May 23, 2014

A couple of weeks back, we took a snapshot from our crowd-sourced threat intelligence system, Community Defense, to look at the velocity of application attacks. For this post I will focus on the findings from 5/8/2014: on that single day we observed 319,915 SQL Injection incidents from all over the world.

Web Server Defense In Depth Architecture

To put that number in context, let's break down the flow of traffic to a web application. Keep in mind that some of these components may be part of a cloud service; the diagram shows the basic components regardless of where they are physically positioned.

[Figure: FLOW, the traffic path from the user to the web application]

When a user requests a web page or data from the website, several common components on the traffic path can decrypt and inspect the traffic and make a security decision, in order to protect the web application, and the data that resides in it, from being hacked.

What does 320K SQL Injections mean?

With the security-minded traffic flow established, let's look at it in an attack scenario. Each component along the way, NGFW, IPS, WAF (and perhaps other layers such as caching in between), can block an event when it detects an attack.

[Figure: FLOW, the same traffic path under attack]

The Web Application Firewall (WAF) is the component our data comes from.

This means that for us to see these SQL Injection attacks at all, they had to pass through the NGFWs and IPSs on the path, which did not flag the traffic as malicious, simply because that is not what they are designed to do. These SQL Injection attacks were only blocked when they reached the WAF.
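To make the difference concrete, here is an added illustration (not Imperva's code, and not how Community Defense classifies traffic) that runs a handful of constructed request lines through two detectors: a pattern match on the raw wire bytes, and a check that parses the HTTP request, decodes its query parameters and normalizes them before looking for injection shapes. The signature strings, the regexes and the sample requests are all assumptions made for the example.

```python
"""Added example: raw-bytes signature matching vs application-layer
inspection of the same SQL injection requests. Not Imperva's code."""

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request lines, as they would look after TLS termination.
# The first two are benign; the remaining five carry SQL injection payloads.
SAMPLE_REQUESTS = [
    "GET /products?id=42 HTTP/1.1",                                 # benign
    "GET /page?title=The%20Rock%20'n'%20Roll HTTP/1.1",            # benign, has quotes
    "GET /search?q=1%20union%20select%20null HTTP/1.1",            # plain, single-encoded
    "GET /products?id=42'%20OR%20'1'%3D'1 HTTP/1.1",               # tautology, encoded
    "GET /login?user=admin'--&pass=x HTTP/1.1",                    # comment terminator
    "GET /search?q=%2527%2520union%2520select%2520null HTTP/1.1",  # double-encoded
    "GET /items?id=1/**/UNION/**/SELECT/**/1,2 HTTP/1.1",          # comment obfuscation
]

# Assumed signature list matched against the raw wire bytes, the way a
# pattern rule that does not parse HTTP would work (simplified for illustration).
RAW_SIGNATURES = [b"union%20select", b"union select", b"' or '1'='1", b"' or 1=1"]

# Assumed injection shapes checked on a normalized parameter value.
TAUTOLOGY = re.compile(r"\bor\s+'?\w+'?\s*=\s*'?\w+'?")      # or '1'='1, or 1=1
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b")   # union select
COMMENT_TERMINATOR = re.compile(r"'\s*(--|#)")              # '-- closes the statement


def raw_signature_hit(request_line: str) -> bool:
    """Pattern match on the raw request bytes: no decoding, no parsing."""
    data = request_line.lower().encode()
    return any(sig in data for sig in RAW_SIGNATURES)


def normalize(value: str) -> str:
    """Application-layer view of one parameter value. parse_qsl already
    percent-decoded it once; decode again to catch double-encoding, replace
    /* */ comment blocks with a space, collapse whitespace, lower-case."""
    v = unquote(value)
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"\s+", " ", v)
    return v.lower().strip()


def app_layer_hit(request_line: str) -> bool:
    """Parse the request line into query parameters and test each normalized
    value against the injection shapes."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        v = normalize(value)
        if TAUTOLOGY.search(v) or UNION_SELECT.search(v) or COMMENT_TERMINATOR.search(v):
            return True
    return False


def compare(requests):
    """Return (raw_hits, app_layer_hits) over a list of request lines."""
    raw = sum(raw_signature_hit(r) for r in requests)
    app = sum(app_layer_hit(r) for r in requests)
    return raw, app


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"raw={raw_signature_hit(r)!s:5} app={app_layer_hit(r)!s:5} {r}")
    print("raw hits: %d, app-layer hits: %d" % compare(SAMPLE_REQUESTS))
```

Running the block prints a verdict per request: the raw-byte signatures catch only the one plainly encoded `union select`, while the parsed and normalized view catches all five injections and leaves the quoted-but-benign title alone. The regexes are deliberately small and are not a WAF ruleset; a real deployment also has to cover POST bodies, JSON, cookies and headers, and the ordering of decode, comment-strip and match steps is exactly where evasion attempts concentrate.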

This undercuts an unfortunately common misconception that NGFW and IPS technologies are able to properly deal with web application attacks such as SQL Injection.

Learn more about this topic:

  • Gartner report: “Web Application Firewalls Are Worth The Investment for Enterprises”
  • Our HII research paper: The Anatomy of SQL Injection Attack
  • Our article on IPS visibility of application layer attacks
  • The cost of SQL Injection article

Posted by Barry Shteiman at 12:25:30 PM

