WAFs Must Die Like the Password and VPNs

Over the last few years, the Web Application Firewall (WAF) has become one of the most common means of securing applications. But much like other antiquated and archaic security solutions (the password, VPNs, and a few other technologies), WAFs need to die the death that all under-delivering, underperforming security solutions deserve.

One of the main reasons the WAF has become just as out of place in security stacks as the password and the VPN is that now-global Zero Trust initiatives require organizations to reach beyond the firewall model. The move to Zero Trust began with the idea of “de-perimeterization”, the move beyond the perimeter, which in an enterprise system is the firewall. WAFs are antithetical to the move to Zero Trust. They hinder an organization’s move to the cloud and to the café-style internet use that modern enterprises and businesses want.

According to most innovators and experts, the pattern- and rule-based engines used by WAFs are not aligned with current security needs. WAFs are not “cloud-first”, and because of the false promise of protection these out-of-date solutions provide, organizations are unable to move towards true digital transformation. Instead, they remain tethered to the protection that a firewall seemingly provides but in actuality does not.

Security leaders who are stuck with old WAFs are noticing these shortcomings, and they are looking for the next move to a more digitally transformed and secure future. WAFs have been dying the slow death they deserve since 2019, even before the pandemic and COVID made us move beyond the perimeter. Ponemon conducted research at that time to probe the market for issues with WAF solutions, and more than 600 respondents made their point clear: WAFs aren’t helping.

The Ponemon report noted the following:

“First, organizations are frustrated that so many attacks are bypassing their WAFs and compromising business-critical applications. In addition, they’re experiencing the pain of continuous, time-consuming WAF configuration, and administration tasks. Lastly, they’re dealing with significant annual costs associated with WAF ownership and staffing.”

The underlying data from that research provided insights into each of these three areas:

· While 66% of respondent organizations consider the WAF an important security tool, over 40% use their WAFs only to generate alerts (not to block attacks).

· 86% of organizations experienced application-layer attacks that bypassed their WAF in the last 12 months.

· Managing WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.

· The CapEx and OpEx for WAFs together average $620K annually. This includes $420K for WAF products, plus an additional $200K annually for the skilled staffing required to manage the WAF.

Source: Ponemon Institute – “The State of Web Application Firewalls” (14 May 2019)

In other words, WAFs are not stopping attacks, require continuous configuration, intensive management and scarce security staff, and are more expensive than other, better-suited technologies. Why would any modern enterprise want a solution that costs more, is harder to manage, and needs more people (whom you can’t find)? Does that seem like a wise technology investment?

Additionally, according to Ponemon, 65% of respondents say attacks are bypassing the WAF (including the application-layer attacks mentioned above). And that was in 2019; imagine how many attacks are sliding by three years later, after attackers have innovated and discovered more ways past the WAF. Only 9% of survey respondents reported that their WAFs have never been breached.

WAFs rely on rules and blacklist models and must “learn” the application during a configuration process. This approach is neither effective nor realistic, and as a result WAFs often fail at categorizing traffic, tagging valid traffic as malicious and vice versa (false positives and false negatives). That configuration issue significantly damages the user experience. In that same report, 43% of respondents indicated that their WAFs were in “Detection/Alert only mode,” which means that attacks will be detected but not blocked. So essentially that expensive security solution is only telling an organization there is a problem; it isn’t stopping it.
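The three failure modes in that paragraph (a benign request that trips a rule, a malicious request no rule covers, and a matching request that is merely alerted on rather than blocked) are easiest to see in a miniature rule engine. The following is an added example written for this page, not code from the article or from any WAF vendor; the three rules, the four sample request lines and their ground-truth labels are all constructed by hand and stand in for a real rule library and real traffic.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern


# Constructed, deliberately tiny rule set (assumption: stands in for a vendor's rule library).
RULES = [
    Rule("sqli-001", "SQL keyword pair", re.compile(r"\b(select|union)\b.*\bfrom\b", re.I)),
    Rule("sqli-002", "quote tautology", re.compile(r"'[\s+]*or[\s+]*'?\d+'?[\s+]*=[\s+]*'?\d+", re.I)),
    Rule("xss-001", "script tag", re.compile(r"<script\b", re.I)),
]


@dataclass(frozen=True)
class Verdict:
    request: str
    matched: tuple  # ids of the rules that fired
    action: str     # "allow", "alert" or "block"


def inspect(request: str, mode: str) -> Verdict:
    """Run every rule over the raw request line and decide what the WAF does with it.

    mode="block": a matching request is dropped before it reaches the application.
    mode="alert": the "Detection/Alert only mode" from the Ponemon data; a match is
    logged, but the request is still forwarded to the application unchanged.
    """
    matched = tuple(r.rule_id for r in RULES if r.pattern.search(request))
    if not matched:
        action = "allow"
    elif mode == "block":
        action = "block"
    else:
        action = "alert"
    return Verdict(request, matched, action)


# Constructed sample traffic with hand-assigned ground truth (True = malicious).
SAMPLES = [
    ("GET /search?q=select+the+best+movies+from+2019", False),  # benign prose that trips sqli-001
    ("POST /login user=admin'+OR+'1'='1", True),               # covered by sqli-002
    ("GET /export?path=../../etc/passwd", True),               # no rule in this set covers traversal
    ("GET /profile?name=alice", False),
]


def evaluate(mode: str) -> dict:
    """Confusion counts for the rule set, plus how many malicious requests still reached the app."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0, "malicious_reached_app": 0}
    for request, is_malicious in SAMPLES:
        verdict = inspect(request, mode)
        flagged = bool(verdict.matched)
        if flagged and is_malicious:
            counts["tp"] += 1
        elif flagged and not is_malicious:
            counts["fp"] += 1
        elif not flagged and is_malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
        # In alert-only mode a detected attack is logged and then forwarded anyway.
        if is_malicious and verdict.action != "block":
            counts["malicious_reached_app"] += 1
    return counts


if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, evaluate(mode))
```

Running it shows the same false positive and the same false negative in both modes (the rule set, not the mode, decides those), while the detected attack reaches the application only in alert mode. Closing the false negative means writing another rule, which is the ongoing rule-authoring effort the Ponemon figures quantify.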

As many as 30% of WAF users claim that compliance is the main mission of the WAF. But compliance is not a secure approach to infrastructure needs.

Most WAFs are deployed as hardware on-premises or as managed appliances. This method of deployment does not adapt well to modern deployment strategies based on flexible cloud platforms. WAFs lock in applications to static configuration models which limit and hinder digital transformation.

WAFs are resource heavy and complex to configure and maintain. Licenses are costly. WAF management requires on average a headcount of 2.5 FTEs, and an annual budget of more than $400K.

WAFs are mainstream solutions for sure, but they are old and outdated approaches to security problems that can be better addressed through digital transformation and true cloud-first approaches. As research shows, WAFs make users unhappy, offer weak protection, often generate many false positives, do not support developers or development initiatives, are on-prem and most often deployed without cloud support, are expensive, and are resource hogs that suck up bandwidth and slow throughput. All bad things for any modern enterprise, and all bad for Zero Trust’s strategic alignment.

When it comes to web application security, organizations need to think beyond just defending a simple rule set like the OWASP Top Ten, and modern businesses need a deployment model that enables them to distribute and truly secure web-based applications. Modern businesses need to be able to easily access web-based applications, and they need to be able to securely access cloud-enabled business suites like O365, G Suite, and others. In that context, businesses want protection from viruses, the ability to control file uploads and downloads, management of access from a single control point, and increased control across their virtual infrastructure.

A better way of approaching those needs is to leverage Web Application Isolation (WAI). In this model, private applications are essentially “published” on the internet, but behind each application sits a controlled broker that applies all security policy controls to both that application and the users who access it. WAI places the applications “on” the internet for easy access by users, but covertly and intelligently cloaks those applications from non-authorized users and from discovery on the web. In other words, the applications are only available and discoverable to users who access them with the correct policy-enabled controls on their machine. Once a user and their approved device access that application, the control broker applies further granular controls on an individual basis, using information pulled from the broker engine.

Under this model, the user is unaware that they are operating in a secure tunnel that is overlaid on cloud infrastructure. Their entire experience is streamlined and optimized using a Zero Trust approach since WAI applies maximum control points across the totality of the user journey while allowing the use of both managed and unmanaged devices to access apps on the web.

In the case of unmanaged devices, a WAI approach has some important capabilities compared to a WAF. While WAFs let you control which applications unmanaged devices can access, they don’t provide the same threat prevention and data security controls as for managed devices. With WAI, you can limit data sharing (blocking or restricting copying/pasting/printing and file uploads/downloads) and apply DLP-like technologies to prevent data exfiltration. You can also scan traffic for malware, blocking weaponized uploads that could compromise applications and move laterally across your network. All of this can be done without installing anything on the device.
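To make the broker model in the last two paragraphs concrete, here is an added example of a per-session policy decision followed by an upload gate, written for this page rather than taken from the article or from any WAI product. The posture attributes (`authenticated`, `device_managed`), the action names, the DLP rule (Luhn-validated card numbers) and the single-entry malware hash denylist are all assumptions chosen for illustration; the sample uploads are constructed.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool
    device_managed: bool


# Data-sharing actions the broker can switch on or off per session (assumed names).
DATA_ACTIONS = ("copy", "paste", "print", "upload", "download")

# Constructed denylist: SHA-256 of a made-up "known bad" file, standing in for a malware feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-MALICIOUS-SAMPLE").hexdigest()}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def session_controls(session: Session) -> dict:
    """Which data-sharing actions the broker allows for this session."""
    if not session.authenticated:
        # The application stays cloaked: an unauthenticated session gets nothing.
        return {action: False for action in DATA_ACTIONS}
    if session.device_managed:
        return {action: True for action in DATA_ACTIONS}
    # Unmanaged device: the user may paste data into the app, but every path that
    # moves data out of it (copy, print, upload, download) is closed.
    return {action: action == "paste" for action in DATA_ACTIONS}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """DLP check: candidate digit runs that also pass the Luhn checksum."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def gate_upload(session: Session, content: bytes) -> tuple:
    """Broker decision for one file upload, returned as (decision, reason)."""
    if not session.authenticated:
        return ("deny", "unauthenticated")
    if not session_controls(session)["upload"]:
        return ("deny", "uploads disabled for unmanaged device")
    # Traffic scanning: compare the upload's hash against the (constructed) denylist.
    if hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256:
        return ("deny", "malware hash match")
    # DLP: refuse uploads that carry a card number out through the broker.
    cards = find_card_numbers(content.decode("utf-8", errors="ignore"))
    if cards:
        return ("deny", f"dlp: {len(cards)} card number(s) found")
    return ("allow", "clean")


if __name__ == "__main__":
    managed = Session("bob", authenticated=True, device_managed=True)
    unmanaged = Session("alice", authenticated=True, device_managed=False)
    print(session_controls(unmanaged))
    print(gate_upload(unmanaged, b"quarterly-report"))
    print(gate_upload(managed, b"customer card 4111 1111 1111 1111"))
```

Every decision is made in the broker, so nothing runs on the endpoint, which is the property the paragraph above emphasises for unmanaged devices; swapping the hash denylist for a real scanner or the Luhn rule for a fuller DLP classifier changes only the two checks inside `gate_upload`.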

This approach categorically changes the way users and devices access necessary corporate applications, and it applies security controls and policy engine enforcement. By placing the applications “on the internet”, ease of access and use is increased, yet policy engine controls and focused, application-specific broker redirection enable maximum control of both user behavior and unmanaged device risk.

The WAF should die the slow death it deserves; WAI needs to be the way we collectively move forward.

Imran Parray

Founder - @snapsec | Securing Enterprises Globally.

2 years

great thoughts, Thanks for sharing it.

Troy Johnson

Lifelong learner, Optimist, interested in applications of Quantum Computing, Critical Minerals, Water Resources, Energy Resources, Space Resources and the Space Economy, Modern Small Modular Reactors (SMR's), Drones

2 years

Keith Guidry

Too many network flow focused solutions!

Brandon Hunter

Cloud Networking Professional

2 years

While there are many valid points in this post with which I agree, others have beaten me to the punch in questioning whether or not ZT-based solutions are an appropriate solution for public-facing, anonymous-style web apps and services. Arguably WAFs are far from perfect, though better than nothing. However, I would concede that in most of these cases, the web app/service provider probably also developed that same software in-house and is in a position to benefit from shifting left with web app sec as part of the software security architecture (think Google, Netflix, etc.).

More articles by Dr. Chase Cunningham
