Instrumented Systems Developing a Resilient Web Defense
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Developing a
Sustainable Safety
Resilient Web Defense
Instrumented Systems
Why it is critical for organizations in Southeast Asia
to adopt a holistic security strategy to protect
against web application attacks
A Frost & Sullivan Asia-Pacific Growth Insight
A Frost &commissioned
Whitepaper Sullivan White
by Paper
Penta Security Systems
Business Implications of
Table of Contents Data Breaches and
Web Defacement
03 Business Implications of Data Breaches and Web Defacement
03 Impact of Data Breaches and Web Defacement
04 Importance of Web Application Security in Reducing the Risk of Data Breaches
05 Web Application Attack Trends in Southeast Asia
05 Understanding the Top Five Web Application Attack Types
07 Notable Data Breaches and Web Defacement Attacks in Southeast Asia
08 WAF Adoption Situation Analysis in Southeast Asia
08 Customer Buying Behavior Analysis: A Compliance-driven Approach
09 Snapshot of the WAF Landscape in Singapore, Malaysia, Thailand, Indonesia, the Impact of Data Breaches and Web Defacement
Philippines, and Vietnam
10 Singapore
Major Across the globe, including the Asia-Pacific, 1. Loss of brand and reputation
10 Malaysia the frequency and volume of cyber security Data breach or web defacement activities
11 Thailand
consequences incidents such as data breaches and web can impact the brand name and reputation
11 Indonesia such as damage to defacement continue to rise to of a company. The incidents also place the
11 Philippines company unprecedented levels. Almost all industries IT function under scrutiny and can adversely
are potential targets including retail, affect customer trust, creating negative
11 Vietnam reputation, financial services, IT, public sector, critical media coverage for the firm. Partners doing
12 From Reactive Prevention to Proactive Detection interruption to infrastructure, manufacturing, and other business with the firm could also suffer from
business services. Major consequences such as loss of business, further impacting the firm’s
13 Key Considerations for WAF Selection
operations, and
damage to company reputation, interruption
to business operations, and legal exposure
ability to attract talent, suppliers, and
investors.
13 Consideration 1: Form Factor
14 Consideration 2: Level of Security Protection
legal exposure can can negatively impact an organization’s
15 Consideration 3: Operation Effectiveness and Total Cost of Ownership (TCO) negatively impact bottom line, placing cyber security at the top Thus, it is essential for companies to
of the company agenda. maintain their security posture by investing
15 Other Considerations: Adoption, Security Ecosystem, and Local Support an organization's in technologies, processes, and people. By
bottom line, Security breaches can also lead to declines having the right security posture, a
16 The Last Word placing cyber in share value and market position, as well
as increase the risk exposure of other
company can safeguard its reputation by
quickly responding to any data breach.
16 Moving Beyond Compliance to Business Enabler: Web Application Security as a security at the top participants along the company value chain
Strategic Imperative for the Digital Economy
of the company such as its suppliers, partners, and 2. Financial losses and drop in share
17 Envisioning the Future: Web Application Security for the Internet of Things
agenda. customers. In addition, the need for value
organizations to adopt targeted cyber A company succumbing to web defacement
18 About Penta Security Systems security strategies and tools is now more
important than ever with increased
or a data breach is bound to face financial
losses, bringing down its shareholder value
18 Company Overview
19 Global WAF Market Performance regulatory oversight requiring mandatory and profitability, and hampering future
data breach incident reporting, not to business opportunities. Apart from
20 Global WAF Appliance Market Performance
mention the likelihood of heavy fines. negatively impacting existing partners and
21 WAF Solutions Market Performance in Asia-Pacific suppliers, other functions such as sales,
The section below examines several critical marketing, and IT are likely to suffer as well.
22 About Frost & Sullivan consequences of data breach and web
defacement activities.
23 Appendix
02 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 03
Web Application Attack
Trends In Southeast Asia
3. Penalties and fines
Globally, many countries are putting in place
strict regulations to minimize the risk of data Importance of Web Understanding the Top Five Web Application Attack Types
breaches. New legislation in a growing
number of countries requires organizations Application Security in
compromised by a data breach to report the 1. Overview of the top web application attacks in Southeast Asia
incident and potentially be subject to hefty Reducing the Risk of This section explores web
fines and penalties, escalating financial application attack trends in Detections by Web Attack Rule, Southeast Asia, 2016
costs further. Investigations show that a Data Breaches major Southeast Asian
14.2%
company’s failure to comply with stipulated countries.
regulatory procedures could lead to severe Organizations failing to secure their web applications face
penalties and even force the resignation of multitude data risks and threats including information theft
Stealth Commanding
the company CEO. (e.g., passwords, customer information), damage to client
relationships, revoked licenses, and potential legal
Web application firewalls
(WAFs) were used to 0.3%
19.8%
One notable example is the European repercussions. Web application security becomes even detect the five most Directory Traversal
Union's General Data Protection Regulation more crucial given that stakeholders provide personal data common types of web
(GDPR) which can impose a fine of EUR20
million on companies for non-compliance.
Organizations based in Southeast Asian
for decision-making at various levels of the business. application attacks.
