Ask any security expert about the top cyber attacks on the modern enterprise, and they will invariably list Web application breaches such as SQL injection and cross-site scripting, as well as DDOS attacks on Web-based infrastructure. As a result, it stands to reason that advanced solutions such as Web Application Firewalls (WAFs) have grown, and will continue to grow, in popularity to reduce the risk these common attacks pose. Given the role of WAFs in the evolving application architecture, it also stands to reason that the best cyber security vendors will expand the scope, intensity and applicability of their web-based defenses to protect the enterprise ecosystem. As part of the research for my 2017 TAG Cyber Security Annual (https://www.tag-cyber.com), I had the great honor to sit down with industry luminary and CEO of Imperva, Anthony Bettencourt, to discuss these cyber security issues.
EA: Anthony, why do you think the WAF has become such a popular device in the typical enterprise?
AB: Web attacks have long been the staple of cybercriminal organizations. According to the most recent Verizon DBIR, 40% of data breaches occur through Web application attacks. A well-designed Web application security strategy, including a modern WAF, is therefore a critical element of an enterprise’s overall security posture. In addition, we’ve all experienced how pervasive Web services and applications have become. Just consider, for example, all the banking applications on smart-phones for the individual and cloud-based file transfer solutions for business. It thus stands to reason that if basic functions like file transfer are done using Web services, then the corresponding security solutions must be designed to protect the shifting and growing portfolio of application services that use these services.
EA: The PCI-DSS standard recommends either WAF functionality or source code review as means for strengthening Web applications. Do you see these techniques as equivalent?
AB: A strong Web and mobile application security strategy will incorporate both WAFs and a review of source code. Our team at Imperva recognizes that these solutions are compatible. WAFs provide a powerful, flexible mechanism for enterprise security teams to deploy real-time protection for their valuable Web services without having to change the services themselves. This is an important advance that reduces risk considerably. Source code reviews to improve these same Web services are a good idea, but unfortunately, the reality is that humans will be unable to catch every potential error introduced into code by another human. We see a large number of attacks on well-documented and old vulnerabilities that just have not been fixed. We have also seen cybercriminals use application-based DDOS attacks that exploit bad application design, rather than just simply trying to flood the network pipe. These kill the enterprise connection and cannot be stopped with network DDOS mitigation tools. Rather, this requires a modern WAF to inspect the application traffic and block these attacks before they can exploit the application.
EA: WAFs began as a hardware appliance inserted into some on-premises segment for inspection of application traffic. How does public cloud usage change this?
AB: You are correct. The modern enterprise is virtualizing, and many are starting to use public cloud services, or considering doing so in the near term. Companies are using the cloud for handling regulated personal information like health records, as well as for storing intellectual property and delivering essential services. This is what cybercriminals target with either DDOS attacks, direct break-ins, or through insiders. As enterprises virtualize and consume cloud services, the idea that a solution can reside as a hardware appliance deployed at the perimeter is no longer viable in many cases. Instead, WAF functionality, Web security, and nearly every aspect of enterprise security must have the ability to virtualize across all entry and exit points of the enterprise. Today this implies that Web application security is deployed as a cloud service itself, as well as via virtual or physical appliances that can be deployed both on infrastructure-as-a-service clouds and within on-premises data centers. Our platform solution at Imperva, therefore, includes three major functions. First, our Imperva SecureSphere and Imperva Incapsula platforms halt DDOS attacks aimed at Web services. Our Incapsula, SecureSphere and Imperva ThreatRadar solutions detect and mitigate live attacks and break-in attempts to Web applications before they can produce damage. And our SecureSphere, Imperva Skyfence and Imperva CounterBreach solutions help discover sensitive data across the enterprise and in both sanctioned and unsanctioned cloud apps. This includes breach detection of insider access to business-critical assets.
EA: Everyone knows that DDOS attacks at Web services are moving up the stack toward Layer 7 application functionality. Does the WAF offer protection here or do enterprise networks need complementary DNS and geographic protections of a CDN or similar network architecture solution?
AB: Yes, layer seven DDOS attacks are more clever and tougher to filter than earlier layer three DDOS attacks that flood a site with traffic. There is no question that defenders have to get smarter, which is why our platform has been designed to deal with live attempts to manipulate Web applications such as those that would be found in a more advanced DDOS attack. We’re seeing DDOS attackers use both application and network-level DDOS attacks together. We believe a comprehensive DDOS mitigation strategy needs to be able to mitigate both volumetric and “low-and-slow” attacks against both the network infrastructure and Web applications. Our solutions are designed to deal with these broader spectrum attack scenarios. We combine WAFs with a cloud DDOS mitigation infrastructure that is best able to protect against today’s more sophisticated attacks and keep the impact of mitigation out of the enterprise environment, which often is still pretty conventional with Web applications hosted in the data center and accessible through a perimeter gateway.
EA: Do you see more critical functions, perhaps supporting life-safety or critical infrastructure services, gravitating to Web-based solutions? Does this change the nature of the Web application security business?
AB: There is no question that Web services have become the most critical underlying technology for so many aspects of life-safety and critical infrastructure services. The growth in excitement and utility of the Internet of Things (IoT) is a perfect example. While many of the devices in factories or industrial plants today are based on older protocols and access methods, many are being redesigned or extended with Web services. As a result, platforms such as those from Imperva will not only protect traditional enterprise applications from cyber-attacks, but could increasingly play a role protecting essential services. This doesn’t change the nature of our business, though, because we have long understood how important our mission is to business, government and the entire Internet ecosystem.