Customer dissatisfaction with WAFs stems from various factors including cost (as highlighted in our previous blog) but what about security and performance?
It’s very possible organizations are not using their WAF to its fullest potential. A common and rather concerning trend among recent WAF studies are many organizations keep their WAF on detection (or bypass) mode only:
- 43% of respondents in a survey by the Ponemon and Sullivan institutions said they rely on WAFs to generate alerts, while 35% use them for detection and blocking. Only 22% use them for both functions.
- Users complained that lots of attacks are bypassing their WAFs, even though only slightly over 40% use their WAF for blocking.
These are interesting finds considering security and performance is a common compliment among WAF users. 66% of respondent organizations consider WAF as a critically important security tool but it’s clear that there is a disconnect between organizations understanding the need to invest in a WAF and actually utilizing a WAF correctly to prevent cyberattacks and data breaches.
According to Ponemon, “65% of users experienced attacks bypassing their WAFs and only 9% of users said that their WAFs have never been breached.” Despite some organizations never experiencing a data breach, there is no guarantee it won’t happen in the future. Organizations are right to be concerned with the security and performance of their WAFs.
WAFs can be configured to run in three modes: bypass, detection, and prevention (or protection) mode. In bypass mode, it means you have turned off any WAF rule completely. In bypass and detection mode only monitors traffic and lets you see what kind of cyberattacks or exploits are happening against your web applications. In detection mode, incoming requests are not blocked.
Prevention mode, on the other hand, does take specified action when an incoming request matches one of your security policies. In other words, incoming traffic that is identified as an attack by the WAF is blocked.
In both modes, incoming requests identified as attacks are recorded in the WAF logs. Simple configurations such as switching between detection and prevention mode should be handled by your system administrators.
Security & Performance
According to Forrester, many WAFs are struggling to encompass a “broader range of application attacks.” The ideal WAF should be able to adapt to evolving attacks, recognize anomalies in data patterns over time, and respond effectively to attacks. But as many organizations know, WAFs are not created equal. Traditional WAFs, for example, may rely on blacklist models (which blacklist signatures) but this typically results in more false negatives.
False positives and false negatives
False positives and false negatives are important indicators of a WAF’s performance. False positives are legitimate requests the WAF mistakenly detects as malicious traffic and wrongly blocks that traffic. Meanwhile, false negatives are malicious requests that are not detected nor blocked by the WAF and pass through as legitimate traffic.
It’s crucial that a WAF filters the “wrong” traffic into a website while ensuring that the “right” visitors can access the necessary web applications. In other words, a WAF with a lower false positive rate is more “accurate” in filtering out the ‘wrong’ among the “right” traffic.
Underperforming WAFs with high false positives, on the other hand, means these WAFs cannot distinguish sophisticated web attacks and are letting the malicious traffic pass through without blocking them. This may be due to either a weak threat detection engine or specific WAF configurations that have not been set up properly. Some outdated or “mis-managed” WAFs may not stay up to date with rules to handle newer types of web attacks.
Fortunately, innovation is widespread in the WAF market with the integration of new technologies like AI to combat the concern of high false positives. Gone are the days of blacklists and whitelists. Slowly but surely, pattern-matching techniques are becoming a thing of the past too.
Signature-less detection methods, which require no signature updates, are gaining traction; Signature-less detection methods based on logic and/or intent, analyzes the code of the attack to understand the purpose of web attacks. This new detection methodology requires a higher level of technology, and are much more effective in blocking modified or unknown attack patterns (i.e. zero-day exploits) without a need for a constant signature and WAF ruleset updates.
Compliant WAF can mean many things. Many organizations will choose to invest in a WAF for compliance standards like PCI-DSS, HIPAA, etc. In fact, 34% of WAF users have claimed that compliance is the main mission of the WAF, as opposed to vulnerability mitigation and/or protection against web attacks.
Just because a WAF is being used to meet compliance standards does not mean that the organization is being protected from cyberattacks. Nor does it mean that it will be easy to reproduce audit reports on the part of the organization.
Compliance is more than deploying a WAF in front of your web servers. It’s important to review which threats are most pressing to your organization so that you can be fully protected. If you’re using legacy systems, it’s also time to review whether your current infrastructure is able to keep up with the evolving threat landscape.
A whole article can be written about the various techniques that WAF systems use to filter traffic. Suffice to say, WAF vendors are developing or integrating newer technologies into their WAF like AI. (You can read more about the different WAF technologies in this blog post).
In a study surveying WAF customers, 72% of respondents said they wanted more intelligence and automation integrated into their WAF. 74% wanted to see “WAF functions integrated with other application security functions into an AI-powered software platform.”
Organizations will always want more from their WAFs. Those WAF vendors are continuously following the market and will continue to lead the way and surpass those WAFs that rely on traditional technologies.
Security and performance are important factors for WAF satisfaction among customers. Web application security impacts every organization, and when it comes to WAFs there are of course both good and bad WAFs.
No two WAFs are alike so it’s up to your organization to understand the security needs and WAF features that you benefit from the most. The cheapest models may not provide the most security or performance. Ultimately WAFs are an investment. (Check out our previous article that discusses WAF ROI in more detail).