Today’s enterprises exist in a target rich environment, and their IT and security teams face immense operational challenges. As they navigate a rapid evolution in the way applications are developed and deployed, they must find balance between legacy applications that are more monolithic in nature and modern applications that are faster and more efficient but comprised of independently operating microservices that may be written in different languages, ported across multiple public cloud environments, and managed by various orchestration systems.
This evolution has created precarious interdependencies – not only between legacy and new business applications, but also within those new applications – and new security gaps, making it significantly easier to exploit vulnerabilities across the infrastructure, especially at the application layer. Consequently, attackers know they do not have to look very far to find an open, vulnerable, or exposed target.
WAF (What Is It Good For?)
Web application firewalls (WAFs) are ubiquitous. Any organization with a digital presence has one in place, ready to thwart would-be attackers in their pernicious quest for valuable data and business disruption. But just how effective are WAFs in keeping intruders at bay? And just how equipped are they to handle the ever-increasing scope and frequency of attacks?
In a survey released by the Neustar International Security Council, four in 10 security decision makers reported that more than half of cyberattacks bypassed their WAF. Strikingly, one in 10 said that their WAF was ineffective in 90% or more of attacks. Moreover, nearly 30% stated that altering WAF policies to guard against new web application attacks was moderately or very difficult. Such reports are alarming, but not necessarily surprising as on-premises WAFs may be expected to do more than their original designs anticipated.
Acceleration in digital transformation spawns security gaps
To understand why this critical piece of built-in security is faltering, it’s important to consider how the environment has shifted in recent years. Digital transformation has accelerated at a blinding pace, particularly across industries like financial services, e-commerce and healthcare, where enterprises are tasked with securing treasure troves of personally identifiable information (PII) and sensitive financial details.
Organizations in these sectors once had fairly defined digital perimeters with relatively clear security threats. The speed at which new capabilities and functionalities have been introduced on the application level, however, has forced a distinct shift in the architectural approach and blurred those borders. Organizations are often maintaining, updating and patching legacy systems, while simultaneously working to integrate them with new systems and software. At the same time, they are adopting cloud technologies, IoT devices and software-defined infrastructure, leading to more distributed architecture.
To achieve the application functionality desired and expected in today’s environment, enterprises may be cobbling together a variety of microservices. These services may operate independently, use different languages, rely on open-source libraries, and be highly portable. Additionally, disparate teams and locations behind them mean that great care must be taken in weaving together an impermeable fabric. More often than not, the speed of enterprise and digital transformation means that security gaps are simply accepted parts of the package.
Security threats evolve with changing landscape
Unfortunately, as Veracode’s 2020 State of Software Security report noted, 76% of applications have at least one security flaw. Bad actors are focusing their attention on finding and exploiting infrastructure vulnerabilities — especially across the increasingly complex application layer. Application architecture has grown more complicated, but attackers have been watching, learning and adjusting to respond in kind.
Distributed Denial of Service (DDoS) attacks remain dangerous and common in a bad actor’s arsenal, but the proliferation of applications and their areas of exposure have spurred a wide range of attack vectors. For instance, SQL injection (SQLi) attacks may use web forms or other input mechanisms to send commands that work to infiltrate a firm’s database and retrieve valuable information. Cross-site scripting (XSS) may modify a webpage or its content to hijack user data, while cross-site request forgery (CSRF) may trick or force end users to take some nefarious action in an application in which they are authenticated. Through Common Vulnerabilities and Exposure (CVE), criminals may use bots to scan for vulnerabilities — such as finding apps that haven’t been updated with a security patch — and then deploy an attack to exploit that weakness.
The list goes on, but the result is largely the same: loss of PII, intellectual property, sensitive emails and reputation. Security teams must remain vigilant and always a step ahead. Taking advantage of the robust capabilities of a WAF can enhance their protection efforts.
Reinforcing on-premises WAFs offers multiple benefits
WAFs are mission critical and even considered mandatory in certain industries where PII must be safeguarded, such as healthcare and financial services. Many enterprises begin with on-premises systems that are highly tuned to protect specific applications. But as an organization expands its application functionality and adopts new tools, its on-premises WAF may not be able to extend full coverage with the same level of efficiency and effectiveness.
Augmenting an on-premises WAF with a third-party offering may provide enterprises with greater confidence in the protection of sensitive information. Third-party WAFs can provide an additional barrier between applications and attackers, making penetration more difficult and thus encouraging bad actors to move on and apply their energies elsewhere.
The right third-party solution can also enhance the performance of an on-premises WAF, providing an enterprise’s security team with the luxury of time and bandwidth to finetune their code for better performance.
With the rapid acceleration of tech transformation initiatives during the pandemic, companies have invested in application-rich environments that have inadvertently created opportunity for bad actors to exploit security gaps – such as through automated scanning that provides broad coverage searching for certain vulnerabilities in applications and infrastructure solutions – to find and attack new targets.
A third-party WAF can also provide bot management tools that deliver visibility into, and control over, its application layer by filtering out potentially dangerous traffic before it reaches an organization’s local network and reduces the overall traffic load for on-premises tools. A third-party WAF enables security teams to examine traffic patterns to better determine risk, easily set rules, and block nefarious web application traffic. More advanced WAF options offer learning modes, which use machine learning to first understand the behavior of normal traffic patterns and apply those learnings to detect anomalies once switched to an enforcement mode.
Additionally, because of the wide range of tools and environments that now compose an enterprise’s infrastructure, a vendor- and resource-agnostic WAF is a necessity. It must work across all environments, no matter where an application is hosted, to ensure an organization’s entire perimeter is patrolled.
Finally, an outsourced WAF must be customizable. Each enterprise has a unique infrastructure, and any new tool introduced, particularly for security purposes, must be malleable and able to integrate seamlessly based on policies and applications already in place.
A forward-thinking approach
The changing landscape of security threats—from networks to applications, from business disruption to data exfiltration and from single vector to multi-dimensional attacks—is driving an architectural shift in the security industry.
As application-layer attacks only grow in volume, frequency and complexity, enterprises will be challenged to make optimal use of their resources in protecting sensitive information. The right third-party WAF provider can serve as an always-on security partner, enabling organizations to channel their energy and expertise toward honing proprietary systems that will meet future security threats head on.
Author: Michael Kaczmarek, Vice President, Security Product Management, Neustar