WAF and DDoS Protection comes to Adobe Experience Manager as a Cloud Service

Web application firewalls (WAFs) have become an important cybersecurity tool, yet they can be challenging to deploy and maintain. The release of WAF and DDoS Protection brings powerful and intelligent traffic filtering and distributed denial of service (DDoS) mitigation to Adobe Experience Manager as a Cloud Service. In this article, we’ll cover recent trends in cybersecurity, an overview of WAF technology, benefits of WAF and DDoS Protection, WAF best practices, and when you might need a WAF.

Cybersecurity background

Cyberattacks grow in relation to the available attack surface. More exposed applications and services mean more potential avenues of attack, so it’s no surprise that threats have continued their exponential growth. And according to Verizon’s 2023 Data Breach Investigations Report, web applications are the most likely attack vector.

The nature of threat actors is also changing, with more threats from groups linked to organized crime. According to McKinsey & Company’s Cybersecurity Trends Report, bad actors are leveraging rapid advancements in artificial intelligence and machine learning to craft targeted phishing attacks and are expanding the volume and impact of DDoS attacks.

These criminal activities are leading to a 15% increase in cybercrime-related expenses, plus the cost of fines, ransoms, and downtime related to successful breaches or extortion schemes. Facing this surge in threats to their business, organizations are turning to trusted technology partners to embed security tooling in their solutions.

WAF background

WAFs sit in front of servers and applications to protect them from malicious and fraudulent traffic — zero-day exploits, account impersonation and takeover, bots, API abuse, code injection, and DDoS attacks. The primary purpose of a WAF is to identify and block malicious traffic before it reaches the web application.

WAFs perform this by analyzing incoming requests, referencing them against predefined rules, behaviors, and identities. Managing those rules can be complicated — defining and configuring all the necessary logic, catching the bad traffic without affecting the good traffic from actual customers, all without slowing things down.

WAF rules typically fit into a few categories — such as allow and deny listings and pattern matching. Crafting these rules for optimal effectiveness requires a specialized technical skillset and an understanding of the organization’s risk profile, a combination that can be hard to find in the competitive market for experienced security personnel.

WAF and DDoS Protection

With the release of WAF and DDoS Protection, powerful and intelligent traffic filtering is available in Adobe Experience Manager as a Cloud Service. Adobe customers and partners care deeply about the integrity, availability, and confidentiality of their applications and data. With WAF and DDoS Protection, teams can deliver high impact personalized experiences with the latest advances in security.

The new WAF features scalable protection, rapid time to value, and comprehensive security tools.

• Scalable protection comes from smart traffic filtering based on anonymized attack data, intelligent inspection to identify malicious payloads, and shared threat intelligence.
• Rapid time to value allows teams to promptly block malicious traffic and attacks with out-of-the-box WAF rules.
• Comprehensive security tools include OWASP Top 10 coverage, DDoS and Bot protection, account takeover protection, rate limiting, API protection, and more.

The implementation of WAF and DDoS Protection is designed to be simple and can be performed in Cloud Manager. Adobe Experience Manager’s WAF filter rules examine each payload for malicious potential by evaluating both the context and what would happen if the request was executed. The intelligent inspection capability makes very accurate attack detections with few false positives, generating both better security and lower operating costs.

WAF best practices

As organizations review implementing a WAF, here are five security considerations to ensure success:

1. No security product will detect or prevent all possible threats or attacks. WAFs are not a substitute for appropriate security controls on web applications and APIs.
2. To prevent inadvertently blocking legitimate requests, test and validate WAF traffic filtering rules prior to deploying them to production.
3. Even with features like intelligent inspection, it is possible that some requests are mistakenly marked as bad traffic and thus blocked.
4. Over time, monitor the performance of your WAF filtering and adjust rules as needed to address changes in web applications, APIs, and traffic patterns.
5. WAFs only inspect HTTP and HTTPS requests and do not evaluate Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) traffic. Other services like content delivery networks (CDNs) can provide additional layers of defense.

Do I need a web application firewall (WAF)?

Implementing a WAF is part of a comprehensive approach to web application security, along with other practices such as secure coding, regular security assessments, and software patching. Whether you need a WAF depends on various factors, including the nature of your web applications, the level of sensitivity of the data they handle, and your overall cybersecurity strategy.

WAF and DDoS Protection is an excellent choice for organizations that want to focus on orchestrating and delivering impactful personalized experiences without spending as much time as before on securing their content management architecture. If you would like to learn more about WAF and DDoS Protection, contact your account manager today.

https://business.adobe.com/fragments/resources/cards/thank-you-collections/aem