Operating AWS WAF in-house is quite challenging.

  • Can you tell us a little bit about how you decided to implement WafCharm?

    Both “Hachidori” and “CAST” are services provided for AWS. In both services, there is a need to handle personal information such as addresses and telephone numbers, so sensitive operations are required. As a service provider, we must take strong security measures to protect our customers’ information.

    I also believe that when customers ask me about security measures, I need to be able to answer them with confidence. If you don't seem to be able to say, "It's okay," you're making your customers concerned. This was when we first decided to consider implementing a WAF.

  • Please tell us about the products you considered when introducing WAF

    We picked about 4 products, mainly cloud-type WAFs that seemed to fit our services. We examined them, but none matched well: CNAME-type WAFs couldn’t be introduced due to Apex domain problems, the introduction and system switching was troublesome, or the cost of continuing to use them was high.

    In the end, we came to the conclusion that it was smart to use AWS WAF, and we implemented it in October 2019. However, operating AWS WAF was harder than we expected.

  • How difficult was it for you to operate AWS WAF?

    If you want to use AWS WAF as-is, you need to create rules that are appropriate for your company. I tried writing my own signatures, but I soon realized that I had to have the expertise to operate AWS WAF. It is difficult to define what to do when there is a detection in the first place, so we thought it was impossible.

    Of course, we could operate AWS WAF if we spent all day on it, but unfortunately, our resources are limited. Our department has to look at the entire infrastructure, so we don't want to be burdened with operating AWS WAF. So, we decided to look for a solution for AWS WAF operations.

Fully automated operation of AWS WAF with WafCharm

  • Does this mean that you wanted WafCharm to operate AWS WAF?

    We reviewed WafCharm alongside Managed Rules provided by security vendors as tools to ease the operation of AWS WAF. We chose WafCharm for the following reasons.

    Automatic operation and flexible rule setting
    In the case of Managed Rules, if you try to change a rule when there is a false positive, you have to do it yourself from the dashboard. If this happens, it's not much different from operating AWS WAF as-is, and the point of introducing it is diminished.
    With WafCharm, there is no need to tune the rules, and it's easy to change them in the event of a false positive. Since I was able to check this area with a free trial, the barriers to adoption dropped significantly.

    Being a product of a renowned security company
    Being a product of Cyber Security Cloud, Inc. that develops and sells "Shadankun" which boasts a top-class track record in cloud-based WAF services, WafCharm felt highly reliable. Also, the 24/7 technical support system was reassuring.

  • Please tell us about the effect of WafCharm after implementation.

    We are currently using WafCharm as it is, without any special customization. Since we have been using it for a few months now, we have noticed the following benefits.

    Let WafCharm do all the work for you
    My honest impression is that it is very easy to use. With WafCharm, you don't have to do anything in particular. Most of all, I'm happy that it doesn't become a burden on my work.

    Visualization of attacks and organization of logs
    Attacks targeting vulnerabilities are blocked by WafCharm, and you can see them on the screen. Also, it used to be hard to check both attacks and errors in the same log, but now, thanks to WafCharm's ability to block the attacks, the log is no longer contaminated.

    Discovering awareness through visualization
    WafCharm's visualization has brought us to a new realization. For example, we didn't realize on our own that there are attacks that scan for zip files or config.bak in the root directory. Fortunately, we didn't keep any such files, but we learned to avoid doing so in the future.

WafCharm lets you get the most out of your AWS WAF without any hassle.

  • Do you have any advice for companies using AWS WAF?

    Operating AWS WAF on your own can take a lot of manpower and time. Also, if you have limited resources, you won't be able to respond immediately if something really does happen. In that sense, I think it's more efficient to outsource it to specialists. In fact, with WafCharm, we've been able to get the most out of AWS WAF's security features in a hassle-free way, and we'd recommend WafCharm to anyone deploying AWS WAF.

  • Lastly, please tell us about your plan for future security measures.

    AWS has a variety of security-related features, so we want to make good use of them to establish a system that can quickly respond to incidents. Of course, we'll continue to use WafCharm's enterprise plan as well.
    In addition, we would appreciate it if CSC could share information with us, such as overall trends and summaries of threats. This information will help us prioritize vulnerability responses and spread the word internally. We look forward to your continued support in the future.