SECURITY INFLUENCERS BLOG

Security influencers provide real-world insight and “in-the-trenches” experiences on topics ranging from application security to DevOps and risk management

START FREE TRIAL

Getting Left of Boom: Using FireEye and Contrast Together

Left_of_Boom

The term "Left of Boom" is a military term used to describe the time before the explosion of an improvised explosive device (IED), aka a roadside bomb. Made popular by Pulitzer-Prize winning author Rick Atkinson, the military term left of boom can explain where focusing our cybersecurity efforts can maximize limited budgets and under-staffed security teams. After all, the sooner you find insecure code in the software development life cycle, the less time and money you throw down the proverbial rabbit hole playing catch up with the latest vulnerability and zero-day attack.

Let's be honest here. Sometimes when it comes to going boom, we just don't know that a boom has happened. It took 18 days for Target to fix its breach that claimed the jobs of their Chief Information Officer and CEO. Craft retailer Michael's was under an attack for nine months before they realized it, and it took a month after the breach announcement to fix the problem. Even credit card skimmers at gas stations have a period of time where the enterprise simply doesn't realize they are under attack. That's why it's useful to have your security puzzle pieces working in a coordinated effort.


2014_Verizon_Data_Breach_Incident_Report_95_Country_map

Verizon's 2014 Data Breach Investigations Report concluded that 92% of analyzed incidents could be described by nine basic patterns, namely: cyber-espionage, DOS attacks, crimeware, web application attacks, insider misuse, miscellaneous errors, physical theft and loss, and payment card skimmers. And after studying 1,367 data breaches and 63,437 security incidents in 95 countries they came to the conclusion that, basically, everyone is vulnerable. That's where FireEye and Contrast come into play.

Every organization needs defenses against malware and application attacks. But these are two very different animals.  Let's start with malware...

MALWARE
Malware targets typical products, like Adobe Reader, Windows, Mac OS, Microsoft Office, and all the rest. Phishing, attachments, and malicious links are still threats even after a decade of information security training. The reason they work is that everyone uses roughly the same products in their enterprise.

So FireEye created a hypothetical detonation chamber to test if something is malicious, and if it is, they alert you to it so you know. As we sound the death knell for "signature" based security, this new approach for malware seems to be promising.  But unfortunately, it provides zero protection for *custom* applications -- the ones that you code yourself -- because they can't know what an attack looks like or how to detonate it.

APPLICATION ATTACKS
So what can we do about attacks on your custom applications? FireEye can't help here because the attack is custom to your application code. The DBIR found that these attacks are the most common cause for breaches, so defending this aspect of your enterprise is critical. And the best way to p
rotect your applications is to make sure that the code behind your application is as secure as it can be.

Recent advances in the software development life cycle means more code is getting committed at a faster rate. Agile and DevOps have cultivated and reapportioned buzzwords like scrum to advance their methods in timely, well-organized fashion. Because perfect is the enemy of good, moving quickly through build cycles can produce large amounts of code, and software development advances forward as a result. This is a good thing, but it comes at a cost: security.

Are you using out-of-date libraries? Do you have XSS errors lurking in your code? Do you have input validation issues? Are there authentication issues? Knowing these things is the first step to protecting yourself by fixing the vulnerable issues in the code. Once you know about vulnerabilities, you can fix them. Contrast Assess is an interactive application security testing (IAST) tool that shows you your application vulnerabilities. It helps you get and stay secure.

The bottom line: different tools specialize in different areas, and if you get the right tools in the right places, they can act as a bulwark
against intruders and attackers. 

If you can prevent attackers from exploiting vulnerabilities by writing secure code the first time around, you won't have to worry about application attacks. Detecting, triaging, and fixing vulnerabilities in custom web applications and web services is what Contrast excels at.  And because Contrast Assess runs in real time and can easily scale to your entire application portfolio, you won't have constant bottlenecks in your development process.

Having FireEye in place to stop malware and Contrast to defend your applications won't solve all of your security puzzles, but will cover a substantial portion of your enterprise attack surface.

So how do you define security success? Ted Schlein encourages this definition of success, "I have been in the security business for three decades and it only gets worse...I don't think it is a battle you win. You hope to get to a draw, so [attackers] move on to somewhere else." We think it's a success if you have strong defenses in place for your biggest security risks that are effective, affordable, and manageable. That should be enough to drive attackers elsewhere.

 

About FireEye:
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,200 customers across more than 60 countries, including over 130 of the Fortune 500.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

SUBSCRIBE TO THE BLOG