“Hey Kristine, our WAF says that we are under DDoS attack. Fortunately, it has blocked all the incoming traffic from Randomland,” Ralph said, smirking.

“Jesus. That’s our Big Sale Day in Randomland and your WAF just ruined it, again,” she shouted.

This Randomland scenario is one of the many unfortunate everyday stories told in companies all across the globe. According to the Ponemon Institute, companies lose over $1.3 million to false positives every year, and spend over 20,000 hours of dedicated manpower dealing with them.

While there is no doubt that digitalization, in every possible way, is the only way towards growth in the near future, the question here is whether we are really prepared with our security logic. Over 15 years have passed since the first specialized application firewall, AppShield, was launched, but a large number of security service providers have still failed to solve the false positive paradox. To date, false positives remain the most notorious loophole in their application shielding mechanism.

What is a False Positive?

It’s simply a false alarm caused by a flaw in logic. Think of a watchman whose job is to keep suspicious individuals out of your property, but who instead denies access to your family members due to some misplaced understanding of what you told him. Wouldn’t that frustrate you to the point of firing that watchman? That’s exactly what you should do with a WAF that keeps raising false alarms.

If you dig into the technical aspect of the problem, a WAF, or Web Application Firewall, follows a set of rules to distinguish threats from genuine interaction with the server. It basically shields your application from anything malicious. Often, due to flawed logic or generically written signatures, the WAF fails to perform as it should and blocks genuine interactions with the server.

It is no surprise that the repercussions of such false positives are many. The cost of fixing the issue is high, but it is nothing compared to the customers and leads lost in the process.

Why is false positive bad for your business?

Today, counter-threat mechanisms such as web application firewalls are not just one more piece of security paraphernalia; they are the foundation around which every online business needs to build its security. A powerful web application firewall has to be there.

Although most businesses understand this need, unfortunately they also accept false positives as a recurring part of the whole scenario. Here’s why it shouldn’t be that way.

  • Frequent false positive instances lead to loss of valuable traffic, and hence of customers and leads. For ecommerce websites the damage goes further than that, affecting Customer Lifetime Value, Brand Reputation, and Conversion Optimization Results.
  • With in-house WAF deployment, the cost of rectifying flawed logic is often high.
  • Locating and understanding the causes and ramifications of false positives consumes manpower hours that cannot easily be quantified.
  • False positive risks are gradually shifting to heuristic technologies, posing paradoxical challenges.
  • Too many false positives also make the data so misleading and cumbersome that figuring out real incidents and deriving conclusions from them becomes an impossible task.

How to check for false positives? Is it really possible?

False positives are generated by the majority of WAFs as a byproduct of generic core rule sets. This ends up being the old “80/20 rule” of security, where you instantly get coverage for about 80% of the problem. The issue then moves to the remaining 20%. This is where most WAFs run into both false positives and false negatives, as there is no way to know exactly what web application is going to run behind them. False positive issues begin at the root level of WAF deployment and often become just too complex to control. One rule is written to counter another, and before you know it there is a huge mess.
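To make the “generic rule set” problem concrete, here is an added example (not code from the original post, and not IndusGuard’s or any vendor’s rule logic). It runs a handful of constructed requests through two toy WAF policies: a generic signature rule that blocks on any SQL keyword, quote or comment marker, and a tuned policy that scores several weaker signals, skips rules on a known free-text field, and only blocks above a threshold. The request shapes, rule weights, threshold and exclusion list are all assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    path: str
    param: str
    value: str
    malicious: bool  # ground-truth label, used only to score the WAF, not by the WAF itself


# Constructed sample traffic: four legitimate requests from a shop and one obvious
# SQL injection probe. None of these are real captured requests.
SAMPLE_TRAFFIC = [
    Request("/search", "q", "union station parking", False),
    Request("/search", "q", "select comfort mattress", False),
    Request("/review", "text", "I'd buy it again -- best value for money", False),
    Request("/checkout", "coupon", "BIGSALE", False),
    Request("/search", "q", "' OR '1'='1", True),
]

# Policy 1: a generic signature set. Any hit anywhere in any parameter means "block".
# This is the kind of rule that ruins Big Sale Day in Randomland.
GENERIC_SIGNATURES = [
    re.compile(p, re.I) for p in (r"\bunion\b", r"\bselect\b", r"'", r"--")
]


def generic_waf(req: Request) -> bool:
    """Return True (block) if any generic signature matches the parameter value."""
    return any(sig.search(req.value) for sig in GENERIC_SIGNATURES)


# Policy 2: anomaly scoring. Each signal carries a weight; a lone keyword or quote
# is not enough to block, but a quote followed by a boolean tautology is.
SCORED_RULES = {
    "sql_keyword": (re.compile(r"\b(union|select)\b", re.I), 2),
    "quote_tautology": (re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I), 5),
    "sql_comment": (re.compile(r"--"), 2),
    "quote": (re.compile(r"'"), 1),
}
# Per-location exclusions: the review body is free text where apostrophes and
# double dashes are normal English, so those two rules are skipped there.
EXCLUSIONS = {("/review", "text"): {"quote", "sql_comment"}}
BLOCK_THRESHOLD = 5


def tuned_waf(req: Request) -> bool:
    """Return True (block) if the summed anomaly score reaches the threshold."""
    skipped = EXCLUSIONS.get((req.path, req.param), set())
    score = sum(
        weight
        for name, (pattern, weight) in SCORED_RULES.items()
        if name not in skipped and pattern.search(req.value)
    )
    return score >= BLOCK_THRESHOLD


def evaluate(waf, traffic) -> dict:
    """Count false positives (benign blocked) and false negatives (malicious passed)."""
    decisions = [(waf(r), r.malicious) for r in traffic]
    return {
        "false_positives": sum(1 for blocked, mal in decisions if blocked and not mal),
        "false_negatives": sum(1 for blocked, mal in decisions if not blocked and mal),
    }


if __name__ == "__main__":
    for name, policy in (("generic", generic_waf), ("tuned", tuned_waf)):
        print(name, evaluate(policy, SAMPLE_TRAFFIC))
```

The generic policy blocks three of the four legitimate requests (a search for “union station”, a product name containing “select”, and a review with an apostrophe and a double dash) while the tuned policy blocks none of them and still stops the probe. The point is not the specific regexes but the structure: weighting signals, scoring per request rather than per match, and excluding known free-text locations are what turn a generic core rule set into one that fits the application actually running behind it.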

How a WAF handles false positives has everything to do with its accuracy and its ability to accurately block your highest risks first. Going back to the security guard analogy, if there is a known threat from a person who should not be allowed to enter your premises, some sort of identification like a photograph will help the watchman perform better. Of course, there can then be more advanced options like identification information, biometrics, and DNA fingerprinting. Additionally, a WAF’s accuracy and efficiency have everything to do with its security effectiveness too. That’s precisely why we test, monitor and customize our WAF rule sets in great depth, keep IndusGuard WAF ahead of the curve, and promise zero false positives. Right from the earlier stages of development, we knew that relying just on automated and ‘generic’ systems was not going to be enough. We rely on a “24x7 assess and amend” approach as opposed to “rip and replace”. This tailor-made approach allows us to provide not just better, but smarter protection.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.