The Web application attack landscape is evolving quickly in conjunction with the ongoing changes around application development, hosting and maintenance. Trends such as DevOps and cloud migration are forcing application security teams to investigate new ways to keep up with new vulnerabilities and to manage policies across disparate hosting environments. As cyber-attacks and mitigation techniques continue to evolve, enterprises need to look beyond static protections and focus on more automated and adaptive solutions to effectively protect their networks and applications.
Providing protection for web applications is a core part of Limelight’s – Powered by Radware, security offering. Through its Web Application Firewall, and its Enterprise-grade Cloud WAF Service, Limelight offers full web security protection including OWASP Top 10 coverage, advanced attack protection and Zero-day attack protection, that automatically adapts your protections to evolving threats and protected assets. Limelight’s WAF technology incorporates machine-learning algorithms to keep web assets protected always, even while applications constantly change and threats rapidly evolve, assuring web security is future proof.
The most common protection includes a negative security model, which defines what is disallowed, while implicitly allowing everything else. Most Web application security solutions leverage a negative security model that utilizes few signatures for specific, previously seen attacks. Relying solely on negative security models, offers only partial protection against OWASP Top 10 risks. In most of the cases different risk categories will not be covered at all.
Blocking Zero-day attacks, which are previously unseen attacks, requires a different approach rather than signature-based protection. A positive security model, which defines the set of allowed types and values, is required to provide a proper protection where signature-based protection cannot fill the gap.
Yet the use of these security models requires defining policies and rules which can sometimes be labor intensive. Limelight’s goal is to use automation to reduce the cost of ownership and to avoid human errors associated with such manual processes. Auto policy generation technology introduces machine-learning capabilities for automatic rule definition and maintenance. Different methodologies may be involved with automation, where the idea is to identify the legitimate traffic to the application and profile the application based on that traffic. Most WAF solutions, especially cloud services, do not offer any auto policy generation capabilities, while those that do offer such tools are focused on very specific attack categories, such as DDoS attacks.
As part of its WAF, Limelight offers an Auto Policy Generation mechanism that provides the best tool for automatically generating security policy for the secured Web application. The Auto Policy Generation module is included in the Cloud WAF Service and will automatically utilize the required security filter, create security filter rules, and switch the security filters into active mode. These operations would normally require manual refinements. Building a security policy usually demands intensive work on the part of the administrator, while still leaving a system potentially open to attack due to human errors.
By leveraging machine-learning algorithms, Auto Policy Generation is able to secure a web application automatically with as little or limited user interaction. There are different attributes of the secured application—the environment needs that impact the process of policy generation. The system automatically discovers the structure of a web application, while at the same time, Auto Policy Generation sets the relevant security filters, analyzes traffic properties from the production environment and builds a dynamic network profile for a specific site according to the Auto Policy Generation module.
Auto Policy Generation generates rules for different security filters. For example, when enabled, the Parameters security filter rules are automatically generated by the Auto Policy Generation module. When enabled, the Allow List security filter will automatically white list the allowed URLs to be accessed.
At the HTTP parsing module, various settings can be automatically optimized and modified by the systems. Examples for such automatic modification include message size settings for the request and HTTP parsing properties exceptions such as allowing High ASCII chars in the HTTP parameter value. Such HTTP RFC violation exceptions will be defined automatically either on specific URLs, or globally if required across many resources in the application.
In the case of the Cloud WAF Service, once a policy is automatically generated, it is reviewed by security experts to validate the quality of the generated policy. It will be reviewed to ensure validity of the policy, integrity, false positive risks, and false negative risks. This is also available to WAF customers who chose to add the ERT Premium managed service. The security and cloud experts have extensive real-world experience providing protection form advanced cyber-attacks with deep knowledge of WAF technology.
Beyond the obvious value of reducing the risk of human errors when expecting the customer to generate the security policy rules and the cost of ownership involved with such activities, the most important value involved with Radware’s Auto Policy Generation capabilities has to do with the quality of protection.
The fact that different levels of protection can be automatically learned and optimized by the auto policy generation system allows enabling ALL RULES and activate various security filters. With this capability, the rules and filters are being optimized and updated automatically, thereby removing the risk of generating false positives.
If we take a simple example of the Always True Expression type of SQL Injection such as “ OR 1 = 1,” we can easily understand that rules which are aimed to block such inputs will have a high tendency to generate false positives. If there is no automatic mechanism to create such policy exceptions, it will not be reasonable to define such rules which may block legitimate traffic. Most cloud WAF vendors do not define such risky rules.
The auto policy generation technology allows enabling all rules, while automatically creating the exceptions for these rules in those areas where these rules generate false positives, while properly securing the rest of the application. All HTTP RFC rules are enabled, all Injections rules are applied and being optimized automatically. This alone offers a dramatically higher quality of protection even if positive security model is not involved.
The unique Auto Policy Generation includes a set of machine-learning algorithms that analyze the protected application, generate granular protection rules and apply a security policy in blocking mode that offers the following benefits: