Illusive Safety: How to Tell If Your WAF Is Actually Secure
The 2018 Trustwave Global Security Report took a close look at one hundred IT companies and found that each one of them had at least one security vulnerability – but mostly more.
This is a gentle reminder that your company is also vulnerable to exploits. Even the best security practices during development and deployment can’t account for all the threats. There are just too many ways to exploit web applications, and the number grows by the day.
Security Equals Strategy
The 2019 report by the National Cyber Security Alliance was not particularly hopeful for IT companies either. 28% of the respondents dealt with a data breach at least once within the last year, and one in four companies had to file for bankruptcy because of that. 10% went out of business completely.
The main point here is this: if you don’t invest enough resources into security, you are abandoning the long-term picture of your IT business. Here are some of the reasons:
• Monetary loss. Depending on the problem, you might be able to fix it before you start losing customers. But if you’re unlucky, you’ll be out of business within a month or two.
• Permanent data loss. If it’s possible to find all the backups of your databases and delete them, it’s a potential attack angle.
• Reputation risk. A security breach can irreversibly compromise your company’s integrity in the eyes of others. It’s especially true if you’re working with other businesses: the slightest smell of an insecure system will spread like a disease.
In 2008, Heartland Payment Systems was processing over 100 million transactions a month. Riding the wave of success, the company failed to notice a time bomb in their backyard.
When a hacker used a known SQL injection exploit to obtain 134 million credit card records, it was too late to listen to security consultant’s warnings (of which there had been plenty).
The breach cost Heartland $145 million dollars and resulted in a year of limited operation due to payment processing restrictions.
Poor security puts the integrity of your business at risk. More often than not, that risk is invisible – which might be twice as dangerous. Thankfully, it’s also preventable.
One of the most cost-effective security solutions is a WAF, which stands for Web Application Firewall. It’s an all-in-one tool that serves as a protective layer between an app and the internet.
A good WAF utilizes advanced mechanisms to detect, block, and log all kinds of security exploits. Developed by cybersecurity experts and employing top-of-the-line technology, good WAFs stand at the forefront of IT security.
Effective WAFs achieve a microscopic False Positives and False Negatives percentage, thus keeping legitimate requests untouched while preventing real attacks from reaching your systems.
Picking a Secure WAF
The landscape of exploits grows larger every day. People are ingenious when it comes to breaking things, so the security mechanisms of today might be insufficient tomorrow.
It’s important to use a WAF that employs a strategic approach to protect your app from both existing and future exploits.
How WAFs Identify Threats
There are four main approaches to detecting exploits: signature policy, behavior analysis, logical analysis, and machine learning. Depending on the WAF you choose, it might utilize one, two, or all of the above.
The majority of attacks are being handled by a signature policy, which serves as the first line of defense. A signature policy is a set of rules and patterns that are designed to catch the most common exploits.
In order for it to be effective, it has to be developed by security experts and constantly updated to account for new attack vectors.
Unfortunately, it’s still not enough. The ways to go around the rules are plenty.
Let’s take an example of an SQL injection attack attempting to call UNION SELECT (a command to fetch the records from the SQL database). Although blocked in its standard form, the attack can still go through. Here are some methods to achieve a False Negative result:
Obfuscating the string:
Splitting the string between the parameters (HTTP Parameter Pollution):
Altering the case:
Encoding a string:
The example above is just scratching the surface of all possible methods to break past a signature policy. It’s extremely difficult to define the rules for all edge cases, which is why some WAFs are vulnerable to such exploits if they only use a signature policy.
Another problem with a signature policy is scoring.
Rules are not always binary. If you forbid the usage of the word UNION altogether, you will end up blocking real requests. The usual solution is to assign a score based on the context the string is used in.
For example, the following malicious string will probably get a high score because of the use of ORDER and BY (SQL operators to sort the database records):
The next string, however, is completely safe – but it might still score really high and get rejected:
The New World Order is a book written by H. G. Wells
As you can see, the drawbacks of a signature policy approach are plenty. It’s an important WAF security mechanism that rejects the most common attacks, but it’s certainly far from impenetrable.
What makes security policy more malleable is the behavior analysis approach. Instead of working with a single request, it works with sequences of requests.
This dynamic approach is based on a specific behavioral model. The rules are still pre-defined, but they are designed to recognize patterns that have no specific attack vector.
For instance, here’s what an attempt to find an SQL injection vulnerability may look like:
index.php?id=1 and sleep(5)
A security policy might not categorize some of the requests above as threats and therefore let them through. But behavior analysis will inspect the sequence as a whole and identify it as malicious.
The best WAFs use AI to compensate for the drawbacks of the previous approaches. This approach utilizes Machine Learning to create data models and build learning algorithms around various data sets. It’s dynamic, adaptive, and highly reliable.
Machine Learning allows WAFs to adapt to context-specific scenarios in real-time, as well as improve the behavior rules and the strength of a signature policy.
Machine Learning can employ either inductive or deductive learning mechanisms. The inductive method works from the specifics towards a general pattern. Deductive learning is the opposite, analyzing a broad landscape and making specific decisions based on the patterns it finds.
Security experts combine learning algorithms with data sets to create a model. In turn, models are trained on the data they receive – which is also how they adapt and expand.
For example, when edge cases are grouped into a separate data set, it leads to new patterns.
Some companies use a sophisticated method usually referred to as logic-based threat analysis. In a nutshell, it combines pre-defined rules of various complexity that are coupled with heuristic and semantic analysis.
With heuristic analysis, the focus lies on unknown threats. The system compares a request with known vulnerabilities, thus preventing known exploits even when the implementation of a malicious request is new.
Semantic analysis works similarly to the behavior and ML detection methods. Specific requests are generalized and categorized depending on their structure and other patterns.
The Core Mechanisms
The combination of a good signature policy, behavior and logic-based analysis, as well as ML is the best way to ensure the least amount of False Negatives and False Positives in a WAF.
Each approach compensates for each other’s weaknesses. Behavior analysis makes sure the Signature Policy doesn’t miss a bigger picture, while logic-based algorithms and Machine Learning work with edge cases and application-specific environments.
Traits of a Good WAF
Additionally, there are several security aspects to consider when choosing a WAF:
• If you’re working with payments and sensitive information, PCI DSS Compliance is a must for creating a secure, strictly defined processing environment.
• Make sure a WAF is using both Positive and Negative security models. A negative model defines the blocking rules while a Positive one defines how legitimate requests look like.
• Server response inspection is a must. It allows you to prevent sensitive data leaks in case an attacker finds a way in and attempts to steal data from your application.
• An extra convenient feature is virtual patching, which is a way to adjust security rules in real-time without modifying the application itself.
Cybersecurity is a highly dynamic and complex field. In most cases, dealing with it on your own is ineffective and costly (not to mention the risks involved), which is why WAFs have become a must-have tool for web applications.
An effective WAF should utilize diverse detection methods: signature policy, behavior and logic-based analysis, and Machine Learning.
In this case, effective means having the least amount of False Positives and False Negatives. These metrics tell you how good a WAF is at detecting real threats and letting legitimate requests through.
Last but not least, you should always consider the needs and specifics of your application. The best WAF is the one that is either built for your use case or is flexible enough to adapt to it.