This website uses cookies in order to improve its ease of use. You accept this by continuing to use of the website. You can find more information on cookies and their deactivation here.

​How AI and Automation are Fueling the Next Generation of Web Application Firewalls (WAFs)

06/24/2020        Cyber Security
​How AI and Automation are Fueling the Next Generation of Web Application Firewalls (WAFs)
Shutterstock ID 365647340

In recent years, organizations across every industry have become dependent on their digital infrastructure for core business functions. Many organizations that historically didn't invest in software now provide at least one service that relies on a web-based application. This can be a direct reliance, as in the case on revenue-generating applications, or an indirect reliance on web applications such as digital collaboration tools or office suites.

As a result, more organizations than ever have a business-critical need to protect one or more web applications. So, it should come as no surprise that web application firewalls have become a staple component of most cybersecurity programs.


What is a WAF?

A Web Application Firewall (WAF) protects web applications by monitoring and filtering HTTP traffic between an application and the Internet.

Using a WAF essentially ‘shields’ web applications from attacks. All incoming connection requests pass through the WAF before they can reach the server. When a WAF works well, malicious traffic is identified and filtered, while legitimate traffic is allowed to pass through.

It’s important to note that a WAF is not a complete solution for protecting web applications from cyber threats. WAFs are used specifically to protect against application layer attacks (that’s Layer 7 in OSI terms). These attacks target the data processing and functionality that sits immediately behind the user interface of an application. A successful attack of this nature can lead to loss or manipulation of sensitive data, or disruption of the data exchange process.

Common application layer attacks include SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Layer 7 DDoS attacks.


Learn more about Link11 Zero Touch WAF


How Does a WAF Work?

To protect an application from attacks, a WAF first has to identify the difference between legitimate and malicious traffic. It does this using a set of rules or ‘policies’.

Most WAFs fall into one of two categories:

A blacklist WAF allows all traffic to pass through unless it exhibits indicators that are known to be malicious and are included in the WAF’s policies. Blacklist WAFs are easy to set up and maintain, but are also fairly easy to bypass.

A whitelist WAF blocks all traffic by default unless it is specifically permitted by the WAF’s policies. For obvious reasons, whitelist WAFs are more secure than blacklist WAFs, but are often much more difficult to set up and maintain. They also require a lot of ongoing tuning and maintenance, which is time consuming and prone to human error.

Finally, some modern WAFs use a combination of blacklists and whitelists to distinguish between malicious and legitimate traffic. These WAFs are more secure than standard blacklist or whitelist WAFs, but are usually complex, expensive, and difficult to maintain. They are also much more likely to incorrectly block legitimate traffic.

How Do WAFs Contribute to IT Security?

A WAF is an essential part of any modern security program. However, it doesn’t work in isolation. As we have already seen, a WAF only protects against application layer attacks like SQLi and XSS — it does nothing to protect against lower-level threats such as level 3 or 4 DDoS attacks.

To fully protect web applications against cyber threats, a comprehensive security program is essential. Vital security controls include:

  • DDoS protection. Modern DDoS attacks are often highly sophisticated, and many attacks target infrastructure at a much deeper level than the application layer. To combat these threats, a powerful DDoS mitigation solution is needed — ideally one that incorporates automation and AI.
  • Protection against bad bots. DDoS flooding attacks aren’t the only bot-based threat to web applications and infrastructure. So-called ‘bad bots’ can wreak havoc with web applications if not properly mitigated. WAFs don’t do a good job of identifying bad bot traffic, so a dedicated solution is essential to control cyber risk effectively.
  • A vulnerability management program — Web security solutions are only effective if the web applications they protect are reasonably secure. Vulnerability management programs help organizations systematically find and fix security weaknesses before they are exploited by an attacker.
  • Secure development practices — If a web application is coded poorly, it will always be vulnerable to attack. For this reason, teaching coders to adhere to secure development best practices is essential.
  • Penetration testing — Regular penetration testing is an effective way to identify and fix vulnerabilities in a web application. Ideally, any identified vulnerabilities should be retested once a fix has been applied.


Learn more about Link11 Zero Touch WAF


What are the Technical Requirements of a WAF?

Many WAFs suffer from shortcomings that make them cumbersome to maintain and ineffective for managing real-world cyber risk. These shortcomings include:

  1. Over-focus on OWASP Top 10 threats. While important, these threats (which include SQLi and XSS) are not the only threats a typical web application faces.
  2. Complexity. Many WAF solutions — particularly those that rely on whitelists — require a high degree of technical ability to set up and maintain and are resource intensive. These solutions are also highly susceptible to human error.
  3. Ineffective against new threats. Many WAF solutions do not incorporate AI, automation, or threat intelligence, making them unable to identify new or unknown threats.

Modern organizations face a higher volume and sophistication of cyber threats than ever before. Web applications are a popular target, because they often handle sensitive information that may be valuable to an attacker. As a result, legacy WAF solutions are no longer an effective security tool.

An organization looking to purchase a WAF solution should look for four key features:

  1. The ability to identify and mitigate a wide range of threats. OWASP Top 10 (or any other basic security standard) is not enough coverage for a modern organization.
  2. Speed of identification and mitigation. Time is critical in cybersecurity. The faster a WAF can identify and block attacks — especially unknown attacks — the greater its benefit for security and risk reduction.
  3. Ease of use. Many WAF solutions are complex, hard to maintain, and prone to human error. Solutions that incorporate automation to minimize the need for human effort should be preferred.
  4. Self-learning. The best source of threat intelligence is the intelligence produced by analyzing attacks against your organization. A WAF solution that incorporates self-learning AI and Machine Learning (ML) algorithms ensures that your organization is protected against the threats it is most likely to face.

The ‘Zero Touch’ WAF

Of all the issues presented by legacy WAF solutions, perhaps the most problematic is their complexity. If an organization wanted to deploy a WAF — particularly one that relied on whitelisting — it would also require a dedicated, highly skilled security practitioner to set up, monitor, and maintain the solution.

By contrast, the Zero Touch WAF — part of Link11’s Cloud Security Platform — protects web applications using an automated whitelisting process that requires no human intervention.

The Zero Touch WAF comes ‘out of the box’ with the benefit of Link11’s 15 years in cyber security and uses a self-learning AI approach to identify unknown attacks and create new policies in real-time. Not only is this approach much faster than a human could match, it also avoids the potential for human error and misconfiguration, which would otherwise drastically increase cyber risk.

The Zero Touch WAF uses a three-step approach to identify unknown threats:

  • Step 1: Continuous AI-based learning, which deeply analyzes incoming data traffic and creates a whitelist of legitimate sources.
  • Step 2: A continuous feedback loop ensures whitelist rules are refined based on all incoming data traffic.
  • Step 3: Link11’s Cloud Security Platform uses a combination of WAF scoring and DDoS scoring to distinguish between legitimate and malicious traffic with unbeatable accuracy in real-time.

The combination of WAF and DDoS protection found in Link11’s Cloud Security Platform is unique in the industry. Not only does it drastically reduce the level of human effort required to protect web applications, it also supports maximum cyber resilience by providing real-time defense against attacks at all network levels — not only those that target the application layer.

To find out more about Link11’s industry-leading Zero Touch WAF, visit our website.

Current articles

Stay updated on current DDoS reports, warnings, and news about IT security, cybercrime and DDoS protection.

Stay up to date!

Subscribe to the Link11 blog about the company, it security, and cybercrime.

Link11GmbH​

Follow Link11 on Twitter