Prediction Series #12: Moving WAFs to the Cloud Means Dialing Down App Security

As the Cloud Takes Over, Many Organizations Consider WAF Replacement;

Different from a traditional firewall that monitors traffic between servers, a web application firewall (WAF) filters the content of specific web applications. It’s designed to filter, monitor and block HTTP traffic to and from a web application. As such, WAFs have been viewed as a critical line of defense for enterprise application security for some time.

The concept is appealing, evidenced by the fact that stats show roughly 80% of companies are using WAFs. They initially became popular because they play a role in protecting credit card information and PCI compliance. But companies with WAFs have expressed real doubts about WAF accuracy in attack detection and ability to defend against critical attacks. Facts are emerging that WAFs in a cloud environment deliver the lowest common denominator for security.

WAFs in the cloud are easier to run but they “dumb down security”

In ordinary installations, realizing the full value of WAF security takes tremendous expertise. WAFs require constant re-configuration to avoid falling out of proper tuning. This routine must be done by someone with extensive security knowledge and WAF administrative training to ensure that as applications change, the WAF’s configuration also evolves to ensure efficacy on a continuum. Constant oversight is needed.

These demands are a challenge for many organizations and migrating applications to the cloud may seem like a relief of burdens to the staff. But in the cloud, it’s impossible to do the granular, painful application protection that network-based WAFs provide (and staff hate). Either way, WAF security hasn’t paid off for businesses.

While WAFs may be easier to manage in the cloud, the result of that easing means a dumbing down of security. Cloud providers by default include some of the same network-based security that WAFs provide, such as DDoS, but these mechanisms are woefully inadequate against today’s attacks.

For these reasons, organizations are considering WAF replacement - WAFs in the cloud do not protect applications against the full scope of modern-day, sophisticated exploit techniques, such as injections, buffer overflow, path traversal, de-serialization manipulation and attacks that weaponize at runtime. The massive Equifax breach in September of 2017 proved that having a WAF in place does more to provide a false sense of security than any actual security. The Data Breach Investigations Report (DBIR) prove the point with findings that highlighted that web applications are one of the top assets present in successful data breaches.

Fileless attacks are a security game changer

The principal challenge to most WAF strategies is the rise in evasive fileless attacks. Attacks that weaponize at runtime (WRT) are the most dangerous of fileless threats that are out there, targeting critical application components in memory. WRT attacks are fully optimized to infect libraries, affect operations, change system files and control process workflows in memory without human intervention. These attacks are especially dangerous because they avoid network-level detection. They execute immediately, directly affecting the business logic of application processes and are almost indefensible to most organizations. Because of this, attacks of this type are highly successful and becoming more frequent.

Because these threats are so efficient and effective, we predict that businesses will recognize in 2019 the need to seek other, newer technologies to protect their web applications. Ongoing publicizing of cyberattacks will fuel this awareness and heighten their motivation to find more effective security measures to protect their vital web applications and data in the cloud.


Further resources:

White paper: Why Web Application Firewalls Are Not Enough

White paper: White Paper: Making Applications Truly Self-Defending