Creating Order Out Of WAF Management Chaos

Uploaded on 2023-02-08 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Cybercrime is now a major concern for every business. A recent Interpol report found that cybercrime and financial crime are the world’s top criminal threats, with more than 70% of police officers expecting offences like ransomware and phishing attacks to increase over the next three to five years. 

For instance in 2022 alone, the Cybersecurity and Infrastructure Security Agency (CISA) added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalogue in the US.

Businesses want to protect themselves effectively from this deluge of new threats, with a focus needed on web application firewall (WAF) management and rules. So, what makes WAF rules more effective?

In this journey towards higher levels of cybersecurity, organisations will target a reduction in false positives, false negatives, and alert fatigue. At a high level, it has to do with the special order in which WAF rules are run and the speed in which they are processed – in essence, to provide security without sacrificing performance. 

Peeling Back The Onion

The first step is to look at the different layers of protection in your WAF. In order to provide a holistic level of protection,  a WAF should follow a modular approach, to address different cybersecurity functions:

  •  Access control rules provide the ability to create allowlists, denylists, and positive-security access lists. These filter traffic based on factors such as IP address, country, cookie, or content type.
  •  Rate limiting rules restrict the flow of HTTP requests to an application being protected by  the WAF, preventing malicious or accidental application distributed denial-of-service (DDoS) traffic. This also prevents a customer origin server from being overloaded with requests.
  • Bot manager rules mitigate automated traffic by requiring a client (e.g. a web browser) to solve a challenge before allowing the request to proceed. The WAF prevents requests from reaching the application when the client cannot solve this challenge, blocking basic bot activity. This protects your site from bots scraping your content, carding, spamming your forms, launching DDoS attacks, and committing ad fraud.
  • Custom WAF rules help organisations to identify malicious traffic using a combination of variables (e.g. request headers, body, query, method, URL, cookie). This customisation provides added flexibility for threat detection and enables businesses to filter for specific malicious requests and take action to mitigate them.
  • Managed WAF rules identify malicious traffic via a predefined ruleset. In the case of Edgio WAF, these rules consist of over 500 rules spread across three categories: Edgio Proprietary Rules, advanced application-specific rules, and Generic Open Web Application Security Project (OWASP) rules. This comprehensively collects various security policies and rules for different attack categories and applications. When performing a threat assessment, each managed WAF rule can be customised to prevent false positives by excluding certain variables.

Creating Order Out Of Chaos

Powerful WAF engine aside, the key to gaining clarity is creating a proper order of operations to run the WAF most efficiently and effectively. Best practice would be to run different layers of rule modules in a specific sequence. 

  1. Access control rules:   First, incoming traffic should hit access control rules, where requests are filtered by a static set of access control lists (ACLs) configured by the organisation, where unwanted traffic is blocked. 
  2. Rate limiting rules:   Next, the time windows for requests should be tracked by rate limiting rules, with the WAF dropping any requests that fail to reach the specified threshold. 
  3. Bot manager rules:   Bot manager rules serve browser challenges to detect automated clients or primitive bots.
  4. Custom WAF rules:   For higher precision, the WAF should inspect requests using various bespoke filters. These can include any application-specific rules deployed in real time to mitigate zero-day vulnerabilities without waiting for the managed WAF ruleset to be updated - an invaluable tool to gain visibility and control over specific attacks. 
  5. Managed WAF rules:   Finally, any request that has reached this stage is processed by Managed WAF Rules before they reach the application.

Processing rules in this sequence ensures that multiple layers of filtering capture different kinds of attacks before the precision Managed WAF Rules are triggered.

The effectiveness of a WAF isn’t determined by its ability to mitigate attacks (true positives) alone - it is also defined by its ability to prevent legitimate traffic from being blocked (false positives).

The Power Of Managed WAF Rules

When a request reaches step 5 above, it should be evaluated to mitigate a broad spectrum of application attacks. This presents an additional layer of complexity as there are extensive categories of generic and specific rules. For example, depending on the business infrastructure, organisations may require protection from generic SQL injections (SQLi), cross-site scripting (XSS), or remote code execution (RCE) attacks, or more specific WordPress, Joomla and Apache Struts vulnerabilities. 

As is the case with other WAF rules modules, their sequence is paramount. Businesses must carefully prioritise and customise these rules to ensure they complement each other and maximise accuracy. When organisations customise these rules to ignore specific request parameters, such as request header, cookie, query, and body parameters, they can then quickly remove false positives using a simple user interface or API. 

WAF management can be a tricky element for organisations to tackle but is easier when broken down into manageable pieces. Designing and assembling WAF components and rulesets is like making a hamburger.

It's not just about having the right ingredients - it's about combining them in the right order to make a great meal.

The same ingredients put together differently can drastically impact the taste and the consumer's experience, and the same is true of WAF management. When an intelligent order of operations is combined with various WAF rules modules and Managed WAF Rules, security does not have to impede performance.  

Paul McNamara is Senior Solutions Engineer at Edgio

You Might Also Read: 

Reduce Vulnerabilities & Defend Your Brand Against DDoS Attacks:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« SMBs Are Taking Cybersecurity More Seriously
Insider Threat Management: Keep Up With Growing Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

L3Harris United Kingdom

L3Harris United Kingdom

L3Harris UK (formerly L3 TRL Technology) designs and delivers advanced electronic warfare and cyber security solutions for the protection of people, infrastructure and assets.

Conceptivity +360 Cybersecurity

Conceptivity +360 Cybersecurity

Conceptivity +360 Security addresses advanced cybersecurity and supply chain security issues in policy, regulatory, legislation, standardisation, compliance and project management areas.

Exabeam

Exabeam

Exabeam is a global cybersecurity leader that delivers AI-driven security operations.

Infortec

Infortec

Infortec provide consultancy and solutions for the protection of digital information and the management of computer resources.

National Accreditation Authority Hungary (NAH)

National Accreditation Authority Hungary (NAH)

NAH is the national accreditation body for Hungary. The directory of members provides details of organisations offering certification services for ISO 27001.

EOL IT Services

EOL IT Services

EOL IT Services is the UK’s most accredited provider of IT Asset Disposal (ITAD), Lifecycle Services and Data Destruction.

Binary Defense

Binary Defense

Binary Defense protect businesses of all sizes through advanced cybersecurity solutions including Managed Detection and Response, Security Information and Event Management and Counterintelligence.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Futurae Technologies

Futurae Technologies

Futurae - enabling trust and invisible security for your users on all devices and applications. Strong customer authentication (SCA) made easy.

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER) conducts full spectrum military cyberspace operations in order to enable freedom of action in cyberspace and deny the same to the adversary.

IntegraONE

IntegraONE

IntegraONE is a IT solutions provider offering a full range of networking and technology solutions.

MDSec

MDSec

MDSec is a consultancy with a passion for information security. Our consultants specialise in application, mobile and hardware security and targeted red team attacks.

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce Cybersecurity Technology Research Network

Rolls-Royce has partnered with Purdue University and Carnegie Mellon University to create the Rolls-Royce Cybersecurity Technology Research Network.

Morpheus Enterprises

Morpheus Enterprises

Morpheus Enterprises offer managed security solutions designed to keep your web applications secure and your business running smoothly.

Longbow Security

Longbow Security

Longbow automates root cause for your application and cloud risks, enabling teams with intelligent remediation actions that reduce the most risk with the least effort.