Radware Ltd. (RDWR) Earnings Call Transcript & Summary

February 15, 2024


Earnings Call Speaker Segments

Prakash Sinha

executive
#1

[Audio Gap] will discuss the future trends in network and application security and also look ahead to 2024 and beyond. There is a lot of development in terms of cybersecurity especially with the artificial intelligence, ChatGPT, et cetera. So we'll take a look at how that impacts cybersecurity, both positively and negatively. [Operator Instructions] So let's begin. There is never a dull moment in cybersecurity. The attackers and the defenders are constantly playing a game of cat and mouse. That also means that the landscape in cybersecurity is constantly changing. And specifically, when it comes to application security. Application protection in general is a complex domain because the web applications are at the heart of business. This means that apart from securing apps themselves, the application protection also should consider business impacts, the way applications are developed and deployed. And cloud computing is another domain, especially if you're deploying applications in a multi-cloud environment, the domain experience of the security staff, the shortages of skills whether using managed services, et cetera, come into play as well. One of the key trends that we've seen in 2022 and continue to see it in 2023 is the rapid rise of new sophisticated attack vectors. Specifically, API attacks, client-side attacks and bot attacks and these bots are almost human-like; they can bypass many of the CAPTCHA type of security that we typically employ. Now such sophisticated attacks can impact organizations of any size and in any vertical. And that is demonstrated by the examples that we put here. The first one is the API attack for T-Mobile. It's one of the top mobile providers in the U.S. and probably worldwide. And it ended up exposing data of almost 37 million users, a huge number. The second one is a client-side attack. This is a video game distribution platform with 120 million active users monthly. Now that was a client-side attack. 
The third one that we have here is a very well-known apparel brand. So -- and that got impacted using a bot attack. So the reality is that such advanced attacks can target any application and even high profile and very well-protected organization -- well-known organization, such as these are vulnerable. And specifically, you are vulnerable if you don't have the right tools and people in place. So in order to illustrate the security perimeter of an application and the changes that have taken place in a modern application, let's take a look at a modern supply chain attack, such as the one that is used here in formjacking attacks. First, the attacker breaches a third-party library or a plug-in and inserts malicious code in their supposedly legitimate code. Second, the third-party library is invoked via web application. So many of us actually use third-party applications in our web development as well. The web application can't or does not scan the library code, it's assumed to be vetted code. Now running from within this third-party library, the malicious code is run directly on the end client, okay? So this is, let's say, you're accessing a website, got in an HTML page, that HTML page then calls in multiple different codes in different environments. And one of them could be a third-party code, which is infected, right? So the attacker is now using that malicious code to exfiltrate data directly from the client. So this is a very common situation where the exploitation is occurring on the third-party vendor. The application owner is not responsible for developing that code. The attack itself occurs on the client, that's outside the reach of the application and the data belongs to the client, right? So -- but overall, the liability is of the application and the application owner. So this raises an important question. If the exploit and the breach occur outside of the web application, what is the security perimeter of the web application? 
And of course, the correct way to address some of this is to run some of this kind of code in a sandbox. So it's -- and the thing is that typically, you would deploy either your code, fix your code to force any kind of flaws, but here, you don't have control over the code. You would deploy a traditional web application firewall or web application API protection, on-prem or in the cloud or wherever the application is, however there's multiple pieces. So you can't just protect it by deploying a traditional web application firewall in this case. So let's look at 2024. So there is a shift in the threat landscape. And we've seen that as part of 2023 itself to late 2023 and moving on to 2024. So let's take a look at how that's going to impact application protection. So there is a shift in the threat landscape as the apps have become distributed, so have the attacks. They're now multivector and multilayered from DDoS to scraping to formjacking as we just saw to injection and almost human-like bot attacks. So the new generative API -- or AI -- sorry, not an API, but AI-based tools will add another layer of sophistication to this. Both for automated tools to attack but also tools for protection, right? The motivations have changed as well and the target now is squarely on the applications, specifically in many verticals. And the verticals that we see quite often are healthcare, finance, power and of course, as usual, government. Anywhere you have -- if you have to score -- settle political scores or if you have financial or personal information that can be -- that can lead to some financial gain, those are specifically the verticals that are targeted. So as we see Russia's invasion of Ukraine in Feb 2022 initiated a new era of cyberwar. In response to the cyber aggression against Ukraine, the Ukraine established an IT army of Ukraine. Now they were recruiting Western hackers, volunteering to conduct attacks against Russian targets. 
