The term “next-generation” gets thrown around a lot in security. Marketers have overused the term to the point that, for many, it has become an empty buzzword used to describe virtually anything. On the other hand, technology does go through major transformational changes where new approaches are needed to replace the old ways of doing things. The rise of next-generation firewalls (NGFWs), which replaced the old port-based firewalls are a classic example of this sort of transformation.
WAFs are in the midst of their own next-generation transformation, in which the fundamental detection mechanisms, operational approach, and architecture are all being reimagined. In this blog, I want to dive into what the next-gen WAF is, what it’s not, and why, in this particular case, next-gen is more than just hype.
If we again look back at the example of NG-firewalls, we see that “next-gen” was largely defined by new types of detection and visibility. Instead of simply basing policy on ports, firewalls gained the ability to detect applications. They also assimilated a variety of techniques that were previously separated into a unified approach (e.g. URLs, IPS, reputation, etc).
A similar transition in the detection methodology is underway with the NG-WAF. While traditional WAFs have added countless features over the years, the heart of their approach has remained rooted in signatures. While signatures can have value, they also have some pretty fundamental challenges. The more specific and targeted a signature is, the easier it is for an attacker to make small changes and avoid the signature (a false negative). The more general the signature is the more likely it is to block a valid user (a false positive). This has put security staff in an "un-winnable" position and forced them to perpetually tune and customize signatures to find an acceptable trade-off between false negatives and false positives.
In much the same way that the NGFW introduced a new application-centric way of looking at firewall traffic, ThreatX introduces a new attacker-centric detection model to the WAF. ThreatX introduces a multi-dimensional approach to detection that blends machine learning, behavioral analysis, and active attacker engagement to identify threats. The approach automatically learns application behavior, tracks user and attacker behavior, actively interrogates suspicious entities, and even tracks entities over time and across different locations. All of these components work automatically to deliver a complete picture of risk without work from security staff.
In addition to providing new ways to see threats, the combination of complementary approaches make detections far more reliable than any single technique used alone. For example, application profiling could reveal abnormal behavior of a particular application service, attacker-facing machine learning models could reveal the progression of an attack along the kill-chain, and active deception could lure an attacker into revealing their goals. Each approach could identify a threat without the need for signatures and tuning, but the combination ensures very high-confidence detections and low-false positives.
Next-Gen WAF for Next-Gen Apps
In addition to a new detection methodology, NG-WAFs need to support many different application architectures used in the real world. WAFs need to support on-premises applications, and virtually any combination of public, private, or hybrid cloud models. But supporting these various hosting models is really just the beginning. The rise of microservice architectures and APIs are changing the makeup of applications themselves. WAFs need to be able to natively fit into a containerized approach so that security can automatically and elastically follow the changes in applications.
ThreatX’s NG-WAF is natively designed for these environments and can adapt to applications in ways that physical or virtual appliances simply can’t. In addition to supporting local and cloud deployments, ThreatX can be deployed as a sidecar in a Kubernetes deployment. This allows security to scale in lockstep with the application while ensuring that backend traffic between modules remains protected.
Still a WAF
And while so many aspects of the WAF seem to be changing, it is important that the NG-WAF still serves as… a WAF. It needs to do the things that a WAF has always (or at least should have been) trusted to do. This includes actually blocking threats and preventing damage. In addition to stopping more advanced threats, malicious automation, and Layer 7 attacks, it needs to be able to stop the more traditional OWASP Top 10 style of attacks.
It should, likewise, provide an independent layer of security that is tightly coupled to the application, but also independent from it. Building security into the application and ensuring secure coding practices are critically important, but it falls to independent security controls like the WAF to objectively detect and protect the application from a 3rd party perspective. Likewise, the NG-WAF should easily coordinate with and enable DevOps without friction, but it ultimately needs to serve a threat and risk-focused mission first and foremost. The goal should be for security to work hand-in-hand with DevOps teams while still maintaining appropriate checks and balances.
The ThreatX NG-WAF provides all of these items, as well as a host of other capabilities that we don’t have time to cover in a single blog. That said, hopefully this helps to lay out some of the key concepts that make the NG-WAF truly “next-generation”. From the way that it is deployed to the way that it detects threats, the NG-WAF brings a new approach based on the needs and challenges of modern AppSec. However, seeing is always believing, so if you are still skeptical, we encourage you to take ThreatX for a test-drive and see what the next gen is really all about.