
The number of attacks on web applications is rising. Research for the SonicWall 2020 Cyber Threat Report found that in 2019, web application attacks increased 52 percent year over year, totaling more than 40 million.
To protect web applications – and the business that uses them – you can deploy a web application firewall (WAF). These solutions monitor web applications for unusual activity and log events, send alerts, or take action to stop the threat.
Most WAFs use application learning (AL) to stop attacks such as SQL injections or cross-site scripting (XSS). AL technology builds profiles of typical use, based on how users normally interact with an application – and on the application itself. It uses that data to create policies, and when activity occurs that doesn’t align with those policies, it logs the event or triggers an alert.
Crying Wolf
A common complaint about web application firewalls is the number of false positives they generate. A Fortinet article for CSO Online explains, “There is simply no good way for AL to account for every variation of normal application usage, or to easily adjust to changes in an application, without triggering an anomaly-based filter.”
Therefore, managed security service providers (MSSPs) or other professionals who manage WAFs often have resources dedicated to addressing activities that have been flagged as potentially malicious and, in response, managing policies and exceptions. Ponemon’s 2019 State of Web Application Firewalls report states that a WAF deployment takes an average of 2.5 administrators spending 45 hours per week dealing with alerts and an extra 16 hours per week writing new policies.
Moreover, people assigned to this task walk a line. If you make policies too liberal in an attempt to avoid false positives, an attack could get through. But if you keep policies strict, you deal with constant alerts and possibly even block legitimate traffic.
A More Intelligent Solution
AL is limited because it depends on what it learns from usage patterns that it has encountered. Web application firewalls that leverage machine learning (ML), however, take a different approach. With ML, the WAF can minimize false positives by using a statistical model to determine the probability that an anomaly is actually evidence of a cyberattack rather than just an error or a change in how users interact with the application.
WAFs can utilize ML in an additional way – training ML models to recognize specific threats based on data collected from actual attacks or from security solutions. The Barracuda Web Application Firewall, for example, leverages machine learning to detect advanced bots, providing a total picture of bot activity on web applications.
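To make the contrast above between a strict AL profile and a statistical model concrete, here is an added example (not code from any vendor or report named in this article). The parameter, sample traffic, likelihoods and prior are all constructed assumptions, and the naive Bayes model is one simple stand-in for "a statistical model".

```python
import re

# Constructed sample traffic for a hypothetical search parameter "q".
TRAINING = ["red shoes", "blue jacket", "size 10 boots", "wool socks", "rain coat"]

def learn_profile(samples):
    """AL-style profile: longest value and set of characters seen during learning."""
    return {"max_len": max(len(s) for s in samples), "chars": set("".join(samples))}

def al_anomalous(profile, value):
    """Strict AL policy: flag anything longer than, or outside the charset of, the profile."""
    return len(value) > profile["max_len"] or not set(value) <= profile["chars"]

# Assumed values for illustration: (P(feature | attack), P(feature | benign)).
LIKELIHOODS = {
    "outside_profile": (0.95, 0.10),
    "quote_or_angle": (0.80, 0.10),
    "sql_pattern": (0.60, 0.01),
    "script_tag": (0.50, 0.001),
}
PRIOR_ATTACK = 0.01  # assumed share of requests that are attacks

def extract_features(profile, value):
    """Toy feature detectors; a real WAF would use far richer signals."""
    v = value.lower()
    return {
        "outside_profile": al_anomalous(profile, value),
        "quote_or_angle": any(c in v for c in "'\"<>"),
        "sql_pattern": bool(re.search(r"\b(union\s+select|or\s+\d+\s*=\s*\d+)\b", v)),
        "script_tag": "<script" in v,
    }

def attack_probability(profile, value):
    """Naive Bayes posterior P(attack | features), computed via odds."""
    odds = PRIOR_ATTACK / (1 - PRIOR_ATTACK)
    for name, present in extract_features(profile, value).items():
        p_attack, p_benign = LIKELIHOODS[name]
        # Present features multiply the odds by their likelihood ratio;
        # absent features count as (weaker) evidence in the other direction.
        odds *= (p_attack / p_benign) if present else ((1 - p_attack) / (1 - p_benign))
    return odds / (1 + odds)

if __name__ == "__main__":
    profile = learn_profile(TRAINING)
    for q in ["red shoes", "men's waterproof hiking boots (wide)", "' OR 1=1 --"]:
        print(f"{q!r}: AL anomaly={al_anomalous(profile, q)}, "
              f"P(attack)={attack_probability(profile, q):.3f}")
```

The strict profile flags both the new but legitimate search and the injection string, while the posterior separates them, which is the false-positive reduction the paragraph describes.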
What Else Can Web Application Firewalls with Machine Learning Do?
In addition to decreasing false positives and more accurately identifying malicious activity, web application firewalls leveraging ML can also make life easier for security professionals managing these solutions.
An Airlock blog points out that machine learning can, for example, automate log analysis or help create or optimize WAF configurations.
Web application firewalls that leverage machine learning technology can also help you differentiate your business. With a WAF + ML, you can deliver a superior security solution that works without the inefficiency of high numbers of false positives, trained to recognize known threats as well as to spot activity associated with zero-day attacks.
Web application firewall technology is advancing, with some vendors even exploring how deep learning can enhance their offerings. The takeaway is not to be complacent about the solutions you offer. Stay informed about how vendors are using advanced technologies to deliver better results and greater value to benefit both your customers and your business.