Now initially, these aggressions were limited to just these 2 parties in the conflict, but soon extended to additional targets, especially countries have begun -- and so they have become nation-state attacks, targeting anybody who's supporting Ukraine, for example. The pro-Russian activist groups, including NoName057, the Killnet cluster, the Anonymous Russia, the Passion Group and others started attacking targets in countries that were supporting Ukraine. More recently, groups such as Anonymous Sudan, Mysterious Team Bangladesh and others have joined. So it's not just limited to nation-state anymore. It's also religious groups that are launching cyber aggressions against targets who insult Muslims, for example. The targeted attack campaigns on applications in specific verticals are now the standard. The health care organizations are always the top target for hackers and cyber criminals because of the sensitive nature of the data that they have and the critical care they provide as well as many have been hacked and have paid ransomware. So that leads to more attacks. Now in Feb 2023, more than a dozen hospitals in the U.S. were targeted by Killnet, specifically their websites. And that led to breaches, leak of patient data -- there's a private patient data and also ransomware demands. The attack campaign themselves are also now becoming global. So they affect many verticals. They are now publicly announced on Telegram and the results of their attacks also posted. So they're no longer just purely the realm of Darknet. They are publicly available and open. So something new that we have seen are these disruptive Layer 7 DDoS attacks. They are different from the traditional DDoS attacks, which started with high-volume network-based flood attacks. And later, they evolved to more sophisticated multi-vector application level attacks that are now much harder to detect and mitigate. 
So this is a -- as seen -- as we've seen in a recent attack campaign, the attacks are leveraging multiple types and vectors of attacks as part of a single campaign. They combine both network and application layer vectors and leverage new tools to create sophisticated attacks that are much, much harder and almost nearly impossible to detect and mitigate with traditional methods. So DDoS protections that you have in place don't really matter because these attackers are using tools to generate new type of HTTPS floods, right? So basically, they are cloaked under SSL. We also refer to them as web DDoS Tsunami attacks because they're not traditional DDoS attacks, they're Layer 7 web or HTTPS-based attacks. They're much more sophisticated, much more aggressive and higher in volume and throughput than what we've seen in the Layer 7 attacks in -- previously. And they use sophisticated evasion methodologies to bypass traditional application-based protection. Now as you know, in order to protect from these, you have to terminate the connections, right? It's so much harder to detect. Now it's complex to mitigate because they act at a Layer 7 meaning that most of the activities, especially inspecting the traffic must be done after you terminate the connection. So you terminate the HTTP connection, decrypt SSL and then inspect the content. It's an expensive operation as well. So the attack mitigation process can only occur after the traffic is proxied and decrypted. And it's very expensive to process. And especially if you have a very busy website like a Costco or a Walmart or Amazon, for example, right? These are very connection-intensive operations and they operate at scale. So very, very expensive to mitigate as well. So as we've seen in the recent attack campaign, like I mentioned previously, the attackers are leveraging these new tools to create these sophisticated attacks that are almost impossible to mitigate with traditional methods. 
The web DDoS Tsunami attacks are sophisticated and aggressive. They are encrypted, like I mentioned, right? So you have to terminate the connection and decrypt before you can look at the requests themselves, the request body. In this case, HTTP request body. They are using very sophisticated techniques. They appear to be legitimate. They randomize the HTTP headers and cookies. They impersonate popular third-party -- embedded third-party services. They spoof IP, all of that in order to evade detection, right? And so you have to use some accurate detection in order to do detection. You need some kind of behavior processing because they're not -- so they have multiple requests in a single connection. So it doesn't really look like a volume flood, which you can detect in a typical denial of service protections. So they're not volume-based only, right? And they are putting a lot of processing requirements on your back-end service to protect against these kind of attacks. What we've seen in these recent attack campaigns that are specifically web DDoS Tsunami type of attacks, that a typical standard protection solutions are not effective at all against these kind of attacks. And why the standard protections are not effective against this type of attack is because they're not equipped to detect and mitigate the application layer denial of service attacks, right? And detecting such attacks requires decryption. Looking -- and it's much deeper inspection of the Layer 7 headers in this case, HTTP headers. And because of spoofing and because of sophisticated evasion techniques, they would go undetected by a network-based DDoS protection solution. 
