Hi everyone, my name is Osman Çelik. I'm a Research Analyst at KuppingerCole for around like two years already and This is gonna be a webinar around WAF solutions in the current market landscape For some of you maybe you have noticed that we released a leadership compass around web application firewalls one and a half months ago I worked around this report for around half a year. Maybe a bit less than that.
Maybe I was working since November and then we brought a couple of vendors together and as usual we evaluated them and then we also tried to see where the market is aside from the vendors and In this webinar, I will try to share our insights with you guys About the market about where the vendors are and where the market is heading to and I will also provide a couple of recommendations for those who are interested Couple of housekeeping rules you don't need to control your audio the slides and the recording will be shared with you in a couple of days and We will have a Q&A session at the end of the webinar.
Speaking of the Q&A I'm thinking of having five minutes around that for the Q&A and In total we are gonna share 30 minutes together. So 25 to 5 minutes you can Think of that kind of split So let's talk about the agenda of today a bit First of all, we're gonna start with the overview of the valve markets and How is it?
What is changing in the market and what are the drivers of these changes and Most importantly how this market is actually transitioning to something new something In this market called Bob web application and API protection solutions Some vendors used to call it start calling it next-gen WAF, but we will see Later on we are gonna talk about what are the basic and advanced capabilities for WAF solutions and Then we are gonna see the vendors we have evaluated in this research and I will share with you guys. What are the common challenges I found out about them?
Just please note that none of those challenges are associated with one specific vendor But these are the challenges that I figured out that This is This is a certain solution.
And so this is a certain challenge that the most of the vendor should overcome So it is more like a general approach rather than specific one and then later on I will provide you some recommendation and strategies for your future investments how to become future proof as you say and In the last section we are gonna share with you guys how our leadership compass methodology is how do we contact research and I will also give you a couple of some glimpse of our Leadership compass in this webinar in our presentation.
So let's start with some market highlights Yeah recently we've seen that the attack types are like changing and then they are The length cyber security landscape is actually constantly changing duty most of the time AI recently but if we think about For example, Oh us top 10 vulnerabilities and threats. They are being constantly updated and When you think of for example incidents like look for J.
They're at our door all the time and The valve solutions are around or more than a decade right and So what you have to do is you have to actually also constantly change your valve solution as well So it is a maturing market and You can see this is our research by the way that we are expecting about market to reach around 10 billion US dollar by 2026 so It is growing slightly and We are expecting to see some advanced features in this market Advanced web capabilities, let's say and some of the vendors are already fulfilling those needs but still when we think about the generative AI and the use of the cyber criminals Virtualizing machine learning and then they are attacking our systems We need to still think about some new technologies to implement in our web solutions and well web application API protection solutions are this is the reason why they are next-generation WAF as We as we understood while doing the research because In the traditional WAF, we didn't really care about the API security.
But now We see that most vendors are actually Labeling themselves as a valve solution not as a WAF anymore Then let's ask this question to ourselves then what is WAF I'm sure that some of you already know it But for those who doesn't know it It is basically The next generation of right. Sorry one second. I Have a problem with my mouse wheel today, please bear with me So what is the future and why is it future because API is almost everywhere now?
and it is integrated to our All of our IT environment and it's also critical to our web infrastructure as well and not only protecting it but also discovering it is also really crucial and more important than ever and Bob is the one solution that is addressing this challenges together with other API security tools, but if you still need a web application firewall, so what is the Solution that you're looking for and one of the advantages of why a WAP is excelling is because WAP solutions are utilizing ML mechanisms and they for better protection or for better Detection of API threats and at the same time Securing APIs are also mandated by the regulatory compliances.
So this is also another reason you should consider them for future and As I already said most vendors are already offering API detection and protection along with their basic WAP capabilities And speaking of basic WAP, let's talk about what are them a bit So when I was doing this research I Was updating our previous report from 2022. One of my colleagues prepared it in the late 2022 if I'm not wrong.
Yes, and I was trying to see you know, what has changed in the market and it was surprising for me to see that some of the capabilities he labeled as advanced WAP has become a market standard at the moment and Now we can see the list of the core WAP capabilities we think that every vendor must have But that doesn't guarantee like this list doesn't guarantee that every vendor we I have analyzed provide this but this is what we think that every WAP solution solution should bring to the table at least So what are they?
Of course web application protection against known attacks like OWASP top 10 or sans25 Or DDoS protection for all these three layers three four and seven not only the Like I mean for both network and application layers advanced bot management CDN and web app acceleration and Really important integration to some certain solutions And this is why I highlighted this tree here because there are still some solutions lacking this feature They don't have any integration to thread intelligence in 2024 you have to be proactive and you need thread hunting some people working for you or you get those Intelligence from true third-party feeds.
So you have to integrate to them see him and ticketing for incident response and also for Responding to that text Also reporting yeah, you have you might understand everything going on but Your executive manager won't understand it So you need to also have some custom options custom reporting options so that everyone aligns every stakeholder alliance in your organization and very importantly You need to have a support After sale right and then you also need to have in this in this case I might I don't have to say that you need to have a community support But you need to have at least some knowledge center providing your documentations Possibly your trainings, but also support team Taking care of your Problems whenever you are in need All right, and let's a bit let's talk about a bit advanced backup capabilities, right?
Yeah, and then what to expect from them Yeah, I'm again gonna go back to the AI, you know, it's a buzzword anyway So everyone so but it is real.
It is also real that so so many Vaft solutions are now utilizing utilizing machine learning for detection and protection both for Both detection and all support threat hunting API discovery and protection as I said is becoming part of the Bob so you have to have it and You also ought to automate your bot management and Utilize ML if necessary Yeah, I've also seen a couple of solutions offering vulnerability detection and remediation and they're also integrating with vulnerability scanner tools this is really cool picture that I've seen some vendors are doing on top of that in terms of Identity and access management.
There are some solutions offering attack attack account takeover protection and fraud detection and in terms of Data protection. I have seen some solutions doing data masking DLP and Sometimes these are being mandated by the Regulations, right?
So you have to actually think about solution providing all of these Anyway, even if you don't need laughs, I mean who doesn't need but if you already have a bath solution not offering this But then you should maybe think about already Acquiring some advanced capabilities either through the integrations or choosing an app more advanced solution All right, so as I said, I was going through the the challenges of each vendor I have Analyzed, so I would like to highlight a couple of them here today with you so What are the main challenges I've noticed in this market in?
2024 Well, some of them are not New to us, but they are still around like for example I really I still see that some vendors are Having integration issues with third-party tools simply because they do not offer offer They do not provide you the the API protocol you need they do not have enough out-of-the-box integration solutions That will solve all your end your security problems and to end but here this challenge is around and I was going through you know, some And user websites to see you know, what are the main challenges people are And users are complaining about is that they find those both challenging Mechanisms are very boring and time-consuming There are a couple of solutions in the market that are bringing some innovative techniques mechanisms to that You will find it in our report which vendors they are and Proactive solutions are underutilized for signature creation.
This is something I noticed and I think That I can be on a judge on this.
I've worked on attack surface management the solutions last year So I know the importance of proactive solutions in the market attack surfaces surface management is just one of them but some solutions only a few are utilizing this Threat Intel if Threat Intel to trade signatures and I still think that there's a room for improvement here And yeah, they also they fail to leverage threat intelligence Some some solutions are still cloud provider dependent for example for DDoS mitigation For some some solutions are dependent for the for their cloud provider for their POP yeah, this this is still a challenge for most vendors and Yeah support for compliances has been always there right and it will be always there in the future and I see that so many vendors are lacking support for the regulatory compliance in different regions of the world and Yeah, they should they should take take this matter more seriously and Yeah for most of the solutions.
It's it's not something you need to have but market presence is concentrated in two regions Europe and North America well, but I can say that for example recently I'm working on NDR and then I even see like I even so when there's focusing on West and East Africa that was really unique for me. So it will be interesting to also see it in this market All right Now that we discussed about the challenges, so let's do some checklist For the future.
