By Frank Orozco, Chief Technology Officer
As chief technology officer of a network that delivers a significant percentage of internet traffic globally, people often ask me what cloud security threat their company should be most worried about. They’re usually expecting me to mention the possibility of a zero-day vulnerability like Heartbleed or a massive DDoS like the Mirai botnet.
However, today it’s no longer as simple as monitoring two or three threats. The attack that’s most likely to compromise your website or application will be specifically tailored to it. What’s more, attacks may not be directly initiated by a human attacker, but by highly sophisticated bots.
Bots probe your perimeter defenses for, not two or three, but hundreds of known vulnerabilities in your web server, applications, and other network layers. They zero in on that one piece of software that went unpatched or that single piece of hardware whose firmware your IT team didn’t update. Once the bot determines the characteristics of your application or website, it can exploit these weaknesses – with unhappy consequences for your company.
These types of bespoke, bot-driven attacks are growing in frequency and are expected to peak in the next two to three years. Defending against them requires a new evolution of cloud security. Instead of building defenses against specific attacks, smart organizations are deploying systems that continuously evolve new protective strategies against the latest threats.
Why you need a next-generation WAF
The first line of defense against automated attacks is the Web Application Firewall (WAF). A WAF is essentially a giant filter for web traffic. It blocks or quarantines suspicious requests based on specific rules.
However, not all WAFs are created equally. Many vendors, such as OWASP, build their rulesets on open-source libraries of the most common attacks. But that approach won’t provide the flexibility and agility required to defend against the onslaught of highly sophisticated bots. By the time a threat is added to OWASP, a bot might have already used it to compromise your system.
More forward-thinking vendors are deploying machine learning to their network parameters’ edge and can identify threats before they ever get reported. While bots use a variety of tactics and can even imitate human users, their variations follow similar patterns no matter what targets they probe. For instance, they may repeat headers or originate from the same locations. A state-of-the-art WAF will learn to automatically identify and effectively respond to these patterns known as "digital fingerprints." Often WAF’s respond before a human security team is even aware of specific threats. By drawing machine-learning insights from their entire network, today’s most innovative vendors stay ahead of the attack curve.
Flexibility is key
Best-in-class vendors will give their customers another layer of security: flexibility. They offer their customers the flexibility to update their rulesets – with minimal propagation time. Because not every business faces the same threats or has the same risk tolerance, each customer needs the flexibility to customize a bot mitigation solution that works for them.
Another critical piece of the puzzle is determining response. Once a malicious bot is detected, what response is right for the customer? State-of-the-art WAFs designed for bot mitigation will arm customers with a variety of nuanced responses to suspicious traffic.
Since bots can imitate legitimate users – and legitimate users can sometimes appear to be bots – it is not always appropriate to completely block suspected malicious traffic. Instead, the user could be redirected to a page with a challenge question designed to determine if there’s a human user on the other end of the line. Alternatively, the user could be put in a kind of time out, where they are denied access to the site for a few seconds or minutes.
With bots increasing in sophistication, the task of defending cloud infrastructure has become larger than most companies can handle on their own. A smart approach to mitigating the threat is to employ a managed cloud service from a trusted partner. Be sure your partner has expert capabilities to watch for, alert, and defend against threats as they change. With the right partner, your organization will have assurance against not only conventional threats, but whatever carefully tailored attacks today’s advanced bots might throw at them.
To learn more about Verizon Digital Media Services’ Managed Cloud Security service, register for our upcoming security webinar: 5 website security issues you can fix now.