Cross Site
Scripting
0.2%
Cyber attackers can easily detect if the network layer is not File Upload
countries collecting EU citizen data are also secure and if the applications have valuable data. To respond Data in this section is
subject to this penalty if a data breach to this growing threat, companies in fields such as financial sourced from the South-
occurs. services and healthcare need to comply with an increasing east Asia Web Application
number of regulations, like the Payment Card Industry Data Threat Trend (WATT)
Security Standard (PCI-DSS) and Health Insurance Report by Penta Security
4. Loss of intellectual property Portability and Accountability Act (HIPAA), or face high fines. Systems.
Theft of intellectual property, be it trade
secrets, R&D efforts or patents, from a data There are a wide variety of web threats hostile parties use to
65.6%
breach incident can weaken a firm’s attack systems and attempt to cripple critical infrastructure. The overall study examines SQL Injection
competitive advantage and position in the attack data in relation to
market. For example, leakage of a Threats include stealing customer data, like names, dates of the top five web application
company’s price list in highly competitive birth, telephone numbers, and email addresses, adding the attack techniques, based
industries could be detrimental to its website to a botnet of infected sites, and even hijacking or on the analysis of logs
Source: Southeast Asia Web Application Threat Trend (WATT) Report, Penta Security Systems
profitability, causing it to potentially lose out crashing the site. When a web defacement occurs, it creates collected from January 1 to
to competitors. unauthorized changes to the web appearance by replacing December 31, 2016. The
Based on the report findings, SQL Injection Stealth commanding attacks are intended to
the company logo, content or web pages. most prevalent types of
attacks had the highest occurrence in execute unauthorized code. By attaching a
5. Other intangible costs attacks in the region are
Southeast Asia, followed by Cross Site malicious server-side script to the input, an
Apart from tangible costs, a data breach can Given the increasing popularity of web applications, security SQL Injection, Cross Site
Scripting, Stealth Commanding, Directory attacker can execute the desired command
also have serious intangible effects. A should be a key priority in developing secure applications. Scripting, Stealth
Traversal, and File Upload. and obtain information. This attack is severe
hacker can steal sensitive company Web application security should be tested at every stage of Commanding, Directory
as the whole web server can be under the
information, install malware, carry out the software development lifecycle and integrated as a part Traversal, and File Upload.
SQL Injection is one of the most common hacker’s control. The attack can be
privilege escalation, and such acts, which of their overall security strategy. Companies need to have Definitions of each attack
types of web application attacks. Most prevented with the establishment of an input
will negatively impact business operations response teams in place and a designated Chief Information type can be found in the
successful SQL Injection attacks can cause value verification procedure or HTTP
in the long run. Small firms, in particular are Security Officer (CISO) who can prepare a crisis Appendix.
substantial information leakage (data request verification function in WAF.
at higher risk as they may not have management plan and manage the application security breach). The threat can then escalate to
protection in the form of insurance or needs of the business. exploits using the leaked information, such
appropriate strategies in place.
as performing fraudulent transactions using
stolen login credentials. Automated tools for
SQL Injection attacks can easily be found
online.
04 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 05
2. Prevalence of web application attacks in Southeast Asian countries
Notable Data Breaches and
Detection of Web Attacks by Country, Southeast Asia, 2016
Web Defacement Attacks in Southeast Asia
100%
90%
80%
70%
60%
50%
40%
30%
20%
A report published In August 2016, a 22-year-old became the In addition, three databases belonging to
first person in Singapore to be convicted for medical practitioners comprising 81,309
by the Cyber committing a financial crime using hacking personal data records were also leaked.3
10% Security Agency of techniques. The hacker managed to infiltrate The breach was discovered in early October
0 Singapore stated several websites, stealing customers’ log-in 2017; however, sources reported that the
details to access their email, PayPal, and incident is likely to be related to a data
Cross Site SQL File Directory Stealth Total that there were Groupon accounts and perform fraudulent breach that occurred as early as 2014.4
Scripting Injection Upload Traversal Commanding Percentage nearly 1,800 purchases worth more than SGD70,000.
reports of website The sentence was a jail term of 28 months, Other than database leaks, the vulnerability
in violation of 20 offenses under the of web assets were exploited when hackers
Malaysia 38.7% 46.5% 49.2% 9.0% 29.2% 42.4% defacement cases Computer Misuse and Cybersecurity Act. took over 27 Malaysian websites in a web
Singapore 4.8% 36.8% 13.5% 88.7% 64.3% 34.5%
in 2016 alone, The criminal reportedly used hacking defacement attack during the 2017 SEA
which continues to software to execute SQL attacks on web Games. The case was seen as backlash
Philippines 49.0% 0.5% 0.6% 0.5% 0.3% 10.1% applications, stealing databases of informa- from Indonesian-based hacktivists in
be a prevalent tion containing usernames and passwords.1 response to a blunder in which their national
Indonesia 3.2% 11.3% 11.8% 0.1% 0.9% 8.2% threat to the online flag had been printed upside down in the
Vietnam 0.8% 4.1% 3.7% 0.2% 3.2% 3.3% presence of Injection techniques were also used to event’s official souvenir booklet.5
create defacements as a form of hacktivism
Thailand 1.5%
businesses in to share resentment against certain govern- In July 2017, a hacking group known as
3.5% 0.7% 21.3% 1.6% 2.0%
Singapore. ment agencies or businesses. A report 1937CN attacked two of Vietnam’s largest
Rest of SEA 0.1% 0.1% 0.1% 0.1% 0.1% 0.1% published by the Cyber Security Agency of airports as well as its local carrier Vietnam
Singapore stated that there were nearly Airlines. The hack attempt hijacked flight
1,800 reports of website defacement cases information screens and sound systems in
Source: Southeast Asia Web Application Threat Trend (WATT) Report, Penta Security Systems
in 2016 alone, which continues to be a the Hanoi and Ho Chi Minh City airports,
prevalent threat to the online presence of and also involved the dumping of about
businesses in Singapore.2 400,000 Vietnam Airlines passengers’
The exhibit above illustrates the different • The Philippines had the highest information online.6
types of web attacks infiltrating major percentage of Cross Site Scripting Malaysian telecommunication service
Southeast Asian countries. Malaysia and attacks (49.0%) in Southeast Asia, providers and mobile virtual network opera- The cyber attack on the Commission On
Singapore are hotspots for suspicious web recording an overall 10.1% and tors encountered a major breach that led to Elections (COMELEC) in the Philippines
activities, accounting for nearly 42.4% and ranking 3rd highest in the region. 46.2 million mobile subscribers’ personal has been one of the country’s largest
34.5% respectively of all attacks in • Indonesia, Vietnam, and Thailand data being compromised and leaked on an breaches. In April 2016, hackers infiltrated
Southeast Asia in 2016. accounted for 8.2%, 3.3%, and 1.5% online forum. The breach exposed subscrib- COMELEC’s database, defaced its website,
• File Upload and SQL Injection attacks of web application attacks ers’ home addresses, identity card numbers, and exposed 55 million voters’ personal
most frequently detected in Malaysia at respectively. and SIM card information. information and the names of the parties
• The rest of Southeast Asia, covering
49.2% and 46.5% respectively. they were supporting.7
• Directory Traversal attacks, which Cambodia, Brunei, Laos, and
mainly use automated tools, and Myanmar, accounted for 0.1% of the 1
Ronald Loh, “Hacker spent $70k using victims' e-mails, Paypal and Groupon accounts”, The New Paper, August 18, 2015, http://www.tnp.sg/.
Stealth Commanding attacks detected total. 2
Irene Tham, “1,800 website defacements in Singapore in 2016 just tip of the iceberg: CSA”, The Straits Times, September 15, 2017, http://www.straitstimes.com/.
3
Vijandren, “46.2 million Malaysian mobile phone numbers leaked from 2014 data breach", Lowyat.net, October 30, 2017, https://www.lowyat.net.
in Singapore at 88.7% and 64.3%, 4
“Telco data leak involves data from 2014, says deputy minister”, The Malaysian Insight, December 12, 2017, https://www.themalaysianinsight.com.
5
Lee Kah Leng, “Indonesian hacker group defaces Malaysian websites following flag blunder”, The Star Online, August 21, 2017, https://www.thestar.com.my.
respectively. 6
Pierluigi Paganini, “China 1937CN Team hackers attack airports in Vietnam”, Security Affairs, July 31 2016, http://securityaffairs.co/.
7
Waqas, “Anonymous hacks Philippines Election Commission, leaks 55 million voter data”, HackRead, April 9 2016, https://www.hackread.com.
06 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 07
WAF Adoption Situation While the adoption of WAF solutions contin-
ues to grow in Southeast Asia, it is largely
Many enterprises deploy WAF for auditing
purposes, setting it in monitoring or detec-
Analysis in Southeast Asia
reactive as many enterprises still adopt a tion mode since receiving too many false
compliance-driven and prevention-centric positive alerts generated from the WAF
approach. For example, enterprises could result in higher overheads and opera-
responding to regulatory requirements such tional costs for enterprises. This leads them
as PCI-DSS and local data protection acts. to turn off the prevention mode that can
block actual web attacks. The focus is more
Given the regulatory pressure, businesses on availability, service performance, and
in the region take a compliance-driven creating a hassle-free experience for
Customer Buying Behavior Analysis: approach to meeting their security require-
ments, particularly the banking, financial
customers. Southeast Asian enterprises do
not appear to prioritize corporate risk
A Compliance-driven Approach services and insurance (BFSI), e-com- management strategies, but mainly follow
merce, and retail sectors. For Southeast compliance requirements.
Asian countries, the motivation to comply
With rising Internet penetration, the oppor- Conventional security technologies such as with regulations is often for audit purposes
tunities for Southeast Asian enterprises to firewalls are no longer adequate to prevent and to avoid fines and penalties.
connect, engage, and sell to customers are these threats, requiring enterprises to adopt
tremendous. The need to interact with more advanced security technologies that Investment in WAF solutions to protect
customers to enhance business operations can provide protection capabilities at all reputation, intellectual property, and
via the web interface in a safe manner is network, application, and database levels. infrastructure is currently a lower priority
leading many businesses to pay consider- among enterprises in the region, likely due to
able attention to the security of their web To address this issue, a growing number of the shortage of skilled resources and exper-
systems. enterprises in the region are adopting WAF tise related to applications and security.
solutions, representing a robust CAGR of
The growing reliance on web applications 35.0% from 2013–2016.
as an essential business tool is making it a
prime target for cybercriminals. Hackers are
increasingly exploiting web application
The market saw tremendous uptake in
2016, growing by 44.0% year-on-year (YoY).
Snapshot of the WAF Landscape in Singapore, Malaysia,
vulnerabilities, targeting web servers, The WAF market has almost doubled in two Thailand, Indonesia, the Philippines, and Vietnam
databases, and related web infrastructure to years, reflecting the importance of WAF
gain unauthorized access to privileged solutions for regional businesses in South-
information. east Asia. WAF Solutions Market: Demand Analysis by Country, Southeast Asia, 2016
4.2%
WAF Solutions Market: Revenue Forecast, Southeast Asia, 2014–2016
Revenue =
11.8%
Vietnam
USD24.7 Million
8.9%
30.0%
25.0% Thailand
24.7%
22.9%
Phillippines
CAGR:
20.0% 35%
Malaysia
15.0%
10.0%
13.5% 40.9%
Singapore
5.0%
0
2014 2016
11.3%
Indonesia
Source: Frost & Sullivan
Source: Frost & Sullivan Asia-Pacific Web Application Firewall Solutions Market, Forecast to 2021
08 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 09
Major Adopters in Southeast Asia Rest of Emerging Southeast Asia
Thailand Philippines
The WAF market in Thailand recorded a moder- The WAF market in the Philippines recorded
Singapore Malaysia ate growth rate of 16.9% YoY with a revenue of slower growth in 2016 in comparison to the top
USD2.9 million in 2016. Among verticals, BFSI, markets in the region, contributing to only 8.9% of
In 2016, Singapore had the largest WAF In 2016, Malaysia accounted for 22.9% of service providers, and e-commerce were the top the overall regional market share. That stated,
market in Southeast Asia, recording 67.9% the WAF market, making it the second spenders, accounting for 30.7%, 19.5%, and market growth has been at a rapid pace in recent
YoY growth, the most robust among all largest in Southeast Asia. Investment in 16.3%, respectively. The government sector years. The overall market reported high
Southeast Asian countries. The govern- WAF solutions increased significantly by recorded a steady growth of 37.8% following the double-digit revenue growth of 49.9% YoY, antici-
ment, BFSI, service providers, and e-com- 24.9% in 2016. Similar to the deployment launch of its Digital Economy Policy and plan to pating to prevail as the country builds up its
merce are the strongest industry verticals trend in Singapore, the majority of enterpris- strengthen Internet security, boosting the adop- security posture.
for WAF adoption, representing a combined es in Malaysia opt for on-premises tion of application security among public sector
market share of 73.5% of the overall market. solutions, primarily driven by compliance agencies. The National Privacy Commission implemented
There has been significant adoption in other needs. BFSI, government, service provid- the Data Privacy Act of 2012, Section 28, “Guide-
verticals as well, including healthcare, ers, and e-commerce verticals were the top Demand is set to increase when the sector-spe- lines for Technical Security Measures”, stating the
media, and information technology/informa- spenders of WAF solutions in the country cific laws and regulatory notifications take effect need to implement safeguards to protect the
tion technology-enabled services (IT/ITES). with a market share of 29.8%, 24.2%, governing the security of personal data. The computer network from unauthorized access, as
13.3%, and 11.9%, respectively. sectors affected would include government agen- well as the need to perform regular monitoring
Despite more businesses in Singapore cies, telecommunications, BFSI, healthcare, breaches.13 These guidelines are likely to encour-
shifting to cloud services, on-premises Moving forward, with more stringent require- consumer credit and electronic payment age organizations to review their data protection
solutions remain prominent, contributing a ments for compliance and the e-commerce services. Organizations must apply for an strategy, primarily, web application online
higher share of revenue to the overall boom under the Digital Economy strategy, electronic payment license to explain how it can services.
market at 52.3% in 2016. However, adoption investment in WAF solutions is projected to protect users’ information before the license can
of virtualization, cloud, and IoT technologies accelerate in the forecast period. be granted, as regulated by the Royal Decree on Vietnam
are anticipated to expand as businesses in Electronics Payments.11
Singapore embrace new technologies to Organizations in Malaysia must ensure the Unlike other Southeast Asian countries, the
transform their operations. privacy and security of consumers’ personal Indonesia Vietnamese WAF market remained relatively
data and comply with the Personal Data nascent; attaining a revenue of US$1.0 million in
Under the Singapore Cybersecurity Bill, Protection Standards as governed by the In 2016, Indonesia was the second-fastest 2016, accounted for 4.2% of the regional market.
Cybersecurity Act 2018, organizations that Personal Data Protection Act of 2010. Willful growing WAF market in Southeast Asia, expand- WAF adoption in Vietnam is limited and mainly
are classified by the Commissioner as a non-compliance could subject the offender ing by 65.8% to attain a total revenue of USD2.8 compliance-driven due to the low attention on
Critical Information Infrastructure (CII) must to a fine of up to RM100,000 or imprison- million. The government, BFSI, IT/ITES as well application security.
furnish information on the design, configu- ment not exceeding two years or both.9 as online gaming, and entertainment sectors
ration, and security of the CII. The Commis- were the top spenders of WAF solutions, contrib- However, this is expected to change with increas-
sioner may issue a written directive for The capital market industry needs to comply uting 22.9%, 21.7%, and 20.8%, respectively. ing consumer awareness and legislation
action to be taken in relation to a cyber with the Guidelines on Management of strengthening personal data protection informa-
security threat, enforce compliance with a Cyber Risk by the Securities Commission Demand for WAF is expected to surge given its tion security. BFSI and government sectors are
code of practice or standard, or conduct an (SC) of Malaysia, while the BFSI sector role as a gatekeeper in protecting consumers’ the main adopters of these solutions due to their
audit on the owner(s) on their compliance must adhere to the Guidelines of Manage- personal data in light of the Ministry of Communi- need for compliance and protection of customer
with the act. ment of IT Environment (GPIS 1) issued by cation and Informatics’ introduction of the Protec- data. The Ministry of Information and Communi-
Bank Negara Malaysia.10 These guidelines tion of Personal Data in Electronic Systems cations released the Law on Network Information
If there is willful non-compliance by the serve as primary drivers for organizations in (MOCI Regulation) on December 1, 2016. Security (Law no: 86/2015/QH13) effective July 1,
owner, he/she will be found guilty of an Malaysia to adopt WAF as a primary tool to 2016.14
offense and be liable on conviction to a fine protect consumers’ personal data while The regulation requires organizations to adopt
not exceeding SGD100,000 or imprison- maintaining the availability of online agreements ensuring minimum service levels, The section on the protection of personal
ment for a term not exceeding two years.8 services. information security of IT services, and imple- information security in the network stresses the
The bill is expected to stimulate an increase mentation of internal communication security. need for organizations to adopt appropriate
in WAF adoption, especially for identified CII Failure in compliance could result in temporary managerial and technical measures to protect
companies in government, BFSI, aviation, dismissal of activities for an organization.12 personal data, and also requires them to take
healthcare, land transport, maritime, media, remedial and blocking measures as soon as
security and emergency, water, energy and there are identified incidents or risks.15 Failure to
info-communication sectors. do so may result in penalties imposed on the
organization or individual.
11
Tilleke & Gibbins, “Data Security and Cybercrime in Thailand” Feb 8, 2017, https://www.lexology.com.
12
DLA Piper, “Data Protection Laws of the World: Indonesia”, Jan 24, 2018, https://www.dlapiperdataprotection.com.
8
Cyber Security Agency of Singapore, “Cybersecurity Bill, Bill No. 2/2018”, Jan 8, 2018. https://www.csa.gov.sg/. 13
National Privacy Commission, “Implementing Rules and Regulations of the Data Privacy Act of 2012” August 24, 2016, https://privacy.gov.ph.
9
Jabatan Perlindungan Data Peribadi, “Laws of Malaysia, Act 709, Personal Data Protection Act 2010), June 10, 2010. http://www.pdp.gov.my/. 14
Ministry of Information and Communications, “Legal Documents: Law No. 86/2015/QH13”, accessed Feb 1, 2018, http://english.mic.gov.vn/.
10
Securities Commission Malaysia, “Guidelines on management of cyber risk”, Oct 31, 2016. https://www.sc.com.my/. 15
National Assembly, Socialist Republic of Vietnam “Law on Network Information Security”, Nov 19, 2015, http://english.mic.gov.vn/.
10 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 11
From Reactive Prevention to Proactive Detection
Key Considerations
Forecast for WAF Market, Southeast Asia, 2015–2021
for WAF Selection
120% 44.0%
40.5% 40.1%
36.9%
100%
31.9%
80% 26.5%
60%
40%
20%
0 2015 2016 2017 2018 2019 2020 2021
Revenue (USD Mn) 17.1 24.7 34.7 48.6 66.5 87.8 111.0
Source: Frost & Sullivan Asia-Pacific Web Application Firewall Solutions Market, Forecast to 2021
The overall WAF solutions market in Southeast Asia is
projected to record robust momentum in the next five Web Application Firewall
(WAF) is a security
years with greater awareness about cyber security and technology, either hardware
There are different types Consideration 1: Form Factor Virtual appliances:
stricter regulatory policies. or software, placed in front of
of WAF solutions in the If a company migrates its application stacks
market featuring diverse A WAF can be in different form factors, to the cloud, the virtual appliance would be
the web server to protect
technologies and features. which include physical hardware applianc- suitable due to its strong scalability and
applications from attacks
With governments in the region increasing It is vital for organizations to be equipped WAFs are also available in es, virtual appliances, or cloud-based ease of configuration to adapt to changes
aimed at exploiting their
their focus on eGovernment, smart cities, with capabilities to detect and respond to various forms that can be services. Regardless of form factor, a WAF made to the application stack in the cloud
vulnerabilities. WAFs monitor,
and connected industries, the need for these advanced threats, which requires deployed in different can be deployed either inline with an environment. The virtual WAF is the ideal
filter or block data packets
privacy and data protection is more import- them to look beyond the traditional WAF modes to suit the unique application server or as a reverse proxy that option for businesses that want to deploy
traveling to and from a web
ant than ever. As the threat landscape features. goals, business needs, inspects both external HTTP/s request and the WAF close to the applications. However,
server by intercepting
evolves with increasing web application and priorities of an web servers’ responses, to detect and block a virtual appliance alone may not be able to
Hypertext Transfer Protocol
attacks, it is critical for all enterprises to Traditional WAF solutions are only capable organization. malicious traffic. Choosing the right form perform well when the whole infrastructure
(HTTP) requests, to identify
have an advanced WAF solution to protect of preventing and blocking known threats, factor can be a difficult task requiring the IT becomes more sophisticated, with changes
and block potential malicious
their web-based applications, either in the based on the preset rules and signa- Enterprises should team to have a good understanding of the in the applications and network functions.
requests from reaching the
traditional web or cloud environment. ture-based detection techniques (whitelist- consider the following scope and priorities of their organizations.
web server.
ing and blacklisting), which are unable to points in choosing a A hybrid model blending hardware and
As a result, businesses in the region are detect advanced and unknown threats, such suitable WAF: Physical appliances: virtual appliances would be a better solution
looking beyond compliance and prevention as low and slow DDoS attacks, and Companies that have huge application to help an organization deal with these
WAFs can protect
to invest in advanced threat detection capa- zero-day attacks. stacks and critical data in their data centers challenges. It would allow them to protect
applications from different
bilities as they recognize the vulnerabilities can consider the physical appliance as it applications beyond the traditional premises
threats such as Open Web
of conventional security tools in keeping the These require advanced detection features offers many advantages such as high without compromising performance.
Application Security Project
attacks away from their corporate networks. using signature-less detection techniques (OWASP) Top 10 risks, performance, low latency, high privacy, and
that can detect, learn, and adapt to the in-house ownership and management Cloud-based WAF:
application layer distributed
changes of advanced threats, and which are which can be crucial for forensics. On-prem- Cloud-based WAFs provide ease of deploy-
denial-of-service (DDoS),
particularly crucial for enterprises that have ises WAFs are also known to be more ment, high scalability, and flexibility of a
Cross Site Scripting (XSS),
critical applications and data to protect. flexible in deployment within the data center. subscription model, with minimum require-
and Structured Query
Configuration is possible in proxy mode or ments for network infrastructure changes,
Language (SQL) Injection,
inline mode, as well as other customizations and hassle-free management for security
among others, hence
that may be necessary when the WAF is teams.
protecting the databases
connected to these deployed within an enterprise with unique
applications to prevent a data web application processes.
breach.
12 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 13
Consideration 3: Operation Effectiveness and Total Cost of Ownership (TCO)
Regardless of form factor and how In this regard, organizations should consid-
advanced the WAF is, the ultimate goal of er an easy-to-deploy-and-maintain WAF
an organization when selecting a WAF is solution with strong support from the
the business impact it can bring. A good vendor.
WAF solution should not only enable enter-
prises to comply with regulations, protect Reducing the total cost of ownership
applications, and ensure data safety from (TCO): For large businesses with complex
cyber attacks, but it should also help application infrastructure, a high-end WAF
businesses save time and operational costs can provide the performance power and
in deployment, operation, and maintenance. features required for management. Small
and medium businesses (SMBs) or a
Simple and intuitive user interface: business with less critical applications, data,
For enterprises lacking sufficient internal and services may not need to invest in
resources and strong application security high-end WAFs with advanced features.
expertise, a WAF with simple-to-use,
Consideration 2: Level of Security Other than the standard features, WAFs intuitive controls and reporting features in Enterprises should consider a vendor that
Protection should also be able to perform advanced the dashboard or console can benefit the provides a line-up offering multiple price
detection and protection capabilities against security team. These features provide points, to find the most suitable WAF that
Protection against the most common application layer DDoS, zero-day attacks, detailed visibility on threat areas they matches their requirements. Complicated
threats: fraudulent transactions, cross-site request should focus on, helping them save time on configurations, lengthy deployment times,
Regardless of vendors and technologies, a forgery (CSRF), and automated threats, and remediating vulnerabilities and reducing or lackluster vendor support could affect
WAF should have key features and capabili- support other capabilities such as SSL operational costs. opportunity costs and create additional
ties, including protection against the Open visibility. operation overhead. The WAF selection
Web Application Security Project’s Ease of deployment, configuration, and factors ensure reduced TCO for the organi-
(OWASP) Top 10 most critical web applica- An intelligent WAF should have capabilities maintenance: The rapid changes and high zation in the overall context of risk manage-
tion security risks. Popular attacks include to perform full traffic package analysis service demands do not allow enterprises to ment and business impact.
SQL Injection, Cross Site Scripting, and leveraging different techniques such as take a long time in deploying a WAF.
DDoS, to name a few. using heuristics and semantics for detection Difficulties in configuration and maintaining
as these techniques enable the WAF to a WAF could also introduce security
The WAF should have the capability to recognize advanced threats without requir- misconfiguration risks for organizations.
detect common application exploits and ing signature updates while providing low
threats targeting known application vulnera- false positives. This is important for organi-
bilities. Businesses of all sizes need to look zations that need to maintain and protect
at these basic features when considering a applications beyond the traditional premises Other Considerations: Adoption, Security Ecosystem, and Local Support
WAF as they offer maximum security (servers or data centers), such as in the
protection against the most common threats cloud or when embedded in IoT devices. Enterprises should take into account other The ecosystem factor is also essential as
that organizations encounter while making factors, such as the vendor’s adoption rate applications are developed and used in
its management and handling efficient and Detailed logging and threat intelligence can in the regions of operation, its security different contexts and environments, requir-
easy to use. provide security teams with more visibility ecosystem, and ability to deliver reliable ing a more comprehensive approach to
into the application traffic traveling across support locally. protection in addition to the WAF solution.
Maximum threat protection with fast and environments, from public cloud to private
accurate advanced threat detection cloud and IoT devices. This information A vendor that provides a security portfolio The ability to deliver strong local support is
capabilities: helps them identify potential attacks and which extends beyond web application crucial, which can be done via a direct team
Enterprise-grade WAFs with advanced data breaches faster and more accurately, security, such as database security, can or through local partners. As WAF configu-
features are suitable for large businesses reducing the management overhead of offer a more comprehensive and integrated ration requires substantial knowledge and
that have a vast number of critical applica- security teams. approach to security. expertise in application security, businesses
tions, business services, and sensitive data need local support to understand the rapid
that need protection. changes in web applications, IT environ-
ments, and the widening threat landscape.
14 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 15The Last Word
Moving Beyond Compliance to Envisioning the Future:
Business Enabler: Web Application Web Application Security
Security as a Strategic Imperative for the Internet of Things
for the Digital Economy
The growing adoption of IoT is creating a The entry points for threats that are bound
wave of ubiquitous connectivity, leading to to escalate in the future include insecure
Moving forward, most countries and As businesses, especially those in e-com- the availability of new possibilities such as web interfaces, applications with insufficient
businesses will need to comply with stricter merce evolve further, they need to protect connected cars, driverless trucks, smart authentication or authorization functionality,
digital regulations as more business opera- against financial fraud, identity theft, disrup- homes, connected gadgets (televisions, and insecure network services, among
tions are conducted on digital platforms tion of services, and exposure of sensitive thermostats, lights, door locks, and refriger- others. Today, electronics manufacturers are
requiring robust security measures. customer data. Vulnerable areas include ators), as well as sensors improving the looking to add features that can connect
weak input sanitization, broken authentica- efficiency of power generation, water, and their products to the Internet, often compro-
While complying with stricter regulations is tion and session management, and insuffi- transportation systems. mising the compatibility of the software and
a significant push factor by the authorities, cient monitoring and logging, among others. hardware. Hackers detecting any vulnerabil-
businesses may only do the minimum to Governments are increasingly adopting Despite the significant opportunities IoT ities in these products can remotely attack
meet the standards. It is vital for business digital practices and require solid web brings, the technology also raises several the set of interconnected devices from
leaders to understand the dire implications application security posture to protect security risks for businesses and consum- anywhere in the world.
of inadequate web application security (as against fraudulent use of digital payment ers. With a vast number of connected devic-
discussed in Section 1), and how invest- systems, data theft, misuse of data and es, IoT is particularly vulnerable to security In light of these risks, it is necessary for
ments in creating a defense-in-depth hacking of digital wallets. attacks both virtually and physically. For manufacturers to properly test systems and
approach is a business enabler rather than instance, with interconnected devices, data adopt the needed level of security mecha-
a cost center. Superior web application Organizations therefore need to know that gets collected can be hacked easily and nisms to protect IoT-connected devices.
security could potentially become a differen- where and how to protect their digital assets misused. Web application security, therefore, should
tiator in the digital economy, allowing online. One recommendation is to seek be the primary consideration for IoT to
businesses to gain a competitive advantage advice from qualified security consultants to Criminals can hack into Internet-controlled succeed in this space.
with a stronger cyber posture, building trust help decide the best form factor and level of automobile devices such as horns, engine,
with consumers in protecting their confiden- security protection required, followed by an brakes, and dashboard displays, potentially
tial data from cyber attacks. evaluation of security efficacy and total cost causing severe accidents. With so many
of ownership before making an informed interconnected devices generating personal
decision about the right WAF solution and and financial information, cybercriminals
related security tools. also have ample opportunity to disrupt
operations.
16 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 17About Penta Global WAF Market Performance
Security Systems
1.8% 11.4%
Others
2.8% Competitor I
Competitor H
3.1% 26.0%
Competitor A
Competitor G
3.7%
Competitor F
4.3% Total WAF Market:
Revenue Percentage,
Competitor E
Global, 2016
5.3%
Penta Security
Systems
19.8%
7.0% Competitor B
Competitor D
14.7%
Competitor C
Company Overview
Source: Frost & Sullivan Global Web Application Firewall Market Analysis, Forecast to 2021
Penta Security Systems is a global provider Penta Security Systems offers IoT-specific The global WAF market is populated by a and availability assurance (DDoS mitiga- Penta Security
of application security solutions based in safeguards such as AutoCrypt for complete few well-established participants and tion), plus advanced security capabilities
Seoul, South Korea. The company offers a protection of connected cars, using PKI for emerging players, according to Frost & such as API protection and bot manage- Systems ranks
wide range of web, data, and authentication authentication of endpoints (AutoCrypt PKI) Sullivan analysis. The top three vendors ment and security. Additionally, the services among the top five
security solutions including WAF, data and encryption to secure communications control the majority of the WAF market market segment is seeing an increase in in the global WAF
encryption solutions, and single sign-on (AutoCrypt V2X). AutoCrypt AFW is a share, offering WAF appliances, WAF competition as vendors that have tradition-
(SSO). specialized firewall for connected car modules for ADCs, and cloud-based WAF ally offered on-premises solutions are now solutions market,
systems that uses logic-based analysis services. also introducing cloud services. consolidating its
Penta Security Systems offers multiple WAF instead of signatures to detect and block market leadership
options to help protect customers’ applica- threats and unwanted activities. In the appliance market segment, Competi- Penta Security Systems ranks among the
tions across data centers, cloud infrastruc- tor A and Competitor C are the two leading top five in the global WAF solutions market, in the Asia-Pacific.
ture, and virtual environments. WAPPLES is vendors. In particular, Competitor A is one of consolidating its market leadership in the
a comprehensive WAF solution available as the most highly-regarded vendors in the Asia-Pacific. Penta Security Systems
either a physical appliance or virtual market based on its reliable product perfor- primarily focuses on the South Korea
appliance (WAPPLES-SA). WAPPLES uses mance, continued product development, market, while also serving customers in
a proprietary logic operation detection and years of experience in the WAF market. Thailand, Malaysia, Singapore, and Japan,
engine known as Contents Classification among others. The company also has a
and Evaluation Processing (COCEP™) that In the services market segment, Competitor small presence in North America, with a
uses semantic and heuristic analysis B emerged as the leading vendor, followed sales office in Texas.
techniques to detect and block known and by Competitor A. Competitor B’s success is
unknown threats. The solution uses a the result of a strong value proposition of
logic-based analysis engine to deliver low integrated CDN optimization, WAF security,
false positive rates and prevent data
leakage.
18 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 19Global WAF Appliance Market Performance WAF Solutions Market Performance in Asia-Pacific
2.8%
9.2%
Others
18.0%
Others
13.9%
Penta Security
Competitor G
2.1% Systems
4.5% 30.8% Competition K
Competitor F Competitor A
2.3% 10.7%
Competition J
4.6% Competitor A
Competitor E 3.1%
Competition I Total WAF Solutions Market:
6.0% WAF Applicance Segment:
Revenue Percentage, 3.9%
Revenue Percentage
Breakdown by Vendor,
Competitor D
Global, 2016 Competitor H Asia-Pacific, 2016
5.5%
8.1%
Competitor G
Penta Security
6.8% 10.0%
Systems Competitor F Competitor B
7.0%
11.2% 22.8% 9.1%
7.7%
Competitor E
Competitor C Competitor B Competitor C
Competitor D
Source: Frost & Sullivan Global Web Application Firewall Market Analysis, Forecast to 2021 Source: Frost & Sullivan Asia-Pacific Web Application Firewall Solutions Market, Forecast to 2021
Governments are The WAF application segment includes As the global WAF market relies on WAF Headquartered in South Korea, Penta Penta Security Systems is proactively Penta Security
virtual and physical appliances. WAF product performance and market expertise, Security Systems continues to maintain its forging partnerships with local cloud service
increasingly vendors offer a range of appliances from 50 Competitors A and B maintained their market leadership in the Asia-Pacific WAF providers in various Asia-Pacific countries. Systems plans to
adopting digital Mbps to high-end appliances capable of leadership positions because of their market with its next-generation WAF Apart from its strong presence in South expand its
practices and more than 40 Gbps throughput. effectiveness in protecting against OWASP solutions. Penta Security Systems plans to Korea, the company has a branch office and footprint to other
Top 10 threats and their low false positive expand its footprint to other Asia-Pacific partnerships with cloud service providers in
require solid web Large enterprises dominate the WAF rates. countries, alongside its focus in South Japan. Asia-Pacific
application application segment due to the high invest- Korea, with increasing demand for its countries,
security posture to ment cost requiring substantial IT budget In the global WAF appliance market, Penta on-premises and virtual software solutions. In 2016, Penta Security Systems teamed up alongside its focus
and willingness to pay for best-of breed Security has the 4th largest market share with a key managed security service provid-
protect against the security technologies. As a result, the globally. While Asia-Pacific remains its Frost & Sullivan analysis indicates increas- er in Singapore to penetrate further into the in South Korea,
fraudulent use of average price of WAF products is anticipat- primary revenue contributor, Penta Security ing market penetration in the Asia-Pacific Southeast Asian market. with increasing
digital payment ed to remain steady. The top eight vendors Systems' proven performance continues to WAF solutions market by Penta Security demand for its
in the WAF application segment are mostly strengthen its market share and revenues in Systems and Competitor C. Competitor A Its solutions’ capabilities are not only limited
systems, data theft, global WAF vendors. the other regions as well. emerged at the top for cloud-based WAF to signature matching, but also include its on-premises and
misuse of data, solutions, while Competitor B excelled in proprietary intelligent security engine. virtual software
and hacking of both application and cloud-based services. solutions.
digital wallets.
20 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 21About Frost & Sullivan Appendix
We Accelerate Definition of Web Application Attacks
Growth Cross Site Scripting (XSS) Directory Traversal
An attack technique classified under the An attack technique aimed at accessing
Frost & Sullivan is a growth partnership company OWASP Top 10, where attackers inject files or directories outside of the attacker’s
focused on helping our clients achieve malicious script in input fields that get stored access privileges or areas that are not
transformational growth as they are impacted by an in the web application. This, in turn, gets available for public access. It is classified as
economic environment dominated by accelerating executed on the client side without the user “Broken Access Control” in the OWASP Top
change, driven by disruptive technologies, mega being aware when the website loads in their 10.
trends, and new business models. browser.
Stealth Commanding
The research practice conducts monitoring and SQL Injection An attack technique that obtains information
analyzing technical, economic, mega trends, An attack technique that exploits a database by injecting server-side script in an input
competitive, customer, best practices and emerging by injecting a query into vulnerable input field to execute malicious system
markets research into one system which supports the fields. By manipulating the input value of the commands in the server. It is classified
entire “growth cycle”, and enables clients to have a client with the execution of an unintended under the “Injection” category of the
complete picture of their industry, as well as how all SQL statement, SQL Injection can cause OWASP Top 10.
other industries are impacted by these factors. massive data leakage. It is classified under
the “Injection” category in the OWASP Top
10.
www.frost.com File Upload
An attack technique where the attacker is
able to upload a malicious file to gain
access to the application or system. This
For more information on the OWASP Top 10 2017
enables the attacker to take over the system
most critical web application security risks, go to
and remotely execute commands on the
https://www.owasp.org/index.php/Top_10-2017_Top_10.
server computer. It is classified under the
“Security Misconfiguration” category in the
OWASP Top 10.
22 Developing a Resilient Web Defense | Frost & Sullivan Whitepaper Developing a Resilient Web Defense | Frost & Sullivan Whitepaper 23We Accelerate Growth WWW.FROST.COM
Auckland Colombo London Paris Singapore
Bahrain Detroit Manhattan Pune Sophia Antipolis
Bangkok Dubai Mexico City Rockville Centre Sydney
Beijing Frankfurt Miami San Antonio Taipei
Bengaluru Iskandar, Johor Bahru Milan Sao Paulo Tel Aviv
Bogota Istanbul Mumbai Seoul Tokyo
Buenos Aires Jakarta Moscow Shanghai Toronto
Cape Town Kolkata New Delhi Shenzhen Warsaw
Chennai Kuala Lumpur Oxford Silicon Valley Washington D.C.
ABOUT FROST & SULLIVAN
Frost & Sullivan is a growth partnership company focused on helping our clients achieve transformational growth as they are
impacted by an economic environment dominated by accelerating change, driven by disruptive technologies, mega trends, and new
business models. The research practice conducts monitoring and analyzing technical, economic, mega trends, competitive, customer,
best practices and emerging markets research into one system which supports the entire “growth cycle”, which enables clients to
have a complete picture of their industry, as well as how all other industries are impacted by these factors.
Contact us: Start the discussion
To join our Growth Partnership, please visit www.frost.com
Copyright Notice
The contents of these pages are copyright © Frost & Sullivan. All rights reserved. Except with the prior written permission of Frost & Sullivan,
you may not (whether directly or indirectly) create a database in an electronic or other form by downloading and storing all or any part of
the content of this document. No part of this document may be copied or otherwise incorporated into, transmitted to, or stored in any other
website, electronic retrieval system, publication or other work in any form (whether hard copy, electronic or otherwise) without the prior written
permission of Frost & Sullivan.
Sustainable Safety Instrumented Systems | 4You can also read
