloned_mess);

    // route into Auditbeat Redacted stream
    route_to_stream(id: "637e24115833463dd73bf617", message: cloned_mess, remove_from_default: true);

    // remove from original stream
    remove_from_stream(id: "638f5d7cacb74d540a215aa9", message: cloned_mess);

end

Identify The Message

The first step in the rule is to identify the messages we want to modify. This is achieved by finding messages with the relevant username field and also performing a check to ensure the message hasn’t already been modified. This check is important and I’ll explain why in the next part:


when

    // check whether the message has the username field and hasn't already been redacted
    has_field("user_name")
    AND NOT contains(to_string($message.user_name), "REDACTED")

Clone The Message


After we have identified the message we want to process, we then clone the message.

IMPORTANT: When a message is cloned, an exact copy of the message is created; however, it will be given a new message ID. From the view of the processing pipeline, this message has not been processed, so it will flow through the pipeline as a newly seen message. If the check in the previous block were not performed, we would end up in an infinite loop of cloning the same message:


    // clone the message
    let cloned_mess = clone_message();


As the message field in the log contains the username, we are going to redact it from there first, before removing it from the user_name field itself. I am using the original $message field to find the username, but then replacing the message field in the cloned message, cloned_mess:


    // grab the username and replace it in the message component
    let x = to_string($message.user_name);
    let new_field = replace(to_string(cloned_mess.message), x, "REDACTED");
    set_field(field: "message", value: new_field, message: cloned_mess);


We then replace the username field with “REDACTED”:

    // replace the username field with REDACTED
    set_field(field: "user_name", value: "REDACTED", message: cloned_mess);

Stream Routing

Finally, we route the cloned message into the redacted stream and remove it from the original stream:

    // route into Auditbeat Redacted stream
    route_to_stream(id: "637e24115833463dd73bf617", message: cloned_mess, remove_from_default: true);

    // remove from original stream
    remove_from_stream(id: "638f5d7cacb74d540a215aa9", message: cloned_mess);

end
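To make the clone re-entry behaviour concrete, here is an added Python simulation of the redact_usernames rule (example code written for this page, not Graylog's own and not the pipeline engine itself). It models clone_message(), route_to_stream() and remove_from_stream() as plain dictionary operations, reuses the two stream IDs from the rule, and runs on a constructed Auditbeat-style message; running it without the "already redacted" guard reproduces the runaway cloning the IMPORTANT note warns about.

```python
import copy

# Stream IDs as they appear in the rule above
ORIGINAL_STREAM = "638f5d7cacb74d540a215aa9"  # Illuminate:Linux Auditbeat Messages
REDACTED_STREAM = "637e24115833463dd73bf617"  # Auditbeat Redacted
DEFAULT_STREAM = "default"                    # stands in for Graylog's default stream
MAX_PASSES = 50  # bound so the unguarded variant terminates in this simulation


def when(msg, guard=True):
    """The rule's 'when' block; guard=False drops the 'not already redacted' check."""
    if "user_name" not in msg["fields"]:
        return False
    return not (guard and "REDACTED" in str(msg["fields"]["user_name"]))


def then(msg, queue):
    """The rule's 'then' block: clone, redact, route. Returns the clone."""
    cloned = copy.deepcopy(msg)             # clone_message(): same fields, new ID
    cloned["id"] = msg["id"] + "-clone"
    user = str(msg["fields"]["user_name"])
    if user:  # str.replace with an empty needle would insert REDACTED between every character
        # plain substring replace, like the rule's replace(): a very short username
        # also matches inside unrelated words, so check your data before relying on it
        cloned["fields"]["message"] = str(cloned["fields"]["message"]).replace(user, "REDACTED")
    cloned["fields"]["user_name"] = "REDACTED"
    cloned["streams"].add(REDACTED_STREAM)      # route_to_stream(...)
    cloned["streams"].discard(DEFAULT_STREAM)   # ... remove_from_default: true
    cloned["streams"].discard(ORIGINAL_STREAM)  # remove_from_stream(...)
    queue.append(cloned)  # the clone re-enters the pipeline as a newly seen message
    return cloned


def run_pipeline(messages, guard=True):
    """Process a batch; clones re-enter until nothing matches or MAX_PASSES is hit."""
    queue, processed, passes = list(messages), [], 0
    while queue and passes < MAX_PASSES:
        msg = queue.pop(0)
        passes += 1
        if when(msg, guard):
            then(msg, queue)
        processed.append(msg)
    return processed, passes


def sample_message():
    """Constructed Auditbeat-style message (not real log data)."""
    return {"id": "m1", "streams": {ORIGINAL_STREAM, DEFAULT_STREAM},
            "fields": {"user_name": "jdoe",
                       "message": "Process /usr/bin/sudo started by user jdoe (uid 1000)"}}
```

With the guard, the batch settles after two passes (the original plus one redacted clone); without it, the simulation only stops because of MAX_PASSES.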


Once we have written the rule, we need to apply it to our Auditbeat stream. Create a new pipeline, ensure you have selected the relevant stream in the Pipeline Connections, and apply the rule at an appropriate stage. In my case I only have one rule, so I am applying it at Stage 0:


Search And Share

If we now go to the Search page, we should be able to see the redacted and non-redacted fields when switching between the Auditbeat stream and the Auditbeat Redacted stream:


We can now share these streams out with the relevant user accounts. In my example I have created a test account of an analyst who is only allowed to view the REDACTED stream. On the Streams page I can click on Share and assign this user Viewer rights to this stream:


If we log in as this user, we can see that they only have access to the Auditbeat Redacted stream:


Additional Thoughts

Finally, with Graylog Operations and Graylog Security, you will be able to audit which users are accessing sensitive data inside of Graylog for even more control and oversight.

As you can see, processing pipelines are a very powerful way to modify, enrich and filter your log messages. If there are particularly novel or complex pipelines that you think would be useful to the rest of the community, please share them on the Graylog Marketplace.

About Graylog 
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.