It’s all about security rules

Stephen Hawking said, “Intelligence is the ability to adapt to change”.

One could say much the same of web application firewalls and WAF security rules. With web applications now one of the most attacked components of IT infrastructures, organizations have a critical need to protect the systems and application programming interfaces they expose to the web.

The stakes are high, including PCI-DSS compliance (or fines for non-compliance) for financial transactions, and loss of revenue, data, and customer trust if hackers succeed. Feeding, teaching, or even self-learning — is there one WAF approach above all others that optimizes web-enabled application and API security?

Why a WAF?

Web applications need security that traditional network-level firewalls cannot provide. Attacks can arrive encapsulated in apparently innocent HTTP traffic and related protocols and formats like dHTML, CSS, XML, and SOAP API.

WAF addresses this application-level security, adding an extra layer to any security already built into the application. The technologies used may then differ in terms of how their deployment on premises or in the cloud, and whether they drive security by themselves or are driven by external rules and policies.

Your Signature Here, Please

Conventional web application firewalls use attack “signatures” and security rules. The initial information and subsequent updates may be provided by the WAF vendor or a free or commercial external source.
They may also be defined manually by IT security staff in the organization that is using the WAF. Update frequency for signatures and rules may vary, although more often is usually better.
The WAF compares HTTP traffic with the signatures and rules, and alerts the organization to problems it detects. It may function by blacklisting certain types or sources of traffic, by content, IP address, user ID, or some other parameter, which it then blocks. The other traffic is then let through. Alternatively, it may whitelist traffic, meaning it will only let through the traffic that has been pre-approved. The other traffic is then blocked, possibly at the expense of “false positives”.

Free Feeds and Commercial Feeds

Free attack signatures and security rules for WAFs are available, for instance, in OWASP ModSecurity.
This is a set of generic attack detection rules that apply to any web application. SQL injection, remote command execution, file includes, and cross site scripting (XSS) are examples of the types of attacks concerned.

However, generic rules tend to produce a higher rate of “false positives”. In other words, the WAF not only filters out attacks, but also incorrectly blocks traffic that should have been let through. Some commercially available signatures and rules try to address this shortcoming. For example, the
ModSecurity version from Trustwave SpiderLabs correlates specific attack vector locations with the different types of vulnerabilities, thus reducing the rate of false positives.

The Problem of the Unknown

A security rules feed can only help defend against problems that are known by the feed provider. Zero-day attacks, meaning those that are unknown to the web application or WAF vendor, may not be included in such a rules feed. This includes previously identified attacks whose code has been mutated to
avoid detection via the original signature. In a signature-based approach, security organizations may also be at least 24 hours behind hackers, enough time for many attacks to compromise web applications and their data.

What’s wrong with Regular Expressions

Most of the signature feeds, both free and commercial, send out millions of regular expressions to become the basis of the WAF security rule set. Each of the regular expressions tries to match a known attack signature to the content of http session. Sequentially checking all the regular expressions creates significant performance impact. By comparison, rules generated by machine learning, a form of artificial intelligence, allows a WAF to tackle attacks and other security issues that a purely signature-based approach cannot detect.

Correctly applied, machine learning uses data gathered by the WAF on traffic flows and patterns to construct its own set of dynamic blocking rules for different application types based on any abnormal traffic patterns detected.

Threat Intelligence feed from Wallarm is an example of a solution meeting these criteria. By removing the signature approach, performance is improved dramatically. The feed is generated by Wallarm Cloud from the statistical information which it continuously collects from many thousands of applications protected by Wallarm WAF and relies on “hacker intelligence” to generate dynamic security rules, based on its learning of traffic and application behavior.

To paraphrase the saying at the start of this article, while a WAF without a threat intelligence feed does more harm than good, a WAF with signature-based security rules feed can provide reasonable basic protections, a WAF with the threat intelligence feed which “adapts to change” can offer more effective protection against the aggressive internet environment.