WAF 101 Flashcards

1
Q

What benefits does WAF provide?

A

Web app security using layered rulesets enhanced with AI (machine-learning)

Analytics into new attacks (gain visibility into attacks, detect trends)

Protect against zero-day vulnerabilities using managed rulesets.

Defense against known attack types

Block credential stuffing and account takeover

Prevent data exfiltration

Advanced rate limiting (stops abusive traffic that can crash applications or APIs)

2
Q

What is another word for “attacks”

A

Exploits

3
Q

Some types of cyberattacks that WAF can protect from:

A

Cross-site scripting (XSS)
SQL Injection
Denial of service attacks (Rate Limiting) / (Layer 7)
Web scraping (Rate Limiting) / (Layer 7)
Brute Force (Rate Limiting) / (Layer 7)

4
Q

How WAF works

A

The Cloudflare WAF inspects all traffic incoming to an application or website and blocks undesirable traffic based on rulesets.

5
Q

What are basic concerns for customers needing WAF?

A

Businesses are concerned about the next unknown type of attack
Securing a multi-cloud environment
Reduce burden on IT teams

6
Q

Why is securing a multi-cloud environment a concern for customers looking for a WAF vendor?

A

WAF apps cannot protect multiple apps in different environments AND a cloud provider cannot protect apps that exist outside of their cloud.

7
Q

Explain the 3 main steps an internet request goes through in the WAF before entering the customer’s network.

A

1) Traffic goes through Layer 7 DDoS protection.
2) Traffic is scanned for known threats and for possible new threats identified (through AI) across the entire Cloudflare network. New threats are given attack scores that can be applied in “rules”. CF engineers are continually looking for and testing new exploits and update the ruleset for the entire network daily.
3) Traffic is scanned to apply the customer’s custom rules (including Rate Limiting).

If the customer has the Advanced Bundle:
4) Exposed credential checks
5) Sensitive data prevention

8
Q

WAF Pitches

A

“Cloudflare has built a fully integrated application security portfolio for a strong application security posture that protects applications from attacks and exploits, keeps APIs secure, stops bots, and mitigates risk from 3rd party dependencies in browsers.”

OR

“Comprehensive and effective application security requires a portfolio of capabilities that work together to provide layered security, including WAF, DDoS, bot management, and API security. Our integrated analytics and unified dashboard make us well-positioned to earn expanded app security business.”

9
Q

How is CF WAF appealing to customers with little budget?

A

WAF Managed Rules are very appealing to customers with limited IT budgets, as they require very little configuration on the customer’s end.

10
Q

Value Prop for Industry Trend:

Every year, the number of new vulnerabilities being discovered and disclosed increases dramatically, and this upward trend shows no signs of slowing down.

A

Value Prop: WAF rules continuously updated by our security teams for protection before patches or updates are available.

WAF machine learning models help identify and block attackers that try to evade our WAF rules in order to exploit vulnerabilities.

11
Q

Value Prop for Industry Trend:

IT Teams have massive overhead

A

WAF Managed Rules are very appealing to customers with limited IT budgets, as they require very little configuration on the customer’s end.

12
Q

Value Prop for Industry Trend:

APIs are the fastest growing data type, growing more than twice as fast as web traffic.

A

API Gateway is our primary API security product, but Advanced Rate Limiting also focuses on API-centric use cases.

Advanced Rate Limiting can throttle an unexpected and unexplained surge in API traffic from a trusted source, as well as other abuse targeting APIs and applications.

Gartner recognized Cloudflare as a Leader in the 2022 Gartner Magic Quadrant for Web Application and API Protection (WAAP) report.

13
Q

Value Prop for Industry Trend:

Credential Stuffing

A

WAF monitors and blocks use of stolen/exposed credentials for account takeover.

14
Q

What is WAF?

A

A Web Application Firewall (WAF) is a key defense used to protect internet apps. A WAF blocks malicious and undesirable traffic to an application or website.

Applications contain vulnerabilities; attacks that take advantage of these vulnerabilities are called “exploits.”

15
Q

What is Layer 7 of the OSI Model?

A

“Layer 7” refers to the Application Layer of the OSI model.

16
Q

What is Rate Limiting?

A

Its main function is to spot surges of abusive traffic, above and beyond what is normal, and block that traffic for a period of time to prevent web apps or APIs from being overwhelmed.

It does so by protecting website URLs and API endpoints from requests that exceed defined thresholds. Website and API visitors hitting defined request thresholds can trigger custom responses, such as mitigating actions (challenges or CAPTCHAs), response codes (Error 401 - Unauthorized), timeouts, and blocking.

Examples of such abusive traffic are DDoS attacks, web scraping, and brute force attacks.

17
Q

Is Advanced Rate Limiting integrated with WAF?

A

Yes

18
Q

6 WAF Use Cases (AKA reasons people need WAF)

A

Protect against zero-day vulnerabilities

Stop known attacks

Prevent data exfiltration

Fight state-sponsored threats

Block credential stuffing and account takeover

Gain unparalleled visibility into attacks

19
Q

How does WAF protect against Zero Day vulnerabilities?

A

CF engineers are continually identifying new threats and updating rulesets.

