AWS re:Invent 2025 - Protecting web apps & APIs with AI and an as-a-Service approach (SEC210)

Protecting Web Apps and APIs with AI and an "as-a-Service" Approach

Overview

  • This presentation discusses how Check Point's CloudGuard Web Application Firewall (WAF) uses AI and an "as-a-Service" approach to protect modern web applications and APIs.
  • Key topics covered include:
    • Check Point's AI-based approach to web application security
    • Flexible deployment and consumption models
    • Securing generative AI applications and APIs

AI-Based Web Application Security

  • Check Point's CloudGuard WAF uses a two-layer AI approach, rather than traditional signature-based or rule-based methods:
    • Layer 1 - Attack Indicator Analysis: An AI model trained on millions of legitimate and malicious HTTP traffic patterns to rapidly detect potential attack indicators.
    • Layer 2 - Contextual Analysis: An unsupervised AI model that learns the behavior of the specific application and user traffic to provide accurate, low false-positive protection.
  • This approach eliminates the need for manual tuning and signature updates, providing "out-of-the-box" protection that adapts to the customer's environment.
  • Check Point's open WAF comparison project found their solution achieved a 99.4% detection rate with less than 1% false positives - significantly outperforming competitors.
  • This AI-based approach also provides effective zero-day protection, as demonstrated by customers being protected from the Log4j vulnerability before it was publicly disclosed.
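
To make the two-layer idea concrete, here is an added sketch that is not Check Point's implementation and not code from the talk: layer 1 is stood in for by a few regex indicators with assumed weights, and layer 2 by a per-field baseline learned from constructed benign traffic that discounts indicators which are normal for that field.

```python
import re
from collections import defaultdict

# Layer 1 stand-in (assumption): generic indicators with hand-set weights.
# The talk describes a trained model here; regexes keep the sketch small.
INDICATORS = {
    "sql_keyword": (re.compile(r"\b(union|select|drop)\b", re.I), 0.4),
    "sql_comment": (re.compile(r"--|/\*"), 0.3),
    "script_tag": (re.compile(r"<\s*script", re.I), 0.6),
    "path_traversal": (re.compile(r"\.\./"), 0.5),
}

def layer1_indicators(value):
    """Return the names of the indicators present in one parameter value."""
    return {name for name, (rx, _) in INDICATORS.items() if rx.search(value)}

class ContextModel:
    """Layer 2 stand-in (assumption): how often each indicator appears in a
    given (path, parameter) of this application during a learning period."""
    def __init__(self):
        self.seen = defaultdict(int)   # (path, param) -> values observed
        self.hits = defaultdict(int)   # (path, param, indicator) -> count

    def learn(self, path, param, value):
        self.seen[(path, param)] += 1
        for name in layer1_indicators(value):
            self.hits[(path, param, name)] += 1

    def normal_rate(self, path, param, name):
        n = self.seen[(path, param)]
        return self.hits[(path, param, name)] / n if n else 0.0

def score(model, path, param, value):
    """Sum indicator weights, each discounted by how normal it is for the field."""
    total = sum(INDICATORS[name][1] * (1.0 - model.normal_rate(path, param, name))
                for name in layer1_indicators(value))
    return round(min(total, 1.0), 2)

def verdict(model, path, param, value, threshold=0.5):
    return "block" if score(model, path, param, value) >= threshold else "allow"

# Constructed learning traffic: a SQL help forum (posts contain SQL text)
# and a login form (usernames never do).
model = ContextModel()
for body in ["how do I SELECT rows -- with a comment", "UNION vs UNION ALL?",
             "select * from t -- help"]:
    model.learn("/forum/post", "body", body)
for user in ["alice", "bob", "carol"]:
    model.learn("/login", "user", user)
```

The same SQL-looking text scores 0.7 in the login field and 0.1 in the forum body, while a script tag in the forum body still scores 0.6 because that indicator was never seen there during learning.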

Deployment and Consumption Models

  • Check Point offers CloudGuard WAF as a fully managed "as-a-Service" solution, leveraging AWS infrastructure and services like CloudFront and Shield Advanced.
    • This allows for rapid deployment (under 15 minutes) and global scalability with PoPs in multiple regions.
  • For customers requiring more control, CloudGuard WAF is also available as a small, lightweight agent that can be deployed alongside applications in various environments:
    • Embedded in reverse proxies like NGINX or Kong
    • As a VM or container in environments like EKS, Fargate, or App Runner
  • This flexibility allows customers to deploy security closer to their applications, improving reliability and performance.

Securing Generative AI Applications

  • Protecting generative AI applications and APIs presents new challenges compared to traditional web applications:
    • In traditional apps, the user interaction is predefined, while generative AI allows for open-ended, natural language-based interactions.
    • The "executable" is now the language/prompts used to interact with the AI model, rather than code.
  • Check Point's Lira solution, acquired as part of the CloudGuard WAF, addresses these challenges:
    • Lira includes a pre-trained machine learning model to detect malicious prompts, supporting over 100 languages.
    • A second, context-aware model evaluates prompts based on user behavior, crowd behavior, and semantic understanding to minimize false positives.
    • Lira also provides capabilities like API discovery, schema enforcement, and shadow API detection to provide comprehensive visibility and protection for API-based generative AI applications.

Key Takeaways

  • Check Point's AI-based approach to web application and API security provides high detection rates, low false positives, and effective zero-day protection without the need for manual tuning.
  • Flexible deployment options allow customers to integrate security closer to their applications, improving reliability and performance.
  • Lira, Check Point's solution for securing generative AI applications, addresses the unique challenges posed by open-ended, natural language-based interactions.
  • Check Point's focus on innovation and partnership with AWS enables them to provide comprehensive, "as-a-Service" security solutions that adapt to the evolving threat landscape.

Technical Details

  • Check Point's CloudGuard WAF uses two layers of AI models:
    • Layer 1 - Attack Indicator Analysis: Trained on millions of HTTP traffic samples to detect potential attack indicators
    • Layer 2 - Contextual Analysis: Unsupervised model that learns application and user behavior to minimize false positives
  • Lira, Check Point's solution for securing generative AI, includes:
    • Pre-trained machine learning model to detect malicious prompts in over 100 languages
    • Context-aware model that evaluates prompts based on user behavior, crowd behavior, and semantic understanding
    • API discovery, schema enforcement, and shadow API detection capabilities

Business Impact

  • Enables organizations to securely adopt modern web applications and APIs, unlocking new business opportunities and customer experiences.
  • Reduces the burden of manual security management and tuning, allowing security teams to focus on strategic initiatives.
  • Provides effective protection against evolving threats, including zero-day vulnerabilities, without disrupting application performance or availability.
  • Helps organizations extend their security posture to cover the unique challenges of generative AI applications and APIs.

Real-World Examples

  • BBVA, a global financial institution, leveraged CloudGuard WAF to protect legacy applications during their cloud migration process, without the need for extensive patching or monitoring.
    • This allowed BBVA to focus resources on modernizing their applications while maintaining robust security.
  • Check Point's customers have reported detecting and preventing Log4j attacks in their environments before the vulnerability was publicly disclosed, thanks to the AI-based protection.
  • One e-commerce customer was able to put CloudGuard WAF in "prevent" mode with zero tuning and encountered only one false positive in two weeks, demonstrating the solution's effectiveness out-of-the-box.
