Almost half (49%) of security professionals reported more than a quarter of attempts to sidestep their WAF protocols had been successful in the last 12 months. In addition, as many as four in ten respondents disclosed that 50 percent or more of attacks had managed to get around their application layer firewall.
These findings come at a pivotal time, as organisations continue to adapt their security strategies to cope with the increase in malicious web activity associated with COVID-19. Almost 30 percent (29%) of respondents admitted they had found it difficult to alter their WAF policies to guard against new web application attacks, while just 15 percent said they had found the process very easy.
Despite many having already been on the receiving end of a successful web-application attack, 39 percent of respondents declared they do not have a WAF that is fully integrated into other security functions; a technique that is critical in developing a holistic defence against a variety of attack types. Three in ten also claimed that half of network requests have been labelled as false positive by their WAF in the last year.
“As members of the public we have witnessed the steady and significant growth of volumetric DDoS attacks, fake domains, malicious malware and harmful misinformation. However, while these may be the security concerns capturing headlines, those within the community have also seen the unsettling rise in application-layer attacks,” said Rodney Joffe, Chairman of NISC and Senior Vice President and Fellow at Neustar. “Often unleashing destruction before they are even recognised, these attacks are equally as damaging, targeting specific vulnerabilities to cause a multitude of complications for those on the receiving end.”
“Due to their ‘under-the-radar’ nature, application-layer attacks are difficult to detect and therefore require a security posture that is always-on in order to be identified and mitigated. Only by providing protection across the entire network can organisations respond to the type of threats we are seeing today. For full-protection that doesn’t hinder business performance or add unnecessary complexities, organisations should opt for a cloud-based WAF, underpinned by curated, actionable threat data. Not only is this approach guaranteed to safeguard against the most common web threats, it also delivers visibility into application traffic, no matter where the applications themselves are hosted,” added Joffe.
Findings from the latest NISC research also highlighted a steep 12-point increase on the International Cyber Benchmarks Index year-on-year. Calculated based on the changing level of threat and impact of cyberattacks, the Index has maintained an upward trend since May 2017.