Sergey Petrenko: ‘The security of the state’s critical infrastructure depends on the transition to Russian software’

A professor of Innopolis University about the case of import substitution in security solutions

Now import substitution in information security is one of the priority areas of the state politics — the security of Russia’s critical information infrastructure significantly depends on this, says Professor of Innopolis University Sergey Petrenko. Therefore the Development of the Industry and Enhancement of Its Competitiveness state programme that confirms import substitution plans for every type of the industry until 2024 has been implemented since 15 April 2014. In a column for Realnoe Vremya, the experts reflects on import substitution in security solutions putting web application firewalls (WAF) as an example.

The Ministry of Digital Development, Communications and Mass Media of Russia has kept the Unified Register of Russian Programmes for Electronic Computers and Databases, which was created according to Article 12.1 of Federal Law as of 27 July 2006 No. 149-FL On Information, Information Technologies and Protection of Information, since 2016. The main objective of the creation of his register is to expand the use of Russian programmes for electronic computers and databases, confirmation of their origin from the Russian Federation as well as providing their rights holders with state support measures. So the developers who registered their product in the register are exempt of 20% VAT, while when companies buy Russian software, the state compensates for 50% of financial expenses. As of late June 2022, more than 13,000 programmes from over 4,000 rights holders, including cybersecurity products, were registered in the given register.

Here it is necessary to note that the Federal Service of Technical and Export Control as well as the Russian Security Service regulate issues in technical information protection. For instance, the federal service determines information protection classes, develops recommendations and requirements for protection of data from unauthorised access and control of undocumented feature (implants), certifies security engineering tools in information systems. The Russian federal service also keeps a state register of certified information protection tools of the Russian Federal Service of Technical and Export Control No. ROSS RU.0001.01БИ00.

In 2022, the Russian State Duma has developed a package of bills to increase and reinforce import substitution, set up the Russian industry. Nowadays the following list of legislative acts on import substitution is relevant:

  • The establishment of the priority of Russian software included to the special register on state procurement. Federal Law No. 188-FL as of 29.06.2015.
  • The establishment of the priority of Russian commodities over imported ones when making purchases via a tender, auction or other ways. Decree No. 925 as of 16.09.2016.
  • The imposition of the ban on state procurement of foreign industrial products. Decree No. 616 as of 30.04.2020.
  • Obliging clients to buy Russian commodities in mandatory minimum amount. The amount depends on the type of the commodity. Decree No. 214 as of 03.12.2020.
  • Having a simplified scheme of state procurement of medical equipment — via an electronic request of rates. Decree of the Russian Government No. 297 as of 06.03.2022.
  • Making changes to some legislative acts envisaging support measures for Russian businesses and citizens. Federal Law No. 46-FL as of 08.03.2022. In particular the law introduced a moratorium on scheduled inspections of small and mid-sized businesses in 2022, on scheduled inspections of certified IT organisations until 2024, companies are given a chance to change terms of contracts and so on.
  • An increase of the share of public funding of grants on the creation of Russian analogues of components in different industrial sectors. Decree No. 522 as of 31.03.2022.

On 1 May 2022, there was issued a decree of the Russian president No. 250 On Additional Measures to Provide Information Security of the Russian Federation, according to which there is made a series of organisational and technical requirement such as the ban on state agencies, public companies and critical information infrastructure subjects from using information protection tools made in unfriendly countries or those controlled by them from 2025. The main risks include: the refusal of Western vendors from supporting information security products and providing cybersecurity services, partial or full disconnection of protection functions, annulations of licences and agreements, nonzero probability of using destructive implants or instrument bugs and so on.

In the current situation, IT or information security managers of Russian companies and organisations can be recommended to elaborate a strategy of switching to Russian, functionally mature cybersecurity solutions. For instance, let’s consider the possible import substitution strategy in web application firewalls (L7 WAF).

What is Web Application Firewall?

In the early 2020s, information system integration diagrams using the HyperText Transfer Protocol (HTTP) as transport confidently occupied the leading position in different apps de facto. An intermittently share of distributed apps created with the use of microservice architecture, standardisation and mass introduction of message exchange protocols based on XML and JSON using the HTTP at transport layer, the ongoing increase of the level of computers available to process a message (both for the sender and receiver) and network infrastructure bandwidth, which allowed using the HTTO as transport despite high costs of its coding/decoding and high-redundant representation in network transmission compared to other transport protocols.

In fact, during this process, the HTPP experienced qualitative changes and nowadays performs two qualitatively different functions: the delivery of different content from the server to the client in an asymmetric diagram and almost symmetric message exchange protocol between two equal members of information communication. This situation led to the appearance of a new point of possible control over computing processes developers of information protection system didn’t fail to use. As a result, a new technology and a corresponding class of software products appear — web application firewall.

We should note that the control over the performance of computing processes according to their external exchange (network communication, file subsystem, divided objects in operating memory, etc.) is possible at different levels that are characterised for different depths of decoding of the observed information. For network exchange that historically has a clear system of communication levels, this is more illustrative:

  • a possible control of cooperating entities, their locations, characteristics of a private exchange channel in the global information net (fragmentation, prioritisation, etc.),
  • possible analysis of characteristics of stream at transport level,
  • a format and partial logical control of messages at representation and applied level.

With the transition to every next level, the number of parameters subjected to analysis, the complexity of rules qualitatively increases, which undoubtedly influences the cost of development and support of the solution but at the same time allows effectively opposing wider classes of unauthorised actions. So the control of invariants of logic of the computing process itself is the limit. However, in general expenses on the development of such a control system can be compared or excel the expenses on the development of a protected app (exclusions will be provided below).

Given this, the application level control (HTTP as transport and applied message exchange protocols) is evaluated by experts in application protection as the optimal ratio of the total purchase cost and maintenance of the means of protection to the range of controlled classes of unauthorised actions, which has led to a rapid development of WAF in the last five years.

According to Garner analytic company, Akamai, Imperva are WAF leaders, CloudFlare, F5, Fastly, Amazon Web Services, Barracuda are challengers, Fortinet, Microsoft are visionaries and Radware, ThreatX are niche players.

Information about the ability of WAF to detect and fight off some most spread attacks is given in the table.

attack class

ability

comment

Resource access setup errors: common case

No

Except for methods with creating behavioural profile

Resource access setup errors: private cases, for instance, directory constraint violation

Yes

Attacks on the subsystem of аутентификации, including exhaustive database search

Yes

Session hijacking

Yes

In case the client’s network characteristics change

Transmission of malicious content

Yes

Usually done with the help of external connected modules, i.e. anti-virus solutions

Addition of undocumented parameters to request

No

Except for methods with the creation of behavioural profile

Attacks of information representation level (parsers), including buffer overrun, deliberate transmission of big amounts of compressed information, loop in recursion of message analysis, etc.

Yes

Injection of commands and/or code (including SQL, JavaScript): common case

Partially

For well-known attack types

Injection of commands and/or code in call parameters

Yes

Requests containing signs of remote code-execution attacks

Yes

In most cases

Leak of information in replies

No

Except for methods with the creation of behavioural profile

Use of undocumented features, including in external components

Partially

For well-known types of attacks

Attacks on denial to service, specific for protected app, for instance, memory leak, incorrect parameter combinations

No

Attacks requiring repeated requests (automatic), including vulnerability scanners and fuzzy scanning

Yes

As the table reads, the most forecasted and successful performance of WAF is seen in the attacks that are linked with the specifics of an app to a lesser degree. For instance, all data protection market leaders successfully fight off the attacks listed by OWASP Top10 (2022). First of all, this fact is evidence of the maturity of this class of the information security system. Consequently, the main competitive fight in functional possibilities in WAF systems unfolds against the attacks using specific vulnerabilities of applied systems including:

  • vulnerability of used architecture
  • vulnerability of widely spread external libraries and/or components,
  • vulnerability of specific software.

The presence of this technology somehow shifts the process of the formation of the model of the protected app inside the expertise of the client’s company

Research on the creation of the means of information protection forming the computing process execution model in the observed external information exchange (the model of black box, grey box) has been done almost since the first years of the appearance of computer security as sector. Web Application Firewalls adopted this technology. Also, the rapid development stage of data of the information security system coincided with the period of qualitative changes in machine learning algorithms, which inevitably brought to the inclusion of behavioural algorithms almost in all WAF advanced products.

The use of machine learning algorithms somehow allowed solving an applied problem, which is the fact that amid a constant rise in the complexity of attacks and consequently the rules of their detection/combat, only quite a small part of organisations using information security systems can afford having employees with very focused specialisation. Putting an example of the intrusion detection systems (whose functions quite closely interlink with WAF functions), this can demonstrated by the fact that most companies almost don’t form them themselves despite very flexible possibilities of the rule building subsystem. So these are the most frequent application schemes:

  • Already when choosing a product, the company picks solutions with the biggest possible number of preinstalled rules/signatures (moreover, because of using different solutions of different coding algorithms of these rules, the quantitative comparison is not illustrative in fact), then turns off some of then when it detects false positives during the testing or product use. Here it is noteworthy that WAF producers creating fine-granularity signatures turn out de facto at an advantage in the situations when employees of the user company that are responsible for the rule subsystem management are turned off in case of false positive signatures as a whole instead of the due edition of predicates in them.
  • The initiation investigation of protected applications allowing creating quite an accurate fixed behavioural profile by employees of the company introducing it is purchased. The accuracy of the formed profile depends on the representation of materials (inbound and outbound data) and performance scenarios of apps provided by the client. The static character of the set of rules/signatures is the disadvantage of the approach, which starts to be expressed in the numbers of detections/false positives worsening with time. The speed of the process as a rule depends on the frequency of making changes to the protected app.
  • The client purchases the service of the signature model of detection as service. With obvious better quality characteristics, this approach is the most expensive for the consumer. Also, it can be used only if there are organisations providing services for the chosen WAF product on the market.

