Report: Massive Number of Internet-Exposed Assets Still Lack WAF Protection
An analysis of more than 500,000 internet-exposed assets belonging to Global 2000 companies published today by CyCognito, a provider of an exposure management platform, finds that more than half of cloud assets (52%) and nearly two-thirds of non-cloud assets (66%) lack web application firewall (WAF) protection.
More troubling still, 40% of the assets in cloud environments that collected personally identifiable information (PII) and 63% of the non-cloud assets collecting PII data had no WAF coverage.
Igal Zeifman, vice president of marketing for CyCognito, said that while most organizations at this point have licensed a WAF, WAFs are not being consistently used to protect applications exposed to the internet. In fact, the CyCognito analysis finds that, on average, large enterprises have deployed 12 different WAFs. The issue is that, given the sprawling mix of technologies managed by separate teams, there is a lot of inconsistency when it comes to deploying WAFs.
It’s not clear to what extent budget limitations might be constraining WAF deployments versus simply a general lack of visibility into which IT assets might have been made accessible from the internet over the years by different IT teams, noted Zeifman. In many instances, applications are still deployed without the cybersecurity team ever being notified, or they may have been added to the IT portfolio following a merger or acquisition. Some organizations may also be assuming that network firewalls are protecting their web applications to a greater degree than they actually do. Others may not have ready access to the skills and expertise required to deploy a WAF in the first place.
Regardless of the reason, it’s clear that a lot more assets are vulnerable to attack than most organizations fully appreciate, said Zeifman.
Unfortunately, it’s usually not until an organization is victimized or there is some leadership change that organizations become more proactive about ensuring WAFs are deployed, properly configured and maintained, he added.
The challenge, of course, is that even when cybersecurity teams become aware of assets that should be protected by a WAF, existing resources are not unlimited. Even as the overall size of the cybersecurity budget continues to increase, there are many competing priorities. The Futurum Group is projecting that the cybersecurity market will grow at a compound annual growth rate (CAGR) of 11.6% from 2024 to 2029 to reach $287.6 billion in revenue as investments are spread across multiple classes of technologies and solutions. Application security is forecasted to grow at a faster pace from $8.6 billion in 2024 to $16.68 billion by 2029, representing a 14.2% CAGR, but as a percentage of the overall cybersecurity budget, it remains comparatively small.
In the meantime, cybersecurity teams should assume that adversaries, if they are not already, will soon be making extensive use of artificial intelligence (AI) to discover poorly protected assets and create a means to exploit those weaknesses more easily than ever. As such, it’s not so much a question of whether assets that lack WAF protection will be attacked as it is how soon.

