What is most valuable?
I would say that the active threat detection feature and adaptive rules are the most valuable for us.
With active threat detection, we are no longer over-swamped with tons of useless events. As all the payloads from malicious requests are analysed with a cloud scanner, we don’t need to do this manually. We also built up an incident management process when Wallarm confirmed that some of the attacks are exposing actual vulnerabilities.
Adaptive security rules allowed us to use the WAF in blocking mode, which was almost impossible previously.
How has it helped my organization?
We added a real-time protection layer for all the web-facing applications and APIs in our CI/CD pipelines. As every one of the applications is updated almost every day, it was impossible to use any tools based on signatures or static rules.
What needs improvement?
It needs more customization in PDF reports.
For how long have I used the solution?
Our company has had a contract since February 9, 2016. Previously, our engineers also used the product in other organizations (banks, etc.).
What do I think about the stability of the solution?
We had some issues with a post-analytics engine last year. But they were quickly fixed. That didn't affect traffic analysis.
What do I think about the scalability of the solution?
We have not yet had any scalability issues, and as Wallarm node instances scale horizontally (we have orchestration tools to do it in a fraction of a second), it can hardly be an issue.
How are customer service and technical support?
Technical support is 9/10. They provide customer-focused support. What’s interesting is that they have a live chat with us, so we get answers in real time.
Which solution did I use previously and why did I switch?
We tried to use open-source mod_security for some of the projects, but there was a lot of pain with the complicated rules/signatures and non-stop false positives. As far as I know, we ended up turning it off because of endless complaints from the Ops and Support teams.
How was the initial setup?
Technically, setup was more than straightforward. We already used NGINX load balancers, so it was a smooth shift to NGINX with a Wallarm module.
Our DevOps guys worried a bit about the post-analytics engine, which is required to be installed and has significant RAM requirements. It was a new component which they needed to cover with monitoring tools.
What's my experience with pricing, setup cost, and licensing?
As Wallarm charges on a per-instance basis, you need to keep in mind your future scale. In our case, the customer traffic is increasing year to year.
My piece of advice is to ask for a bundle of 10-50-100 instances (they have a special offer) and not to be limited in scalability because of agreement issues.
They also gave a discount for a 2+ prepaid contract.
Which other solutions did I evaluate?
We tried mod_security. Imperva was not a good fit as we can’t use hardware boxes or VM images in a cloud environment. Incapsula and other cloud-provided solutions did not work for us as we can’t share our traffic and SSL keys with any third-party vendors; we have a lot of customers’ data and obligations.
Wallarm’s hybrid approach of deployment with NGINX-based nodes is a good fit for us as it creates almost no tension between the Security and Ops teams.
What other advice do I have?
It's better to evaluate Wallarm nodes (WAF functions) on production traffic to understand false positive rates under real conditions. Otherwise, it's hard to evaluate the adaptiveness of the rules.
You can also start a pilot with only the scanner to get some insights about issues on your network perimeter. In our case, they shared some results even before the agreement was signed.