Interview with Shay Rapaport, Co-founder of Fireblade

Fireblade, an innovation-driven cloud security startup, has come a long way over the last twelve months. They offer a next-generation behavioral WAF, DDoS mitigation, and protection against bots and scrapers. Fireblade is not a CDN selling directly to end users; it works with CDNs, ISPs and service providers that are interested in licensing its technology or white-labeling it. Recently, Fireblade reached a major milestone with a partnership win with CDNetworks, one of the largest CDNs in the world. The partnership validates the Fireblade security stack and speaks volumes about Fireblade’s ingenuity in mitigating attacks. A big thanks to Shay Rapaport for the interview and wisdom.

The cloud website security space is heating up, new vendors appear more and more often and the veteran ones are becoming huge players. What sets Fireblade apart from the rest?

There are many things we do differently, and arguably better than most others, but if I have to pick two, these would be the behavioral, centralistic approach to web application security and the flexibility to work with channel partners. With the behavioral security, we can identify and block attacks without necessarily knowing the attack vector and vulnerability, only because the user is acting “strange”.

We blocked a few hundred Shellshock attacks weeks before the attack was published and patches had been updated on web application firewalls. We were not even aware of that until the attack got its publicity and we checked back in our logs to see if such signatures were blocked. Regarding our options for partners, what makes us unique is that we are absolutely software focused and not an infrastructure player.

We’ve developed our product in such a way that the main wisdom of it and all of its management layers are centralized in a cloud center. The proxies themselves, or Service Nodes, as we refer to them, are rather thin and simplistic and can be deployed nearly anywhere in any format. Distributed clouds, a single datacenter, multi-tenant or single tenant, white labelled or not, with different feature sets and plans, all with complete visibility and control for each of our partners.

Compare, for example, two such partners we have. One is a huge CDN and the other is a DDoS scrubbing center. The CDN needed our software to be deployed in many data centers, with multi-tenant instances serving their customers in conjunction across PoPs and a centralistic layer of management, configuration and decision making.

Now, the scrubbing center wished to install in a single data-center, but to have a different IP space and different infrastructure per each customer. Each wanted their own feature sets and complete white-labeling. Both got it all out of the box. I don’t know any other vendor that could do that.

The Fireblade WAF is a behavioral based WAF, but what does that exactly mean, because most security products on the market today say they are behavioral based, machine learning, and self learning?

Web Application Firewalls were originally invented as layer 7 signature inspection appliances, pretty much like old anti-virus software. This approach makes them difficult to manage, prone to false positives and ineffective against new (“zero day”) attacks.

Our core assumption is that legitimate users and attackers have very different behaviors. So, while Fireblade uses and updates a list of signatures, its main security engine calculates and predicts users’ risks by looking at their whole sessions, their interactions with the website, their histories and so on. If they do things that look very different from normal users or if they have a known history of violations, they are more likely to be sanctioned or blocked.

This approach covers many attacks without necessarily predicting their exact signatures, and at the same time avoids the high rate of false positives that many consider as the number one problem with today’s WAFs.

Is your WAF built in-house completely or is some of it based on ModSecurity?

We are not using ModSecurity at all. We have a lot of respect for this veteran open-source solution but we preferred to take our own approach and do things differently. Also, at the time we began developing our proxy software, ModSecurity was still not available for NGiNX, on which our proxies are based.

If it's a custom WAF, why is it better than ModSecurity?

First of all, I believe ModSecurity still has a lot to improve to be well adapted to NGiNX and the way this server works. Regardless of that, ModSecurity’s open-source rule-set yields way too many false positives and that’s a price most websites will not pay for better security. The bottom line is that you can get relatively good results with ModSecurity, but you’ll have to know how to program and configure it and to some extent you need to be a geek.

Even then, I think we will produce better results, especially against complex or distributed attacks and with fewer false positives, and it will all be automated. I think this makes us valuable to website owners and surely much more appealing to channel partners who prefer to sell a product rather than operate a machine.

Is Fireblade a CDN that provides DDoS Mitigation and WAF?

Fireblade is not an infrastructure player at all. We focus on the software side of things; the security, the user-interface, the management layers, the agility of the product and the wisdom of our centralized cloud. We sell that to partners that have an infrastructure and within weeks they become competitive players in the space of web application security.

With CDNetworks we have an agreement that allows us to sell our services bundled to their CDN platform. This means that we can actually sell security over a global, first tier CDN with more than 130 PoPs, including DDoS mitigation capabilities. It is more than the vast majority of our competition can offer. And yet, we do not have our own infrastructure.

Do you sell direct to end users or do you work strictly through the Channel?

Currently we focus our efforts on channels, especially large vendors that wish to license our software. These can be security vendors, players in the hosting space and its ecosystem, such as DNS and SSL providers and other companies that have commercial relationships with many websites.

Why did CDNetworks select the Fireblade WAF and what does this partnership signify?

You will have to ask them, but I think mostly they liked our approach to security, our very cool user interface and finally the way the solution could be easily adapted to address all their needs, both as a CDN and as a partner. With many other web application security solutions out there, my guess is that any company, them included, would have to spend too much time and resources to integrate the solution, to orchestrate the provisioning to customers and to create the management layers that are required for such an operation. I assume that the fact we had all of these played a part in the decision. And you know what, we are also nice guys.