Yeah, what should you expect from an advanced WAF solution? Let's say in the upcoming years or if you are planning to acquire one What you should be aware of yeah in your organization is a dynamic one, right?
Probably and then you need to have a scalable and flexible deployment option Depending on how many users you have how much business resources you have and you need how much you need you need to spend and You need to you need to have something that is utilizing AI and machine learning for all support you know saving up from the business resources not only for the technological technological Advancements but also for the business resources and time management, right?
We have lots of AI Powered attacks going on so you need to have something protecting against sophisticated attacks as As I have already mentioned and highlighted a WAP is the new direction for the most vendors and to be honest If I am to write this report in a couple of years this report will probably no longer be named LC WAF, but it will be LC WAF instead Because this is where the market is going for you guys who are still using Traditional WAF solutions be aware Yeah, your solution need to support a wide range of API protocols because we have lots of solutions from different vendors So they have to integrate at some point if they are not orchestrating.
Well, then you are in great danger, man And If you're if your organization needs some custom security policies You should also talk to your vendor about that if they can provide it or not in some cases vendors Provide an outline For your security policies and they create their WAF around it Yeah, very few but if you research it, you're gonna find some solutions providing tailored Solutions for your needs and then very last but not least Compliance support it is gonna be around and I think it's gonna be even more Strict in the upcoming years and there will be even new regulations coming after the generative AI's widespread use so it will be everywhere and I think that even some WAF solutions will implement the Generative AI in their solution.
So you have to comply to even more regulations All right So We have five more minutes and I would like to share with you guys. How do we do the leadership compass research and Our methodology in a nutshell. I'm not gonna bore you with that. But at the end you're gonna see your results. So I'm sure you are interested in that more than everything So, let me quickly tell you guys how do we do this Leadership compasses.
So we research right we start with the research and then we identify vendors we create a list of them and then we get into touch with them and then they give their confirmation to their participation to our Leadership compass sometimes.
I'm just making up this numbers, by the way we have We are contacting to 40 vendors and only 15 of them gives their Consent to participation and then What happens next is that after they give their consent we send them a questionnaire These questionnaires consists of some standard and technical questions in this in the in the WAF's case There were all like 500 to 600 questions.
I know that some of you are afraid Afraid to answer those questionnaires when when you see it, but it is really the The point where we can actually get this the little detail and then make one vendor Getting this score that they rightfully deserved and then we start writing the papers based on the questionnaire and the briefings we have them we have one hour of briefings with them and Which constitutes some presentation and some demonstration of their platform if they have and then we After we are done with the writing period we send them those Sections that are relevant to them and then they checked and then they give us feedback Sometimes when we are lucky they said you did an amazing job We don't want to change anything and sometimes they complain it happens and we are also making mistakes and sometimes we are using outdated information or if there is a let's say Challenge they actually patch it or they overcome it in couple of months in this time period that I am writing the period the leadership compass and Then I get the feedback if they have any and then I update the report and then finally if you publish it So it is actually like four to six months of Process and It takes a lot of communication between us my colleagues and the vendors we are working with So I'm gonna show you a couple of when I'm gonna show you the Evaluation of vendors that are participated.
Let's start with the participated vendors as I said, this is this is gonna be just a slide around who participated Amazon Web Services cloudflare f5 Fortunet's Fortra in perwa rock face Curator laps right there replace you Bika and wall arm those 12 vendors Participated gave their consent to our Leadership compass And what happens When a vendor participates, right?
Only if my mouse works, I'm sorry So Regardless of the solution in every LC we have nine Dimensions These are security functionality integration Interoperability usability These are more in the technical side and for more innovation market ecosystem and financial strength Do you remember I told you that we have two sections in the questionnaire one has standard questions and One has technical questions.
