We all can agree that cyber attacks are on rise. Be it Yahoo's data leak in 2013 where 1 billion user accounts were compromised or the more recent Equifax data leak which affected its 143 million customers, these events show the increased risk each web application is facing. Web applications are the bones and flesh of today’s businesses, and are often soft targets for damaging attacks. Unfortunately, applications need to access, collect, process, and relay sensitive data to execute business logic. Web application security is paramount for businesses that provide services using sensitive data. To understand the problem in more detail, we should examine what occurred in the case of Equifax—the attack is mind boggling in its scale and damage.
Apache Struts is an open source web development framework used by many Fortune 500 organizations in their web applications. There is a security flaw in Apache Struts versions 2.3.x prior to 2.3.32 and 2.5.x prior to 126.96.36.199. This flaw could be exploited by sending a crafted HTTP header that caused incorrect exception handling in Jakarta Multipart parser, which could then allow an attacker to execute code remotely. In other words, the attacker could execute code on the affected system and gain access to sensitive data residing on it. This security flaw was made public on March 2017 and classified as severe in impact and easy to exploit. The Apache Struts team issued a patch addressing this problem very quickly. It seems intuitive that all application owners exposed to such flaw should have acted promptly and patched their systems. Had Equifax followed this logic, such a catastrophic event wouldn't have taken place 8 weeks after this disclosure. Before pointing any fingers, let’s try to understand the underlying problem which is far more complex. We will also explore how such events can be avoided in future.
First, flaws like this are exposed and identified regularly and, due to complex multi-party deployments with multiple dependencies across systems, it's extremely hard to patch or upgrade affected applications instantly. It doesn't surprise me that Equifax failed to fix this vulnerability immediately. According to available data, hackers successfully compromised Equifax's online dispute portal on May 13, 2017 and it went unnoticed till July 29, 2017. This means Equifax's web application, where customers go to get their credit reports, was under attack for a whopping 11 weeks before someone noticed. This is an important point that we’ll come back to, but it highlights how vital it is for organizations to keep their system up to date against all possible known threats. While keeping systems patched and current is critical, it doesn't completely remove the risk of getting compromised since attackers are actively looking for newer and smarter ways to exploit systems.
Organizations need to ensure that the building blocks and software components they use are secure in the first place. This is even harder given complicated interdependent systems, the movement towards service micro-segmentation, and the need to operate alongside legacy systems. Even after the due diligence from quality assurance cycles and lab trials, there are flaws which go unnoticed. Another facet to consider is the use of open source software which can make corrective actions harder since there is no service liability. Open source is double-edged sword—on the one hand since such tools are publicly available, individuals can often find and report flaws, but on the other hand, these tools are developed using crowd-sourced talent and fixes may not be available before the vulnerability is exploited.
Applications are vulnerable even after taking precautions. To mitigate threats, security admins can deploy a web application security module called a Web Application Firewalls or WAF. WAF systems are the last line of defense for web applications and are trusted to ward off attacks in real time. A WAF includes myriad security rules on the basis of well-known attack signatures as well as rules specific to each application. This means that the WAF configuration should get updated regularly to include new attacks in order to stay effective. Even application-specific rules need maintenance as the application evolves. In most organizations, this activity is performed by an experienced security professional on a regular basis (hopefully). As you can imagine, performing these security audits in a timely fashion is an expensive and extremely time-consuming task. It also means that security teams should have in-depth knowledge of all the applications they are accountable for (you’d be surprised at how often this is not the case).
Another issue for updating security policies in a timely fashion is the occurrence of “false positives.” This happens when a genuine user or request gets denied by the WAF because it triggers a rule and gets classified as an attack. False positives can occur due to a new policy change targeting a newly found attack. It can also happen if security policies and rules don't closely follow application demands. False positives are a big operational challenge for teams managing web application security. Since such events affect business and customer experience, it's not surprising that teams prioritize avoiding false positives over application security. There are many other issues with existing WAF solutions, but the key takeaway is that they can be difficult to deploy and manage.
Now imagine an Intelligent WAF (iWAF) solution which can identify false positives in real time and adapt to allow “good users and transactions” without human intervention. This will change the paradigm and help admins will feel more confident when adding new rules. That's our thinking at Avi Networks. If we take Equifax’s case, the security flaw would have been caught very easily by a security admin if a single malicious request was investigated, but it took 11 weeks for someone to do so. Traditional WAFs look at individual transactions through an insanely cumbersome operation. Our first objective was to streamline this process. Avi's iWAF allows security admins to use a web interface on a centralized controller that, in real time, flags all possible security risks, provides information on rules triggered (and why), and implements a mitigation plan. All of this is achieved with a few clicks on a single screen. This kind of visibility into application performance and security is unparalleled.
We also believe that the application of machine learning to the web application security challenge is particularly useful. The Avi Platform is a closed loop system managed by a centralized, highly available controller cluster. Our platform scales automatically depending upon application load and can be deployed in multi-cloud environments. It already has built-in, real-time analytics which can be used as a building block for a self-learning security module. The platform is deployed as a reverse proxy so we have the unique ability to perform deep inspection on each and every transaction. It also enables us to block any malicious intent even before it reaches the actual application. Each application can build its own learning model as our platform supports a per-app deployment. This allows applications to share findings and attack signatures. The information can be shared with other application security models based on application type or environment, and the learning can be incorporated on an as needed basis.
Avi’s iWAF adapts to individual applications. It can build profiles for end-users, clients activity, geo-location, IP-trust, usage patterns, and in-depth application learning model on runtime basis by inspecting actual user traffic. The iWAF can also account for seasonality (e.g. holidays vs off-season) and thus can separate normal trends from anomalies and use these insights in avoiding false positives. It can be configured with an initial security policy consisting of well-known attack signatures and identify custom rules from its ongoing learning. Once deployed, the iWAF can provide feedback to admins by generating alerts in real time. Then the iWAF can incorporate any corrections done by security admins to manage its decision efficacy. Security admins can add a new rule based on a newly discovered flaw without fear of its effect on legitimate users since the platform evaluates the effect of any newly added/modified rules and suggests or enforces corrective action. Such an intelligent system can minimize manual intervention in the maintenance of complex security policies, making applications more secure and help to deliver a comprehensive security posture designed to mitigate events like the Equifax hack.
Take a look at Avi's iWAF in action with an overview and demo by Co-founder and VP of Product, Guru Chahal.