Making a FUS out of…WAPP?

If you follow A10 (thank you if you do), you may have noticed we acquired something new earlier this year: ThreatX by A10 Networks. Some people call it a CWAAP, some call it a CNAPP, others call it a WAAPi…we call it a WAPP – web application protection platform. Why? Because it’s forward-looking, and it sets the stage for how we’ll Futurize, Unite, and Simplify (FUS) the protection of your application ecosystem.

The Problem with Old Approaches

Traditional approaches to securing web applications have relied heavily on static, regex-based defenses that simply don’t keep up with modern threats. Network firewalls, as an example, became insufficient on their own because they struggled to examine encrypted traffic. If attacks were envelopes with hidden messages inside, network firewalls could only look at the outside of the envelopes. A next-gen firewall might do a better job of taking context into account, but it’s still limited to examining the outside of the envelope; the message inside can’t be examined. Similarly, without decryption, more advanced attacks that targeted Layer 7 were invisible to such security devices. Even when the web application firewall was introduced, it was incredibly resource-intensive, and because the programming used in the application layer is much more flexible, it was much easier to disguise malicious attacks as normal traffic.

Meanwhile, attackers evolved:

  • Advanced application attacks, from obfuscated or fragmented payloads to diverse injection techniques, exploit the complexity of the application layer. This puts pressure on existing WAFs to evolve with more adaptive detection and mitigation.
  • Application-layer DDoS became a new vector that is cheaper and easier to execute than massive network floods, often using “slow-and-low” techniques to quietly overwhelm systems. Attackers no longer need to invest heavy capital to build an infrastructure large enough to execute hyper-volumetric DDoS attacks.
  • Proliferation of APIs opened a rich attack surface. They directly connect back-end systems and often integrate across organizations. This makes them prime targets for business logic attacks that mimic legitimate behavior while exploiting subtle flaws.
  • Bots now account for nearly half of all internet traffic. Their techniques have advanced in complexity and scale. For example, instead of brute-force logins, attackers increasingly use credential stuffing, leveraging stolen credentials across multiple apps to break in at scale.

Because of these changes, the attack surface has grown and the complexity of attacks has advanced, but defenses haven’t always been able to keep pace.

Static Approaches are a Thing of the Past

In the past, defenses were mostly signature-based and would require heavier tuning. These static approaches worked when threats were simpler in nature and lower in volume. But today, applications are the backbone of the digital economy. Sensitive data pass through, business transactions are carried out, and a large amount of customer trust is placed in the uptime of these applications. Signature-based detection and manual tuning are no longer enough. Their mean-time-to-detect, accuracy, and flexibility are too low to counter the evolving threat landscape.

The Current “Best-of-breed” Trend

Modern defenses use AI and ML to power algorithms that allow for some form of context-based detection, which can greatly improve precision. Additionally, to counter the plethora of new attack vectors, defenses have adopted a “best-of-breed” trend. Organizations put together multiple point solutions “a la carte” style: one vendor for bots, another for APIs, another for WAF, another for L7 DDoS, and then try to glue them together. The result is less than desired. The cost of acquiring all these different products is high. Plus, there will be a ton of technical debt, overhead cost, and inefficiencies from these siloed products (such as false positives). Organizations end up with too many products, unsure of what to do with all the information generated.

Some vendors attempt to solve this by stitching the products together on their end, and then selling this stitched-up Frankenstein as a “bundled solution,” with a “brain in the middle” that aggregates data from multiple tools. This doesn’t fix the problem of the siloed products working on their own vectors without communication. It still generates countless false positives that need to be sifted through. The burden of this task will still be pushed to the organization’s security team.

The Future: Working Together by Design

The future isn’t about buying more best-of-breed tools or putting more pressure on the SIEM to perform correlation across countless vectors. It’s about developing a true platform, “shifting left” within this approach. This platform should have protection capabilities that are natively integrated, working together by design rather than patched together after the fact. Let’s use basketball as an example (I always do): putting Luka Doncic and LeBron James on the same team sounds great, in theory. They’re both superstars, but they need the ball in similar ways and overlap in roles. As a result, the whole can end up being less than the sum of the parts. Now, let’s talk about Steph Curry and Draymond Green. On paper, they may not look as dominant, but together, they complement each other perfectly. They use the ball in different ways, cover each other’s weaknesses, and amplify their strengths. That’s the difference between a “collection of talent” (stitched-up best-of-breed) and a cohesive team, a WAPP unified platform.

How We FUS (Futurize, Unite, Simplify)

What if I told you the future solution is here today? We’re building the future now. ThreatX by A10 Networks unites protection across API, web, bot, and DDoS into a unified platform, making it a web application protection platform. Here’s how:

  • Futurize: ThreatX leverages advanced AI, behavioral learning, and risk-based profiling to stay ahead of attackers. For example, if attacker B1A5 executes a suspicious API request, ThreatX adjusts its risk score dynamically. If B1A5 later attempts bot-like behavior, the decision engine takes that prior context into account, continually refining its understanding and defenses, and acts accordingly.
  • Unite: Instead of siloed defenses, ThreatX correlates activity across attack vectors and uses the information cohesively to adjust detection and mitigation strategies. By implementing entity-based and transaction-based tracking, a holistic picture of attackers and attacks is created.
  • Simplify: Deployment takes only minutes to hours, rather than weeks to months. Instead of buying a WAF, then tacking on API protection, and then layering on bot and DDoS defense, ThreatX delivers protection in a unified platform. To complement the AI-enhanced machinery, ThreatX also includes a managed SOC, adding the crucial human element, since some things can’t be replaced by AI alone.

WAPP: A Unified Platform

The world doesn’t need more siloed tools. It needs a web application protection platform like ThreatX by A10 Networks. ThreatX isn’t just about replacing outdated, static defenses — it’s about changing the way we think about application protection altogether. We’re not the “dream team” of disconnected stars. We’re the 2017-2018 Golden State Warriors: a system where every component works together, making the whole greater than the sum of its parts. Now that is a truly unified platform, and something worth making a FUS out of.