Black Hat insights: WAFs are getting much more dynamic making them well-suited to protect SMBs

By Byron V. Acohido

A cornucopia of cybersecurity solutions went on public display today as Black Hat USA 2021 convened once more as a live event in Las Vegas.

Related: Kaseya hack raises more supply chain worries

For small- and mid-sized businesses (SMBs) cutting through the marketing hype can be daunting. That said, there is one venerable technology – web application firewalls (WAFs) – that is emerging as a perfect fit for SMBs in today’s environment, as all companies shift to a deeper reliance on cloud services and mobile apps.

I had the chance to get into the weeds of this trend with Venky Sundar, co-founder and chief marketing officer of Indusface, a Bengalura, India-based supplier of  cloud-hosted WAF services (Indusface has numerous enterprise deployments and also offers the same protections, cost-effectively, to SMBs.)

For a full drill down on our discussion, please give the accompanying podcast a listen. Here are the big takeaways:

WAF resurgence

Web apps and mobile apps are where they action is. SMBs must continually come up with cool new apps to stay competitive; it’s no surprise that this is also where threat actors are focusing their attention.

Criminal hacking rings are carrying out big sweeps, 24X7, hunting for well-known application vulnerabilities that they can manipulate to breach company networks. WAFs help companies keep track of these malicious probes by scanning incoming HTTPS traffic and taking note of parameters such as IP address, port routing, cookie data and incoming data.

The knock on WAFs for many years has been that while they are excellent at parsing HTTPS traffic, all too many companies choose not to instruct their WAFs to actually block any traffic that might be malicious. “Businesses were paranoid about getting false positives and having their WAF block any legitimate traffic,” Sundar says.

Fast forward to the current era of digital transformation. Malicious hackers have stepped up their game. Bad actors are finding ever more efficient ways to scan all public facing web apps and mobile apps, non-stop, for a long list of known app vulnerabilities.

Conversely, threat intelligence resources, like the Open Web Application Security Project (OWASP,) are also playing close attention to the growing catalogue of app vulnerabilities, as well. OWASP not only archives all known app vulnerabilities, it also regularly updates a comprehensive catalogue of the tools and techniques in active use by the most active hacking collectives.

This has proven to be a perfect set up for a WAF resurgence. WAFs are making high use of extensive threat intelligence feeds – from OWASP and others. And WAF suppliers have been upping their game as well, providing richer threat analysis and reducing the rate of false positives.

And, indeed, the global WAF market is growing annually at an estimated 17 percent clip; companies are projected to spend $8 billion on WAF services by 2026,  up from $3.2 billion in 2020, according to Mordor Intelligence.

“WAFs sit as a gateway in front of an application intercepting all traffic,” Sundar says. “It can be a traditional web app or a mobile app using a web API. . . . so WAFs sit in the midst of all this traffic and can be tuned to make decisions, in real time, whether something has malicious intent.

“So if the bad actor does a series of things and surpasses a threshold, showing his malicious intent, then it becomes the company’s responsibility to block him out, and make sure the backend applications get only pure, legitimate traffic.”

Managing vulnerabilities

This is where extending the legacy role of WAFs comes in. In addition to just detecting and blocking malicious traffic, WAF suppliers, Indusface among them, have begun integrating other proven security tools into their core offerings; services like runtime malware detection, protection from malicious botnet activity and anti-DDoS technologies are being woven into WAFs.

For its part, Indusface is leveraging machine learning and automation specifically to help SMBs find and close well-known app vulnerabilities — before the bad guys’ sweeping probes can flush them out and take advantage, Sundar told me.

It does this by conducting a vulnerability scan that checks each of company’s applications against the OWASP catalogues of known attack vectors and known attack exploits. This risk assessment can help company leadership sleep better at night.

“The vulnerability scan ensures that you as a business owner, can stay one step ahead of the bad actor because you can do the risk assessment of your own applications much more frequently, and much more deeply, than any hacker who is spreading a broad net,” Sundar says. “And you can take steps to fix vulnerabilities before they get exploited.”

Indusface’s managed cloud service relieves companies from the day-to-day responsibility of refining and implementing blocking policies. Indusface has introduced something it calls “risk-based learning” to continually refine blocking policies based on real time feedback from the service. Sundar described how they do this:

“You start with identifying your application risks. And then you create policies based on those risks. When you observe your policy blocking somebody who is doing the same probes over and over, you have confirmation that somebody is probing certain weaknesses.

“The moment you identify this, you’re actually adding intelligence to your policy engine . . . it’s like having a burglar alarm, and then once the intruder enters you have motion detectors and additional levels of security kicking in.”

Alerts can be set to work in a progression until a threshold is reached; tripping a low-level alert might not result in blocking. However, a series of steps recognized as leading up to, say, malicious privilege escalation, or to the uploading of a malicious file, will trigger a block.

“Based on the risk of the application and the parameters of the traffic, you are able to come up with a dynamic policy engine that can make a decision, in real time, that properly deals with a bad actor who needs to be blocked out,” Sundar says.

Clearly there are myriad nuances to striking the optimum balance between enabling agile business operations and stopping bad actors. WAFs lacked the capacity for fine tuning ten years ago. It’s encouraging to see those capabilities are being brought on line, just when SMBs need them most. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone