DevOps, Cloud, and Next-Gen WAF

When web application firewall vendors can’t meet your needs, what do you do? Well, here is what the founders of Signal Sciences did when they couldn’t find the right solution for Etsy.

In an effort to find out what is new in the Web Application Firewall (WAF) space, Brilliance Security Magazine spoke with Zane Lackey, CSO and one of the co-founders of Signal Sciences.

If you go back in time four and a half years or so, you will find Zane Lackey, Nick Galbreath, and Andrew Peterson working at Etsy on the engineering side of the house. Etsy was one of the pioneers in the DevOps and cloud shift that is now affecting many organizations. Zane was the CISO, where he built and ran Etsy’s security program from the ground up. Some of their major challenges stemmed from the fact that the industry’s legacy web app firewall providers were not keeping up with the current DevOps and cloud methodologies. “Over the last eight years or so, risk has shifted out to the endpoint side of things and up to the application space. That is where customer data has shifted and where risk has gone as well. We found that we needed to defend those applications in a significantly different way, but the vendors in that space were only providing legacy WAF solutions that neither met flexible development needs nor provided useful attack data,” Zane said.

When they couldn’t find what they needed in the marketplace, they simply built their own solution in-house.

The trio realized that the powerhouses of the day in the WAF space were serving a compliance-driven market. “They were typically physical appliances that customers would put in their data centers to defend applications that were being developed in a very slow waterfall model,” explained Zane.

The approaches that Etsy was using to defend their web applications in a DevOps and cloud world were starting to get noticed and soon they found themselves explaining what they were doing for many of their peers. They found that others in the industry, like them, needed this type of solution.

He said, “At first we thought it was just other startups that were doing DevOps and cloud, but then over the course of our tenure at Etsy we saw the largest enterprises on the planet were asking us to come in and talk with their development teams to explain the lessons we had learned, because they recognized that they were going through that same journey.”

The guys soon realized that this void in available solutions created a significant opportunity for them and thus they created Signal Sciences.

“If you remember what Palo Alto Networks did for the legacy firewall market in the late 90s or early 2000s, or what Crowdstrike or Cylance did for the legacy antivirus space; well, this is what we are doing to the legacy WAF space. It is what the market is calling Next-Gen WAF.”

Zane believes that it was their time at Etsy trying to build an in-house solution to defend their pioneering DevOps and cloud model that positioned them perfectly to fill this void.

They couldn’t be more thrilled with the traction that they are getting in the market today. “We are deployed across systems with our customers where we defend 150 billion production requests per week. To give you a sense of scale: a very large consumer website will typically do about 5 billion requests per month. Even though we are a newer technology, people are using us to defend their most critical customer-facing large-scale applications.”

Zane claims that in a world where legacy WAFs only make it into “any kind of blocking mode about 10% to 15% of the time,” at Signal Sciences “over 95% of our customers have us in full automated blocking mode.”

To give us an idea of what Signal Sciences does differently, specifically their Network Learning Exchange (NLX), Zane explained, “Because we are a SaaS service, our customers deploy a really lightweight agent that talks to our SaaS backend in a highly performant and privacy-conserving way. Because we’re that SaaS service, we get a profound network effect where every customer can benefit from every other customer.

“This is not a unique idea. We are not the first ones to say we are a SaaS service so we get a network effect. What is unique about it is that in the past there were so many false positives associated with the technology that to even think of a network effect would just be ludicrous, because the only thing worse than all the false positives you got out of your legacy WAF was compounding that with everybody else’s false positives. So, even though the idea isn’t as new, the actual execution in this space is fundamentally game-changing.

“The problem is that as applications and web applications have become more and more feature-rich, correspondingly, the ways to attack them have become much broader. Because those products [legacy WAFs] really only focused on one particular space, that was all they were able to cover.”

He goes on to explain their Power Rules: “So we’re able to provide these Power Rules to our customers so they can get coverage over all of the different ways in which hackers now try to abuse web applications or APIs. As a customer, you don’t need eight different point solutions to try and put in place, one for one bit of the problem, another for another bit of the problem – you can actually use the Signal Sciences Power Rules component to get coverage over all of these different pieces, which means you have less work to do because you only have to deploy one technology, but you’re still able to get that broad coverage.”

He concludes, “Another part of this is about making it so that not just security people can use the technology. This is another side of the Power Rules that we are really excited about. Historically, security technologies have only been built to be used by security people. The problem is, because of the rise of DevOps and cloud, the velocity is just increasing so much that there is no way for security to scale. The only way in which security scales is having a security technology that is directly usable by the development team and the DevOps team themselves. They can use the Power Rules to say, we’re launching a new API server or we’re launching a new web application, and they [those teams] can use that through our dashboards in a way to get coverage over the application functionalities they are exposing or the new sign-in flow that they’re creating. It’s built in a way that is not just a brand new spiffy language that they need to learn or some sort of complexity, but a nice developer- and DevOps-focused GUI that they can actually make use of very tangibly.”

Founded in 2014, Signal Sciences is headquartered in Culver City, CA. They have about 100 employees, up from 32 employees in 2016.

Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine