It's a known fact that most people use the Internet. It’s a useful resource for collecting data, catching up on the news, connecting with friends, and watching cat videos.
However, that’s not the only thing that you can do on the Internet, and many organizations have made it a core part of their business model. Beyond using it as a resource to gather data for their products, companies can use websites and web applications to interact with their customers. A web app provides a custom experience to each user, allowing organizations to automate a large portion of their customer service work and letting them focus their time and energies on developing products and services.
However, the reason that these web apps work so well is that they have access to data. In order to act like customer service or sales, the web app needs the same data that a traditional customer service or sales representative would need. This direct connection between a company’s databases and the public with only a bit of code in the middle means that this bit of code comes under a lot of scrutiny and attack by hackers.
This is where a web application firewall (WAF) comes in. The role of a WAF is to stand between the Internet and a web app and ensure that no attacks make it through to the web app and back out with sensitive data. The value of the data that the WAF protects and the ingenuity of the hackers that want that data means this isn’t an easy job, and a WAF needs to work very hard to provide a web app with the level of protection that it needs.
The Trouble with WAFs
The concept of a web application firewall isn’t a tough one. As the name suggests, a WAF is a firewall specifically designed to provide the type and level of protection that a web application requires. However, this is easier said than done.
At a base level, a WAF needs to provide protection against known attacks. The OWASP Top Ten provides a good list of these; however, they aren’t the only threats that a web app can face. Signature-based WAFs can only protect against the types of attacks that they know about.
Protecting against unknown attacks is tougher but necessary. In fact, a survey by the Ponemon Institute found that 72% of the surveyed WAF owners wanted more intelligence and automation built into their WAF. Only 47% of those surveyed even considered protection against OWASP threats a useful feature (making it third to last on the list of useful features). In order to be truly effective, a WAF needs to be able to do more than protect against known threat vectors.
Introduction to Dynamic Application Profiling
The problem with detecting and protecting against unknown threats is that they’re unknown. If it were possible to develop signatures for these attack vectors, protecting against them would be a piece of cake. However, you can’t develop a signature for a threat until you’ve seen it, and once you’ve seen an attack, it’s already too late for the victim. A classic ‘you snooze, you lose’ situation, if you will.
One solution to the problem of dealing with novel attack vectors is called dynamic application profiling (DAP). DAP is a bit different from how WAFs traditionally operate since it flips the paradigm on its head. Signature detection involves defining the abnormal aspects of an attack and looking for those signatures. DAP involves profiling the normal attributes of a web application’s behavior and looking for anything that deviates from that baseline.
The majority of user interactions with a web application fall into a narrow band of potential inputs. There are things that the web app is designed to do and most users “follow the rules”. By observing the web apps under its protection and how users interact with them, a WAF using DAP can have a pretty good idea of what is “normal” for its operating environment.
Once it has built a baseline, all that a DAP solution needs to do is figure out how to manage abnormalities. Some deviations may be benign (e.g. responses to updates to the web apps), and the WAF should learn to ignore them. By observing context and how these deviations occur (e.g. a large number of users will begin exhibiting “deviant” behavior with no ill effects), a DAP system can identify these and appropriately update its baseline. This provides the level of intelligence and automation in defense that 72% of WAF users wish their product had.
Other deviations will be malicious. These are the attacks that the WAF is designed to prevent. The same level of context and breadth of experience that allows DAP to identify benign deviations can help it to identify these deviations as malicious and take the appropriate action.
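A minimal sketch of the baseline-and-deviation idea described above, added here as an illustration and not taken from any WAF product: it learns the longest value and the character classes seen for each parameter, flags requests that deviate, and folds a deviation into the baseline once enough distinct clients show it. The /search endpoint, the sample traffic and the absorb_after threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Coarse character classes describing what a parameter normally contains.
CLASSES = {"digit": r"[0-9]", "alpha": r"[A-Za-z]", "space": r"\s",
           "punct": r"[^0-9A-Za-z\s]"}

def char_classes(value):
    return {name for name, rx in CLASSES.items() if re.search(rx, value)}

class Profile:
    """Baseline per (path, parameter): longest value and character classes seen."""

    def __init__(self, absorb_after=3):
        self.max_len = defaultdict(int)
        self.classes = defaultdict(set)
        self.deviant_clients = defaultdict(set)
        self.absorb_after = absorb_after  # assumed threshold, not from the article

    def learn(self, path, params):
        for name, value in params.items():
            self.max_len[(path, name)] = max(self.max_len[(path, name)], len(value))
            self.classes[(path, name)] |= char_classes(value)

    def check(self, client, path, params):
        """Return the deviations of one request from the learned baseline."""
        findings = []
        for name, value in params.items():
            key = (path, name)
            if key not in self.classes:
                findings.append((name, "unknown parameter"))
            elif char_classes(value) - self.classes[key]:
                findings.append((name, "unexpected characters"))
            elif len(value) > 2 * self.max_len[key]:
                findings.append((name, "unusual length"))
        if findings:
            # The same deviation from many distinct clients is treated as an
            # application update and folded into the baseline.
            seen = self.deviant_clients[(path, tuple(findings))]
            seen.add(client)
            if len(seen) >= self.absorb_after:
                self.learn(path, params)
        return findings

# Constructed training traffic for a hypothetical /search endpoint.
profile = Profile()
for q in ["red shoes", "laptop 15 inch", "usb cable"]:
    profile.learn("/search", {"q": q})
```

A production profiler would also need the “no ill effects” signal the text mentions before absorbing a deviation; the distinct-client count alone is used here to keep the example short.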
Why You Need DAP for Your WAF
Deploying and maintaining a strong WAF solution for your organization can be a challenge. Purely signature-based systems can require a great deal of maintenance due to their complete reliance on man-made signatures. Also, these systems don’t have the ability to automatically adapt to a changing protected environment.
With dynamic application profiling, a WAF is no longer completely reliant on signatures for attack detection. By building baselines of “normal” behavior and comparing traffic to these norms, DAP-enabled WAFs have the ability to both adapt to a changing environment and detect novel attack vectors. With the rapid pace of development in the cybersecurity threat landscape, a DAP-enabled WAF is the best choice for protecting an organization’s valuable web apps.