As travel picks up pace again in the US and the world, we are learning how to stay safe while we travel in the face of the ongoing pandemic. The first sparsely populated flights have given way to more booked versions as airlines and public health officials have modified practices to ensure that passengers remain secure.
But in the face of the traffic pressure at airports and growing demand to travel during more perilous times, it’s easy to wonder how to improve efficiency in the system without compromising on security.
The Transportation Security Administration (TSA) was created in November 2001, after the 9/11 attacks exposed a massive hole in the security system protecting air passengers in the US. At first the screening process was far too slow: it erred on the side of extreme caution, and impossibly long lines and poor throughput forced a more optimized set of screening procedures to evolve.
But imagine if those initial calls for intensive screening of each and every passenger were still being answered, with every person who flies individually patted down and searched on every trip, no matter who they are.
Performance, convenience, and ease of use compete with security, but they should never be sacrificed in pursuit of total security, whether in air travel or in load balancing online applications.
Today, application security is at the same dangerous stage air travel once was, with attacks happening often and losses skyrocketing. Yet the idea that businesses can simply deploy traditional WAFs to "search" all traffic, generating a flood of false alarms in the process, is as faulty as the idea that we can slow down and search every passenger before they board. Instead, businesses need a modern approach.
Traditionally, WAFs are deployed as hardware appliances. They lack visibility, they are difficult to use, and they suffer from poor performance. In our own customer survey, 90 percent of the corporations we asked said that WAFs are too complex.
Proof that the traditional WAF model is broken comes from the actions of the businesses that need protection most. Today, during peak traffic, companies often make the extreme choice to turn off their web application security services, at the moment they are most exposed, just to stay functional online.
The TSA Analogy of The Optimized Security Pipeline
Avi monitors over 700 application performance metrics, delivering real-time insight into applications, end users, and infrastructure. These analytics power three core functions that reduce complexity and strengthen web application security: the allow list engine, the positive security engine, and the signature engine. Together they make up Avi's optimized security pipeline.
The signature engine checks traffic against patterns of known attacks and exploits of known vulnerabilities, a core method of attack detection. By their nature, however, signature engines are compute-intensive, since each request that reaches them has to be matched against a large rule set, and they are often the slowest stage of the security pipeline. The goal is to minimize the amount of traffic that has to pass through it.
The pipeline narrows the stream of traffic that relies on signatures with the Allow List (traffic known to be safe) and Positive Security (traffic the system has learned is normal for the application). Avi creates Positive Security rules using machine learning. This reduces the load on the signature engine, and with it the load on the entire system.
Live updates from Avi Cloud Services feed the latest WAF threat intelligence into the pipeline, while the Positive Security model keeps those resource-intensive signature checks limited to the traffic that actually needs them.
Think about this the way you think about airport security. You don’t want TSA searching and patting down every single passenger and crew member, or no one’s going anywhere. Similarly, you don’t want total reliance on signatures, or the system will be too slow and resource-intensive.
TSA handles this in screening based on the idea of threat levels, and so does Avi.
The Allow List is for a select few who we know are safe and can immediately pass through; in our analogy, perhaps pilots, cabin staff and pre-screened passengers. They don't receive intensive screening, like a pat-down, nor do they even pass through the regular security line. They just rapidly move through to the gates. Because the Allow List skips inspection entirely, it should stay small and be limited to sources you genuinely control and trust.
The next level of security in the pipeline, Positive Security, is akin to regular TSA screening procedures. Anyone not on the Allow List heads to the regular screening line and follows standard security procedures.
Positive Security checks can be much faster than signature checks because a request is compared only against the learned model for that application (the requests, parameters, and value formats it normally sees), not against the whole signature list. And this majority of normal traffic is what lets the TSA, and the positive security engine, hone procedures and learn what is normal and what is not.
The learning capability of Avi's positive security engine protects applications not only against known threats but also against new, malicious behavior attackers engage in as they probe the system. The best way to defend an application is to understand its normal, expected, healthy traffic at a deeper level. That understanding lets the system flag anomalies on its own, and reduce false positives, without waiting for someone to publish a signature for a known threat.
When traffic does warrant more scrutiny, it triggers signature inspection, the individual screening and pat-down in the TSA analogy. This is reserved for the portion of unvalidated traffic that demands the attention and compute-intensive resources signatures require. Through Avi PULSE live updates, the WAF receives the latest threat feeds to keep the signatures current.
Over time, TSA learns what counts as low risk and uses that as a benchmark to pass expected good behavior, just as Avi's Positive Security engine does. Combined with application learning, the engine models itself on good traffic, and false positives drop significantly as application traffic patterns are learned.
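As an added illustration (this is not Avi's own code and does not describe how Avi implements these engines), the following Python model shows the three-stage narrowing the pipeline describes: a small allow list that is not inspected at all, a positive model learned from traffic assumed benign, and a signature stage that runs only on what the first two stages do not clear. The request records, the trusted source address, the learner's character classes and the signature patterns are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Stage 1 allow list: constructed example, e.g. an internal synthetic monitor.
# Anything here is trusted, not inspected, so keep it short and under your control.
TRUSTED_SOURCES = {"10.0.0.5"}

# Character classes the toy learner can "discover" in observed parameter values.
CLASSES = [("digit", r"0-9"), ("lower", r"a-z"), ("upper", r"A-Z"),
           ("space", r" "), ("punct", r"._@\-")]

# Stage 3 signatures: a deliberately small, constructed rule set.
SIGNATURES = [
    ("sqli-union", re.compile(r"(?i)union\s+(all\s+)?select")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]


def learn_positive_model(good_requests):
    """Build per-path, per-parameter charset/length rules from traffic assumed benign.
    A stand-in for the learned model the pipeline relies on, not Avi's learner."""
    seen = defaultdict(lambda: defaultdict(list))
    for req in good_requests:
        for name, value in req["params"].items():
            seen[req["path"]][name].append(value)
    model = {}
    for path, params in seen.items():
        model[path] = {}
        for name, values in params.items():
            charset = "".join(pat for _, pat in CLASSES
                              if any(re.search(f"[{pat}]", v) for v in values))
            max_len = max(len(v) for v in values)
            pattern = f"^[{charset}]{{0,{max_len}}}$" if charset else "^$"
            model[path][name] = re.compile(pattern)
    return model


def inspect(req, model):
    """Run one request through the three stages; return (stage, verdict, detail)."""
    # Stage 1: allow list. Cheapest check, and it ends inspection.
    if req["client_ip"] in TRUSTED_SOURCES:
        return ("allow_list", "allow", "trusted source")
    # Stage 2: positive security. Only this path's learned rules are consulted.
    rules = model.get(req["path"])
    if rules is not None and set(req["params"]) <= set(rules) and \
            all(rules[k].match(v) for k, v in req["params"].items()):
        return ("positive", "allow", "matches learned model")
    # Stage 3: signatures. Every pattern over every value, but only for the residue.
    for name, pattern in SIGNATURES:
        for value in req["params"].values():
            if pattern.search(value):
                return ("signature", "block", name)
    return ("signature", "allow", "deviates from model, no signature hit")


def run_pipeline(requests, model):
    """Classify each request and count how much traffic reached each stage."""
    results = [inspect(r, model) for r in requests]
    load = Counter(stage for stage, _, _ in results)
    return results, load


# Constructed learning set: traffic we are treating as known-good.
GOOD_TRAFFIC = [
    {"client_ip": "203.0.113.10", "path": "/search", "params": {"q": "apple pie"}},
    {"client_ip": "203.0.113.11", "path": "/search", "params": {"q": "cheap flights"}},
    {"client_ip": "203.0.113.12", "path": "/login",
     "params": {"user": "alice_01", "pw": "correct horse"}},
]

# Constructed test traffic mixing benign, hostile and merely unusual requests.
TEST_TRAFFIC = [
    {"client_ip": "10.0.0.5", "path": "/search", "params": {"q": "../../etc/passwd"}},
    {"client_ip": "203.0.113.20", "path": "/search", "params": {"q": "banana bread"}},
    {"client_ip": "203.0.113.21", "path": "/search", "params": {"q": "x' OR 1=1--"}},
    {"client_ip": "203.0.113.22", "path": "/search",
     "params": {"q": "<script>alert(1)</script>"}},
    {"client_ip": "203.0.113.23", "path": "/search", "params": {"q": "Banana Bread"}},
    {"client_ip": "203.0.113.24", "path": "/profile", "params": {"id": "7"}},
]

if __name__ == "__main__":
    learned = learn_positive_model(GOOD_TRAFFIC)
    verdicts, stage_load = run_pipeline(TEST_TRAFFIC, learned)
    for req, verdict in zip(TEST_TRAFFIC, verdicts):
        print(req["path"], req["params"], "->", verdict)
    print("requests per stage:", dict(stage_load))
```

Two of the results are worth dwelling on. The first request carries a traversal payload and is still allowed, because the allow list is trust, not inspection; that is the cost of stage one and the reason to keep it narrow. The "Banana Bread" request is benign but falls out of the learned model (no uppercase was seen during learning), so it is sent to the signature stage and allowed there: an over-tight model does not produce a false positive here, it only costs the signature work the model was supposed to save, which is why the learning set has to be representative.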
The Right Approach to the Threat
The key to reopening safely today is letting travelers move securely while keeping the virus out. Similarly, the more demanding key to modern application security is identifying and blocking attackers effectively without slowing down the entire system. That is the premise behind the optimized security pipeline and the right approach to the threats facing modern distributed systems.
The time to take application security seriously is right now. The 90 percent of corporations who find WAFs too complex need a modern solution, and that is neither turning off web application security nor sending all traffic through the same pat-down scrutiny. Either extreme would be like flying without any security at all, or making everyone miss their flight.