WAF machine learning identifies new threats without a specific rule in place, protecting against potential threats not yet identified.

Also via the custom rulesets customers can create.

20
Q

What types of attacks does Advanced Rate Limiting protect against? (There are 4 listed on the other side)

A

DDoS Attacks

Brute-force login attempts

Web scraping

Any type of abuse targeting APIs and applications, e.g. API traffic surges

21
Q

What is WAF Machine Learning?

A

Machine learning identifies evasions targeting zero-day vulnerabilities even without a specific rule in place. Every request is given an attack score that can be used in rules to block, log, or challenge requests.

Machine learning runs on all of our customers’ traffic to their apps, providing improved detection of attacks and identification of new evasion techniques before a human researcher can. This works together with WAF managed rulesets.

22
Q

How is Magic Firewall different from standard WAF?

A

Magic Firewall protects at the network level of the OSI model (Layer 3).

Magic Firewall is focused on filtering traffic coming into our customers’ networks, while WAF filters traffic incoming to our customers’ web applications.

23
Q

What is the formula for creating a tailored sense of urgency?

A

Market level urgency + account level urgency =

Opportunity

24
Q

What two factors make up account level urgency?

A

Business driver (business strategic goal)

AND

Urgency trigger (Impetus for adopting new product)

25
Q

Name 5 examples of Security & IT Triggers

A

New leadership (CIO, CISO, etc.)

Major initiative / investment (e.g. cloud migration, OWASP Top 10 project, bring-your-own-device policy)

Web attack, such as credential stuffing or data breach

Attack on competitor or other organization in industry

Security / IT audit identifies gaps

26
Q

Name 5 examples of Business Urgency Triggers

A

Surge in popularity of the business / a web property

Improve security posture to deal with rising corporate insurance premiums

Budget reduction / efficiency increase initiatives

New regulation or compliance frameworks

Disruptions in supply chain (such as hardware and appliance availability)

27
Q

Who are Target Buyers?

A

Economic Buyer

Champion

Practitioner

28
Q

Examples of Economic Buyer & what they do

A

C-Level (CEO, CIO, CFO, CTO, CISO)

Contact who provides final sign off in the buying process

29
Q

Economic Buyer: What keeps them up at night?

A

Worries about spending money with the wrong AppSec vendor

Concerns that a vendor ultimately might not make their company successful

30
Q

Economic Buyer: What do they need?

A

Convincing them they are getting security that will let their company grow/succeed

Getting sufficient value (ROI)

They’ll want a green light from practitioners

31
Q

Examples of Champion & what they do

A

Example titles:
VP InfoSec / CISO
Security directors
IT security managers

Security/IT contact who pushes for Cloudflare internally

Their teams are charged with solving the security issues we can quickly help address

32
Q

Champion: What keeps them up at night?

A

Going to bat for the wrong vendor/solution

Losing face in their organization

33
Q

Champion: What they need?

A

Reassurance they are making the right choice (analyst reports, data from a POC, etc.)

Support in displacing competition internally

Great post-sales success to ensure quick wins

34
Q

Examples of Practitioner & what they do

A

Example titles:
IT security manager
AppSec / App manager
IT / infrastructure manager
Core role in buying process

Security contact who will evaluate/POC our products

Will verify our solutions are sufficiently secure and usable for the company

35
Q

What keeps Champions up all night?

A

Attacks derailing the business that go unmitigated

Burnout/fatigue from too many products to manage

36
Q

What do Champions need?

A

A strong demo/POC that meets their particular demands and maps to their challenges

To see strong product reviews from peers in the space.

37
Q

Why do eCommerce sites need WAF?

A

Need to better fight off bots targeting sites and content (especially inventory hoarding, credential stuffing/account takeover, and web scraping attacks)

Protect web visitors from client-side attacks

Protect against a data breach and comply with privacy regulations by securing sensitive customer data (including PII such as financial data)

38
Q

Why do Banks & Financial Services need WAF?

A

Online banking portals are under constant bot attacks trying to get into user accounts

Rise of open banking and open finance startups creates pressure to evolve to compete or be left behind – APIs are more crucial than ever

Keeping pace with constantly evolving data privacy/security regulations affecting industry (PCI v4, GLBA, FCRA, and more)

39
Q

Why do Gaming sites need WAF?

A

Demand for high performance and low latency

Game servers that are deployed across public, private, and hybrid cloud multi-cloud environments

Need for interoperability, flexibility, and scalability in architecture as business needs dictate

Lax authentication measures that make gaming an easier target than many other industries

40
Q

Why does Healthcare need WAF?

A

Acceleration of digital transformation (many healthcare organizations are trying to replace outdated IT)

Telehealth, data-driven personalized medicine, cloud migration, modern R&D using advanced analytics and AI, remote clinical trials, intelligent supply chains

Rising volume and sophistication of cyberattacks, especially by foreign state-sponsored actors

Increasing privacy concerns and regulatory requirements, including HIPAA

41
Q

Why do Media sites need WAF?

A

Increased number of average touchpoints with a consumer, including streaming platforms, apps, and more

Need for fast, reliable, immersive, and personalized experiences – latency issues such as those caused by volumetric attacks will mean a customer just moves on to the next platform

Varied sources of media content result in complex supply chains