We were recently honored to have Eric Ogren of the Ogren Group dig into what he calls our “adaptive approach” to web application security.
Ogren spends a good portion of his report analyzing the differences between traditional Web Application Firewalls (WAF) and Distil Networks. According to Ogren, “Web Application Firewalls (WAF) are great for mitigating known vulnerabilities within legacy cloud applications, but a far more effective approach is for organizations to start the cloud application connection with confidence that a legit business partner is at the other end.” In other words, block the bad guys before they ever interact with your origin servers.
Ogren goes on to explain that “Web Application Firewalls tend to be IP-address based in protecting web sites against vulnerabilities, cross site scripting, and SQL injection attacks. However, a WAF does not typically profile connecting browsers for signs of automated processes. Of course, the greater threat to WAFs are application scanners and attention to the security development lifecycle to treat vulnerabilities as product defects (i.e. fix the code and there is not much for a WAF to do). Still, WAF vendors see the threat and Imperva and F5 both have partial anti-bot solutions.”
After doing a deep dive on our technology and speaking to one of our customers at length, Ogren hits on a number of key findings about the Distil Networks solution:
- Deploy with minimal side-effects on the cloud application. It sounds like common sense, but competitors are cited for the burdens placed on cloud application development teams. We believe that the cloud application should focus on secure business logic and should be oblivious to anti-bot security.
- Allow benevolent bots to do their jobs. Not all bots are evil. Google, for instance, utilizes automated bots to search sites and construct an appropriate ranking. The ability for a first-time user to find the cloud application and see a proper rating is hugely important for the business. While blocking unauthorized bots is the compelling reason to purchase an anti-bot capability, the solution must provide for exceptions to allow benevolent bots access.
- Permit the business to optionally query users before passing to the cloud application. Some organizations may still desire a CAPTCHA query and response as an incremental level of anti-bot protection. While we believe this is a minor consideration, we do concede the need to abide by corporate CAPTCHA policies or to present a common look and feel to corporate applications.
- Gift IT with the flexibility to decide what to do with detected bots. In many cases, IT will choose to block all unauthorized bot activity. However, the fear of false positives, such as blocking a new search engine, may lead to IT making decisions based on learned browsing history expressed as an anti-bot security score.
- Offer the customer a choice of an on-premise appliance or a cloud defense service. We are talking about securing cloud applications, so we believe the future of Distil Networks lies with its cloud-based anti-bot security service. Organizations more comfortable owning, managing, and controlling their security architecture may opt for the on-prem appliance.
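To make the last three findings concrete, here is an added toy illustration (not Distil Networks' product code, and not from Ogren's report) of how "learned browsing history expressed as an anti-bot security score" can drive a policy that still exempts benevolent crawlers and can optionally route mid-range scores to a CAPTCHA challenge. The heuristics (request rate, whether page views are accompanied by static-asset fetches, regularity of request timing), the point weights, the thresholds, the sample access log and the verified-crawler allowlist are all constructed assumptions; a real deployment would verify crawler identity out of band and learn its scoring from far richer signals.

```python
"""Toy anti-bot scoring and policy engine (added illustration, not Distil code).

Every heuristic, weight, threshold and sample record below is an assumption
made for this example, not something taken from the analyst report.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """What IT decides to do with a scored client."""
    block_at: int = 80          # score at or above this is blocked outright
    challenge_at: int = 40      # score at or above this gets a CAPTCHA, if enabled
    captcha_enabled: bool = True
    # Crawlers IT has verified as benevolent (assumed verified out of band);
    # they bypass scoring entirely so a search engine is never blocked.
    verified_crawlers: frozenset = frozenset()


DEFAULT_POLICY = Policy(verified_crawlers=frozenset({"192.0.2.5"}))

# Constructed sample access log: (client_ip, timestamp_seconds, path, user_agent)
SAMPLE_LOG = [
    # A human with a browser: irregular timing, fetches page assets.
    ("198.51.100.7", 0.0, "/products/1", "Mozilla/5.0"),
    ("198.51.100.7", 0.4, "/static/app.css", "Mozilla/5.0"),
    ("198.51.100.7", 0.5, "/static/logo.png", "Mozilla/5.0"),
    ("198.51.100.7", 9.0, "/products/2", "Mozilla/5.0"),
    ("198.51.100.7", 9.3, "/static/app.css", "Mozilla/5.0"),
    # A scraper: metronomic 10 req/s, pages only, never loads assets.
    ("203.0.113.9", 0.0, "/products/1", "python-requests/2.31"),
    ("203.0.113.9", 0.1, "/products/2", "python-requests/2.31"),
    ("203.0.113.9", 0.2, "/products/3", "python-requests/2.31"),
    ("203.0.113.9", 0.3, "/products/4", "python-requests/2.31"),
    ("203.0.113.9", 0.4, "/products/5", "python-requests/2.31"),
    ("203.0.113.9", 0.5, "/products/6", "python-requests/2.31"),
    ("203.0.113.9", 0.6, "/products/7", "python-requests/2.31"),
    ("203.0.113.9", 0.7, "/products/8", "python-requests/2.31"),
    # A search-engine crawler (assumed verified): regular, pages only.
    ("192.0.2.5", 0.0, "/products/1", "Googlebot/2.1"),
    ("192.0.2.5", 1.0, "/products/2", "Googlebot/2.1"),
    ("192.0.2.5", 2.0, "/products/3", "Googlebot/2.1"),
    ("192.0.2.5", 3.0, "/products/4", "Googlebot/2.1"),
]


def group_by_client(log):
    """Build per-client browsing history, sorted by time."""
    clients = defaultdict(list)
    for ip, ts, path, ua in log:
        clients[ip].append((ts, path, ua))
    for events in clients.values():
        events.sort()
    return clients


def bot_score(events):
    """Score 0..100 from browsing history; higher means more automated-looking."""
    n = len(events)
    if n < 2:
        return 0                      # not enough history to judge
    ts = [e[0] for e in events]
    duration = max(ts[-1] - ts[0], 0.1)
    # Up to 50 points for sustained request rate (10 req/s saturates).
    rate_pts = min((n / duration) / 10.0, 1.0) * 50
    # Up to 30 points when page views come with no static-asset fetches,
    # a crude sign that no real browser is rendering the pages.
    assets = sum(1 for _, path, _ in events if path.startswith("/static/"))
    no_asset_pts = 30 * max(0.0, 1.0 - 2 * assets / n)
    # 20 points for metronomic timing (low coefficient of variation of gaps).
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    regular_pts = 20 if cv < 0.25 else 0
    return int(round(rate_pts + no_asset_pts + regular_pts))


def decide(ip, score, policy):
    """Map a score to allow / challenge / block under IT's chosen policy."""
    if ip in policy.verified_crawlers:
        return "allow"                # benevolent-bot exception wins
    if score >= policy.block_at:
        return "block"
    if score >= policy.challenge_at:
        return "challenge" if policy.captcha_enabled else "block"
    return "allow"


def evaluate_log(log, policy=DEFAULT_POLICY):
    """Return {client_ip: (score, action)} for every client in the log."""
    return {ip: (bot_score(ev), decide(ip, bot_score(ev), policy))
            for ip, ev in group_by_client(log).items()}


if __name__ == "__main__":
    for ip, (score, action) in evaluate_log(SAMPLE_LOG).items():
        print(f"{ip:15} score={score:3}  action={action}")
```

The point of the two policy knobs is the trade-off the finding describes: with `captcha_enabled=False` and an empty `verified_crawlers` set the engine degenerates to "block everything that looks automated", which is simple but will block a new search engine the moment it shows up; the scored, challenge-capable policy lets IT keep the crawler's traffic while still stopping the high-confidence scraper.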
In Ogren’s SWOT Analysis, he goes on to explain that:
“Distil Networks automatically filters out bot traffic in front of cloud applications without requiring software modifications to web sites or cloud interfaces. This is huge. Web app firewalls look to virtually patch vulnerabilities and inhibit dangerous cross site scripting and SQL injection attacks; anti-fraud capabilities often insert logic into the transaction stream; but none of these answers the simple questions of "Is this visitor a person or a bot?" and "Is this an authorized bot like a search engine or an unauthorized bot looking to cause trouble?". This is a unique view of integrating security with an organization's business that will serve Distil Networks well.”
About the Author
Eric Ogren is principal analyst of the Ogren Group, an independent industry analyst firm concentrating on cyber-security. Eric’s background features over 20 years of executive management contributions for security vendors such as RSA and OKENA, as well as security industry analyst experience. Ogren holds a B.S. degree in mathematics from the University of Massachusetts and an M.S. degree in Computer Science from Boston University. Eric can be reached by sending mail to firstname.lastname@example.org.