In cybersecurity, ADR stands for application detection and response. ADR gives security teams a way to defend custom and self-hosted third-party applications against exploitation. It uses software instrumentation to observe the behavior of web applications and application programming interfaces (APIs) directly at runtime, continuously monitoring them for anomalous behavior. An ADR tool provides real-time visibility into malicious activity at the application layer, and it also acts as a compensating control that blocks attempts to exploit vulnerabilities the application still contains. It is an “inside-out” approach that yields highly accurate visibility and protection, especially when integrated with the security operations center (SOC).
Modern SOCs rely on telemetry and analytics from a variety of “detection and response” solutions to gain visibility into emerging attacks across a vast threat landscape. Typical detection and response stacks focus on:
These solutions have proven invaluable in the escalating fight against increasingly sophisticated adversaries, but an important visibility gap remains: applications.
Today’s security analysts lack the visibility they need to reliably see what is happening inside web applications and APIs. Threat actors increasingly exploit that gap, reaching their targets through the application itself without raising alarms.
In order to see and stop modern application attacks, security operations (SecOps) teams need a new level of visibility and control. They need to extend their reach beyond the traditional network and endpoint, into the applications themselves.
Organizations can use ADR in myriad ways to secure applications from attacks:
ADR gives SecOps teams the visibility and control they need to detect, respond to and block attacks targeting web applications and APIs at runtime. By instrumenting applications with a lightweight agent, ADR sensors observe application behavior from inside the application, including the actual routes through which data enters and leaves it at runtime.
This internal vantage point lets the ADR tool analyze data flows and alert on attempted or successful exploits in real time, identifying path traversal, unsafe deserialization, SQL/NoSQL injection and many other classes of exploit as they happen. Because it observes what the application actually does rather than inferring it from traffic, results are highly accurate, so SecOps teams spend less time chasing false positives.
Because it sits inside the running application, ADR can not only detect attacks but block them outright. When ADR identifies unsafe application behavior, policy can direct it to throw a server exception, which interrupts the request before the dangerous operation executes and so blocks the attack. Unlike many legacy signature-based protection tools, ADR’s analytics focus on dangerous behaviors, so it can often detect and block the exploitation of a vulnerability before that vulnerability is publicly disclosed, i.e., a zero-day.
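The detect-at-the-sink and block-by-policy mechanism described above, as an added example that is not Contrast’s code and not the page’s own: a small Python sensor (every name, route, policy setting and the in-memory sqlite database are constructed for this illustration) wraps the two sinks of a toy request handler. At the SQL sink it checks whether any request-derived value spans more than one token of the final query, which is how an injection changes query structure rather than supplying data; at the file sink it checks whether the path the application is about to open resolves outside the document root. Each alert carries execution context (route, sink, source parameter, calling function), and the configured mode decides whether the sensor only records the alert or raises an exception that ends the request before the sink executes.

```python
"""Toy application-layer sensor in the spirit of ADR (constructed example; not
Contrast's agent and not a description of any product's internals).  It wraps
the SQL and file sinks of a small request handler, remembers which values came
from the request, and judges each sink call by its effect rather than by a signature."""
import inspect
import os
import re
import sqlite3
import tempfile
from urllib.parse import unquote

POLICY = {"mode": "block"}   # "monitor": record alerts only; "block": also raise
ALERTS = []                  # what a real sensor would forward to the SIEM/XDR
_REQUEST = {"route": None, "tainted": {}}   # per-request source tracking (single-threaded toy)

class BlockedRequest(Exception):
    """Raised by the sensor to interrupt the request before the sink executes."""

def mark_request(route, params):
    """Record every request parameter as untrusted, keyed by where it came from."""
    _REQUEST["route"] = route
    _REQUEST["tainted"] = {f"param:{k}": v for k, v in params.items()}

def _raise_alert(rule, sink, source, evidence):
    """Build an alert with execution context (route, sink, source, calling code)."""
    caller = inspect.currentframe().f_back.f_back   # application frame that called the sink
    alert = {"rule": rule, "route": _REQUEST["route"], "sink": sink, "source": source,
             "evidence": evidence, "caller": f"{caller.f_code.co_name}:{caller.f_lineno}",
             "action": POLICY["mode"]}
    ALERTS.append(alert)
    if POLICY["mode"] == "block":
        raise BlockedRequest(alert)

_SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")   # string literal | word | punctuation

def spans_multiple_tokens(sql, value):
    """True if some occurrence of `value` in `sql` is not contained in a single
    token, i.e. the untrusted value contributed query syntax rather than data.
    (Deliberately simple; a real sensor compares the full query structure.)"""
    spans = [(m.start(), m.end()) for m in _SQL_TOKEN.finditer(sql)]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e in spans):
            return True
        start = sql.find(value, start + 1)
    return False

# Constructed application state: an in-memory database and a document root.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
_DOCROOT = os.path.realpath(tempfile.mkdtemp())
with open(os.path.join(_DOCROOT, "public.txt"), "w") as fh:
    fh.write("hello")

def execute_sql(sql):
    """Instrumented SQL sink: examine the final query text, then run it."""
    for source, value in _REQUEST["tainted"].items():
        if len(value) > 1 and spans_multiple_tokens(sql, value):
            _raise_alert("sql-injection", "sqlite3.execute", source, sql)
    return _DB.execute(sql).fetchall()

def open_document(name):
    """Instrumented file sink: judge the resolved path the application actually
    opens, after the application's own decoding of the request value."""
    path = os.path.realpath(os.path.join(_DOCROOT, name))
    if not path.startswith(_DOCROOT + os.sep):
        source = next((s for s, v in _REQUEST["tainted"].items()
                       if v and unquote(v) in name), "unattributed")
        _raise_alert("path-traversal", "open", source, path)
    with open(path) as doc:
        return doc.read()

def handle_request(route, params):
    """Tiny router standing in for the web framework; returns a response dict."""
    mark_request(route, params)
    try:
        if route == "/users":
            # Deliberately unsafe string-built query: the weakness the sensor compensates for.
            sql = "SELECT id FROM users WHERE name = '" + params["name"] + "'"
            return {"status": 200, "body": execute_sql(sql)}
        if route == "/files":
            return {"status": 200, "body": open_document(unquote(params["name"]))}
        return {"status": 404, "body": None}
    except BlockedRequest:
        return {"status": 403, "body": "blocked by runtime policy"}

if __name__ == "__main__":
    print(handle_request("/users", {"name": "alice"}))                  # normal traffic passes
    print(handle_request("/users", {"name": "' OR '1'='1"}))            # stopped at the sink
    print(handle_request("/files", {"name": "..%2F..%2Fetc%2Fpasswd"}))  # stopped at the sink
    for alert in ALERTS:
        print(alert)
```

The SQL sink judges the query text the application actually hands to the database, after the application’s own decoding and string building, so the decision does not depend on matching a pattern in the raw request. Switching the mode to “monitor” shows the other half of the policy: the same alert is recorded, with its execution context, but the query runs and returns every row.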
When a SOC analyst receives a security alert, the real work begins. Typically, analysts use Security Information and Event Management (SIEM), Extended Detection and Response (XDR) and Security Orchestration, Automation and Response (SOAR) platforms to triage and investigate alerts, so that the incident is well understood and a response can be planned and executed to mitigate the threat. ADR gives analysts execution context from deep within the application, helping them pinpoint and understand application-layer attacks more quickly.
ADR also provides analysts with playbooks that guide them through containment and remediation. The context and guidance ADR provides not only helps analysts respond quickly and efficiently, it also helps developers and AppSec teams fix the underlying application vulnerabilities with less hassle.
Security operations centers (SOCs) often have a number of tools in place to protect their environments and infrastructure. However, these other solutions typically lack adequate coverage for applications and APIs.
Many organizations deploy Web Application Firewalls (WAFs) to protect applications in production. WAFs protect against common web attacks such as distributed denial of service (DDoS) attacks and certain cross-site scripting (XSS) attacks. They also reduce the load on application servers by dropping the traffic of simple, common web application attacks before it reaches the application.
However, WAFs rely on static signatures or known patterns to identify threats, two methods that sophisticated attackers can evade, for example by encoding or restructuring a payload so that it no longer matches the signature. WAFs also generate a high number of false positives and alerts that are not clearly actionable.
In comparison, Contrast ADR provides deep visibility into the application layer, allowing you to detect and block attacks at their source, before they can cause damage or spread through your environment. ADR is designed to minimize false positives and provide actionable insights, so you can focus on the most critical threats.
As its name suggests, Endpoint Detection and Response (EDR) monitors and protects endpoints (desktops, laptops and servers). EDR detects suspicious activity and investigates incidents at the operating-system and network level, and it provides response capabilities to contain and remediate threats at the operating-system level.
With EDR alone, SOC teams typically have no way to know whether code inside the application is being manipulated, and EDR can miss attacks that occur entirely within the application layer. As a result, SOC teams may have to wait until the application has already been compromised, and the attacker’s activity reaches the operating system, before EDR detects the threat.
In comparison, the deep visibility into application behavior and data flows provided by Contrast ADR lets your teams identify anomalies and threats that bypassed traditional security tools. ADR’s real-time detection and response adds a layer of protection against sophisticated attacks to the overall security architecture, so the SOC can finally identify and mitigate application-layer attacks.
Not all ADR solutions function in the same manner. Contrast ADR instruments the application’s own code in-process, while other ADR solutions on the market rely on extended Berkeley Packet Filter (eBPF) technology, which observes the application from the kernel. Here are some of the main pros and cons of each option:
Contrast Security is the world’s leader in Runtime Application Security, embedding code analysis and attack prevention directly into software. Contrast Application Detection and Response (ADR) gives defenders the observability and control they need to detect, respond to and block threats that target custom applications and APIs, delivered in a manner tightly integrated with existing security operations tools and workflows.
Contrast ADR is built on the Contrast Runtime Security Platform, which enables developers, AppSec teams and SecOps teams to better protect and defend their applications against an ever-evolving threat landscape. Contrast’s patented security instrumentation delivers integrated security observability: accurate assessment and continuous protection across an entire application portfolio.
To learn more about Contrast ADR, email adr@contrastsecurity.com.