Traditional WAFs speak to bigger adoption problems for technologists, innovators, and businesses.
Making a decision in today’s marketplace is like being a kid in a toy store. There are so many options that excitement quickly turns to settling on a familiar choice, so it’s no surprise that businesses are settling for subpar solutions from familiar brands. In a time when customers are overstimulated by a nauseating flurry of new ideas, over-promises, and social media marketing that verges on stalking—brand recognition and trust have gained influence in how people consider new technology. A legacy tool or brand has tremendous power, from high marks in share of voice to simply having created a well-worn path of least resistance via familiarity. But legacy solutions may not be the best solution right now. Worse, as shown in a recent study on traditional WAFs, users are actively unhappy with legacy solutions, but they aren’t adopting security innovation at a rate proportionate to their unhappiness.
So why is adoption such a finicky thing from one new tech to another?
I’ll tell you why: disillusionment. And here is where we explore that—and how we can get past it to better technology.
In the last 40 years, we have moved from rotary phones to carrying around powerful pocket computers. The level of adoption is incredible. And machine learning has been long imagined by utopianists (and naysayers alike). So in an age revolutionized by innovation, when next-gen promises fail, it creates disillusionment.
As users, no one needs to understand technology to gain a dependence on it. We expect it to work well and work indefinitely. We come to love and yet be quickly disappointed by the everyday tech we rely on. And we find it tremendously difficult to change our smartphones, let alone critical tools like security.
The disappointment around traditional WAFs and owner unhappiness sours people on the adoption of newer solutions, and examining it can reveal more universal insights on innovation and adoption problems. (Based on the 2019 State of Web Application Firewalls study by the Ponemon Institute.)
The big spoiler: all technology lives in a human environment. It makes sense that people will be disappointed when their environments and problems change and the technology does not continue to save the day. We have gotten them used to updates. They simply expect the next-gen solution for their own next-gen problem.
So, how are traditional WAFs failing, and what can security technologists do to help businesses evolve in the face of failing failsafe tools?
On a long enough timeline, every technology has to mature into a normalized, highly adopted technology as ordinary to users as smartphones, or else fail and exit the market. Traditional WAFs are taxing patience and resources as they come into adolescence. Understanding those owner pain points can be incredibly useful to security technologists—and every technologist.
The trifecta of complaints about WAFs and what we can learn from them are fairly universal for DevOps, business, and innovation: they are weak, time-consuming, and expensive.
Over half of companies using WAFs are unhappy, according to a recent article by Help Net Security, and unless you’re a politician, that’s a very bad statistic to own. Unhappy WAF owners, unsurprisingly, complain about the trifecta. In reality, traditional WAFs are a known quantity. As IT professionals we loathe risk, which gives them a certain charm in spite of all the warts. The problem is that development and infrastructure are changing quickly and security solutions have to fit into the exact risk analysis and personal business landscape of each company. A solution built for 2010 just doesn’t work under that scenario, no matter how much we loved it a few years ago.
“It’s so much easier to suggest solutions when you don’t know too much about the problem.” – Malcolm Forbes
Thanks Mr. Forbes! Let’s do a deep dive on the trifecta:
1. WAF WEAKNESS
Pain point: WAF users complain that too many attacks bypass their WAFs, even though only slightly over 40% of those polled use their WAF for blocking.
Solution: Stronger, more comprehensive security solutions need to be available, adapt to continually evolving attacks, recognize changes in data patterns over time, and respond in tandem with identifying vulnerabilities and issues.
Technology takeaway: Yesterday’s cutting edge is tomorrow’s dull blade. As the cycles of obsolescence get faster, technologists need to predict continually changing total contexts, including changing social conditions that affect where and how a technology will change. Disrupted work-life balances, for example, mean that people access data for work and pleasure in a multitude of places and endpoints (and often on the same insecure mobile device!). Work efficiency services and software can make an end run around security entirely by accident.
2. TIME-CONSUMING FOR SECURITY
Pain point: Continuous, time-consuming WAF configurations and administration take up security team time and expertise. Security teams have lots of expertise, but little time. Economists would call this an inverse supply curve. We call it a headache.
Solution: Companies cannot always afford the staff to dedicate to time-consuming manual configuration, heavy oversight, and expertise. Even if they could, the size of team required to keep up would still be ridiculous. Even the most elite security teams would wobble under the weight of endless configuration and administrative duties.
Solutions need to be easier, more integrated, and less dependent on high-touch oversight.
Technology takeaway: Technologies that cannot adapt to changing scale, resources, or organizational priorities and bandwidth, or that rely on experts to cover a capability gap, are limited by how well they can actually function in that environment. High tech is not the same as highly usable.
3. EXPENSE OF OWNERSHIP AND STAFFING
Pain point: High costs in ownership and staffing are cumbersome, especially at a public company where tight OpEx has the last say in every debate.
Solution: The cost of ownership has to deliver value sufficient to the IT user. The ROI of security can be hard to measure and justify unless a company has already suffered a breach. Educating technology users and keeping them aware is part of any technology earning its place. Making things easy enough to use that all the features and benefits are obvious, adopted, and have a real impact is also important.
Technology takeaway: The best solutions aren’t always the most expensive, particularly if the consumer is unable to afford the ongoing support costs. Ultimately, your target market needs to see the value in action, not in theory. Cut back on unnecessary features and pitches.
New technologies evolve when innovation can match interest. Once that sprouted new technology is adopted and proves itself, there’s greater user expectation. Going back in time, early technologies in any product line will likely be seen as “weak, time-consuming, and expensive.” Think of your early cell phone. So, why do people resist new technology?
“We fail more often because we solve the wrong problem than because we get the wrong solution to the right problem.” – Russell L. Ackoff
Better isn’t always better adopted. As technologists and business leaders, we need to understand how adoption happens. Then, we need to educate and prove the value of newness.
Users naturally fear any new technology that appears to over-promise and under-deliver, especially when it claims to be better, cheaper, and less time-intensive.
If something seems too good to be true, in other words, it usually is. Customers know that.
Familiar systems and processes aren’t exciting but they’re reliable. Businesses know that by chasing the latest technologies and trends they are likely to be disappointed by false promises, so they remain loyal to the devil they know. “Bigger” has lived through maturation and “better” comes with a lot of unknown risk factors. As we recognized before, however, older technology isn’t without significant liabilities.
Old, reliable solutions can go a long way; that is true. Newer can be better; that is equally true. We have long recognized this as the difference between sustaining and disruptive technologies.
To summarize – within the security space, legacy solutions have tapped out existing (sustaining) technologies, but users in this space are rarely willing to trust the disruptors. That leaves a nasty gap in the middle for hackers to take advantage of, as evidenced by the ever-growing number of high-profile breaches in the news.
Remember, we want technology to solve problems, not take up time-consuming expertise and resources. So, new—whether brands, technologies, or methodologies—runs up against one of the major pain points for adopters of new technology. It requires that we trust a company’s promises, gather expertise, or some combination of both.
To compensate for this tension, technology can strike a balance by focusing solutions on:
- Easy adoption, interoperability, and integration
- Intuitive UX/UI and design
- Understanding pain points and value of technology applied
- Broad support across groups
- Clear value reporting and support in accessible language
- Proven testimonials and case studies
- Data-driven support and easily-proven value
According to the Ponemon Report, over 70% of these unhappy WAF owners wanted automation, but that requires trusting machine learning or an AI. There is likely no resident AI expert on their security team, and as a result no way to evaluate the quality of a vendor. There are a lot of promises of automation in the marketplace, but few that actually deliver fully automated solutions. This has resulted in a substantial trust gap between IT professionals and AI-driven solutions.
And the idea of change is always problematic for any business. It is not enough to have a better mousetrap. You have to have one that is easy to integrate into your household. It also has to be that easy to set up, and understandable without a PhD in machine learning systems.
Wallarm was founded on this premise.
If the Ponemon Institute sample is any indication, most people who have new technology nonetheless use only some of its capabilities. Among the WAF users surveyed, most use the WAF for alert generation but not for blocking, even though a larger share describe a WAF as “critically important” for security. So, why does possessing a technology not equal fully using it? The simple answer is, “Batteries not included.” People have increasingly busy lives and decreasing attention spans.
There is also the very real problem of technology that only helps on paper but clogs up the machinery it was supposed to help. Those teams that aren’t adopting may be using tech, like their WAF, perfectly well. Take the well-known problem: “If someone has a WAF, why aren’t they using it in blocking mode?!” Technology doesn’t always understand that it has to live in that human environment. Low usage of a traditional WAF’s blocking mode is due to a high number of false positives. If you have hundreds or thousands of blocked requests per day that are actually legitimate, then you have lost as many purchases or transfers, translating into thousands or tens of thousands of dollars per day. Try explaining that to stakeholders.
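Measuring a rule in alert-only mode before switching it to blocking is how a team turns the false-positive argument above into numbers. This added Python example (not Wallarm’s code and not data from the study) runs two constructed signature rules over constructed, labelled sample traffic, reports each rule’s false-positive rate, projects the daily revenue lost if blocking were enabled, and applies an assumed promotion threshold; the daily traffic volume and per-request value are assumed inputs.

```python
import re

# Constructed sample traffic (hypothetical, not from any real WAF log or from
# the Ponemon study): (request line, labelled as attack?).
SAMPLE_REQUESTS = [
    ("GET /search?q=select+a+size", False),
    ("POST /checkout name=O'Brien&qty=2", False),
    ("GET /products?id=42", False),
    ("GET /search?q=laptop+stand", False),
    ("POST /login user=alice&pw=pa55word", False),
    ("GET /products?id=42' OR '1'='1", True),
    ("GET /search?q=1 UNION SELECT username, password FROM users", True),
    ("GET /products?id=42; DROP TABLE orders", True),
]

# Two candidate rules. The loose signature is the kind that keeps a WAF stuck in
# alert-only mode; the tight one looks for an actual injection shape.
RULES = {
    "loose_sqli": re.compile(r"'|select|drop", re.IGNORECASE),
    "tight_sqli": re.compile(
        r"'\s*(or|and)\s*'?\w+'?\s*=|union\s+select|;\s*drop\s+table",
        re.IGNORECASE,
    ),
}


def evaluate_rule(pattern, requests):
    """Run a rule in detection (alert-only) mode over labelled traffic and
    count true positives, false positives, false negatives and legit volume."""
    tp = fp = fn = legit = 0
    for raw, is_attack in requests:
        hit = pattern.search(raw) is not None
        if is_attack:
            tp += hit
            fn += not hit
        else:
            legit += 1
            fp += hit
    fp_rate = fp / legit if legit else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "fp_rate": fp_rate}


def projected_daily_loss(stats, daily_legit_requests, value_per_request):
    """Scale the measured FP rate to production volume (both figures are
    assumed inputs): blocked legitimate requests per day times their value."""
    return stats["fp_rate"] * daily_legit_requests * value_per_request


def promote_to_blocking(stats, max_fp_rate=0.001):
    """Assumed promotion policy: a rule leaves alert-only mode only if it misses
    no labelled attack and its false-positive rate stays under the threshold."""
    return stats["fn"] == 0 and stats["fp_rate"] <= max_fp_rate


def assess_rules(requests=SAMPLE_REQUESTS, daily_legit=100_000, value=40.0):
    """Per rule: detection-mode stats, projected daily loss if blocking were
    switched on, and whether the policy would allow that switch."""
    report = {}
    for name, pattern in RULES.items():
        stats = evaluate_rule(pattern, requests)
        report[name] = {
            "stats": stats,
            "daily_loss": projected_daily_loss(stats, daily_legit, value),
            "block": promote_to_blocking(stats),
        }
    return report
```

On this sample the loose rule catches every attack but also blocks the apostrophe in a customer name and the word “select” in a search, which at the assumed volume projects to a seven-figure daily loss; the tight rule catches the same attacks with no false positives and is the only one the policy would promote to blocking.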
Rather than blame teams, users, or otherwise kick the can down the road, solving for poor use of a new technology requires we understand this usage problem as a variable like any other. We need to solve for it. Take a hint from Apple: no user manual required. The technological experience needs to be friendly, highly intuitive, and anticipate and adapt to the context it’s being integrated into.
- Batteries included:
  - Ease of use from deployment to adoption
- Expertise is a bonus:
  - Customization as a secondary consideration
  - Fit within the existing toolchain, teams, and workflows
- AI power:
  - Automated runs throughout various features
  - Understandable UI out of the box
- More than theory:
  - Value gain is not offset by negative effects or interruptions to the broader work ecosystem.
Adoption requires that a solution answers at least two of the pain points the Help Net Security respondents pointed towards. A new technology has to be two of the following three: more effective, time-saving, and cost-saving. It has to make us happier in how our day-to-day lives function. That means we, as technologists and managers, have to work harder to be creative about how well our products function and bring people together. We have to continually add value to their lives—even more than we save their bottom line.
Offering complex support materials and extensive training is also a harbinger of doom. Remember when we said “time-consuming” and “resource intensive” are major complaints?
Extensive training can be appealing to large enterprises, but it won’t help with morale any more than high-tech language will. Time is the most valuable resource we have in today’s work landscape, as proven by how you feel about every single conference call invite you’ll receive this week that isn’t strictly necessary.
The struggle is real.
Focus instead on making your product flexible and intuitive, and customizable only to the extent that additional functions can be added as easily as possible, without making them mainstays of the product.
Employees are not machines—and now that we have machines, automation, and AI, they don’t need to be.
Keeping up with competition will undoubtedly mean accepting a level of AI-automation.
“We simulate that about 70% of companies might adopt some AI technologies by 2030, up from today’s 33%, and about 35% of companies might have fully absorbed AI, compared with only 3% today. The econometrics demonstrate that peer competitive pressure is the largest influencer of the decision to adopt AI and make it work across all enterprise functions.” – Harvard Business Review
High-value resources cannot be replaced by machines or AI in the visible future. Humans are time and expense intensive, but both of those can be better optimized by automating the tasks where humans are inefficient, particularly over time. With data, there is simply no way for any human to keep up with the volume a WAF or other security solution monitors. It’s equally impossible for them to manually sort through the generated alerts, especially when they’re full of extraneous false positives. They don’t have the bandwidth or recall to identify patterns in an endless stream of code—and they shouldn’t be expected to.
“He is being nibbled to death by ducks.” – James Tate
Managing people under the myth that busyness is best for business is probably spot on, per Harvard Business Review. Employees thrive when busy, provided it’s in meaningful ways. The present workday is replete with too many technological shifts that have filled our lives with interrupted concentration and many small tasks. According to Forbes, the average office worker receives 121 emails a day. The workplace is stressed with pressure to continually be in motion (a serious truism for a CI/CD methodology that emphasizes the continuousness of development and integration). Without automation tools for managing workflows, inboxes, and other workplace innovations, it’s unreasonable to expect anyone to prioritize routines that feel monotonous. Repeated tasks cause boredom and shut people down. That leads to dangerous mistakes, oversights, and lower productivity. They will likely tune out, lowering the quality and reliability of their output.
Time resources are a huge obstacle for WAF administration, consuming the hours of several security experts who must spend their valuable time on tedious tasks.
“Managing legacy WAF deployments is complex and time-consuming, requiring an average of 2.5 security administrators who spend 45 hours per week processing WAF alerts, plus an additional 16 hours per week writing new rules to enhance WAF security.” – Help Net Security
Automating the WAF is a clear solution to the time and tedium of the manual tuning required to use a WAF effectively, especially in a fast-moving DevOps environment. With the average WAF costing the average company over $620K annually for a solution that is not being maximized, any correlation between administrative time cost, attack risk, asset value and financial underperformance is essential to address. That correlation is significant. Traditional WAFs may be ineffective at keeping up with increasingly rapid CI/CD cycles and data flows, and even within operations and development processes, the strain on security administration is a problem.
Automation may help both.
Moreover, it’s pretty unlikely that security teams can grow at a rate that covers the increase in data, which will undoubtedly accelerate as technology grows exponentially.
“It finds that AI could (in aggregate and netting out competition effects and transition costs) deliver an additional $13 trillion to global GDP by 2030, averaging about 1.2% GDP growth a year across the period. This would compare well with the impact of steam during the 1800s, robots in manufacturing in the 1900s, and IT during the 2000s.” – Harvard Business Review
Best bets are that larger enterprises that can afford to play big are, undoubtedly, going to be early adopters of AI. When technologies promise something like full automation and real solutions but then fail to deliver, it can do irreversible damage to small-to-midsized companies. Not only can enterprises feel overconfident in their technology solution, but they can also make the mistake of overlooking real advances because the tech is difficult to understand.
For WAF users who feel disillusioned, postponing trying real automated security solutions can leave them behind. Most companies that suffer a security breach or attack face enormous recovery costs, both financially and in their reputation.
“Beyond the technical maturity issue, there are several other problems with the idea that companies will be able to adopt quickly once technologies are more capable. First, there is the time required to develop AI systems. Such systems will probably add little value to your business if they are completely generic, so time is required to tailor and configure them to your business and the specific knowledge domain within it. If the AI you are adopting employs machine learning, you will have to round up a substantial amount of training data.” – Harvard Business Review
Wallarm’s Advanced Cloud WAF combines multiple approaches to provide easy-to-use, powerful protection out of the box. It’s designed to integrate and play nicely with other solutions, focusing on the API-level area where new data is continually coming in. Solutions include OWASP Top 10 identification to monitor, generate alerts, and block attacks. It also learns quickly, automatically running and learning from 1000x the tests in ways that surpass traditional WAFs. And it’s customizable to really learn from your infrastructure, business, and traffic. However, later adoption means less time to keep up with other companies using machine learning to monitor and identify data. Machine learning can recognize weaknesses and patterns over time. That means it gets smarter as it ages, better identifying false positives, subtle attacks, and even weaknesses in code. Your entire CI/CD pipeline can get stronger as an AI runs.
Early adoption is going to be a serious advantage as AI becomes an increasing part of making the DevOps environments more secure and robust in the face of accelerated digital transformation and technology self-cannibalization. Those who fail to adapt may fail entirely.
Our lives have been revolutionized in ways we don’t even notice. As a professional in technology, I should understand the complete and constant overhaul of our lives like some sort of metaphysical CI/CD complete with constant bugs and need for improvement. For as much as I’ve seen change in the last 20 years of technological innovation, I am just as indoctrinated as anyone. I refresh my phone every 3 seconds if a page from anywhere in the world doesn’t load perfectly and instantly. That presents a problem for technologists and businesses who need to deliver the speed that keeps the modern digital machinery moving and secure consumer trust. Technology has to balance output, consumer loyalty, and innovate away from the safe-feeling legacy tools that are outmoded. We need that old WAF to work like new—like it promised.
Expectations are high because our ability to deliver feels unstoppable. In other words, we’ve gotten used to quick advancement because we are quick at technological evolution. Adopting new automation, AI, and smarter ways of protecting the infrastructures we depend on is not only necessary, it’s inevitable and it’s now. It’s simply a matter of realizing the solutions are there, rather than getting caught up in our frustrations. Technology and business should align around creating and adopting easier automation. It’s the only way to secure:
- Higher retention of specialized labor
- Better workplace balance
- Stronger security solutions inside pipelines
- Product improvement
I think this applies more broadly than to API and microservice protection. This applies to everything technological, including our quickly redefining workspaces and structures. We have adapted to expecting more because invention follows these tantrums of usability. It’s our responsibility, as technology’s vanguards and apostles, to understand the users we are responsible for and to lead them, gently but tenaciously, towards better understanding rather than complacent disillusionment and slow adoption.