The WAF on the other hand, which is geared for something like this, whether it's on-prem or cloud-based is an effective tool to protect against this kind of attack because either a load balancer or application delivery controller can decrypt and then you can use a web application firewall either built in, in the cloud or as a stand-alone service to then do a deeper inspection. However, it's not very effective in terms of the scale, especially if you have a website that's very compute-intensive, connection-intensive and doing a lot of transactions, this can really impact the time that it takes for you to fulfill a client request. So it's an expensive operation. So typically, the available mitigation techniques that you have without really impacting legitimate web traffic, it's very, very difficult to do. In June of 2023, so this year, just a few months back, Microsoft began tracking a denial of service activity, by the threat actor whom they called Storm-1359. After they had identified the threat, it was identified as a Layer 7 attack. And this brought many Office 365 applications down for many, many hours, right? So the DDoS protection that they had in place was not effective against this kind of attack, right? So the traditional DDoS -- and Microsoft operates at scale. So they have -- the outages really impact a lot of applications or Office 365 applications. So now that we've been through and we've seen the changing trends, what happened in 2022, 2023 and how it's impacting protections for applications and networks, let's look ahead and see what 2024 is going to bring. So we've all heard about OpenAI, ChatGPT, there's a lot of talk about artificial intelligence. There's Google Bard. All these new capabilities of OpenAI, Google Bard will start a new round of warfare, pretty much impacting both the attackers and their attack tools and the defenders and their protections. We've all heard about LLM or large language models. 
These are a subset of AI that help people interact with AI models. And it uses natural language processing. So it helps us to talk to them or interact with them in natural language. Now the AI-based tools will be able to craft automated and highly adaptive attacks and identify and drive Zero-Day vulnerabilities with AI botnets. Now it's not just the negative side of the LLM or large language models, but AI tools and LLM will also help protect against some of these attacks as well, right? So we'll take a look at that in just a minute. So from the point of view of security practitioners, right, this impacts them. So what are the things that you will see in 2024 that will impact, right? So we are beginning to see a new type of denial of service. We call them web DDoS Tsunami, which is different from a traditional denial of service protections that help address some of these. They are more request based. They are cloaked, meaning under SSL and they use very, very sophisticated evasion techniques. And this will overwhelm your traditional web application firewall and especially if you're operating at scale. So as the customers migrate -- and so for these Web DDoS Tsunami, your traditional defenses like a denial of service protection will not apply because especially if they're rate based or volume based. As you migrate your applications to the public cloud, now the hackers are also focusing their attack vectors against public cloud infrastructure. So in this threat landscape, it's clear that our customers will need some kind of security to protect the security posture. So application security posture management, cloud infrastructure entitlement management, cloud security posture management. So looking at how the storage and how the access to applications are delegated and given, right? So that's a very important piece. There is also the supply chain issue, right, in terms of LLM-integrated web applications. 
So we've seen hacking of third-party codes, which will now be driven by AI-based tools which can both probe, prompt and probe and figure out what the gaps are, what the holes are and then attack them. So using malicious AI. Those are -- so in order to protect some -- against something like that, you need real-time intelligence or near real-time intelligence. The solutions need to be intelligent and autonomous because with prompts, you'll get so many events that just finding the real issue in between all of these different events that are occurring needs to happen at an automatic scale. Humans can't process that kind of scale of events, right? So it needs to be some kind of analytics that can figure out what the issue is, stitch together a storyline across all of these different type of attack vectors and postures and logs and then give you something that you can act upon. As you can see from here, OWASP published the top 10 for large language model applications, right? So these are LLM assisted models. And if you can see, prompt injection is one of the first ones that they mentioned, but it's also very similar to what we had with APIs and applications and OWASP publishes top 10 for both of those. This is very, very similar, prompt injection, just like we had SQL injection and LDAP injection. We had insecure output handling, right? So if you're getting probed, your applications are getting probed and AI assisted, you need to make sure that the output is handled correctly. And WAFs actually used to do that by obfuscating responses, by not exposing the internal sources, et cetera, right? Training with data poisoning, so this is also used at nation-state level, denial of service, right? So basically probing to figure out denial of service and vulnerabilities, no forcing you by prompting to provide sensitive information, just like we used to probe for SQL tables, for example, right, to get PII information. 
So all of that, that we used to do before with just typical applications and APIs apply to LLM-assisted applications themselves. So moving forward in 2024 and beyond both attackers and the defenders will become much more powerful and autonomous. The generative AI and the large language models, LLM, will pose potential cybersecurity risk. And these could include phishing, deep fakes, voice-assisted deep fakes, new malware tools will certainly come online and they're like pay by the hour, automated hacking that's another area, data manipulation. So this is like we saw before, in OWASP, they mentioned data poisoning, right? So this is definitely something that will occur at a much larger scale and at nation-states level as well. And probing to bypass security measures to figure out weaknesses and then use some of these tools to bypass those measures. Now on the positive side or the flip side, the same tools can be used for positive means, right? So that means pattern recognition because you have so much data, you can -- if you can stream and analyze that data, you can recognize patterns. You can also use that for anomaly detection, you can use data modeling and learn behaviors. So that's another very, very good and big area. You should look for behavioral-assisted tools that are built on both machine learning as well as LLM assist. And they can help you efficiently so because this is like we saw Web DDoS Tsunami, right? Most of the web application firewalls that have to look at and do a deep inspection would fail at scale and would increase your transaction time, right? So you need some kind of AI assess to be able to both model and analyze data and selectively decrypt certain type of transactions, right? So -- and that process needs to be automated. So autonomous and automation especially on the positive side of this will be assisted with LLM. 
