Why Businesses Should Consider Managed Cloud-Based WAF Protection
The City of Baltimore was under cyber-attack last year, with hackers demanding $76,000 in ransom. Though the city chose not to pay the ransom, the attack still cost them nearly $18 million in damages, and then the city signed up for a $20 million cyber insurance policy.
It’s very evident that cyber-attacks are not only costly in terms of time and money but also bring extensive legal liability with them. According to Juniper Research’s prediction, the cost of a data breach could cross $150 million by 2020.
With the rising cost of data breaches and cyber-attacks, cybersecurity has become a board room conversation on an unprecedented scale. In this ever-connected online world, web application security is the cornerstone of the overall cybersecurity of any company.
When it comes to application security, web application firewall (WAF) based protection has been the first line of defense against web attacks for a while now.
A web application firewall is deployed in front of web applications that aim to intercept the traffic to and from the web servers with the intent of identifying malicious requests and blocking them.
WAF is not a new technology and has been around for a while now, where many organizations have some form of WAF deployed. But unfortunately, the efficacy of WAF remains to be a question. The ever-increasing cost of a data breach, as well as the number of successful web attacks, suggest that WAF, in its traditional form, has not been doing an effective job.
A recent independent study by Ponemon institute further strengthens this claim.
- 65% of the organizations surveyed have said that they are not sure about the effectiveness of WAF,
- 43% of them use WAF only in log/monitoring mode,
- 86% of them have experienced an application layer attack that has bypassed WAF.
- The annual spent on WAF has been increasing year by year,
- In total, organizations spend 620K/year on average,
- 420K on WAF products and 200 K annually on staff who spend 45 hrs a week fine-tuning the rules and managing WAF.
It’s clear the traditional form of WAF is not working, and that’s because:
- Static WAF rules in traditional WAF do not provide visibility to application vulnerabilities, nor do they provide complete protection when it comes to the everchanging threat landscape.
- Applications are continually changing, and it is hard for WAF to be deployed in block mode, as it requires constant monitoring and fine-tuning of rules.
- Management of WAF requires expertise, and not all organizations have the requisite skill set for proper deployments.
- Traditional WAFs are deployed in on-premise (customers infrastructure), which means it becomes customers’ job to manage the infra. This leads to additional CAPEX and OPEX.
- With sophisticated attacks, especially in the case of DDOS attacks, it becomes near impossible for On-premise deployments to scale to thwart such attacks.
- With the complex heterogeneous environment in an organization with different deployment models as well as languages and architectures used, it becomes nearly impossible to have an inbuilt team that could fine-tune WAFs to protect such a diverse environment.
Hence, there is a need for a better form of defense:
- That can scale with your business, leveraging the power and scalability of cloud networks.
- Dynamically change the protection profile to adapt to everchanging application and threat landscape.
- That does not require to build an army of resources inhouse who have security expertise.
- Have significantly lower CAPEX and OPEX.