Web application firewalls do not protect cloud native applications
Your web application firewall (WAF) buzzes around the edges of your network, faithfully blocking malicious attacks before they can do any harm.
Better yet, it’s a New Generation WAF (NG-WAF). It consists of signatures, rules, and a pinch of machine learning to protect your apps (and user data) from damage. You’ve got it covered, haven’t you?
You are a security expert. You don’t take anything at face value. How can you be sure that your applications are protected?
What if you have cloud native applications: microservices, HTTP requests flowing, multiple touchpoints for each user request? Can an NG-WAF protect all these applications from external and internal attacks?
We have looked into the answer. Let’s take a look at what NG-WAFs do well, what they struggle with, and whether any solution makes up for their shortcomings.
The challenge of traditional web application firewalls
According to OWASP:
A “Web Application Firewall (WAF)” is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
Modern apps are more transparent than traditional web apps. With a focus on speed and agility of development – continuous integration and continuous delivery (CI/CD) and DevOps replacing the waterfall development model – developers tend to use open source projects to save development time and cost.
This transparency, ease of access, and detailed documentation make modern applications attractive targets. Frequent changes in applications make it almost impossible to detect and secure every vulnerability.
WAFs have added new features over the years, but the backbone of their detection still lies in their signatures or rules. The question is, are WAFs a good fit for the needs of cloud native applications?
Applications have moved from massive monoliths to microservices and distributed architectures. They now live in virtually any combination of public, private, or hybrid cloud. The new challenges and threats introduced by distributed architectures gave birth to NG-WAFs.
Network firewalls have undergone a similar transition, where Next Generation Firewalls (NGFWs) introduced a new way of examining traffic, with deep packet inspection and attack-focused detection models.
New generation WAFs are commonly defined by three main characteristics:
- Detection based on the application and on the behavior of the attacker.
- Going beyond signatures to identify anomalies and the underlying actions of attackers.
- Cloud native deployment supporting various cloud platforms, APIs, and microservices architectures.
What NG-WAFs Solve
NG-WAFs propose to solve the new problems introduced by the evolution of application architectures.
Let’s start by looking at what NG-WAFs do well.
Increased cost for attackers
Attackers have a distinct advantage: they don’t play by the rules.
We live in an age where you can connect almost any device in your home to the Internet. Unfortunately, many IoT devices ship without basic security measures, which means attackers are salivating over the opportunity.
Malicious actors try to hide their origin and escape detection using an army of “bots”. Yes, they attack you with DVRs, cameras, and bulbs.
NG-WAFs take a new approach of correlating such behavior to detect attackers and block them, increasing the cost to attackers and partially deterring script kiddies.
Layered protection: defense in depth
Defense in depth increases system security by using a multi-layered approach with intentional redundancies. It is commonly referred to as the “castle approach” because it reflects the layered protection of a medieval castle. If one layer fails, another waits to take its place.
NG-WAFs have evolved to protect at multiple levels, including the traditional perimeter and the new approach to integrating alongside applications. These layers make the job of an attacker much more difficult and expensive.
Machine learning and behavioral analysis with automated policy learning
NG-WAFs bring together the detection of multiple applications to understand attackers from a broader perspective and assess them in a contextual way. Using machine learning and behavioral analysis on aggregated data, NG-WAFs automatically disable signatures that would trigger false positives and update application policies accordingly.
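As an added example (not code from the original post or from any WAF vendor), here is a minimal rule engine in Python in the OWASP sense of a WAF: a set of regular-expression rules applied to the parts of an HTTP request, plus the feedback loop described above, which switches a rule off once most of its hits have been reported as false positives. The rule names, patterns, thresholds and request traffic are all constructed for illustration. The walkthrough also shows the cost of that automation: once the XSS rule is suppressed because a template editor legitimately submits script tags, the same probe that was blocked earlier passes through unchallenged.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed rule set: each rule is a named regex applied to the request surface.
# Real WAF rule sets are far larger; these four are only for illustration.
RULES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "sqli-union": re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class RuleEngine:
    rules: dict
    disable_threshold: float = 0.5  # disable a rule once more than half its hits were benign
    min_hits: int = 4               # but only after it has fired often enough to judge
    hits: dict = field(default_factory=lambda: defaultdict(int))
    false_positives: dict = field(default_factory=lambda: defaultdict(int))
    disabled: set = field(default_factory=set)

    def inspect(self, req):
        """Return the names of the enabled rules that match any part of the request."""
        surface = "\n".join([req.path, req.query, req.body])
        matched = [name for name, rx in self.rules.items()
                   if name not in self.disabled and rx.search(surface)]
        for name in matched:
            self.hits[name] += 1
        return matched

    def report_false_positive(self, rule_name):
        """Feedback that a hit was benign; automatically suppresses rules that are mostly noise."""
        self.false_positives[rule_name] += 1
        total = self.hits[rule_name]
        if total >= self.min_hits and self.false_positives[rule_name] / total > self.disable_threshold:
            self.disabled.add(rule_name)


def walkthrough():
    """Constructed traffic: three probes, benign traffic, then editor saves that trip the XSS rule."""
    engine = RuleEngine(RULES)
    results = {}
    probe = Request("GET", "/search", query="q=<script>alert(1)</script>")
    results["xss_probe"] = engine.inspect(probe)
    results["sqli_probe"] = engine.inspect(Request("POST", "/login", body="user=admin' OR 1=1--&pass=x"))
    results["traversal_probe"] = engine.inspect(Request("GET", "/files", query="name=../../etc/passwd"))
    results["benign"] = engine.inspect(Request("GET", "/products", query="q=blue+shoes"))
    # A page-template editor legitimately submits script tags; each hit is reported as benign.
    for _ in range(4):
        hit = engine.inspect(Request("POST", "/admin/templates", body="html=<script src=/app.js></script>"))
        for name in hit:
            engine.report_false_positive(name)
    results["disabled"] = sorted(engine.disabled)
    # The rule is now off for every endpoint, so the original probe is no longer caught.
    results["xss_probe_after"] = engine.inspect(probe)
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The suppression is deliberately per rule rather than per endpoint, which is the simplest form of the policy learning described above and exactly why it becomes a gap: the false positives came from one admin endpoint, but the rule is disabled for the public search endpoint too.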
Ideally, you want to identify and fix every vulnerability found in your code. But real business situations dictate that not all vulnerabilities will be fixed quickly or at all.
Some NG-WAFs support virtual patches to prevent attackers from exploiting critical vulnerabilities until an official patch is available.
Cloud native support
NG-WAFs now support deployment in public, private or hybrid cloud. They integrate with containerized deployments so that protection scales natively and resiliently alongside the application. They distribute nodes around the world to maximize coverage without increasing latency.
What NG-WAFs have not solved
NG-WAFs have made progress in securing applications. They used defense in depth to make successful attacks more and more difficult to achieve.
They incorporated new architectures and virtual patches to fit the pace and style of current application development. But they haven’t solved all the problems.
Now let’s look at what NG-WAFs are missing, and how those gaps can open holes in your security.
Motivated attackers can bypass NG-WAFs
WAFs introduce obstacles for hackers and penetration testers by making finding and exploiting vulnerabilities more resource intensive. However, an experienced hacker or a sufficiently motivated researcher would probably be able to find ways around them.
As an application’s use cases grow more complex, operators often have to disable the defenses that produce too many false positives. The more complex a web application, the larger its attack surface and the easier it is to find a workaround.
NG-WAFs are vulnerable to abuse of business use cases
The same application deployed in different contexts exhibits different behavior. Requests harmful to one application may be perfectly normal for the other because user behavior varies for each case.
NG-WAFs do not have a complete picture of application usage – they cannot see the business use case. Attack patterns remain hidden in normal traffic and nested protocols. Eventually, the attacker can adapt to the business traffic and bypass NG-WAFs, resulting in a window of vulnerability and delayed detection of breaches. Simple implementations that try to detect such abuse of use cases often result in a high rate of false positives and false negatives. In addition, customers rarely use all of the features and rules available in modern NG-WAFs.
Machine learning and behavioral analysis are limited to perimeter defense
NG-WAFs evolved from WAFs and are based on a “perimeter defense” model: they only protect against malicious traffic coming from outside the network. However, this model fails if an attack comes from within, which is common given the wide variety of ways that users can connect to an internal network.
The new normal of working from home, and the increased risk it brings from insider threats, has led companies to adopt the Zero Trust model. It is essential to monitor external traffic as well as the internal flows and state of applications.
Missing runtime protection
Malicious hackers attack all levels of the application stack, be it the web, memory, or database. By design, NG-WAFs are limited to the edge of the application and cannot protect the application at runtime. Knowing this, an attacker can also bypass virtual patch defenses once the vulnerability is known, by changing their attack method or by mixing the attack into business traffic.
Monitoring blind spots
Monolithic applications get their visibility from logging frameworks. Want to know what’s going on? There is only one place to check.
Modern microservice-based, serverless applications have advantages for application development, but there is also the cost of reduced visibility. You can monitor each service individually, but you can quickly lose sight of the overall behavior of the system.
A single request to the modern app can create a chain of behind-the-scenes calls. What seems simple can sometimes be incredibly complicated. For example, take a look at what happens in Netflix when you hit play on your last binge.
This call chain generates a massive amount of data along its flow path. External tools have a hard time ingesting all of it. Instead of solving this problem, most NG-WAFs limit the amount of data they capture and process, introducing blind spots that attackers can exploit to bypass them.
How to protect cloud native applications
Cloud-native microservices architectures have considerable advantages, but are also difficult to defend. Although NG-WAFs have made some progress, they still fail in several crucial areas. To fully protect your cloud native applications, you should look for a solution that transparently offers both security observability and intelligent threat detection. Look for solutions that offer:
- End-to-end distributed tracing and visibility, increasing the accuracy and depth of attack detection at no additional cost
- Features that set baselines for user behavior, API logic, and data flow to identify anomalies
- The ability to block abuse of business use cases, insider attacks and threat actors, even in distributed systems
- Visibility that provides a complete picture of how data (especially sensitive business and personal data) moves through your application, so you can see problem areas before they turn into exploits
- Discovery and protection of the complete ecosystem of your microservices
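The blind spot described in the previous section, and the tracing-based anomaly detection the list above asks for, as an added example in Python (constructed data and logic, not Traceable’s product or code): each span carries the trace id, the service, the authenticated user propagated with the trace and, for internal services, the owner of the record that was touched. At the edge, a request for another user’s order looks identical to a legitimate one, so there is nothing for a perimeter rule to match; only the reconstructed call chain shows the ownership boundary being crossed, and a per-user baseline of cross-owner reads flags the account. The service names, users and spans are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Span:
    trace_id: str
    service: str
    operation: str        # what the service did, e.g. "GET /orders/1001"
    user: str             # authenticated principal propagated with the trace
    resource_owner: str   # owner of the record touched; "" where the service resolved none


GATEWAY = "api-gateway"

# Constructed trace data (not from any real system). Each trace is one user-facing
# request fanned out across three services. Only the internal services know who
# owns the record that was read; the gateway sees a path and a user.
SPANS = [
    Span("t1", GATEWAY, "GET /orders/1001", "alice", ""),
    Span("t1", "orders-svc", "GET /orders/1001", "alice", "alice"),
    Span("t1", "billing-svc", "GET /invoices/1001", "alice", "alice"),
    Span("t2", GATEWAY, "GET /orders/2001", "bob", ""),
    Span("t2", "orders-svc", "GET /orders/2001", "bob", "bob"),
    Span("t2", "billing-svc", "GET /invoices/2001", "bob", "bob"),
    # Same endpoints, same shape at the edge, but the records belong to other users.
    Span("t3", GATEWAY, "GET /orders/1001", "mallory", ""),
    Span("t3", "orders-svc", "GET /orders/1001", "mallory", "alice"),
    Span("t3", "billing-svc", "GET /invoices/1001", "mallory", "alice"),
    Span("t4", GATEWAY, "GET /orders/2001", "mallory", ""),
    Span("t4", "orders-svc", "GET /orders/2001", "mallory", "bob"),
    Span("t4", "billing-svc", "GET /invoices/2001", "mallory", "bob"),
    Span("t5", GATEWAY, "GET /orders/3001", "carol", ""),
    Span("t5", "orders-svc", "GET /orders/3001", "carol", "carol"),
    Span("t5", "billing-svc", "GET /invoices/3001", "carol", "carol"),
]


def group_by_trace(spans):
    traces = defaultdict(list)
    for s in spans:
        traces[s.trace_id].append(s)
    return traces


def call_chain(spans, trace_id):
    """Reconstruct the behind-the-scenes call chain of one user-facing request."""
    return [f"{s.service} {s.operation}" for s in group_by_trace(spans)[trace_id]]


def edge_view(spans, trace_id):
    """What a perimeter device sees of the request: the gateway span only, with no ownership."""
    return [s.operation for s in group_by_trace(spans)[trace_id] if s.service == GATEWAY]


def cross_owner_accesses(spans):
    """Per user, count the internal spans that read a record owned by someone else."""
    counts = defaultdict(int)
    for s in spans:
        if s.service != GATEWAY and s.resource_owner and s.resource_owner != s.user:
            counts[s.user] += 1
    return dict(counts)


def cross_owner_rate(spans, user):
    """Fraction of a user's internal reads that crossed an ownership boundary (0.0 for normal use)."""
    reads = [s for s in spans if s.service != GATEWAY and s.user == user and s.resource_owner]
    if not reads:
        return 0.0
    return sum(1 for s in reads if s.resource_owner != user) / len(reads)


def flag_users(spans, max_rate=0.0):
    """Users whose cross-owner read rate exceeds the tolerated baseline."""
    return [u for u in sorted({s.user for s in spans}) if cross_owner_rate(spans, u) > max_rate]


if __name__ == "__main__":
    print("edge view t1:", edge_view(SPANS, "t1"))
    print("edge view t3:", edge_view(SPANS, "t3"))   # identical at the perimeter
    print("chain t3:", call_chain(SPANS, "t3"))
    print("flagged:", flag_users(SPANS))
```

The baseline here is the simplest possible one (a legitimate user reads only their own records, so any cross-owner read is anomalous); a real deployment would learn a tolerated rate per role and endpoint, since support staff or admins legitimately read other users’ data, and would weight the internal spans by the sensitivity of the data they return.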
If you want to learn more about TraceableAI, you can watch a recorded demo of Traceable in action.