Rydex Next Generation WAF - WAAP Platform, a one-stop dynamic active defense covering Web, APP, Cloud and API
There is no doubt that traditional WAFs are losing their
value.
According to a survey published by Neustar's International
Cyber Security Council in 2020, 40% of security stakeholders surveyed said that
at least half of attacks against their application layer bypassed the WAF;
while 10% said that over 90% of attacks could easily avoid WAF defences.
This report also corroborates the Ponemon Institute's
findings in 2019: 65% of organisations experienced bypass in their WAF, while
only 9% said they were not compromised; meanwhile, only 40% of respondents were
satisfied with their existing WAF. The Ponemon Institute also found that, on
average, each organisation employs 2.5 security administrators who spend 45
hours a week dealing with WAF alerts and another 16 hours a week writing new
WAF rules.
The reliability and satisfaction issues of traditional WAFs
have become a major concern for the industry, meaning that the WAF market is
facing a major restructuring and change.
The rise of multiple types of applications highlights the limitations of traditional WAF protection
In fact, WAF is a fairly mature security category that has
been in development for nearly 20 years now.
In the early days, when web applications built around websites first emerged, traditional WAFs based on rules and signature matching were sufficient for web application protection: there was essentially a single type of application, and malicious traffic was relatively simple.
However, times are changing rapidly. The rapid development of the mobile Internet in recent years has given rise to a variety of application forms such as native apps, H5 mobile web pages and mini-programs (applets). Enterprises' core business and trading platforms increasingly depend on these new applications, which may be deployed on premises, in the cloud or in a hybrid environment, and can be accessed by employees and users from anywhere on the network. At the same time, more and more third-party API interfaces are being called, and this API business brings an ever-expanding web exposure surface and a chain of risk-control concerns that fall beyond the scope of traditional WAF protection.
Bot threats are on the rise, and bot management goes beyond traditional WAFs
Bot threats are not only increasing the number of attacks
that exploit web application vulnerabilities, but are also having a significant
impact on digital business. Addressing the known and unknown application risks,
data leakage risks, and business risks posed by Bots is well beyond the scope
of traditional WAF protection.
Forrester Analytics: Application Security Solutions Forecast, 2020 To 2025 (Global) reports that the application security solutions market will grow from $4.7 billion to $12.9 billion between 2019 and 2025, and that bot management will cover many of the core features of Web Application Firewalls (WAFs) and overtake traditional WAFs as the core application protection solution by 2025. With bot management, a range of bot-driven attacks, including fraud such as credential stuffing and crawling, can be detected and blocked. In addition, while bot management tools protect applications from malicious bots, bona fide bots are allowed through and human users are not hindered by unnecessary CAPTCHAs and other challenges.
The next generation of WAFs: from WAF tools to WAAP platforms
It is easy to see that traditional WAFs have struggled to keep pace with the evolving threat landscape. How should WAF protection mechanisms evolve in the digital era to help enterprises defend against unknown threats and secure their operations? In 2021, Gartner will replace the Magic Quadrant for WAFs, which it has published for many years, with the Magic Quadrant for WAAP, further extending the scope and depth of security protection.
Gartner states that by 2023, more than 30% of public-facing
web applications and APIs will be protected by the Cloud Web Application and
API Protection (WAAP) service, which combines distributed denial-of-service
(DDoS) defence, Bot Mitigation, API protection and WAF.
WAF capability: the WAF must detect not only known threats but also unknown ones, which is a major challenge for traditional WAFs based on rules and signature matching.
Bot (automated attack) protection capability: automated bot attacks are increasing year by year, with almost 60% of internet traffic generated by bot programs. To make their attacks more efficient, bot operators use a variety of means to bypass detection, which escalates the front-end confrontation. Compared with traditional attacks, however, enterprises generally know little about bot attacks, which compounds the damage they cause. The next-generation WAF should therefore be able to identify and protect against automated bot attacks.
API protection capability: compared with traditional web pages, APIs carry more business processes. As the API access environment becomes more open, the number of APIs grows extremely fast and the APIs themselves change rapidly, rule-based protection against API vulnerability exploitation can no longer meet the needs of defending against API abuse, unauthorised access, bot traffic against APIs and data leakage. The next-generation WAF should therefore be able to protect APIs both internally and externally, a gap that many WAF products on the market are trying to fill.
DDoS protection capability: DDoS is a common attack method and is especially effective against applications. The DDoS capability of the cybercrime underground is strengthening year by year, as is its ability to organise large-scale attacks. Attackers increase attack volume by varying multiple attack characteristics and distributing the attack widely, bypassing defence rules and overwhelming the protection equipment; at the same time, they can carry out the attack without triggering rate-limiting policies, rendering the traditional WAF's policy ineffective. The next-generation WAF should therefore have DDoS protection capabilities, better prediction of the vulnerability threat surface, and deeper, continuous tracking and monitoring of attack groups.
Although WAF products have become relatively mature through
years of development, their detection and response capabilities to complex
threats still need to be further improved. Therefore, traditional WAF functions
will be incorporated into the WAAP platform, working closely with threat
intelligence, Bot protection, DDoS defence, API protection and other functional
components to help enterprise users build a proactive protection system for web
applications.
Rydex Next-Generation WAF - WAAP platform, providing one-stop dynamic active defence
With its unique "dynamic security" as its core technology, the WAAP platform combines intelligent threat detection and behavioural analysis with bot protection as its core function. It provides traditional web security defence capabilities while stopping threats early, at the vulnerability-probing and reconnaissance stage of an attack, and readily addresses emerging and fast-changing bot attacks, 0-day attacks, application-layer DDoS attacks and API security protection.
At the bot protection level, the identification of and defence against automated bot tools is one of the most prominent capabilities of Rydex's products. The "Dynamic Security Engine", with "dynamic security" technology at its core, continuously and dynamically transforms the underlying code of the server's web pages using techniques such as dynamic encapsulation, dynamic authentication, dynamic obfuscation and dynamic tokens. This increases the "unpredictability" of the server's behaviour, making attacks far more difficult to carry out and realising a full range of "active protection" from the user side to the server side.
At the DDoS protection level, attackers' use of techniques such as multi-source low-frequency requests, slow attacks and precisely targeted strikes makes CC attacks (application-layer HTTP floods) against the business/application layer difficult to defend against. Unlike frequency-based protection, the "dynamic token" technology in Rydex's "dynamic security engine" can identify and intercept CC attacks launched by bots at the source, reducing resource consumption and guaranteeing the normal, stable operation of the business.
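The two passages above (the DDoS capability discussion and the dynamic-token paragraph) make the same point: a per-source rate limit is blind to a distributed flood in which every source stays under the threshold, whereas a control that ties each request to a freshly issued, single-use token is not. The simulation below is an added example, not Rydex's code, and does not reproduce the Dynamic Security Engine; it uses a generic HMAC-based rotating token as a stand-in for the "dynamic token" idea. The traffic, IP addresses, session ids, server secret and token format are all constructed for the demonstration.

```python
"""Added example (not Rydex's code): per-source rate limiting versus a rotating,
single-use per-session token, run over constructed application-layer traffic."""
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_SECRET = b"constructed-demo-secret"   # assumption: a server-side secret
TOKEN_TTL_SECONDS = 30                       # assumption: token validity window


def _mac(session_id, nonce, issued_at):
    """HMAC binding the token to the session and its issue time."""
    msg = f"{session_id}:{nonce}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(session_id, now):
    """Mint a fresh token in the constructed format nonce.issued_at.mac."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{int(now)}.{_mac(session_id, nonce, int(now))}"


class TokenGate:
    """Accepts each token once and hands back a rotated one; forged, stale,
    missing or replayed tokens are rejected (check() returns None)."""

    def __init__(self):
        self.spent = set()

    def check(self, session_id, token, now):
        try:
            nonce, issued_at, mac = token.split(".")
            issued_at = int(issued_at)
        except (AttributeError, ValueError):
            return None                      # no token or malformed token
        if not hmac.compare_digest(mac, _mac(session_id, nonce, issued_at)):
            return None                      # forged token
        if now - issued_at > TOKEN_TTL_SECONDS or (session_id, nonce) in self.spent:
            return None                      # stale or replayed token
        self.spent.add((session_id, nonce))
        return issue_token(session_id, now)  # rotate for the next request


def fixed_window_blocked(requests, limit=20, window=10):
    """Requests a fixed-window limiter (limit per source IP per window) would drop."""
    counts = defaultdict(int)
    blocked = 0
    for r in requests:
        key = (r["ip"], r["t"] // window)
        counts[key] += 1
        if counts[key] > limit:
            blocked += 1
    return blocked


def run_simulation():
    """Constructed traffic: one human session with token rotation, plus a 50-source
    bot fleet sending 5 requests each (well under 20 per 10 s) that replays one
    token captured from a single page load instead of rotating it."""
    gate = TokenGate()
    log = []
    token = issue_token("user-1", 0)            # the page load issues the first token
    for t in range(1, 9):
        nxt = gate.check("user-1", token, t)
        log.append({"ip": "203.0.113.10", "t": t, "kind": "human", "token_ok": nxt is not None})
        token = nxt
    captured = issue_token("bot-1", 0)
    for n in range(50):
        for k in range(5):
            t = 1 + 2 * k
            ok = gate.check("bot-1", captured, t) is not None
            log.append({"ip": f"198.51.100.{n + 1}", "t": t, "kind": "bot", "token_ok": ok})
    return log


def summarize(log):
    """Compare what each control stops on the same traffic."""
    bots = [r for r in log if r["kind"] == "bot"]
    humans = [r for r in log if r["kind"] == "human"]
    return {
        "bot_requests": len(bots),
        "rate_limit_blocked": fixed_window_blocked(log),
        "token_blocked_bots": sum(not r["token_ok"] for r in bots),
        "token_passed_humans": sum(r["token_ok"] for r in humans),
    }


if __name__ == "__main__":
    print(summarize(run_simulation()))
```

On this traffic the fixed-window limiter drops nothing, because every bot source sends only five requests per window, while the token gate lets the human's eight rotated requests through and rejects 249 of the 250 bot requests (only the first replay of the captured token is valid). The point of the design is that validity is a property of the individual request, not of how often a source appears, so spreading the flood over more sources buys the attacker nothing.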
At the WAF level, with the help of the "Dynamic Security Engine", Rydex does not rely on traditional signature- and feature-based rules, and can identify tool-driven vulnerability scanning and attacks as well as automated 0-day probing and attacks. Together with the "intelligent threat detection engine" and the "rules engine", the three engines work in concert to provide more efficient and comprehensive web application protection against both manual and automated attacks, achieving deeper defence.
At the API protection level, Rydex uses intelligent threat detection and behavioural analysis to automatically discover API interfaces and build an API inventory through four modules: API awareness, discovery, monitoring and analysis, and protection. This enables API asset management and control of API access behaviour. At the same time, an API security baseline is established to monitor and analyse API abuse, abnormal API access, malicious scanning and injection attacks, realising API security protection and sensitive data control.
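The discovery-then-baseline workflow described above can be illustrated end to end with a small detector. The code below is an added example, not Rydex's code: it reads constructed access-log lines in a made-up format, collapses object identifiers so that each route becomes one inventory entry, learns the peak per-client request rate seen per endpoint during a training period, and then flags requests to endpoints absent from the inventory (shadow APIs), clients exceeding the learned rate, and clients walking through many distinct object ids on one endpoint (enumeration). The log format, thresholds and sample traffic are assumptions made for the demonstration.

```python
"""Added example (not Rydex's code): build an API inventory from constructed
access-log lines, learn a per-endpoint baseline, then flag deviations."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed log format: <ip> [<unix seconds>] "<METHOD> <target>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<t>\d+)\] "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$')


def template(path):
    """Collapse object identifiers so /users/42 and /users/43 map to one endpoint."""
    parts = []
    for seg in path.strip("/").split("/"):
        if seg.isdigit():
            parts.append("{id}")
        elif re.fullmatch(r"[0-9a-f]{8}-[0-9a-f-]{27}", seg):
            parts.append("{uuid}")
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def parse(lines):
    """Parse log lines into events sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        events.append({"ip": m["ip"], "t": int(m["t"]), "path": url.path,
                       "query": url.query, "status": int(m["status"]),
                       "endpoint": f'{m["method"]} {template(url.path)}'})
    events.sort(key=lambda e: e["t"])
    return events


def learn_baseline(events, window=60):
    """Inventory of seen endpoints plus, per endpoint, the peak requests any one
    client made within a window (the 'normal' rate to compare against later)."""
    inventory = {e["endpoint"] for e in events}
    per_client = Counter((e["endpoint"], e["ip"], e["t"] // window) for e in events)
    peak = defaultdict(int)
    for (endpoint, _ip, _w), n in per_client.items():
        peak[endpoint] = max(peak[endpoint], n)
    return {"inventory": inventory, "peak_rate": dict(peak), "window": window}


def detect(events, baseline, tolerance=2, enum_threshold=20):
    """Flag unknown (shadow) endpoints, clients exceeding tolerance x the baseline
    peak, and clients touching many distinct object ids on one endpoint."""
    findings, seen = [], set()

    def note(kind, ip, endpoint):            # one finding per (kind, client, endpoint)
        if (kind, ip, endpoint) not in seen:
            seen.add((kind, ip, endpoint))
            findings.append((kind, ip, endpoint))

    per_client = Counter()
    ids_touched = defaultdict(set)
    for e in events:
        ep = e["endpoint"]
        if ep not in baseline["inventory"]:
            note("unknown_endpoint", e["ip"], ep)
            continue
        key = (ep, e["ip"], e["t"] // baseline["window"])
        per_client[key] += 1
        if per_client[key] > tolerance * baseline["peak_rate"][ep]:
            note("rate_above_baseline", e["ip"], ep)
        m = re.search(r"/(\d+)(?:/|$)", e["path"])
        if m:
            ids_touched[(ep, e["ip"])].add(m.group(1))
            if len(ids_touched[(ep, e["ip"])]) >= enum_threshold:
                note("id_enumeration", e["ip"], ep)
    return findings


def constructed_training_log():
    """Two well-behaved clients, about 10 requests per minute each (constructed)."""
    lines = []
    for i in range(10):
        lines.append(f'203.0.113.5 [{i * 6}] "GET /api/v1/users/{100 + i}" 200')
        lines.append(f'203.0.113.6 [{i * 6 + 3}] "POST /api/v1/orders" 201')
    return lines


def constructed_test_log():
    """One client enumerating 40 user ids in 40 s, one hitting an endpoint never
    seen in training, and one ordinary request (constructed)."""
    lines = [f'198.51.100.9 [{i}] "GET /api/v1/users/{i}" 200' for i in range(1, 41)]
    lines.append('198.51.100.10 [5] "GET /api/v1/internal/export?all=1" 200')
    lines.append('203.0.113.5 [7] "GET /api/v1/users/107" 200')
    return lines


if __name__ == "__main__":
    base = learn_baseline(parse(constructed_training_log()))
    for finding in detect(parse(constructed_test_log()), base):
        print(finding)
```

Training yields an inventory of two endpoints with a peak of 10 requests per minute per client; on the test traffic the detector raises exactly three findings: an unknown endpoint for the export route, and both a rate and an enumeration finding for the client that walks user ids 1 to 40. The ordinary request from a known client raises nothing. A production system would key the baseline on more than rate (response sizes, status-code mix, authenticated principal), but the structure, discover, baseline, then compare, is the same.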
At present, Rydex's next-generation WAF - WAAP platform is widely used by telecom operators, finance, government, education, hospital and enterprise customers, helping all kinds of organisations to truly secure their websites, apps, mini-programs and APIs, effectively counter extortion and reduce security risks and economic losses. At the same time, Rydex has taken part in a large number of offensive and defensive exercises and in national cybersecurity assurance work for major events such as the Fair and the 70th anniversary of the founding of the country, achieving good results and earning praise from users as a "go-to tool for major-event security assurance".
As Wu Jiangang, Director of Information Technology at Rydex, said, "Network security follows the 'barrel principle': the overall security level of the network is determined by its lowest level of security". When a single WAF product is no longer enough to address ubiquitous security risks, the overall security capability from WAF to WAAP can cover existing security blind spots and realise a truly integrated application security defence covering Web, APP, Cloud and API assets, and Rydex's next-generation WAF - WAAP platform is a representative example.
Editor: Zhao Lijing
Source: Rydex Information