We recently co-hosted a webinar with SANS Institute, Your Current Approaches to Threat Detection and Neutralization are Broken. During that webcast, experts from ThreatX and SANS addressed the current challenges inherent in protecting your web applications in today's complex hybrid cloud environments, and the common inefficiencies of some legacy WAF approaches.
This discussion sparked various questions, some of which we receive quite often. In case you missed it, we compiled the answers to the mosts frequently asked questions.
1. Outside of an annual PEN test, what is the best way to find vulnerabilities in an application environment?
PEN testing is always a great way to understand the current state of your application environment because it approaches it from the perspective of a hacker. Code reviews and vulnerability scanners are also useful.
While we always recommend security in layers, there are few challenges with the above security measures:
- The vulnerabilities identified can vary greatly based on the expertise of the vendors and the technologies being evaluated.
- The results are a static view of a single point in time. That said, the application environment is always in flux - attack vectors are constantly changing and evolving, and applications are constantly being upgraded and customized. This is especially difficult for companies with multiple legacy technologies that are managed across internal and external teams.
- Due to customizations and variations in the technologies deployed, there are often end points and vulnerabilities that a standard scanner or Pen test agency cannot find.
With a WAF like ThreatX, customers have 100% visibility to all suspicious traffic, and more importantly, to all endpoints being targeted. Our 24/7 Security Operations Center (SOC) proactively investigates suspicious behavior and works with our customer to address the vulnerabilities. This is especially valuable as the SOC sees similar attacks among our customer base and has expertise across virtually any application technology.
2. ThreatX mentions the use of a progressive profiling approach. How does that work? Is it staff intensive?
Nothing kills a security mandate faster than shutting down legitimate traffic (also known as false positives). As a result, we built a model that significantly minimizes false positives. Rather than blocking any suspicious action immediately and triggering a myriad of alerts, the ThreatX solution utilizes a combination of behavioral analysis and machine learning to detect suspicious activity, tag the entity, rank the risk for each action, and monitor the overall attack risk based on malicious intent and progression through the kill chain. This allows us to truly understand how each application should behave and trigger the appropriate response and notifications only for unusual behavior and high-priority threats.
The ThreatX SOC monitors the various boards for all application technologies (Joomla, WordPress, Microsoft, etc.) to keep up on the latest vulnerabilities and to ensure that our solution is properly working to pick up those vulnerabilities. The aforementioned approaches, coupled with our skilled SOC team, offers comprehensive protection that you can't find anywhere else.
3. Do you have any examples of how this solution can decipher suspicious vs. normal behavior from offshore development centers? (i.e. Insider attacks)
We are typically deployed in front of the application and monitor either the APIs or the HTTP traffic that flows to the application. That said, we can and should also be deployed on internal applications and watch for 401's or 403's. This allows us to monitor and detect suspicious behavior or unusual status codes and consistently monitor the top targets on which they occur. Forensically, our solution allows us to also pinpoint the tactics and techniques successful hackers are using and take steps to prevent similar attacks from taking place in the future.
4. How and when are blocking actions initiated with ThreatX? Do customers receive an alert? At what point in the monitoring process is blocking considered? And who makes the ultimate call?
There are multiple configurations within the application. By default, the application blocks an entity when its collective behavior reaches a threat score of 70. Anything above a 70 will block immediately. That said, this configuration can be customized by each customer.
Another default configuration of the solution is we initially block for 30-minutes and then unblock to see if the entity attempts another attack. Doing so allows us to gain further intelligence on the entities themselves. This configuration can also be customized by each customer. We have some customers who will blacklist an entity as soon as they have been blocked once, whereas others are comfortable continuing to gain intelligence on them.
5. Because this solution sits in front of the web applications and essentially acts as a proxy, how does the solution impact page load time?
The typical latencies you might expect are very low for our solution - 10 to 20 milliseconds at most. We are able to accomplish this due to our broad geographic footprint across North America, Europe, and Asia, as well as extensive use of compression and caching techniques. In addition, we offer the ability to deploy an on-prem sensor container, which can be deployed with the application to virtually eliminate latency for high bandwidth/highly-interactive applications.
6. What does the on-boarding process look like for the ThreatX solution? How long does ThreatX need to collect data before intelligent blocking can begin?
Typically, we recommend running a POC to start. Within two weeks, we have plenty of information to begin accurate blocking. During the POC the system will run in analytics mode (non-blocking), which will allow our customers to see how the ThreatX solution scores, monitors and ranks the various entities and attacks.
At the end of a two-week POC, we conduct a technical debrief with our customers to discuss this, down to the specific entities that would be blocked, behavior patterns we're seeing and other application vulnerabilities. It is at this point that most customers will switch into blocking mode.
7. How is ThreatX differentiated from solutions like Incapsula or Qualys?
These solutions are what we often refer to as "legacy" solutions. The majority of legacy solutions utilize a static rule or signature based approach. While they are great solutions for what they do, they only cover about 70% of exposed. This is primarily because static signatures are not flexible - they cannot change with differing behavior patterns. As a result, companies are forced to manual monitor application behavior and whitelist a fair number of the signatures just to reduce the number of false positives.
ThreatX, on the other hand, builds out dynamic behavior profiles for each application that then dictates the escalating and blocking actions. The system learns over time and is anything but static. We not only have the ability to detect the same behaviors that these legacy solutions pick up via signatures, but we do so intelligently and supplement the attack data with information about the techniques and targets that hackers are drawn to. This enables our customers to go beyond simply blocking the same attacks over and over, but to adapt their application environment to lower their risk profile.