Web Application Firewall Goes Hybrid to Amp Up DDoS Defenses

Orchestrating an on-premises WAF with an upstream DDoS solution has emerged as a promising approach to protecting internet-facing assets from attack. Let’s explore why organizations should embrace a hybrid WAF strategy.

September 9, 2022

While accelerating digitization creates new opportunities for businesses across industries to engage with customers, this increasing reliance on websites and applications gives bad actors more opportunities to strike. A well-timed DDoS attack can bring an organization to its knees. Randy D’Souza, director of product management at Neustar Security Services, explains how a hybrid web application firewall (WAF) can be instrumental in efforts to mitigate escalating cyber risks.

The best-laid schemes tend to have one thing in common: a reliable backup plan. For cybersecurity professionals, incorporating defense in depth across a wide variety of technology and data is mainly second nature by this point. The acceleration of life online has introduced new opportunities and efficiencies across industries, but it has been a double-edged sword in some sense: the growing functionality of websites, applications, and their management interfaces has brought a corresponding growth in attack surface and has given bad actors more opportunities to find and exploit vulnerabilities. The DDoS threat alone can be enough to bring organizations to their knees, but implementing a hybrid WAF solution can be instrumental in mitigating that risk.

One of the ways organizations build defense in depth is with an on-premises WAF. It can be a great fit for certain needs: when you combine the WAF with an application delivery controller, when you are dealing with legacy infrastructure, when you terminate Transport Layer Security (TLS) inside your data center, or when you need close contextual analysis of data right in front of the actual application server. On-premises WAFs are also well suited to internal-facing applications that are not publicly exposed to the internet, and they work well for writing and propagating very specific rules. But their limitations, physical (an on-premises WAF is often tied to a load balancer that also sits in the physical data center and usually contains an application delivery controller) and otherwise, are well documented.

Conversely, a cloud-based WAF makes it easy to fail over from one data center to another, to apply more site-wide rules that consume more processing resources, and to maintain cost efficiency, since it lets organizations shift costs from a capital expense to an operational expense.

But an on-premises WAF can also be used in conjunction with a cloud WAF so that each balances out the other’s capabilities and together they provide better defense in depth. I would like to explore where you should consider using both, particularly where a cloud solution can offload work from an on-premises solution.

Keeping Pace with DDoS Attack Evolution a Challenge

Like other cybersecurity threats, those of a DDoS nature have evolved quickly in recent years with regard to frequency, duration, maximum size in megabits per second (Mbps), quantity of packets per second (PPS), and the number of requests per second (RPS). Organizations that have not refreshed their security protocols accordingly are likely to become increasingly vulnerable. 

DDoS attacks have been on the rise, with targets spanning a diverse range of companies and industries. In addition to their growing number, these attacks have grown in size thanks to the proliferation of larger botnets. Technological advances have also contributed to noticeable changes in DDoS attack complexity, with nefarious actors better able to control those larger botnets as well as customize attacks based on better victim surveillance and introduce variations in technique, time and duration that keep security professionals guessing. 

The pandemic-induced shift in how the world works has only added to security challenges. As many companies pivoted to remote and hybrid work arrangements, relied more on the cloud, and the intranet became the extranet, the number of necessary applications increased exponentially in some cases, resulting in a significantly expanded attack surface. These company ecosystems must maintain their integrity to retain internal operations and productivity as well as external interoperability.

Just as hybrid work has become a solution for many organizations seeking to balance the needs of their workforce, a hybrid approach to WAF implementation is being considered a current best practice for mitigating DDoS attacks.

Not Just for Workers: Hybrid Moves to DDoS Defense

Orchestrating an on-premises WAF solution with an upstream provider of an on-demand — or better yet, always-on — DDoS solution has emerged as a promising approach to protecting internet-facing assets from attack. 

The first line of defense is naturally the on-prem component. As always, at the network level, enterprises should establish controls that admit legitimate traffic and maintain traffic visibility. Under normal circumstances, an on-prem WAF is expected to use a lot of RAM and CPU to inspect incoming HTTP traffic, particularly where security teams have written more rules, including site-wide ones. While such systems can manage regular traffic and even some elevation, they come under stress when flooded with requests, such as from an HTTP flood or another application-level DDoS attack. The WAF will then either fail open (passing traffic uninspected) or fail closed (dropping legitimate traffic along with the flood), and neither option is acceptable.

When anticipating or actively under a DDoS attack, enterprises with an on-prem WAF can add CPU as needed and throttle requests upstream with an on-demand cloud WAF provider. With an always-on solution in place, organizations have greater confidence that some protection is always enabled and that traffic is always being evaluated by mitigation infrastructure. In this mode, you can think of the cloud WAF as an offload for the on-premises WAF: rules are authored on-premises and then pushed to the cloud WAF so they scale to more users and more requests.

An additional benefit of a hybrid WAF approach with an always-on service is that, upon detection of an attack, more stringent protocols can be applied instantly. This gives it an advantage over on-demand services: faster detection helps contain the damage and minimize disruption. When offered through a proxy, that same always-on protection lets security teams decrypt traffic and apply specific defenses to identify and combat nuanced application-layer attacks.
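The three paragraphs above describe a pipeline: an always-on cloud stage that throttles per client and tightens its limits the moment an HTTP flood is detected, in front of an on-premises WAF with a fixed inspection budget that otherwise fails open or fails closed. The following Python model is an added example, not code from the article or from Neustar; the traffic, thresholds (10 and 5 requests per second per client, a 25 requests-per-second aggregate trigger, a 20 requests-per-second on-prem budget) and the RFC 5737 client addresses are all constructed for illustration.

```python
"""Hybrid WAF model: an always-on edge rate limiter in front of a
capacity-bound on-premises WAF. Constructed example, not vendor code."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
LEGIT_CLIENTS = ("192.0.2.10", "192.0.2.11", "192.0.2.12")
FLOOD_CLIENT = "203.0.113.7"


def make_sample_log():
    """Three clients at 1 req/s for 5 s, plus one source at 30 req/s from t=2 s."""
    lines = []
    for sec in range(5):
        for ip in LEGIT_CLIENTS:
            lines.append(f"{sec}.000 {ip} GET /index.html")
        if sec >= 2:
            for i in range(30):
                lines.append(f"{sec}.{i:03d} {FLOOD_CLIENT} GET /search?q={i}")
    return lines


@dataclass
class Request:
    ts: float
    ip: str
    method: str
    path: str


def parse_line(line):
    """Parse the constructed 'ts ip method path' access-log format."""
    ts, ip, method, path = line.split(" ", 3)
    return Request(float(ts), ip, method, path)


class EdgeRateLimiter:
    """Cloud-side, always-on stage: a per-client cap plus an aggregate-RPS
    trigger that tightens the cap as soon as an HTTP flood is detected."""

    def __init__(self, normal_limit=10, attack_limit=5, attack_rps=25):
        self.normal_limit = normal_limit
        self.attack_limit = attack_limit
        self.attack_rps = attack_rps
        self.per_client = defaultdict(int)   # (ip, second) -> requests seen
        self.per_second = defaultdict(int)   # second -> requests seen (pre-limit)
        self.under_attack = False
        self.attack_detected_at = None

    def admit(self, req):
        sec = int(req.ts)
        self.per_second[sec] += 1
        if not self.under_attack and self.per_second[sec] > self.attack_rps:
            self.under_attack = True          # escalate to the stricter cap
            self.attack_detected_at = req.ts
        limit = self.attack_limit if self.under_attack else self.normal_limit
        self.per_client[(req.ip, sec)] += 1
        return self.per_client[(req.ip, sec)] <= limit


class OnPremWAF:
    """Data-center WAF with a fixed inspection budget per second. Beyond the
    budget it either fails open (uninspected pass) or fails closed (drop)."""

    def __init__(self, capacity_rps=20, fail_open=False):
        self.capacity_rps = capacity_rps
        self.fail_open = fail_open
        self.load = defaultdict(int)
        self.overloaded_seconds = set()

    def inspect(self, req):
        sec = int(req.ts)
        self.load[sec] += 1
        if self.load[sec] > self.capacity_rps:
            self.overloaded_seconds.add(sec)
            return "overload-pass" if self.fail_open else "overload-drop"
        return "inspected"   # full rule evaluation would happen here


def run(lines, edge=None, fail_open=False):
    """Push the log through the optional edge stage and the on-prem WAF;
    return outcome counts plus overload and detection details."""
    waf = OnPremWAF(fail_open=fail_open)
    outcomes = Counter()
    for req in map(parse_line, lines):
        if edge is not None and not edge.admit(req):
            outcomes["edge-rate-limited"] += 1
            continue
        outcomes[waf.inspect(req)] += 1
    keys = ("inspected", "overload-pass", "overload-drop", "edge-rate-limited")
    return {
        **{k: outcomes[k] for k in keys},
        "overloaded_seconds": sorted(waf.overloaded_seconds),
        "attack_detected_at": edge.attack_detected_at if edge else None,
    }


if __name__ == "__main__":
    log = make_sample_log()
    print("on-prem only, fail closed:", run(log))
    print("on-prem only, fail open:  ", run(log, fail_open=True))
    print("hybrid (edge + on-prem):  ", run(log, edge=EdgeRateLimiter()))
```

Run stand-alone, the first two cases show the on-prem WAF overloaded in every second of the flood, with 39 requests either passed uninspected or dropped depending on the failure mode. With the edge stage in front, the flood is detected 22 milliseconds into its first second, the per-client cap drops from 10 to 5, and the on-prem WAF never exceeds its budget; the legitimate clients are untouched in all three runs because the caps are applied per client rather than globally.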


Adaptive Defense for a Changing Offensive Environment

The adage that “the best defense is a good offense” is particularly apt for cybersecurity professionals. The threat landscape and business environment are ever-changing, and bad actors are quick to identify gaps and take advantage of enterprises that move too slowly to close them. Protocols adopted to address DDoS risk even two years ago may be insufficient to protect against the threats of today, let alone those that are emerging.

It is nearly impossible for organizations to predict when, where and how DDoS attacks will materialize, but they can take proactive steps to instill confidence in the security measures adopted. First, an enterprise’s threat surface is in constant flux as applications are introduced and removed. Keeping a running inventory of what needs protection will help guide security teams to know which solutions are the best fit. For instance, they may determine that an on-prem WAF solution coupled with on-demand cloud WAF is sufficient, or they may find that an always-on approach is the only method to deliver the level of security desired.

Additionally, it’s not enough to know what needs protection. Security professionals should also understand each asset’s value and develop solutions accordingly. The disruption of internet-facing assets, for instance, can damage customers’ confidence in a brand and have knock-on effects if a prolonged outage prompts customers to seek services from competitors. Engaging a proxy for on-demand or always-on WAF services can have a far-reaching impact on the bottom line. Keep in mind, a cloud WAF can be upgraded with much greater ease than an on-premises solution.

Finally, outsourcing some security coverage is inevitable, given the speed at which DDoS attack vectors develop and the specialized knowledge and skills required to address them. As companies engage vendors for WAF services, it is critical to become educated on and maintain a comprehensive understanding of how those solutions integrate with existing systems and how they, too, are evolving to tackle emerging trends. 

The Good News: Resources are Available

When it comes to maintaining cybersecurity and a reliable internet presence, the stakes are undoubtedly high. Employees, leadership, customers and partners all expect 100% uptime, and prolonged outages of internet-facing assets are costly. By engaging security experts and leveraging the advances available, organizations can learn and apply the best combination of WAF support to mitigate risks and ensure business continuity.

What are your thoughts on embracing a hybrid WAF strategy for your organization? Tell us on Facebook, Twitter, and LinkedIn. We’d love to know!


Randy D’Souza

Director of Product Management, Neustar Security Solutions

Randy D’Souza is Director of Product Management at Neustar Security Solutions. He is responsible for the Applications Security portfolio which includes WAF, Bot Management and API Security. D’Souza came from Akamai Technologies where he held sales development, product leadership and evangelization roles for the Enterprise Security team. Prior to Akamai, D’Souza worked as a mentor at Northeastern University’s Idea venture accelerator program, held several engineering roles at EMC Corp., and consulted for multiple startup ventures.