Out with the WAF, in with the WAAP | Imperva


Advanced attacks call for advanced protection

Bad actors are constantly discovering new attack vectors to exploit applications. To meet the threat, organizations need enterprise-level security now more than ever. Traditionally, implementing a Web Application Firewall (WAF) was enough to secure organizations from most application attacks. As application development becomes more complex, so do attack vectors, and WAFs can’t keep up. Organizations need to think beyond traditional protection measures and determine whether their security tooling accounts for API security, DDoS attack mitigation, account takeover (ATO) attacks, and bad bots.

Today, organizations need a robust suite of scalable tools that protects applications from the most advanced attacks and threats; specifically Web Application and API Protection (WAAP). In this post, we’ll explain why traditional security solutions aren’t cutting it, why WAAP is critical to application security, and why not all WAAPs are created equal.

What is WAAP?

WAAP is a term coined by Gartner that describes cloud-based services that protect applications and APIs against attacks. WAAP is the next generation of WAF; it provides advanced application security that protects websites from even the most complex attacks. WAAP is a suite of tools that includes next-generation WAF, API security, advanced bot protection, and DDoS protection. Combined, these tools present a powerful force against the most sophisticated threats and attacks.

Why your WAF is not enough

WAFs have been the standard application security solution for decades. The WAF is a reverse-proxy server that acts as a middleman between a web application and users. User requests are passed to the WAF, where they are inspected for malicious characteristics before being passed to the application. WAFs are useful in protecting against many familiar threats, such as SQL injection, cross-site scripting (XSS), and buffer overflow attacks.

WAFs heavily rely on signatures to detect and block attacks. Signatures contain patterns that are components of a known attack. This means that when an attacker targets a website using a common attack vector, like SQL injection, the WAF identifies the attack pattern, knows what kind of attack is being used, and can apply the correct policies to mitigate the bad traffic generated. Using signature-based security policies comes with some advantages; it’s easy for WAF vendors to create and update signatures when new attacks are discovered. If a signature-based policy has been thoroughly vetted in a customer’s environment, it usually has low false positive rates.

While WAFs have been instrumental in the fight against cyber attacks, there is a common misconception that WAFs are adequate to protect applications. Unfortunately, that’s not the case. Where WAFs fall short is in recognizing unknown threats in real time, especially when it comes to bots.

Bots are notoriously difficult to identify. They have become significantly more advanced over the last few years and are able to mimic human behavior. This makes it very difficult to distinguish between human and bot traffic. Bots are also highly distributed. They do not follow the same patterns that WAFs were created to identify; bots don’t have attack signatures. Instead of targeting known vulnerabilities, bots target flaws in site logic. This means that WAFs cannot easily identify bots or botnets, which rotate through thousands of IP addresses to bypass IP-based policies. This insufficiency leaves organizations at far greater risk for DDoS attacks.

For WAFs that cannot identify bots, bot management quickly becomes a nightmare. Bots continuously evolve and re-tool to bypass WAF policies. Since WAFs cannot learn in real time, security teams must create one-off rules to address attacks after they’ve already happened. Because bots are always changing, it’s likely that when an organization is attacked by bad bots again, these bots will have evolved to bypass that one-off rule that was previously set up. In our 2022 Bad Bot Report, the Imperva Threat Research Team discovered that bad bots comprise 27.7% of online traffic. With bad bot traffic on the rise, organizations are at risk if they’re solely relying on WAFs to detect and block malicious traffic.

WAFs cannot adequately protect APIs, either. APIs usually follow a different kind of logic and architecture than traditional web applications, making it difficult for WAFs to block attacks against them. Similar to bot attacks, many API attacks do not have signatures, so they are more difficult for a WAF to detect. For example, a WAF does not protect against Broken Object Level Authorization (BOLA), the number one vulnerability in the OWASP API Top 10. BOLA occurs when a user is able to directly access resources they should not have access to. By changing user input, such as a value in a form or cookie, a bad actor gains access to these resources. Because the API does not check whether this user should be able to access a resource before granting access, bad actors can take advantage of it. This is a business logic attack and looks like legitimate traffic to a WAF, so the WAF doesn’t block it.
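As an added illustration (not code from this post or from Imperva), the constructed endpoint below shows the BOLA flaw just described next to its fixed form, alongside a toy signature check of the kind the earlier WAF section describes: the offending request contains no attack pattern, so only the server-side ownership check catches it. All user names, invoice ids and signatures are constructed for the example.

```python
# Added example (not Imperva code): a minimal API handler with the BOLA flaw
# the post describes, beside the fixed version. All data is constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Invoice:
    invoice_id: int
    owner: str
    total: float


# Constructed sample data: two authenticated users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 89.50),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Tuple[int, Optional[dict]]:
    """BOLA: the handler trusts the object id taken from the request and never
    checks that the authenticated session user actually owns that object."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, {"invoice_id": inv.invoice_id, "owner": inv.owner, "total": inv.total}


def get_invoice_secure(session_user: str, invoice_id: int) -> Tuple[int, Optional[dict]]:
    """Fixed: authorization is decided per object on the server, from the
    session identity, never from a value the client can edit."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        # Same answer for "missing" and "not yours" so ids cannot be enumerated.
        return 404, None
    return 200, {"invoice_id": inv.invoice_id, "owner": inv.owner, "total": inv.total}


def signature_waf_verdict(request_line: str) -> str:
    """Toy signature matcher: it can only flag known attack patterns present in
    the request bytes. A BOLA request (just a different id) carries none."""
    signatures = ("' or 1=1", "<script", "../")  # constructed, illustrative only
    lowered = request_line.lower()
    return "block" if any(sig in lowered for sig in signatures) else "allow"
```

Note that bob's request for invoice 1001 passes authentication and rate limiting just as an API gateway would allow it; only the object-level check in the handler distinguishes it from his own legitimate request.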

WAFs are also not conducive to a positive security model. Traditional WAFs were created to enforce a negative security model, which means that security teams needed to identify all the characteristics of undesirable traffic to enable the WAF to block it. With new attacks and zero-day vulnerabilities being discovered every day, security teams are under the gun to update WAF policies to account for new threats and vulnerabilities. This puts security teams in a reactive position. Since WAFs require a lot of manual tuning, it is nearly impossible to keep up with attacks without blocking legitimate traffic.

So, a WAF isn’t going to cut it, but I also have an API gateway!

APIs are more popular than ever; their ease of use and scalability have made them a cornerstone of application development. According to Gartner, over 50% of B2B transactions will be performed via real-time APIs rather than traditional means by 2023. This rise in APIs introduces new attack vectors. Gartner predicts that API abuse will become the most common attack vector in 2022. Since WAFs cannot protect against API attacks, organizations must find a different solution. To mitigate API attacks and address the difficulty of API management, many organizations have implemented API gateways. These gateways take all API calls from clients and route them to the appropriate location.

API gateways are not a substitute for API security tools. These gateways are management tools; they are not security-focused. The security features of API gateways are primarily focused on authentication, authorization, and rate limiting, which does not protect against the OWASP API Top 10 vulnerabilities. API gateways are primarily focused on protecting the entry point to APIs; they do not monitor what happens after access is granted to an API. These gateways can also be fooled by compromised or forged credentials, leaving organizations at risk if used as their primary API security tool.

WAAP to the rescue

If WAFs and API gateways aren’t protecting organizations from sophisticated attacks, where does that leave security teams? WAAP is the new solution in the fight for application security. Composed of Next-Gen WAF, API protection, DDoS protection, and advanced bot protection, this suite of tools provides the solution required to take on a threat landscape growing in size and sophistication. WAAPs are well-oiled machines that shield companies from even the most complex attacks.

Unlike traditional WAFs, WAAPs provide sophisticated detection and remediation capabilities against a myriad of attacks. Next-Gen WAFs utilize machine learning to detect and block attacks. Unlike their predecessor, they are no longer limited to signature-based detection. These automation capabilities increase efficiency; security teams no longer need to manually tune rules to account for new attacks. Advanced bot protection tools protect organizations from sophisticated bot attacks, including DDoS and ATO. They are able to differentiate between bot and human traffic, ensuring that only legitimate traffic passes through to your application. Bot protection can also detect and block credential stuffing attacks. DDoS protection solutions can detect botnets and stop them before they slow down or crash your website. Finally, API security provides insights into and protection of your API ecosystem that are not possible with a traditional WAF and API gateway alone. API security provides protection against API vulnerabilities, including the OWASP API Top 10. This tooling can perform discovery and shed light on any shadow APIs IT teams may have.

A WAAP is more than the sum of its parts

Although all WAAPs may seem similar, they are not all created equal. Organizations should be vigilant about finding a WAAP that protects their applications and has a low total cost of ownership (TCO). Not all vendors take the same approach to WAAP, which means customer experiences will vary.

What makes a good WAAP? It starts with your technology partner. Organizations should prioritize partners that provide exceptional customer service, value the customer-partner relationship, and have advanced technology that addresses all WAAP use cases. They should also have robust infrastructure with PoPs capable of handling all WAAP functionality. This tooling should be available as a single-stack solution. Each component of WAAP should integrate seamlessly with the others, be easy for customers to understand, block attacks while allowing legitimate traffic through, provide insights into a customer’s environment, minimize false positives, and increase efficiency.

The value of a suite of tools that work well together to create a comprehensive solution cannot be overstated. While many vendors provide each of these solutions, their technologies do not always integrate seamlessly. When choosing a technology partner, you should ask: Do these tools work together to consolidate alerts? Do alerts provide the SOC with the full picture of an attack? Do the tools require a lot of manual tuning to work correctly? These are important things to consider when determining the TCO of a WAAP.

Adopting a WAAP should be relatively easy. Exceptional customer service streamlines onboarding and implementation, from acquisition through implementation and maintenance. Your WAAP technology provider should be a true partner, and should not upcharge for professional services. Your partner should provide ongoing technical assistance without charging additional fees.

Imperva makes WAAP easy

Although WAAP seems complicated, it doesn’t have to be. Imperva provides award-winning protection with our single-stack WAAP. Our tools seamlessly integrate together, protect applications from sophisticated attacks, and provide customers with an enriched view of their environment. Our tooling has a near-zero false positive rate, has flexible deployment methods, and fully supports a positive security model. One of our core values is customer obsession, which means our support team is here to help you with any and all questions about your Imperva products. Whether it’s tuning a policy or creating a new rule for a special use case, we don’t require customers to purchase additional professional service hours for help.

Imperva provides layer 3/4 and layer 7 protection with our DDoS Protection. This tool can withstand even the most powerful attacks: we were recently able to mitigate a single attack of 25.3 billion requests. Since all of our PoPs are scrubbing centers, we have the capacity to identify and mitigate tremendous, complex DDoS attacks within a three-second SLA.

Imperva API Security protects your APIs from the OWASP API Top 10 out of the box. This solution also provides rich insights into your API environment. Our API discovery component displays all APIs being used in production, highlighting any shadow APIs in an organization. API Security uses data classification tags to spotlight any APIs that are handling sensitive data.

Advanced Bot Protection (ABP) protects websites, mobile devices, and APIs against business logic attacks. It can distinguish between human and bot traffic, ensuring that bad bots are blocked while legitimate traffic is unaffected. ABP also protects organizations from ATO through the detection of credential stuffing and brute force attacks.

While each component of our WAAP provides exceptional protection, our analytics tool, Attack Analytics, ties everything together. Utilizing data from WAF, DDoS, API Security, and Account Takeover, Attack Analytics reviews thousands of security events and consolidates them into a few distinct alerts. These alerts are actionable, decreasing the time to resolution. Each alert provides a detailed narrative of an attack, providing analysts with everything they need to know on one screen. Instead of reviewing hundreds of security events and trying to find the commonality between them, Attack Analytics does the heavy lifting for you. Attack Analytics decreases alert fatigue, increases efficiency, and provides security teams with the full picture of their Imperva environment.

Interested in learning more about WAAP? Imperva is hosting a webinar on WAAP on October 25th. Peter Klimek, our Director of Technology, and Luke Barbarinde, one of our Principal Architects, will discuss why WAAP is so critical to businesses today, common misconceptions about how much WAFs protect, and how Imperva does WAAP. In the interest of helping organizations understand what makes a good WAAP, we’ve created a buyer’s guide that will be distributed to attendees. Register today.