By Lisa Vaas, Senior Content Marketing Manager, Contrast Security
August 26, 2024
Gazing into your security operations center (SOC) platform, what do you see?
It depends where you look. If you look at network traffic, your network detection and response (NDR) solution might spot data exfiltration, for example. How are those employee laptops? Your endpoint detection and response (EDR) solution shows it quarantined malware on George’s laptop (again).
Now look over at your application layer — your applications and application programming interfaces (APIs). Can you see what’s happening inside those apps?
The answer is likely “No.” You have extremely limited visibility. You see fog. You can’t squint hard enough to make out what attacks are happening.
“Unfortunately, the application layer is where a lot of the risk is,” according to Jeff Williams, Contrast Security founder and chief technology officer (CTO). “You know, you and I both trust everything that's valuable in our lives to software: finances, healthcare, elections, government, defense, everything. But we're really not doing very much to protect them.”
In a video interview with Information Security Media Group (ISMG) at Black Hat 2024, Williams explained the gap in cybersecurity visibility that’s causing app layer obscurity: “It is an application economy for sure, and there's a real gap,” he said. “Organizations have endpoint detection and response (EDR) products to protect endpoints, and cloud detection and response (CDR) to protect their clouds, but there's no application detection and response (ADR).”
The obscurity surrounding app behavior is why Contrast Security announced Application Detection and Response (ADR) at Black Hat 2024. ADR throws open the window into app/API behavior, shedding light onto what has been, up until now, invisible to the SOC.
Beyond providing pure visibility so security operations center (SOC) analysts can finally see what's happening in the app layer, ADR enables them to respond by blocking attacks.
Five takeaways on ADR’s paradigm-shifting new technology, from Williams’ discussion with ISMG:
Security teams have long relied on tools like EDR and NDR to monitor their IT infrastructure. These tools, however, often lack the ability to peer into the application layer, where much of the valuable data resides and where many critical vulnerabilities exist. Attackers are increasingly targeting these application-layer vulnerabilities to gain unauthorized access, steal data or disrupt operations.
“Security operations really don’t have very good visibility into the application layer,” Williams explained. “They see the endpoints, they see networks and infrastructure, cloud, but they don't really see much about what's happening inside applications” — the layer in which much of the risk resides.
ADR fills this gap by providing deep visibility into the application layer. ADR instruments the running application, which allows the technology to monitor and analyze the app’s behavior in real time, detecting and responding to otherwise invisible attacks.
Just as applications have evolved, so too have application attacks. Core, long-established vulnerabilities such as SQL injection persist, while attackers have refined their techniques to also target modern applications that are based on complex architectures — i.e., those that include APIs and microservices. One example: attackers are trying Java Naming and Directory Interface (JNDI) injection (the underlying attack involved in Log4Shell attacks) on all your systems, as well as on your custom code.
“[Application attacks have] evolved as applications have evolved,” Williams told ISMG. While the underlying vulnerabilities are fairly similar — unsafe deserialization, for example — “now they're in APIs, or … in more complex applications that have multiple tiers and back ends and so on.”
Williams stressed that detection today requires instrumenting the whole running application.
Attackers aren’t stupid; they’ve figured out how complex apps have become, and they’ve adapted to the situation. “Now, they’re sending complex attacks into APIs and complex attack surfaces that you can't really see with a web application firewall [WAF] and exploiting applications where you see gaps in detection and response,” Williams went on.
It’s difficult to understand the behavior and potential vulnerabilities of today’s complex applications, which often have multiple tiers and backends. Attackers exploit that complexity, launching sophisticated attacks that bypass traditional security measures. ADR's ability to instrument and monitor the running application gives it the edge in detecting and responding to these evolving attack methods.
Gaining visibility into app/API behavior — which many organizations lack — is only the first step. Once you understand what's happening, then you can respond to it. That’s why blocking attacks is part of ADR.
“As part of ADR, we block attacks as well,” Williams said. “It's not just detection, it's detection and response to help stop some of those attacks.” In fact, observability and detection are only two out of this list of features:
ADR delivers multiple key benefits. Like other XDR-type tools, ADR generates telemetry about events and incidents happening within applications and can send it to a security information and event management (SIEM) solution via Syslog or other mechanisms. Contrast has integrations with SIEMs such as Splunk, which has a plug-in that makes ADR data part of the XDR ecosystem. The same telemetry can also be fed into cloud-native application protection platforms (CNAPPs) and other systems.
Williams said that data about incidents — as in, real incidents, not just a blizzard of false positives or false negatives that waste analysts’ time — is probably the highest-value benefit customers will see: “Lots of tools can generate tons of events, like, ‘All this stuff happened,’ but most of it is sort of ‘Who cares?’ We want to get people focused on real incidents that demand immediate response,” Williams continued. ADR is unlike a WAF, which is triggered by anything that looks like an attack. Dealing with all the false alarms is “way too much,” Williams contended. “The real difference with ADR … is you don't have to see all these possible attacks.”
ADR only reports attacks that reach the vulnerabilities they were targeting: for example, if a SQL injection attack doesn't reach a SQL query, “it doesn't really matter,” Williams stressed. “We're trying to focus on that 1% that really matter.”
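The distinction above (an input counts as an incident only when it reaches the query it was aimed at, rather than whenever it looks like an attack) and the earlier point about instrumenting the running application are illustrated by the following added example. It is toy code written for this article, not Contrast's ADR or any product's implementation: the three routes, the in-memory users table, the sample payload and the vendor/product names in the CEF line are all constructed, and the `SinkMonitor` hook, the `query_shape` comparison and the CEF serializer are illustrative mechanisms chosen for the example.

```python
"""Added example (not Contrast's code): request-level pattern matching vs.
sink-level instrumentation. A WAF-style rule fires on any request whose
payload looks like an attack; the instrumentation hook fires only when
untrusted input reaches the SQL sink and changes the query's structure,
then formats that incident as a CEF line of the kind a syslog forwarder
would carry to a SIEM. Routes, table, payload and vendor/product names
are constructed for this example."""
import re
import sqlite3
from dataclasses import dataclass, field

ATTACK = "' OR '1'='1"   # constructed sample payload

# Request-level signature, the kind of rule a WAF evaluates before the app runs.
WAF_SIGNATURE = re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)

# Minimal SQL tokenizer: string literals, words/numbers, single punctuation marks.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


def query_shape(sql: str) -> list:
    """Token sequence with literal values collapsed, so queries that differ
    only in data have the same shape and queries that differ in code do not."""
    return ["LIT" if t.startswith("'") or t.isdigit() else t.upper()
            for t in SQL_TOKEN.findall(sql)]


def input_changed_query(sql: str, untrusted: str) -> bool:
    """True when the untrusted text is embedded in the SQL string and its
    presence alters the query structure, i.e. it reached the sink as code."""
    if untrusted not in sql:
        return False  # e.g. passed as a bound parameter, never part of the text
    return query_shape(sql) != query_shape(sql.replace(untrusted, "x"))


@dataclass
class Incident:
    route: str
    payload: str
    sql: str


def to_cef(inc: Incident) -> str:
    """CEF-formatted line for a syslog forwarder (vendor/product are placeholders)."""
    def esc(s: str) -> str:  # CEF extension values escape backslash and equals
        return s.replace("\\", "\\\\").replace("=", "\\=")
    return ("CEF:0|ExampleVendor|ExampleADR|1.0|SQLI|SQL injection reached query|9|"
            f"request={esc(inc.route)} msg={esc(inc.payload)}")


@dataclass
class SinkMonitor:
    """Hypothetical instrumentation hook wrapped around the database sink."""
    incidents: list = field(default_factory=list)

    def execute(self, cursor, route, sql, params=(), untrusted=()):
        for value in untrusted:
            if input_changed_query(sql, value):
                self.incidents.append(Incident(route, value, sql))
                return None  # response: refuse to run the altered query
        return cursor.execute(sql, params).fetchall()


def waf_alerts(payload: str) -> bool:
    return bool(WAF_SIGNATURE.search(payload))


# Three constructed routes; only the first concatenates input into SQL text.
def legacy_search(monitor, cursor, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return monitor.execute(cursor, "/legacy-search", sql, untrusted=[name])


def search(monitor, cursor, name):
    sql = "SELECT name FROM users WHERE name = ?"
    return monitor.execute(cursor, "/search", sql, params=(name,), untrusted=[name])


def feedback(notes, text):
    notes.append(text)  # stored in memory; never reaches a database
    return len(notes)


def simulate(payload: str) -> dict:
    """Send one payload to all three routes; report what each detector saw."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (name TEXT)")
    cur.execute("INSERT INTO users VALUES ('alice')")
    monitor, notes = SinkMonitor(), []
    # The WAF inspects the same request payload on every route.
    waf_hits = sum(waf_alerts(payload) for _ in ("/legacy-search", "/search", "/feedback"))
    legacy_rows = legacy_search(monitor, cur, payload)
    param_rows = search(monitor, cur, payload)
    feedback(notes, payload)
    conn.close()
    return {
        "waf_alerts": waf_hits,
        "adr_incidents": [i.route for i in monitor.incidents],
        "cef_lines": [to_cef(i) for i in monitor.incidents],
        "legacy_rows": legacy_rows,
        "param_rows": param_rows,
    }


if __name__ == "__main__":
    for sample in (ATTACK, "alice"):
        print(sample, "->", simulate(sample))
```

With the sample payload the WAF-style rule raises three alerts, one per route, while the sink hook raises a single incident for the route that builds its query by concatenation; the parameterized route and the route that never touches the database produce nothing, which is the "only the attacks that reach the vulnerability" behaviour the text describes. Real products make that decision with richer taint tracking than a substring-and-shape comparison, but the placement of the check at the sink rather than at the request boundary is the point.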
Other benefits:
ADR generates what Contrast calls a security blueprint of every application. These blueprints show these things, Williams said:
A blueprint makes it far easier to secure the app layer. As Williams pointed out, you wouldn't try to do anything else in life without a blueprint. “You wouldn't build a house without a blueprint. It's fundamental to what we do,” he said.
On top of that blueprint, ADR’s behavioral analysis analyzes how routes behave in production, spotting anomalies. “We can see attacks very clearly because they're doing things that they shouldn't,” Williams said. “Things that should never happen in a running application.”
As threats evolve, ADR's role in cybersecurity will only grow. Integration with other security tools such as Splunk will provide a more holistic security view, as ADR detects unwanted behavior and reports it to your XDR or SIEM platform, giving back control over something that has been largely invisible.
ADR is a significant advancement in cybersecurity. It empowers organizations to detect and respond to attacks that would otherwise remain hidden, closing a critical gap in application visibility. As the threat landscape evolves, ADR is poised to become an indispensable tool for protecting critical web applications and the sensitive data they hold.
Are you ready to close the visibility gap and find out what your apps and APIs are really up to? Get in touch for a demo. Also, check out Williams’ white paper for a deep dive on ADR.
Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.