January 8, 2021 Continent 8 Team

Continent 8: Cloud WAF – Protect against vulnerabilities

Continent 8’s latest product, the Cloud Web Application Firewall (WAF), is designed to protect against zero-day attacks with near zero false positives and has been developed in partnership with cyber-security experts, Fortinet. Jorge Morales, Sales Director at Continent 8, explains the significance of the Cloud WAF and sheds light on the company’s strategic expansion into Latin America.

What are the Cloud WAF’s main features?

There are three main components to the Cloud WAF: web application security, bot management and deception, and API protection.

Web Application Security

Web application security is needed for PCI compliance and other compliance needs. We worked with Fortinet on the Cloud WAF to help identify and protect against zero-day attacks. This requires a combination of different security controls so we have integrated positive and negative security policies to provide the best web application security we can. The Cloud WAF blocks threats in real time from code-based vulnerabilities without blocking legitimate users or generating false positives that can drive administrative overhead.

Web application security offers the ability to bring new features and enhancements to the market quickly in the knowledge they will meet standard security standards. It is also good in the Covid-19 world because there’s a lot of remote working and some applications are being pushed to the web. New applications are being bought off the shelf without taking much note of the security side of things so it’s a good way of enforcing standards. Additionally, the Cloud WAF can also block users based on location.

Bot Management and Deception

Bots are essentially automated analysis of websites. Malicious bots are the things that pose problems in our industry such as odds scraping. Bots can generate quite a lot of traffic and serving that traffic unnecessarily costs money as well as the issue of having your IP being used elsewhere.

However, there are a lot of legitimate bots such as search engine bots and chat bots that are welcomed by site owners as they increase search engine optimisation and index the web. Therefore, we need to be sure to identify good bots from bad ones. Bot deception builds a honeypot trap which essentially helps identify these bots as they come in. The Cloud WAF provides the tools to differentiate bots using biometrics alongside keyboard and mouse movement to identify a human interaction from automation.

API Protection

In an increasingly connected world, protection is about more than just client-server interaction. APIs provide a standard in which applications talk to one another. As soon as you start to open up information, open up APIs on an application on a network and integrate with other partners (which is seen a lot in our industry), it opens up what we call the ‘attack surface area’. The more this is open, the more vulnerable one is. However, we recognise companies need to open up in order to benefit from the flexibility of integration.

APIs can work from anything – even between apps on a mobile phone which connect back to a server. With the Cloud WAF, we have hardened this API communication and can protect through a variety of different security code controls. We can even put in request limits to limit the interaction with the API and ensure it adheres to either custom or open API specific schema files. This works for both B2B and B2C companies and ensures security of integration.

How important is protecting against the vulnerabilities you refer to?

In our business ensuring one is protected against these types of vulnerabilities is critical. Any business with an online presence can be exploited and the more businesses align, the greater the aforementioned attack surface area. If you generate revenue from a website or mobile phone app, it is even more imperative you are protecting the infrastructure as best as possible. However, it is not all about protecting money.

If you are under attack, it can slow down your website and send you offline similar to a DDoS attack. You might not even notice you’re under attack and an attacker can gain access to the site, deface it by putting up their own content or simply replicating their website. Worse still, attackers can syphon off customer details, encrypt whole file servers and online estate then ask for a ransom to unencrypt and give the data back.

These types of events occur often. As well as the obvious questions of ‘can companies actually recover from this sort of breach? Can companies keep their reputation and customer loyalty after an event like this?’, you also have to take into consideration further remedial costs as attacked companies then need to ensure they’re hardened against a repeat attack. Not protecting oneself sufficiently has the potential to wipe businesses off the map and there have been many high-profile cases we’ve all seen through the media testament to this.

What role did Fortinet play in the development process?

We wanted to expand our security portfolio and build upon the success of our DDoS services. We’re in a specialised industry and we’ve got colocation in specific locations relevant to the industry we serve. We wanted to get a solution that would fit into this mix. We recognise our customers are online businesses. Given this is where they make their money it is also their greatest asset to protect. We wanted to move further up the stack and offer security for web applications as well.

We originally intended to build Cloud WAF ourselves but quickly realised the platform is nothing without the signature detection algorithms offered by experienced specialised security firms. We scanned the market and found very few solutions that actually fit the bill. Most companies were looking for referrals or things of that nature but wouldn’t actually work with us to build the infrastructure. Fortinet have a public cloud offering which has proven successful in AWS and various other public clouds, so they offered to work with us to develop a similar solution we can deploy globally across our own estate. This was a key factor. We want our customers to benefit from the performance that can be gained by having the Cloud WAF hosting their infrastructure.

Now it’s deployed, we are working closely with Fortinet, relying on their expertise and over 40 labs whose research teams analyse security events. Like Continent 8, Fortinet have been established for over 20 years but they analyse 100 billion security events every day. If we were to build Cloud WAF ourselves, we just wouldn’t be able to match their expertise. Fortinet have been integral in the design and build of the Cloud WAF.

Are there any other products in production you can shed light on?

There are conversations open with Fortinet concerning various problems we want solving but there is nothing specific at the moment. In our secure family of products, we are looking to further expand capabilities into professional services and the managed service space – we will be publicising more about this in the new year. Furthermore, we are going to add native container support imminently to the public cloud and are developing partnerships with a number of hyperscale cloud providers.

In November, Continent 8 began its strategic expansion into the Latin American market with the launch of its cloud solution in Colombia. What is the rationale behind the expansion? Why now?

Continent 8 is committed to delivering service around the world, and Latin America is a new growing market that presents many opportunities for us. Future customers want a customised service for their needs, from an experienced IT company.

While UK iGaming companies are dealing with Brexit, and US-based companies are going through state-by-state regulations, Latin America seems to be a much more approachable land of opportunities for iGaming business owners, and Continent 8 wants to be there to provide its knowledge and the best IT infrastructure.

Its 650 million inhabitants, unrivalled passion for sports, increasing mobile phone ownership and developing mobile-internet connectivity, combined with an ongoing movement for a more flexible online gambling regulatory framework, are all proving that the Latin American iGaming market is definitely growing at a speedy rate.

What specific challenges do you expect the Latin American market to pose compared to those faced in the Americas, Europe and Asia?

Latin America is comprised of 20 countries and 13 dependencies, and it gets even more complicated when you include anglophone and Dutch-speaking countries. Each country has its own preferred languages, unique gambling and betting culture, and specific sets of laws for the gambling industry. Countries which are considered to be the most active countries for gambling in Latin America are Argentina, Mexico, Brazil, and Colombia.

For those looking to target customers in this region, it is important to make strategic decisions through elaborate research and an understanding of the diversity of the countries. That is why, before stepping into the Latin American market, it is crucial that you analyse key information such as the market sizes, rules and regulations, gambling interests, popular sports, technological advancement, and language variations.

Why begin in Colombia?

Colombia is considered the forerunner of the Latin American iGaming market. It is also the first Latin American country to approve a regulated online gambling market in late 2016, and it’s still the only fully regulated online gambling market in Latin America. Continent 8 will be able to deliver services to several countries from Colombia due to its strategic location in the region.

Source: G3 Magazine
