You wouldn’t don a medieval suit of armor to protect yourself from a .50 caliber machine gun. Yet some approaches to cybersecurity are the digital equivalent of exactly that.
One example is the Web Application Firewall (WAF), which applies the traditional perimeter-based firewall approach to risks associated with modern web apps.
Cloudflare, a major WAF vendor, recently announced that it is updating its WAFs with machine learning-based security analytics in an attempt to identify zero-day threats more quickly and block risky sites sooner. But improving WAFs is a little like putting better hinges on that old medieval armor – the technology is still not suitable for the threats businesses face today.
What’s a WAF?
Wikipedia defines a WAF as follows:
A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks that might exploit a web application’s known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.
WAFs monitor all of the data packets coming to a website or web application and block any traffic that is deemed a threat. They can be implemented either as an appliance (a physical device, essentially a specialized computer) or as a cloud-based service.
WAFs utilize detection-based technology. They examine all traffic and, based on a combination of rules and signatures, decide which traffic poses a threat, then block any traffic deemed potentially dangerous.
The Problems with WAF
A WAF is only as good as the rules and signatures in its database. There are two major problems with WAFs:
- Too many attacks get through the WAF undetected.
- They generate too many false positives in an effort to stop attacks from getting through, and as a result, block legitimate traffic and frustrate users.
Cloudflare’s idea is to analyze traffic with machine learning so as to flag activity that resembles a known threat but does not resemble a signature closely enough to trigger rules-based blocking. Probabilities can be assigned indicating the likelihood that HTTP traffic contains malicious code. This may help WAF companies identify threats more quickly – but there will still be plenty of new threats that sneak through before there is sufficient data to identify all the variations on a freshly-minted bit of malware.
Significantly, since the models are probabilistic, the number of false positives is likely to increase further, which will further frustrate users for whom false positives are already a big problem.
Many companies run their WAFs in “alert only” mode, because having too many legitimate requests blocked imposes a higher security productivity tax than users are willing to bear. Even in “alert only” mode, the false positives issue is far from benign: the high volume of alerts creates unnecessary work for IT staff and the WAF becomes the “boy who cried wolf.” Alerts – even those that should be heeded – end up being ignored.
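To make the rules-and-signatures mechanism and its false-positive trade-off concrete, here is an added toy example (not Cloudflare’s, ZTEdge’s or any vendor’s code): a handful of constructed regex signatures for the attack classes named above, applied to constructed sample requests that carry a ground-truth label. The same rules are run in block mode and in “alert only” mode, and the tally shows how many legitimate requests the signatures flag either way.

```python
import re
from dataclasses import dataclass

# Constructed, deliberately simple signatures (hypothetical; not any real WAF's rule set).
RULES = [
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str
    body: str


def inspect(req, mode="block"):
    """Apply every signature to the request text.

    Returns {"action": "allow" | "block" | "alert", "rules": [matched rule names]}.
    In "alert" mode a hit is logged but the request is still let through.
    """
    text = " ".join([req.path, req.query, req.body])
    hits = [name for name, pattern in RULES if pattern.search(text)]
    if not hits:
        return {"action": "allow", "rules": []}
    return {"action": "block" if mode == "block" else "alert", "rules": hits}


# Constructed sample traffic: (request, is_attack). The ground-truth label lets us
# count false positives, which a real WAF operator only discovers from user complaints.
SAMPLE = [
    (Request("GET", "/search", "q=laptop", ""), False),
    (Request("GET", "/search", "q=' OR 1=1 --", ""), True),
    # A forum post asking a SQL question: legitimate, but it contains "UNION SELECT".
    (Request("POST", "/forum/post", "", "How do I write a UNION SELECT in Postgres?"), False),
    (Request("GET", "/docs", "page=../../etc/passwd", ""), True),
    # A comment quoting a relative path: legitimate, but it contains "../".
    (Request("POST", "/comment", "", "Docs folder is at ../shared/docs"), False),
    (Request("GET", "/news", "q=<script>alert(1)</script>", ""), True),
]


def evaluate(samples, mode="block"):
    """Tally detections, false positives, misses and blocked legitimate requests."""
    stats = {"true_positive": 0, "false_positive": 0, "false_negative": 0,
             "blocked_legit": 0, "alerts": 0}
    for req, is_attack in samples:
        decision = inspect(req, mode)
        flagged = decision["action"] != "allow"
        if flagged:
            stats["alerts"] += 1
            if is_attack:
                stats["true_positive"] += 1
            else:
                stats["false_positive"] += 1
                if decision["action"] == "block":
                    stats["blocked_legit"] += 1
        elif is_attack:
            stats["false_negative"] += 1
    return stats


def precision(stats):
    """Share of alerts that were real attacks; the rest is analyst time wasted."""
    total = stats["true_positive"] + stats["false_positive"]
    return stats["true_positive"] / total if total else 0.0


if __name__ == "__main__":
    for mode in ("block", "alert"):
        s = evaluate(SAMPLE, mode)
        print(f"{mode:5s} mode: {s}  precision={precision(s):.2f}")
```

With this sample, both modes raise five alerts of which two are false positives (precision 0.60). In block mode the two legitimate requests are actually blocked; in “alert only” mode nothing is blocked, but the operator still has to triage the same five alerts, which is the “boy who cried wolf” cost described above. Tightening a pattern to remove a false positive typically widens the gap for attacks the signature no longer matches, which is the tension the text describes.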
The Zero Trust, Preventative Solution to Threats to Web Apps
A better approach is to strengthen detection-based technology by adding a Zero Trust solution.
Instead of relying on detecting known threats or guessing – albeit intelligently – at possible novel ones, ZTEdge Web Application Isolation (WAI) defends vulnerable data and systems by treating all traffic as potentially harmful. It isolates your public or private web and cloud apps in a secure environment that keeps malware, ransomware and other malicious code air-gapped away.
WAI also cloaks app surfaces from hackers’ view so they cannot identify vulnerabilities to exploit. Since it is not detection-based, zero-day vulnerabilities are blocked just as effectively as those that are known.
WAFs have their place since plenty of known threats are out in the wild. But for protecting apps against zero-day threats, misconfigurations and other OWASP Top 10 threats, WAI is essential.
Protecting Apps from Unmanaged Device Risk
Threats arriving via web requests are only one source of risk to your apps. Unmanaged devices, whether BYOD devices with which your own users access corporate data and apps when working from home, or those used by third-party contractors, may be infiltrated by malicious actors and co-opted to access or download sensitive data, steal user credentials, or deliver malware to your network and apps.
WAI empowers organizations to restrict access from unmanaged devices solely via an isolated, secure web environment, where granular app access controls and data use policies can be enforced. Users access the apps they need via their preferred browsers on their unmanaged devices, without having to install and update software or agents.
To discover additional simple ways to protect your web apps, SaaS and cloud apps and the data they hold, request a demo today.