So in 2024, the defenders will need to rethink the first line of defense, especially if you are a [indiscernible], a C-level executive whose job depends on securing your enterprise or your organization, you have to rethink how you do protect -- how you protect in the face of both these web DDoS Tsunami as well as AI-assisted attack tools that are going to become much more prevalent. So you have to have -- you need AI-powered adaptive protections in place. So for the publicly-exposed assets, you'll need real-time or near real-time protections. And that's to ensure the availability of networks and applications in the face of request based Layer 7 attacks, so these under web DDoS Tsunami, AI-based bots and prompt injection for API-based attacks. The visibility in this case because you need to make sense and take action, right? So visibility needs to be much deeper and accurate, especially in terms of security posture for -- in production risks and also which needs to highlight account takeover TAMs and protect against the AI-driven prompt injections to identify and try to initiate DDoS type of attacks. So those are the areas that you need to look at in terms of defenses. Like the traditional DDoS attacks that were based on volume, the request based web DDoS Tsunami type of attacks require a very different kind of model. Because they're based on payloads and HTTP payloads, these attacks use sophisticated techniques, right, for evasion. So the traditional tools of web DDoS or DDoS protection are pretty much useless here because you have to, a, terminate the connection, decrypt the connection, decrypt the SSL, then look into a payload. So of course, your web application firewall would be useful here, but especially for a modern application, just deploying a WAF at one end doesn't cut it anymore, right? Plus it's expensive operations. So if you have to look at every transaction that's going to impact the client itself when it's your legitimate traffic. 
So I mean these are targeted attacks and they can use botnets to attack and they can use many sophisticated techniques there that will be AI-assisted. So you have to do a payload analysis, but do you look at every transaction, that's a question that we need to answer. Now since apps are the lifeline of your business, you'll need AI-driven pattern recognition, anomaly detection, data modeling and learning from analyzed data. And you have to do that efficiently to be near real time. Now we've done this before for blind spots and Zero-Day and API discovery, like which ones of your APIs are unprotected. Maybe they are assisting the APIs that are exposed, but still not protected, right? So especially if you have security teams that are not trained on many domains and your applications are across domains, like on-prem as well as on AWS and Azure and GCP and others. So if you don't have the trained personnel to be able to figure out the storage, the entitlement aspects, things like that, right? So you have to have tools that actually help provide insight into any blind spots, any zero-day vulnerabilities, any exposed and vulnerable APIs. And then, of course, since most of the web -- or the delivery of these applications use a CI/CD pipeline, continuous integration and continuous delivery, the learning and the protections that you apply using some AI-assisted tools need to be also continuous, right? You can't just deploy it one week and then wait another week to deploy it. The learning, the refinements need to be continuous as well. So many organizations are also rolling out Security Service Edge or Zero Trust architecture as well as part of implementing the Security Service Edge. The first part of the Security Service Edge. They should augment the benefits provided by the granular application access control in Zero Trust with cloud-based security for data for applications and the APIs in this case. 
The approach, so in this scenario, since you're going from a client making a request, it could be a malicious client, making a request to the back-end service and you have different tools for security posture management or entitlement management, cloud security threat detection or CTDR. So CIEM, SCSPM, you need also ASPM, which is application security posture management. Now you have load balancers and application delivery controllers upfront in front of these apps. There could be reverse proxies as well. So you are terminating those connections from the user, and then you can use that to provide a newer type of architectures to detect any kind of threat in the cloud. You can do a sample. If you have tools that allow you to do sampling and based on some AI-based analytics, you can take some of the transactions and detect that or process that in the cloud. Now cloud is a way of also providing protections against these client-side attacks that we see in terms of Magecart and formjacking. So this is a new type of service that can help you or WAAP as a service, Web Application and API Protection that can really augment your core API gateways, on-prem web application firewall and you can augment that for distributed modern applications. And you can use for the Zero Trust architecture, you can have client connectors that work with identity and access management or identity as a service tools, you have for the perimeter or the access type of services, you can have CASB or cloud access service brokers to streamline and make the WAN connections more efficient. You can use SD-WAN for those services. So this is a very -- it's a simplified architecture, but it gives you the tools that you can use to augment some of the denial of service protections that you have. And by doing so and sampling and detecting threats inside of HTTP or web transactions, you can actually address some of the web DDoS Tsunami. 