It is not exactly like a split but standard questions are mostly Evaluating what you see these dimensions innovation market ecosystem and financial strength and the technical questions are Most of the time shaping what you see here security functionality how they integrate with other solutions. How are they deployed? How what is the user experience etc their dashboards? So out of these nine dimensions We create this spider charts. I know it might sound a bit complicated, but this is Actually a WAF vendor. This is one of their scores.
I'm not going to share the Vendors name but out of these nine dimensions. I create eight critical Evaluation criteria for this market DDoS protection WAF basics WAF intelligence both management API protection web performance enhancements centralized management and reporting Admin and DevOps support.
So those nine dimensions affect this eight Criteria and at the end we get this spider charts out of those 600 questions that I was talking about And as I said, this is actually a one of the vendors I'm not gonna share its name but this is an example And Also out of these nine dimensions and this questionnaire. We also create Leadership matrixes which I'm gonna share only one of them with you.
So we have four different leadership Matrixes the product leadership is the functionality and completeness of product vision the second one is about market leadership and where their customers are if their ecosystem is strong enough innovation is as the name states how innovative they are and overall leadership is the combined view of those three and Yeah, I'm going to share with you guys the overall leadership of this market So as you see we have three categories leaders challengers and followers Starting from the the leaders f5 and impera is the leading one Radware AWS cloudflare propays unfortunate is following them in the leader Category and in the second category in the challenger category.
We have wall arm Fortra Reblaze curator labs and ubica as I said, this is just the overall leadership matrix we have Sorry, we have Three more Leadership matrixes and I'm not going to share them with you guys, but if you're interested you can go to our website and check my Leadership compass around web application firewalls. So you're gonna have access to all the spider charts and Also to all the matrixes.
This is the only Matrix, I'm sharing with you guys as I said oral leadership So I am two minutes ahead of my time plan so I'm expecting to receive some questions Hopefully so in this Three minutes, I'm gonna try to answer them.
Let's see the most watered ones Okay, the first one how can organization ensure seamless integration of cloud solutions with their existing security infrastructure well Integration is done through Several methods right and you like from my Understanding that many vendors are lacking the necessary API protocols support for them and I think that also it is also up to the vendors. There's torque third-party vendors Infrastructure, but if you have some Soft solutions.
I think that's gonna be much easier And then your web should integrate with them and I think if the WAF solution provider here WAF vendor can solve it Then the rest is just up to the API protocols They need to support some some sort of new API protocols around like for example webhooks many vendors Forget supporting such protocols You Okay, that's a another question Being Of Alan Rogers asked like what is the market read? What is the market's reason for geographic coverage being restricted?
Well, this is not this is not something specific to above solution, it's just that I think that Regulate regulated regions markets are more prone to use Publication firewalls for example, there were some Vendors, but they are small enough and they only operate operate in some certain regions of the world I think that like for example, we have seen many vendors from India, but they were not qualified enough to be Examined in our paper, but I'm sure they have some presence in India same for countries Same goes for countries like Russia and China They actually I'm sure they have their solutions.
But after the Russia Ukraine war we have seen some Russian vendors actually Investing in the Eastern Europe.
That's what I noticed when I was doing my research so we don't really have that much information, but the vendors are mostly from Middle East Europe and North Africa North America, sorry, and the market's presence is strong in these three regions mostly Last question should be around how modern how the modern web solutions address these evolving security threats as I said, you know From my point of view the the most emerging threats are coming from AI and Web solutions are utilizing Machine learning algorithms.
They have different machine learning unsupervised supervised algorithms to detect bot attacks, for example, or they use machine learning for Like for for the for the scanning of the deep deep path and the Data shared there. So the threat intelligence is also stepping up.
They go one They go they they also do some in that market also, there are some technological enhancements, so you just need to Make sure that your threat Intel is catching up with your Existing environment and your existing IT solutions All right, let's see I think that that should be it for we are yeah, it's been 31 minute and Let me just take a look if there is an interesting question Yeah, I think that should be it from my side If you are interested, please read the full report at leadership compass Vav and if you have any questions, please contact me here.
You can see my email and Thank you very much guys have a good day
