Three Major Challenges Faced by WAF in the Banking Industry

March 11, 2024 | NSFOCUS

As digital transformation deepens, the banking industry is working to build digital banks, open banks, and scenario-based financial business models. On one hand, banks are pushed to pay more attention to online operations and to become more open; on the other, this raises the bar for their security risk control.

As banks run numerous essential Web businesses, the construction of Web security cannot be overlooked. A Web Application Firewall (WAF), a security product built specifically to protect against Web attacks, gives the banking industry that protection.

This article summarizes the challenges of applying a WAF in a large bank and the solutions delivered with NSFOCUS WAF, in order to provide effective strategic support for Web security protection in the banking industry.

Challenges Faced by Banks in Applying WAF

The challenges mainly involve the following aspects.

Deployment and Daily O&M in Multi-service Large Traffic Environment

In a multi-service, high-traffic environment, WAF deployment and daily maintenance face challenges such as complex deployment, performance bottlenecks, rule updates and fine-tuning, monitoring and alerting, and fault recovery. The WAF product must therefore have the following capabilities:

  • It protects against all OWASP Top 10 categories of security threat and provides 24/7 protection.
  • Attack detection time meets the performance indicator requirements, and the detection model and the reason each alert fired are explainable.
  • WAF protection policies can be adjusted promptly in response to false positives or newly reported vulnerabilities.
  • The WAF cluster supports various deployment modes, such as reverse proxy and transparent bridging, and can be managed centrally from a unified console that covers devices, websites, policies, and so on.
  • Configuration is consistent across devices, and that consistency can be verified.
  • Gray release (staged rollout) is available for adding sites (domain names) and adjusting security policies.

Automated Attack Protection and API Security

Attackers often use automated tools or scripts to probe Web applications before attacking them. If a website's vulnerabilities are exploited, the result is security risks such as sensitive information leakage and data abuse. Attackers also use automated tools to crawl data in bulk, leaking sensitive information, and abuse websites, mobile apps, and APIs with bots that perform a range of malicious actions, leading to bandwidth consumption, server slowdowns, server outages, business interruption, and other incidents.

Challenge of 0-Day Vulnerabilities

0-day vulnerabilities are vulnerabilities that are not yet publicly known, which lets attackers bypass traditional security measures to attack target systems. Once an application has a 0-day vulnerability, attackers can exploit it to break into the system, obtain sensitive information, manipulate the system, destroy data, and even use the system as a foothold for further attacks. The presence of 0-day vulnerabilities also reduces the stability and reliability of the affected software or systems.

Achievements of NSFOCUS WAF in Best Practices

NSFOCUS WAF played a vital role in protecting a large bank’s Web business and was recognized by the users.

Accurate and Comprehensive Protection

NSFOCUS WAF has accumulated extensive Web protection rules over more than 16 years. Combined with semantic analysis, intelligent analysis, and threat intelligence, it can comprehensively identify all kinds of Web attacks. It not only intercepts attacks on known Web vulnerabilities but also supports defense against 0-day vulnerability attacks, identifying threats with industry-leading accuracy. NSFOCUS WAF effectively protects against all kinds of Web attacks, such as distributed SQL injection, command execution, Web application vulnerability attacks, directory traversal, Web plug-in vulnerability attacks, broken access control, and sensitive information disclosure.

Significantly Improved Operational Efficiency

Previously, the bank needed two staff members to monitor more than 400 alerts per minute for investigation and analysis. After the NSFOCUS WAF security strategies, intelligent engine, and semantic analysis engine were put in place, and with the centralized management and automated operation of the WAF clusters, the same two staff members only need to review 20~50 alerts per minute, a large improvement in operational efficiency.

0-Day Vulnerability Protection

Here is an example. The bank found that a widely used enterprise communications software product had a 0-day vulnerability that allowed attackers to obtain sensitive information by accessing a specific URL.

The interface XXX.com/cgi-bin/gateway/agentinfo of that software returned sensitive information, such as the software's "secret", without any authorization.

The vulnerability could give an attacker access to the full set of data held by this enterprise communications software, and an attacker could then use the application to send phishing files into the enterprise intranet. NSFOCUS WAF blocked requests to /cgi-bin/gateway/agentinfo, preventing the 0-day vulnerability from being exploited and helping the bank avoid the risks of information leakage, reputational damage, and potential financial loss to customers.

Thinking on Web Security Protection Practices

Based on the practical results of NSFOCUS WAF in large-scale bank security protection, we believe that to maximize the effectiveness of Web security, banks should focus on comprehensive protection and intelligent and efficient deployment and operation.

Precise and Comprehensive Web Protection

(1) Configuring Protection Rules

WAF rules are a set of rules designed specifically to detect and block Web attacks. They analyze HTTP/HTTPS requests to identify and stop potentially malicious behavior, matching specific attack patterns, malware behavior, or abnormal requests to protect Web applications. NSFOCUS WAF protects against the OWASP Top 10 Web security risks. Attack frequency-based protection policies further improve operational efficiency in Web security protection.
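The following is an added example, not NSFOCUS code or rule syntax, of the two ideas in this section and in the 0-day case above: a small rule engine that matches a request against pattern rules and a path-based virtual patch (the unauthenticated agentinfo endpoint named earlier), and an attack-frequency policy that alerts on isolated hits but blocks a source once it crosses a hit threshold inside a time window. The rule ids, severities, thresholds and sample URLs are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

# Constructed rule set for illustration (not NSFOCUS rule syntax). VP-001 is a
# virtual patch for the unauthenticated endpoint discussed in the 0-day section;
# the other two are generic pattern rules of the kind a rule engine ships with.
RULES = [
    {"id": "VP-001", "severity": "high", "path": "/cgi-bin/gateway/agentinfo",
     "desc": "virtual patch: block the unauthenticated agentinfo endpoint"},
    {"id": "SQLI-001", "severity": "medium",
     "pattern": re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),
     "desc": "SQL tautology in a parameter value"},
    {"id": "TRAV-001", "severity": "medium", "pattern": re.compile(r"\.\./"),
     "desc": "directory traversal sequence"},
]
SEVERITY = {rule["id"]: rule["severity"] for rule in RULES}


def normalize_path(raw_url):
    """Percent-decode the path and collapse '.'/'..' segments so that a path rule
    compares against the canonical path the backend would actually serve."""
    path = unquote(urlsplit(raw_url).path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def match_rules(raw_url):
    """Return the ids of all rules matched by one request line (path plus query)."""
    norm_path = normalize_path(raw_url)
    decoded = unquote(raw_url)  # pattern rules look at the decoded request as a whole
    hits = []
    for rule in RULES:
        if "path" in rule and norm_path == rule["path"]:
            hits.append(rule["id"])
        elif "pattern" in rule and rule["pattern"].search(decoded):
            hits.append(rule["id"])
    return hits


class FrequencyPolicy:
    """Attack-frequency policy: medium-severity hits are alerted individually until a
    source reaches `threshold` hits within `window` seconds, after which the source
    is blocked for `block_for` seconds and the operator sees one escalation instead
    of a stream of identical alerts. High-severity hits are blocked on sight."""

    def __init__(self, threshold=5, window=60, block_for=600):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.recent_hits = defaultdict(deque)  # src_ip -> timestamps of rule hits
        self.blocked_until = {}                # src_ip -> time the block expires

    def decide(self, src_ip, raw_url, now):
        """Return (action, matched_rule_ids); action is allow, alert or block."""
        if self.blocked_until.get(src_ip, 0) > now:
            return "block", []
        hits = match_rules(raw_url)
        if not hits:
            return "allow", hits
        if any(SEVERITY[h] == "high" for h in hits):
            return "block", hits
        recent = self.recent_hits[src_ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked_until[src_ip] = now + self.block_for
            recent.clear()
            return "block", hits
        return "alert", hits


if __name__ == "__main__":
    policy = FrequencyPolicy(threshold=3, window=60, block_for=600)
    for t in range(4):  # constructed repeated probe from one source address
        print(t, policy.decide("198.51.100.7", "/search?q=1%20or%201=1", t))
```

The path rule is evaluated on the normalized path rather than the raw request line so that encoded or dot-segment variants of the same URL resolve to the same decision; the frequency policy is what turns hundreds of identical alerts per minute into a single block event for the operator.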

(2) Semantic Analysis Protection

Semantic analysis with more refined models can determine whether a payload satisfies the syntax of the target language. Compared with a rule engine, the false positive rate of semantic analysis is very low. Where a rule engine must detect comment-based bypasses explicitly, the NSFOCUS WAF semantic engine correctly handles the different meanings produced by different comment styles, removing a case that traditional detection methods struggle with. For attack identification, the NSFOCUS WAF semantic engine performs lexical and syntax analysis, estimates the execution risk level of the statement through a threat model, produces a confidence value, and then intercepts according to the preset alarm threshold, which reduces the false positive rate to 0.2%.
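To make the lexical-analysis, threat-model, confidence-value and threshold steps concrete, here is an added example (my own illustration, not the NSFOCUS semantic engine) for the SQL case: a tokenizer that treats all three SQL comment styles as one token class, a threat model that scores statement-level structures rather than isolated keywords, evaluation under each plausible injection context (bare, single-quoted, double-quoted), and interception against a preset threshold. The grammar, scores and threshold are constructed assumptions.

```python
import re

# Constructed token grammar for the SQL dialect family; the three comment styles are
# recognised as one token class, so a payload reads the same whichever style it uses.
TOKEN_RE = re.compile(r"""
    \s*(?:
      (?P<comment>/\*.*?\*/|--[^\n]*|\#[^\n]*)
    | (?P<string>'(?:[^']|'')*'|"(?:[^"]|"")*")
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>\|\||<>|<=|>=|!=|[=<>+\-*/%,;().])
    )""", re.VERBOSE | re.DOTALL)

STATEMENT_START = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER"}
TIMING_FUNCS = {"SLEEP", "BENCHMARK", "PG_SLEEP", "WAITFOR"}


def tokenize(text):
    """Lexical analysis. Returns (tokens, comment_count), or (None, 0) when some
    character cannot be produced by the grammar, i.e. the text is not valid SQL."""
    tokens, comments, pos = [], 0, 0
    text = text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            return None, 0
        pos = m.end()
        kind = m.lastgroup
        if kind == "comment":
            comments += 1
            continue
        value = m.group(kind)
        tokens.append((kind, value.upper() if kind == "ident" else value))
    return tokens, comments


def threat_score(tokens, comments):
    """Threat model over the token stream: risk is attached to executable structures,
    not to keywords in isolation, and reported as a confidence in [0, 1]."""
    score = 0.0
    kinds = [k for k, _ in tokens]
    vals = [v for _, v in tokens]
    # OR/AND followed by <literal> = <same literal>: an always-true predicate
    for i in range(len(tokens) - 3):
        if (kinds[i] == "ident" and vals[i] in ("OR", "AND")
                and kinds[i + 1] in ("number", "string")
                and (kinds[i + 2], vals[i + 2]) == ("op", "=")
                and kinds[i + 3] in ("number", "string") and vals[i + 1] == vals[i + 3]):
            score += 0.8
            break
    # UNION [ALL] SELECT: splicing a second result set into the query
    if any(v == "UNION" and "SELECT" in vals[i + 1:i + 3] for i, v in enumerate(vals)):
        score += 0.9
    # ';' followed by a statement keyword: stacked statements
    if any(vals[i] == ";" and vals[i + 1] in STATEMENT_START for i in range(len(vals) - 1)):
        score += 0.9
    # a complete SELECT ... FROM clause (a bare word "select" scores nothing)
    if "SELECT" in vals and "FROM" in vals and vals.index("SELECT") < vals.index("FROM"):
        score += 0.5
    # timing function actually invoked (name followed by an opening parenthesis)
    if any(vals[i] in TIMING_FUNCS and vals[i + 1] == "(" for i in range(len(vals) - 1)):
        score += 0.6
    # a comment inside a value that should never contain SQL
    if comments:
        score += 0.2
    return min(1.0, round(score, 2))


# Injection contexts to try: bare value, inside a single-quoted literal, inside a
# double-quoted literal. The prefix closes the application's literal, the suffix
# stands in for the application's own closing quote.
CONTEXTS = (("", ""), ("'", "'"), ('"', '"'))


def analyze(payload, threshold=0.8):
    """Evaluate a request value under each context, keep the highest confidence, and
    intercept when it reaches the preset alarm threshold."""
    best = {"sql": False, "confidence": 0.0, "context": None}
    for prefix, suffix in CONTEXTS:
        tokens, comments = tokenize(prefix + payload + suffix)
        if tokens is None:
            continue  # not SQL in this context
        conf = threat_score(tokens, comments)
        if not best["sql"] or conf > best["confidence"]:
            best = {"sql": True, "confidence": conf, "context": prefix or "bare"}
    best["block"] = best["confidence"] >= threshold
    return best
```

Two properties of this approach show why its false positive rate is lower than a keyword rule's: a customer name such as O'Brien or a search string such as "select a good book" parses but scores zero, while a tautology written with inline comments instead of spaces tokenizes to the same stream as the plain form and is scored identically.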

(3) Adopting Attack and Defense Drill Templates

NSFOCUS WAF has formulated a dedicated policy template for attack and defense drills, combining years of experience in realistic attack and defense exercises with the identification and verification of a large number of Web attacks. The template contains high-frequency, high-risk rules while keeping the false alarm rate low, and it has passed many practical tests.

(4) API Security and Bot Protection Capabilities

In response to increasingly sophisticated malicious bot attacks and API security risks, NSFOCUS WAF adds Bot and API Security solutions to its original Web security, approached from the dual perspectives of security defense and enterprise service development, to ensure the Web application security, business security, and data security of enterprise users and to help customers turn security capabilities into actual business value.

For dynamic bot protection, NSFOCUS WAF accurately identifies and intercepts bot traffic to prevent crawlers, vulnerability scanning, promotion abuse (exploiting loopholes to obtain rewards or freebies), and other attacks from automated tools. The protection mechanisms it uses include human-machine identification, token authentication, script configuration, obfuscation of submitted data, page element obfuscation, and whitelisting.

For API protection, NSFOCUS WAF can automatically discover business APIs from baseline traffic, help customers inventory API assets, identify compromised APIs, prevent customer losses from injection or overflow attacks through API inspection, and defend against known and unknown threats arising from vulnerable API assets.
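As an added illustration of what "discovering APIs from baseline traffic" and "API inspection" can mean in practice (my own example, not NSFOCUS's implementation), the code below learns an endpoint inventory from a constructed set of baseline requests, generalizing numeric path segments into a template and recording the parameter names, value types and maximum value lengths seen per endpoint. New requests are then inspected against that baseline: an unknown endpoint, an unexpected parameter, a value whose type deviates (for instance SQL text where only decimals were seen) or an oversized value each produce a finding. The sample paths, parameters and the length factor are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed baseline traffic (not from the bank's environment): method, path, query/body params.
BASELINE = [
    ("GET", "/api/v1/accounts/1001/balance", {}),
    ("GET", "/api/v1/accounts/1002/balance", {}),
    ("GET", "/api/v1/accounts/1003/balance", {}),
    ("POST", "/api/v1/transfers", {"to": "1002", "amount": "150.00"}),
    ("POST", "/api/v1/transfers", {"to": "1003", "amount": "20.50"}),
    ("GET", "/api/v1/cards", {"page": "1"}),
    ("GET", "/api/v1/cards", {"page": "2"}),
]


def template(path):
    """Generalize a concrete path into an endpoint template: numeric segments become {id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def value_type(value):
    """Coarse value type used for the per-parameter baseline."""
    if re.fullmatch(r"\d+", value):
        return "int"
    if re.fullmatch(r"\d+\.\d+", value):
        return "decimal"
    return "string"


def learn(samples):
    """Build the API inventory: per (method, template) the request count, the set of
    value types seen for each parameter and the longest value seen for it."""
    inventory = {}
    for method, path, params in samples:
        key = (method, template(path))
        ep = inventory.setdefault(
            key, {"count": 0, "params": defaultdict(set), "max_len": defaultdict(int)})
        ep["count"] += 1
        for name, value in params.items():
            ep["params"][name].add(value_type(value))
            ep["max_len"][name] = max(ep["max_len"][name], len(value))
    return inventory


def inspect(inventory, method, path, params, length_factor=4):
    """Inspect one request against the learned baseline and return a list of findings."""
    key = (method, template(path))
    if key not in inventory:
        return ["unknown endpoint %s %s" % key]
    ep = inventory[key]
    findings = []
    for name, value in params.items():
        if name not in ep["params"]:
            findings.append("unexpected parameter '%s'" % name)
            continue
        vtype = value_type(value)
        if vtype not in ep["params"][name]:
            findings.append("type deviation in '%s': %s" % (name, vtype))
        if len(value) > length_factor * ep["max_len"][name]:
            findings.append("oversize value in '%s' (%d bytes)" % (name, len(value)))
    return findings


if __name__ == "__main__":
    inv = learn(BASELINE)
    for method, tpl in sorted(inv):
        print(method, tpl, dict(inv[(method, tpl)]["params"]))
    print(inspect(inv, "POST", "/api/v1/transfers", {"to": "1002", "amount": "1' or 1=1"}))
```

In a real deployment the baseline would be learned over a training window and reviewed before enforcement, since an endpoint that never appeared in the window would otherwise be flagged as unknown on first legitimate use.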

Intelligent and Efficient Deployment and Operation

(1) Reverse Proxy Cluster Deployment

Because of their wide business coverage, large commercial banks have a large number of sites to protect. In this case, the bank had more than 300 sites to protect and deployed nearly 200 WAF devices to detect attacks against, and protect, its many financial services and web applications.

In such a case, reverse proxy deployment with resource pooling can be adopted. A new service does not require a new device; expanding capacity in the WAF resource pool meets the requirement. NSFOCUS WAF delivers Web security and efficient management through service stability detection and centralized policy management. Through cooperation between the F5 devices and the WAF, the real source IP address is preserved when the WAF forwards traffic.
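The last sentence deserves a concrete example, because a reverse-proxy WAF that gets source-IP handling wrong either logs the load balancer's address for every request or lets a client forge its own address. The code below is an added illustration (not NSFOCUS or F5 code) of the usual contract between a load balancer and a WAF: the WAF believes the X-Forwarded-For header only when the connection comes from a trusted load balancer address, walks the chain from the right past trusted hops to find the real client, and appends its own peer when forwarding to the origin. The trusted address range and the sample addresses are constructed.

```python
import ipaddress

# Constructed address range: the load balancers that terminate client connections in
# front of the WAF cluster. Only headers arriving from these peers are believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]


def is_trusted(addr):
    """True when addr parses as an IP address inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, xff_header):
    """Resolve the real client address behind the load balancer.

    Walk the X-Forwarded-For chain from the right (the hop nearest to us) and skip
    every trusted proxy; the first untrusted address is the client. If the connection
    did not come from a trusted proxy, the header could have been written by anyone,
    so it is ignored and the TCP peer address is used. Malformed entries fall back
    to the peer address as well."""
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr
        if not is_trusted(hop):
            return hop
    return peer_addr


def forward_headers(peer_addr, xff_header):
    """Headers the WAF attaches when forwarding to the origin: the chain grows by the
    address we received the request from, and the resolved client address is passed
    on so that application logs and rate limits see the real source."""
    chain = (xff_header + ", " + peer_addr) if xff_header else peer_addr
    return {"X-Forwarded-For": chain,
            "X-Real-IP": real_client_ip(peer_addr, xff_header)}


if __name__ == "__main__":
    # constructed: client 203.0.113.7 reached the WAF through load balancer 10.10.0.5
    print(real_client_ip("10.10.0.5", "203.0.113.7"))
    print(forward_headers("10.10.0.5", "203.0.113.7"))
```

The same check matters for the WAF's own frequency-based policies: a per-source block list keyed on the load balancer's address would block every customer at once, and one keyed on an unverified header would never block the source it was meant to.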

(2) Centralized Management

NSFOCUS WAF products can be centrally managed through a centralized management platform.

The centralized management platform provides hybrid management, centralized policy management, business stability monitoring, and automated operations.

  • Hybrid management: Given the large number of WAF devices and their mixed deployment modes, the centralized management platform provides a single management node, removing the need for multiple user consoles, reducing cost, and increasing efficiency.
  • Centralized policy management: The centralized management platform supports one-click distribution of policy configuration, removing the need to configure WAF devices one by one. Making a policy change on more than 200 WAF devices one by one takes more than 4 hours; with centralized management the policy is issued with one click and all the work is done within 1 hour. It also removes error-prone manual configuration, greatly reducing operation and maintenance costs. In addition, it supports entering policy change operations in advance through automated scripts, running grey-box tests beforehand, and applying the change with one click at the scheduled time, so that changes are completed quickly and accurately at night.
  • Service stability monitoring: The centralized management platform supports real-time monitoring of WAF device health, including disk and traffic conditions, log processing rate, disk usage distribution, service status, data access, data storage, basic services, application container status, dashboards, WAF vulnerability identification, and so on. When a WAF device malfunctions, it is quickly located and traffic is switched away from it.
  • Automated operations: NSFOCUS WAF provides a rapid-release tool built to customer requirements and to the unified alarm format specification. It also integrates with the customer's situational awareness platform through a fully open API to enable flexible, full-scenario automated operation and maintenance, and it provides scenario-based playbooks that are encapsulated and invoked through automated scripts for integrated operations.
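Two requirements from earlier in the article, that configuration across devices be consistent and verifiable, and that policy changes be distributed in one step after a preliminary test, come together in the centralized policy management point above. The following added example (my own simulation, not the NSFOCUS centralized management platform) shows one way to implement them: a canonical digest of the policy lets the controller prove that every node runs the same configuration, and a staged rollout pushes the new policy to a small canary group, checks digest and health there, and rolls everything back to each node's previous state if anything fails. The in-memory Device class stands in for a WAF node's management API; the policies and the health check are constructed.

```python
import copy
import hashlib
import json


def policy_digest(policy):
    """Digest of the canonical JSON form, so key order and whitespace cannot cause
    two devices with the same policy to report different values."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Device:
    """Constructed stand-in for a WAF node; a real node would expose apply/report
    operations over its management API."""

    def __init__(self, name, policy):
        self.name = name
        self.policy = copy.deepcopy(policy)

    def apply(self, policy):
        self.policy = copy.deepcopy(policy)

    def report_digest(self):
        return policy_digest(self.policy)


def verify_consistency(devices, expected_digest):
    """Names of devices whose running policy differs from the expected digest."""
    return sorted(d.name for d in devices if d.report_digest() != expected_digest)


def staged_rollout(devices, new_policy, canary_count=2, health_check=lambda d: True):
    """Push a policy in two stages (canary group first, then the rest), verifying the
    digest and a health check after each stage, and roll back on any failure."""
    expected = policy_digest(new_policy)
    snapshot = {d.name: copy.deepcopy(d.policy) for d in devices}

    def push(group):
        for d in group:
            d.apply(new_policy)
        failed = set(verify_consistency(group, expected))
        failed.update(d.name for d in group if not health_check(d))
        return sorted(failed)

    def rollback(group):
        for d in group:
            d.apply(snapshot[d.name])

    canaries, rest = devices[:canary_count], devices[canary_count:]
    failed = push(canaries)
    if failed:
        rollback(canaries)
        return {"status": "rolled_back", "stage": "canary", "failed": failed}
    failed = push(rest)
    if failed:
        rollback(devices)
        return {"status": "rolled_back", "stage": "full", "failed": failed}
    return {"status": "applied", "digest": expected,
            "drift": verify_consistency(devices, expected)}


if __name__ == "__main__":
    # constructed policies: tighten the XSS rule from alerting to blocking
    old = {"sites": ["a.example"], "rules": {"sqli": "block", "xss": "alert"}}
    new = {"sites": ["a.example"], "rules": {"sqli": "block", "xss": "block"}}
    fleet = [Device("waf-%02d" % i, old) for i in range(5)]
    print(verify_consistency(fleet, policy_digest(old)))  # [] : all nodes agree
    print(staged_rollout(fleet, new))
```

Running the consistency check on a schedule, not only after a rollout, is what catches the locally edited device that the change window never touched.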
