The other half asks "May I please have some more (application security)."
Another lifetime ago, way back in 2014, I wrote that "updating WAF rules is like flossing, everybody knows they should be doing it but it can be an easy step to forget and difficult to find the time to do it." At the time my conclusion was something along the lines of "so if you don't have time to do it, you should pay someone to do it for you". In hindsight that conclusion was flawed for two reasons: First, my analogy at that point got a little bit weird - who in their right mind would let someone else floss their teeth for them? By the same token, what if you don't trust a 3rd party to update your rules for you? Some security professionals, quite rightfully, probably take better care of their apps than they take care of their own teeth, and they are perfectly capable, thank you very much, of taking care of their apps and their WAF rules themselves. Some of the larger eCommerce companies and banks, for instance, have teams of 4, 5 or even 6 full-time employees studying WAF rules, tuning configurations, and generally making sure that the bad guys are kept out while the good guys get through to their websites unmolested. Second, even if you are comfortable with someone else flossing your teeth or updating your rules, what if you can't afford to pay someone else to do it for you?
Since 2014 I've had the opportunity to talk to many security professionals. There are those who have the good fortune (mostly those in eCommerce or Banking) of having a security department that includes a cadre of application security experts. Then there are those who have ceded control to a 3rd party, and sometimes to Akamai's Professional Services team (Managed Kona remains a popular option for most of the largest and most heavily trafficked sites in the world). Even among this second group, though, I hear sighs of resignation from customers and prospects who admit that they don't have time to even discuss the 3rd party's findings, and thus their rules remain in alert or "listen" mode and they continue to worry that they are exposing themselves to threats.
Even worse, I'd say 50% of the customers I meet, and maybe more, cast their eyes downward when I ask them about the state of application security in their organizations. In this latter group, I get sheepish glances, and then the admission "we have a WAF, but we haven't updated the rules since we installed it 18 months ago" or "we have a WAF but the rules are still in listen/alert mode" or the rock-bottom comment "we have a WAF but it is still on the shelf". This is of course the most worrisome comment of all, and prompted 451 Research to name WAF to its "Most Likely to Become Shelfware" study in 2014.
For this "other half", I've concluded that neither well-meaning articles equating rule maintenance with flossing nor 3rd party services that still require "opt-in" from the application owners will fix the application security problem. What these companies need is a new approach to application security: a Web Application Firewall driven by a data analysis engine with enough visibility into threats that it can recognize the vast majority of common threats, an interface that allows for self-service configuration in fewer than 4 steps, and - most importantly - a new approach to malicious threat detection that minimizes false positives to the point that WAF customers can safely allow rules to be updated and deployed on a regular basis by themselves - no intervention, no phone calls, no permissions required.
Web Application Protector, the newest product in Akamai's Cloud Security, does just this. How?
False positives are minimized by an improved threat research methodology that includes field testing new detections on live traffic in a non-intrusive manner. The result of this approach is that the customer needs to do no tuning of their individual configurations when new security logic is added to WAP Threat Groups. Because Akamai's Cloud Security Intelligence Data Analysis Engine sees legitimate and malicious requests directed at the most visited and most attacked properties and sites in the world, Web Application Protector makes more accurate determinations than other WAFs on the market.