Kasada’s mission is to revolutionize the protection of web applications. First-hand experience confirms that the challenge of protecting applications has outgrown the capability and coverage of traditional solutions.
The change in application development cycles also demands a rethink. Daily code drops do not sit well with static, invasive security configurations. The result is a compromise on either customer experience (false positives) or security coverage (false negatives). Neither is acceptable.
Organizational processes and politics are also obstacles. Yes, a web application firewall (WAF) rule may be available for the latest code exploit, but how long does it take for everyone to approve the change?
It is the awkward juncture between technology and people that presents attackers with a window to exploit their targets.
WAF vendors have experimented with different models to overcome these challenges, without solving the problem. Static rulesets can be tuned aggressively and so provide greater coverage, but they cannot respond quickly to new threats: effective, but not efficient. The alternative, automatically updated rulesets, cannot be tuned as aggressively without causing false positives, so they end up more efficient but less effective. In both scenarios the security outcome is suboptimal.
The latest Struts exploit serves as a good example. Kasada sits behind all the major WAF vendors, which gives us a unique viewpoint. We are a virtual “goalkeeper”, capturing everything the first line of defense lets through.
Observations of the Struts exploit in the wild:
- 100% of the payloads targeting Kasada customers were delivered by bots
- the attacks bundled the new exploit with other, older payloads
- WAF effectiveness against this exploit was suboptimal.
In all likelihood, the human factor allowed these payloads to evade the WAFs. Every vendor had made public statements about the availability of a rule, so there is clearly a gap between a rule being created and the protection being enforced. Alternatively, these WAFs are configured to detect rather than block.
On-premises WAFs are exposed for longer, as their ruleset-update process is typically delayed by the change-approval cycle described above.
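The two failure modes above (a rule that exists but is never switched to blocking, and a rule whose deployment lags the vendor announcement) are easy to see in a WAF configuration. The following is an added illustration using ModSecurity directives, not configuration from the original post or from any of the WAF vendors it refers to; the rule ID and the pattern are placeholders, not an actual Struts signature.

```apache
# Weak: the engine logs matches but never blocks. A freshly deployed
# vendor rule produces alerts only, so the payload still reaches the app.
SecRuleEngine DetectionOnly

# Corrected: the engine enforces disruptive actions (deny) on a match.
SecRuleEngine On

# Placeholder rule (id 900001 and the pattern are assumptions, not a
# real vendor signature). With DetectionOnly above, "deny" is ignored;
# with On, a matching request is refused with HTTP 403 and logged.
SecRule REQUEST_HEADERS:Content-Type "@contains #cmd=" \
    "id:900001,phase:1,deny,status:403,log,msg:'placeholder exploit pattern'"

# A rule that is shipped but left disabled is the other gap described
# in the text: it is present in the ruleset yet enforces nothing.
SecRuleRemoveById 900001
```

The practical check is to confirm that `SecRuleEngine` is `On` (not `DetectionOnly`) on the production path, that newly imported rules are not excluded by `SecRuleRemoveById` or an equivalent, and that a benign test request matching the new rule is actually refused rather than merely logged.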
The reality is that attackers are automating every stage of the attack process to increase the efficiency of their business models. The use of bots to distribute the Struts exploit is a perfect example.
Modern security solutions need to disarm the attackers’ ability to automate.
Kasada focuses on the client sending the request, rather than on the request itself. By disrupting the attack-generation process we automatically protect our customers from every payload we have seen so far.
Experience shows that automation is the common link between all the attack types: application DDoS, code exploits, credit card fraud, gift card and voucher fraud, ticket scalping, data theft, and API exploitation.
Kasada’s service removes the awkwardness that sabotages the junction between technology and people. With a single on/off decision, our customers protect themselves from a wide variety of threats and avoid expensive, divisive ongoing management.
We all loved learning to ride our first bike, and especially when we could show off “no hands”. Kasada customers experience the freedom of untethered control.