Defending The App Eco-System: Developing A Modern WAF Strategy

Web and mobile application cyber-attacks are on the increase, with Forrester reporting that 40% of all security breaches are aimed at these services.[1] Even more worryingly, attacks specifically targeting secure Web services such as e-commerce are particularly on the rise, with Arbor Networks recently reporting “a massive increase over last year”.[2]

It is not surprising that cybercriminals are targeting web-based applications. Due to agile working methods and new forms of user engagement, the scale of their deployment is exploding. Apps are also being delivered through a variety of different methods, such as on-site servers, virtual machines, public and private clouds, and hybrid solutions. This new and complex eco-system makes security more of a challenge.

In this evolving landscape, where the network perimeter is less well defined, protecting vital web assets has become more taxing. We, therefore, thought it worth revisiting the issue of web application firewalls (WAF) and looking at the latest developments.

WAF Developments

WAFs have evolved in recent years to incorporate a range of new techniques and innovations. In a recent market report, summing up developments, Forrester highlighted three improvements that should make network administrators reconsider their use of existing firewalls to protect increasingly complicated web applications:[1]

  • A focus on ease-of-use and automation to make WAFs far easier to maintain
  • Improved defences against newer attack forms such as bots and Layer 7 DDoS
  • More flexible deployment options as applications migrate to the cloud

[Figure: Typical WAF dashboard]

Evolving WAF Strategy: Machine Learning Techniques

A major innovation in WAF technology has been the adoption of machine learning techniques. These allow protection systems to respond to threats by monitoring forms of malicious behaviour and adjusting defences proactively. Using dynamic risk assessment and whitelisting techniques, modern WAFs can adjudicate between legitimate website users and the malicious, keeping a site open and running whilst blocking suspicious behaviour. As the systems self-adapt to threat behaviour, machine learning has also improved detection and response to novel, zero-day threats.

A significant drawback with older WAFs is their over-reliance on IP address-based blocking and mitigation. Thanks to a number of recent developments such as the sheer scale of botnets, anonymous proxies and address spoofing, Black Hats can, unfortunately, get around these older forms of protection. Newer generations of WAF make use of device fingerprinting, measuring key characteristics of the browser, such as version number and fonts installed, a technique that provides what is known as IP-agnostic security filtering. Attackers using the same tools and techniques on a completely different machine can be identified and tracked as they move between machines and IP addresses during an attack.
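
The difference between keying a control on source IP and keying it on a device fingerprint, as an added example that is not from the original article or any WAF product. The traffic is constructed, and `by_fingerprint`, `blocked_requests` and the two-attempt login limit are hypothetical.

```python
import hashlib
from collections import defaultdict

UA_BOT = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
UA_USER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0"
FONTS_BOT = ("DejaVu Sans", "Liberation Mono")
FONTS_USER = ("Arial", "Calibri", "Segoe UI")

# Constructed traffic: (source IP, User-Agent, installed fonts, path).
# One device rotates through five addresses; one ordinary user stays on one.
REQUESTS = [
    ("203.0.113.10", UA_BOT, FONTS_BOT, "/login"),
    ("198.51.100.5", UA_USER, FONTS_USER, "/login"),
    ("203.0.113.11", UA_BOT, FONTS_BOT, "/login"),
    ("203.0.113.12", UA_BOT, FONTS_BOT, "/login"),
    ("198.51.100.5", UA_USER, FONTS_USER, "/basket"),
    ("203.0.113.13", UA_BOT, FONTS_BOT, "/login"),
    ("203.0.113.14", UA_BOT, FONTS_BOT, "/login"),
]

def by_ip(request):
    """Client key used by address-based filtering."""
    return request[0]

def by_fingerprint(request):
    """Client key built from browser traits only; the source IP is excluded."""
    _ip, user_agent, fonts, _path = request
    canonical = user_agent.strip() + "|" + ",".join(sorted(f.lower() for f in fonts))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

def blocked_requests(requests, key_fn, limit=2):
    """Replay traffic and return the indexes of requests that get blocked.

    A client key is blocked once it has already made `limit` /login requests.
    """
    login_counts = defaultdict(int)
    blocked = []
    for index, request in enumerate(requests):
        key = key_fn(request)
        if login_counts[key] >= limit:
            blocked.append(index)
            continue
        if request[3] == "/login":
            login_counts[key] += 1
    return blocked
```

Version number and installed fonts alone are low-entropy, so identical browser builds produce the same fingerprint; treat a match as one risk signal rather than proof of a single device.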

These WAFs also have facilities to detect and block malicious bots, for example by issuing automated JavaScript challenges. Such bots attempt to perform highly repetitive tasks on websites, such as scraping for price information or email addresses. These WAFs also make use of network behavioural analysis (NBA) for detecting abnormal traffic flows. This empowers the firewall to analyse traffic patterns and develop unique baselines for normal, legitimate traffic (for the web service in question). These baselines are used to spot abnormalities, even when the attack is a novel, zero-day threat.
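
Why the baseline has to be learned per web service, as an added example that is not from the original article. The article does not say which statistic a WAF uses; the median/MAD modified z-score here is an assumption, and the service names, request rates and function names are constructed.

```python
import statistics

# Constructed requests-per-minute history for two services behind one WAF.
HISTORY = {
    "shop": [190, 205, 198, 210, 202, 195, 207, 199],
    "admin": [4, 6, 5, 5, 7, 4, 6, 5],
}

def learn_baseline(samples):
    """Return (median, MAD) for one service's normal traffic."""
    median = statistics.median(samples)
    mad = statistics.median(abs(x - median) for x in samples)
    return median, max(mad, 1.0)  # floor keeps flat traffic from dividing by zero

def robust_z(value, baseline):
    """Modified z-score: distance from the median in MAD units."""
    median, mad = baseline
    return 0.6745 * (value - median) / mad

BASELINES = {service: learn_baseline(h) for service, h in HISTORY.items()}

def flagged(service, observations, threshold=3.5):
    """Indexes of observations that deviate from this service's own baseline."""
    baseline = BASELINES[service]
    return [i for i, value in enumerate(observations)
            if abs(robust_z(value, baseline)) > threshold]

def over_static_limit(value, limit=300):
    """A single site-wide rate limit, shown for comparison."""
    return value > limit
```

Sixty requests a minute passes the site-wide limit and is unremarkable for the shop front end's volume, yet it is far outside the admin service's learned baseline.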

Finally, these WAFs are increasingly deployed as part of a wider network of security analytics, in a so-called ‘hive mind’ arrangement, whereby threat information is crowd-sourced and shared. Big Data techniques are also used to analyse global threats and continuously update and improve the response of individual WAFs. So, for example, information about a malicious web scraper might be found on a single client’s WAF, but the rules to block it could be rapidly shared with other clients.


WAF Deployment Stagnating

Given these substantial improvements, it is worrying to learn that, according to Forrester, WAF adoption is actually stagnating, with many organizations not undertaking a refresh with modern firewall technologies.[1] This leaves them seriously exposed to emerging cyber-threats. One of the reasons for this may be that WAFs have, over the years, acquired a reputation for being difficult to manage, requiring detailed configuration, tweaking and patching to keep up with threats. For many smaller organizations, this level of maintenance is a challenge, and all too often it is left sitting on the ‘to do’ list. Unfortunately, this ‘firewall and forget’ approach, whilst understandable, means being unnecessarily exposed to security risks and also, potentially, not being fully aware of the latest developments in WAF technology.

Developing A Modern WAF Strategy

So, what is the right way forward? Clearly, WAF adoption is stagnating, despite the rising cyber-threat and introduction of new techniques. For this reason, here at activereach we have recently been advising clients that it is important to review their current WAF strategy. This often leads to the question: “which application firewall deployment should we be adopting?” The exact answer depends on the organization in question, its networking and server infrastructure, and its individual security and compliance requirements. However, in general, all firms need to be aware of the latest threats to web-based apps and the rapidly evolving technical developments in sophisticated mitigation systems.

There is still a place for older forms of WAF, either physical firewall appliances that sit on the edge of the organization’s own network, or software plugin modules within server systems (e.g. ModSecurity). Organizations should make sure, though, that these are updated, with physical appliances, in particular, making use of the latest machine learning and behaviour analysis techniques.

However, as the delivery environment changes, WAFs are being deployed outside the hosting environment as virtual machines, cloud-based services, third-party SaaS or as features of content delivery networks (CDNs). Given this, it is clear that in today’s complex eco-system of app delivery, where combinations of on-premise, virtual machine and cloud-based environments are working in concert, there is the need to develop an integrated and highly secure strategy for application firewalling.

“The threats to customer data from web application attacks are not going away – and are increasingly sophisticated. With the EU GDPR coming into force soon, now is the right time for customers to review their WAF strategy. Modern WAF developments, such as machine learning, offer considerable advantages and provide a pathway to fast, reliable, and secure delivery of mission-critical business applications.” – Max Pritchard, Pre Sales Consultant at activereach.

[Figure: WAF: Machine learning is on the rise]

WAFs have changed substantially in recent years, with major developments in ease-of-use and anti-hacker machine learning techniques. Given the increasing emphasis on apps, now is the time to be future-proofing Web security.

If you would like to discuss your WAF strategy, please call an activereach Networking and Security Specialist on 0845 625 9025. Alternatively, please visit our WAF solutions page.

[1] DeMartine, A., Vendor Landscape: Web Application Firewalls (Cambridge, MA: Forrester, Jan 2017).

[2] Arbor Networks, 12th Worldwide Infrastructure Security Report, (Burlington, MA: Arbor Networks Inc., Jan 2017), p.78.