The analytics will help the AI-guided and AI-assisted or LLM-assisted analytics will help you detect and protect against some of these threats without really looking at every transaction. So before we move on to Q&A and take a look at the questions that you have submitted. [Operator Instructions] So let's just summarize what we went through. We were discussing the trends in application network security and what to expect in 2024 and beyond. So in 2024 and beyond, the AI will help create new attack tools, that's a given. It will be easy to write these new malicious attack programs, sophisticated phishing, which has already started using voice cloning. Hackers and probably nation states will use AI for data poisoning and basically use both hackers and nation states. We'll use these data sets to learn efficiencies, and we've seen that in the OWASP LLM guidance. But on the positive side, AI will also allow for new protections using AI to augment signatures quickly using machine learning and behaviors to train AI systems and to reduce the false positives, the improved security posture. We talked about CIEM, C-I-E-M, CSPM, CSPM -- ASPM, Application Security Posture Management and others. And of course, make some of these threats because of -- by analyzing these data sets to make it much more visible of what's going on as a storyboard. And AI-assisted tools will also analyze several variables there and when a user is attempting to log in, the device types, their configurations and then correlate them together like I mentioned, as a story. And of course, these AI-assisted tools, which go much further in terms of detecting anomalies. And identifying potential threats near real time. So the bottom line is we think your first line of defense, augment that security posture that you currently have because the existing tools won't cut it, right? So especially the denial of service doesn't really work against web DDoS Tsunami type of attacks. 
Your posture needs to change based on AI assist. So you have to fight AI tools with AI assist, right? And then definitely, the SSE and the Zero Trust architecture approach is the right one.

Prakash Sinha

executive
#2

So let's take a look at some of the questions. So I see a few questions. The first one is how do we augment DDoS protections in the face of Layer 7 DDoS as you mentioned? You can analyze the behavior of network traffic over time. The AI assistant or LLM assisted DDoS protections can learn what is normal and identify deviations from that pattern. You can also use predictive analytics that can identify potential DDoS attacks before they happen. And then also, you can analyze the data and patterns and suggest whether it's a traditional denial of service protection or it is a web or web Tsunami type of DDoS attack. Since it's difficult to analyze every transaction without slowing down the traffic to your business applications, you might use analytics to sample patterns, right? So that's another way of augmenting your existing DDoS protection in the face of web DDoS Tsunami type of attacks. The next question I see is, will AI-assisted tools protect AI-based attack, protect against, I would say, AI-based attack tools. Ironically, AI itself can be a potent tool to defend against AI threats. The machine learning algorithms can analyze a lot of very large data sets to identify anomalies and do that automatically. And you can detect potential security breaches in real time. The AI-driven threat detection systems can also recognize pattern behavior -- patterns of behavior. That is what you're looking for. And then that's something in such a large data set, a human analyst can miss. So you can use AI-assisted tools for pattern recognition, learning behavior. So those things that are out of the norm, you can use AI-assisted tools to do that. Another question that I see is what about defending against AI-assisted bots. That's a very good question. So bots have been defeated even in 2022, 2023 by almost human or the CAPTCHAs I meant to say, have been defeated by human-like bots even in 2022, 2023. The AI-powered bots take it to the next level. So you need proactive measures. 
One is continuous monitoring and detecting anomalies and patterns, bot activities in real time. That's very important. The other one is in terms of implementing mechanisms beyond what CAPTCHA offers today. So since CAPTCHA can be easily defeated, AI-assisted tools attack tools or bots, AI-powered bots so they'll definitely defeat them, right? So the behavioral analytics, behavior analysis to identify patterns definitely would be helpful in differentiating bots from real users. Now implementing -- there are new types of algorithms that go beyond what CAPTCHA offers today. And address all the limitations of CAPTCHA as well. That's another way of defending against AI-assisted bots. And another one is to implement methods to verify user authenticity. Now that is at the heart of all of this. If you can fingerprint, you can find out if the user or the connection is actually from a real user. That's what will prevent you from -- or your applications from bot-assisted or bot-powered or AI-assisted bots, that's what I meant. I don't see any other questions. So I hope you enjoyed the session and we hope to see you on another one of our webinars very soon. Thank you.