In all the enumerated cases, updates of signature bases aren’t considered fighting off new schemes of attacks and vulnerability that became well0known after launching a product, which is in most developers considered as services on the basic technical maintenance of the purchased product with an annual subscription.

Only quite a small part of organisations using information security systems can afford having employees with a very focused specialisation. Photo: realnoevremya.ru

Going back to the qualitatively new approach to solving the described problem offered by machine learning, it is necessary to note that the presence of this technology somehow shifts the process of the formation of the model of the protected app inside the expertise of the client’s company by replacing services of external highly skilled staff and in many cases increasing the speed of adaptation of this model to changes in the protected product. The hard-to-predict level of false positives and gradually appearing research on methods of bypassing machine learning algorithms based on the specifics of their architecture.

In general the development of methods of bypassing rules and models of WAF isn’t something specific only for modules based on machine learning. A wide range of ways of elimination of attacks from the detection rules of WAF started to form almost simultaneously with the process of creation of this type of information security system. The approach of hiding the malicious code from signature anti-viruses that were already used earlier were used for these purposes. Like before, the main principle is to look for differences in the execution of message processing standards (for instance, decoding the level of representation and applied level) between WAF and the attacked app. The goal is to transform the malicious vector in a way that the attacked app considers it like the original (that’s to say, the target vulnerability would be realised), while the application-level fire wall couldn’t form its key attributes in the process of vector processing.

For instance, the introduction of special symbols, firewalls (often repeated), rarely used symbol code agreements and the knowledge of the specifics of the decoding process by certain libraries used by the attacked app is widely used at presentation layer. This aspect makes one to pay attention to the speed of the producer’s reaction to the data on new ways of bypassing filtration created by plotters and (in the case of having SLA in the availability of the protected service) to the organisation of the application-level firewall providing the lowest idle time of the production environment.

Given the above-described situation with almost equal basic possibilities of WAF solutions, it is necessary to single out the following characteristics that remain specific for some products and can have a key impact on their choice depending on requirements for the protection process:

  • granularity of preinstalled signatures/rules;
  • signature update scheme offered by the producer (and its cost policy);
  • algorithms of detection of repeated (automatic) activities including the fuzzy choice of parameters of the attack’s vector;
  • the principle of the performance of algorithms of shaping a behavioural profile of the protected app, including the model learning scheme;
  • the scheme of using the trained model to the production environment;
  • the possibilities (granularity, quick response) of making changes to the used model to turn off false positives detected in the production environment;
  • the timely issue of critical updates of the product in case of detecting ways of filtration bypassing;
  • the possibility of updating components of the solution with the shortest shutdown of the production environment;
  • the scheme of connection to the inspected flow, including the information exchange diagram (detection of correlations between interactions) if apps are protected with the network load balancing;
  • the possibility of integration with external services, including anti-virus solutions;
  • data loss prevention systems (DLP);
  • reputational services;
  • security information and event management systems (SIEM).

Is import substitution of WAF possible?

In the current geopolitical situation, directors of Russian security services are recommended to pay attention to the best Russian import substitutions solutions of WAF:

  • Positive Technologies WAF+ PT NAD (Network Attack Discovery);
  • UserGate Firewall with the intrusion detection and prevention subsystem (certificate of the Federal Service of Technical and Export Control types A, B, D, 4 Class IDS);
  • SolidWall intelligent web application firewall.

So SolidWall, for example, is a classic integrated network firewall for web apps including:

  • signature analysis module;
  • behaviour model of the protected app based on machine learning algorithms module;
  • automated attack detection module;
  • module of detection of attacks on identification, authentication and authorisation of members of information exchange.

The set of basic functions contains:

  • validation of protocols, including termination of TLS traffic;
  • analysis of data of popular frameworks;
  • opposition of OWASP Top10 attacks;
  • control of sessions of web app users;
  • creation of the behavioural model of the protected app.

The solution is compatible with both the most popular scheme of connection to the information traffic (based on reverse proxy) and analysis of mirror traffic providing zero impact on the transmitted data in the analysis in the second option. Routing nodes keep the balance of the network load in Active-Passive and Active-Active schemes, while the solution itself allows integration with a wide range of expanded configuration of protected apps, including with selected installation of analysis modules. Without doubt, such a flexibility of architecture is impossible without the module of centralised management of installed components and a single workplace of the complex’s operator.

Sergey Petrenko

Подписывайтесь на телеграм-канал, группу «ВКонтакте» и страницу в «Одноклассниках» «Реального времени». Ежедневные видео на Rutube, «Дзене» и Youtube.

Reference

The author’s opinion does not necessarily coincide with the position of Realnoe Vremya’s editorial board.

Tatarstan