Today we announced CQ appFirewall, the second security module for our Application Security Platform that leverages CQAI, our patented AI-powered analytics engine, to prevent data loss and compromise brought on by vulnerabilities exposed in your web, mobile, API-based applications. CQ appFirewall is not a WAF in the traditional sense. Yes, it has the necessary features to address OWASP Top 10 and PCI DSS Section 6.6 requirements – those are table stakes features.
CQ appFirewall is founded upon our previous efforts to use intelligence and machine learning to help organizations stop automated business logic abuse – commonly known as malicious bot attacks – with CQ botDefense. Business logic abuse is a massive problem for many customers particularly those in financial services, retail, and social media. It’s made more difficult because the attacks appear to be legitimate login attempts, account registrations, or shopping purchases. This meant we needed to be able to distinguish between machine and human-generated transactions hitting ALL of your public facing web, mobile and API-based applications – not just web, or mobile – all three types. To accomplish this herculean effort, we approached the problem with three design principles in mind –
- Understand all of the transactions hitting your public facing applications WITHOUT requiring any application modification or SDK updates.
- Design the product with cloud-centric application development methodologies in mind to ensure that security can be “baked” into your iterative application development process.
- Utilize leading edge software components and technologies like Docker Containers, Kubernetes, and Kafka to create a modular architecture that scales as needed, and can be deployed quickly, in literally any environment.
The result of our design and development efforts is our Application Security Platform (ASP) which is founded upon CQAI, a patented machine-learning analytics engine that fully understands all of the transactions hitting your public facing applications. CQAI is deployed out of band and focused specifically on distinguishing between machine and human intent to uncover automated business logic abuse and prevent it through CQ botDefense, our initial security module. In some customer environments, we are analyzing billions of transactions per day, blocking as much as 90% of them due to their malicious nature.
Cequence ASP is typically deployed in front of all other application security elements, on the front lines so to speak. CQAI sees everything hitting your public apps – even before your WAF does. Without diminishing the effort required to create a WAF, extending ASP into application firewalling, for all types of applications was easier than solving the problem of business logic abuse.
API-based applications account for a large portion of today’s web traffic and it is expected to continue to grow as organizations build feature-rich applications to interact with customers and partners. Unlike traditional Web Application Firewalls (WAFs) that are focused on protecting web applications, CQ appFirewall is designed to protect all applications alike web, mobile or API-based. As the development teams roll our new applications or update existing ones, Cequence ASP automatically detects and analyzes them, ensuring security does not inject delay into the deployment. – CQ appFirewall and CQ botDefense are all managed via CQ Insight, providing you with a single pane of glass for all application security.
Most enterprises are on their journey to the cloud, but they are in different phases of their journey. Some have totally embraced it while others are still running a good portion of their applications in data centers. CQ appFirewall is designed with cloud-native architecture grounds up to protect applications wherever they reside – data center, private cloud, public cloud or even a container cloud like Kubernetes. This allows our customers to move application security with the applications, without worrying about where they are running, easing their journey to the cloud.
WAFs cannot understand the applications well for two primary reasons –
- WAFs are signature based
- WAFs are deployed inline, which means they are unable to learn the application behavior because of the latency/delay it will inject into the user experience.
And that’s one reason why WAFs struggle to effectively protect against Zero-Day exploits. As the number of signatures increase, so too does the latency, which negatively impacts customer experience. In contrast, CQAI applies machine learning to understand normal application and user behaviors, building a positive security model to prevent Zero-Day exploits – without the need to apply and manage signatures. CQAI is deployed out-of-band, allowing it to continuously learn and adapt to application changes without impacting latency or customer experience. CQAI engine then feeds these behavioral profiles to CQ appFirewall to defend against vulnerability exploits in real time. This application-centric approach provides scalpel-like precision to prevent attacks without impacting users. The CQAI intelligence-based approach also ensures that customers don’t need to worry about overloaded WAF signature sets. CQ Insight provides visibility and builds confidence in the effectiveness of CQ appFirewall, without the need for constantly keeping up with the changing applications.
As the newest ASP security module, CQ appFirewall takes full advantage of the ongoing customer feedback, threat research and feature enhancements we have made over the past three years in CQAI and CQ botDefense. With the two security modules deployed together, sharing signals with each other, customers will reap an opportunity to consolidate application security in a single pane of glass, effectively achieving a “1+1 = 3” effect.
Want to learn more about CQ appFirewall? Read the data sheet today.