As the demands of both modern applications and complex threat landscapes have continued to increase, many organizations have been forced to adopt an ever-growing list of new, specialized security tools in an attempt to keep pace. This often includes a mixture of WAFs, anti-bot tools, DDoS prevention, behavioral and analytics tools, intelligence feeds, and more. However, a fractured approach to security is rarely effective and almost never efficient.
For security teams, this has translated into being inundated with alerts and data from multiple security tools, in addition to countless hours analyzing and assimilating data, all in order to drive to actionable conclusions. Too often, it feels like the security team works for security products instead of the tools working for the team.
The good news is that AppSec continues to mature and this trend is starting to change. In much the same way that UTMs and Next-Gen firewalls consolidated network security tools, a new breed of application security is emerging that brings a unified approach to AppSec.
To this end, a true AppSec security platform should address the security of an application while also being able to ensure a high-quality experience for end users. Likewise, a platform should address the full gamut of threats facing modern apps - from traditional injection attacks, to malicious bots, attacks against APIs, and the many types of DDoS attacks. And lastly it should be able to do all of the above no matter whether the application is cloud-based, hybrid, mobile, or built on a monolithic or microservice architecture.
ThreatX provides a new AppSec platform that delivers on these requirements and allows organizations to be both more secure and more operationally efficient. We will introduce a few of these topics in this article, but if you are interested in a more in-depth analysis, we recommend reading the paper Implementing a Full Spectrum Approach to AppSec available here.
Ready For All Types of Threats
In the past, it was relatively easy to compartmentalize threats into separate boxes. The WAF addressed OWASP Top 10 threats, anti-bot tools dealt with automated attacks on various login pages, API gateways controlled access to APIs, and DDoS tools fought off volumetric attacks. However, these lines have become increasingly blurred over time.
- Reconnaissance and exploitation are heavily automated and bots are used throughout many phases of attacks.
- APIs face all the same injection attacks and techniques as the web front and variety of newer specialized attacks.
- DDoS attacks can target the application layer and cause serious impact with just a fraction of the traffic of a traditional volumetric attack.
Security teams need to be prepared for all of these threats, and they should expect them to overlap. Using a fractured set of security tools can actually work against the security team by making it harder to see the full context and the relationship between the many techniques and phases of an attack. An integrated approach not only sees all of these threats, but it can bring together these multiple perspectives to deliver something that is greater than the sum of its parts.
To see these many types of threats, a solution will need to bring together many complimentary styles of detection. This can include behavioral profiling of the application, attacker profiling, attacker fingerprinting and tracking, attacker deception, shared intelligence, analytics and much more. Each perspective can excel in certain situations, but more importantly they can all contribute context to a full understanding of a threat.
In some cases this could be done by combining multiple detection models into an overall picture of risk. For example, application profiling could detect anomalous intensity or user behavior on the application, while attacker profiling could identify that a node is a bot and not a real human user. While each detection may not be actionable on their own, the combined perspectives could deliver a high-confidence detection that can be automatically blocked.
Likewise, context can evolve over time. Some detection techniques may specialize in detecting reconnaissance, while others excel in detecting attacks or evasion attempts. Being able to retain the internal context and see the progression of events lets the platform drive too fast, confident conclusions without relying on aggregating logs and data in slow analytics and SIEM tools.
Bringing Together Availability, Performance, and Security
Applications are ultimately all about serving users, and even the most secure application will be doomed to failure if it isn’t reliable or fails to meet the needs of end users. A next-gen AppSec platform can play a major role in ensuring availability and performance, and once again, provide organizations with an opportunity to consolidate and simplify their approach to their applications.
An AppSec platform can play a vital role in accessibility and user experience in two main ways. First, the solution should be able to defend against the many styles of DDoS attacks. Secondly, integrated content delivery network services can optimize the delivery of content and handle spikes in traffic. Combining these capabilities with the many threat detection and prevention capabilities discussed earlier, allows organizations to have a highly coordinated and holistic approach to delivering their applications.
The global footprint of a quality CDN allows organizations to distribute and serve users with content directly from edge servers. This naturally reduces the overall latency for an end user while also taking pressure off of critical origin servers. Likewise, an integrated CDN helps applications adapt to changes in traffic demands such as when rolling out new applications or dealing with sporadic high-load events.
However, in the case of DDoS attacks, those spikes in traffic can be the work of coordinated attackers. DDoS can come in many forms. Large-scale volumetric attacks can attempt to overwhelm the application with connections or bandwidth requests. On the other hand, attacks at the application level may use less traffic but target expensive functions or queries to drag down the performance of the application. Addressing both of these types of DDoS can require different types of intelligence and enforcement in different locations. For example, volumetric attacks might be best addressed in the cloud, while Layer 7 attacks may require behavioral analysis and enforcement at the WAF layer.
This once again brings home the power of bringing critical AppSec functions together in a unified platform. As technology teams we don’t get to know why types of problems are around the corner and where they will arise. We don’t get to know where attackers will attack and what techniques they will use. A unified approach to security and performance ensures that we have the broadest possible context and can adapt to almost any situation with the right technology. Instead of trying to coordinate multiple tools and silos of data, teams can focus on their real goal - delivering safe, reliable experiences for users and the organization. If you would like to learn more about the power and benefits of a unified approach to AppSec, check out our new whitepaper, Implementing a Full Spectrum Approach to AppSec available here.