1 IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY How runtime application security monitoring helps enterprises make smarter decisions on remediation
2 2 ABSTRACT Enterprises today rely on applications to run their businesses as never before. The security of those applications has never been more paramount. Consequently, major investments have been made in developing and implementing application vulnerability management programs. There is a lot of pressure on both the Builders those developing applications and features and the Defenders those in charge of ensuring application security. Business needs more features and more applications quickly. The use of agile development methodologies with fast release cycles makes it extremely difficult to scan all applications and remediate all vulnerabilities prior to release. This issue is compounded by the challenges of securing resources to remediate backlogs of vulnerabilities in legacy applications. The gap between vulnerable applications in production and secure, remediated applications introduces a vulnerable zone that leaves enterprises exposed. This paper will: Identify and examine the vulnerable zone Outline how vulnerability management programs are not in themselves capable of determining an enterprise s exposure to application threats Describe how vulnerability management programs, while valuable, are incapable, on their own, of determining enterprise exposure from applications Introduce a new monitoring technology that provides real-time application threat intelligence Discuss the actions that can be taken based on this intelligence to make existing security infrastructure and vulnerability management programs more effective
3 3 THE VULNERABLE ZONE For enterprise application development teams also known as the Builders the pressure is on to release early and release often to keep up with the reality of modern business means that. Agile development methodologies have become the norm in most industries and anything that slows down the release of new features and new applications is considered a major negative. Application releases have almost become a continuous process. This poses a problem for the information security teams the Defenders. Vulnerability management programs will typically use a combination of Static (SAST) and Dynamic (DAST) testing together with penetration testing, and often yield long lists of identified vulnerabilities. These programs are essentially sequential by nature and, the faster that applications are released, the more often they have to be scanned. Most importantly, Builder resources are required to complete remediation and, once again, the faster the release cycle the greater the lag to remediated code. Of course, ideally all of this would happen before the application goes to production but in many cases the pressure to deliver new features and applications results in a production release with un-scanned applications or with un-remediated vulnerabilities.
4 4 The gap that is introduced between released, un-remediated applications in production and those with all of identified vulnerabilities fully addressed can be characterized as the Vulnerable Zone. For larger enterprises with lots of applications, particularly those with a significant number of known-to-be-vulnerable legacy applications, the vulnerable zone can have a major impact on an enterprise s risk profile. Today, because there is simply no visibility into what attacks are actually hitting these applications when they are running in production, it is impossible to determine the true, actual impact of each vulnerability on the enterprise. This leaves security and application development executives with some serious questions to answer: Are the vulnerabilities actually being exploited? If the application was remediated, did the developers succeed in plugging all the holes? Did the application security testing tools and penetration testers find all the vulnerabilities in the application? How will I know if there is a zero day that my testing tools and penetration testers don t know about? Which applications should I prioritize for remediation? Proper application security monitoring should be able to provide the necessary intelligence to support answering all of these questions.
5 5 INTRODUCING APPLICATION SECURITY The concept of application performance monitoring (APM) using technologies from vendors such as New Relic and AppDynamics is well understood. What if it was possible to use the same monitoring approach -- not for application performance, but for application security attacks? Prevoty Application Security Monitoring (ASM) is a new capability designed to give enterprises: The ability to determine which applications are actually under attack in order to manage risk and prioritize remediation efforts and increase effectiveness of vulnerability management programs Accurate intelligence to enable an instant, effective response by proactively blocking IP addresses of bad actors without the risk of false positives Detailed information on all database queries issued by specific applications, allowing for detailed audit trails and supporting root cause analysis for data breaches An easy upgrade to runtime application self-protection (RASP) in order to automatically neutralize the identified attacks
6 6 Without requiring any changes to the application, plug-ins enable Prevoty to run inside the application itself. Prevoty-enabled applications are able to deliver unparalleled insights into what is happening in the application from a security perspective, including the Four W s of an attack: WHO IDENTIFY THE ORIGIN OF THE THREAT Includes IP address, session information (including User ID if available), cookie detail WHAT PROVIDE DETAILS OF THE NATURE OF THE THREAT Contents of the payload, payload intelligence WHERE WHERE THE EXPLOIT HAPPENED IN YOUR APPLICATIONS URL for web applications, stack trace for SQL queries WHEN WHEN DID THE ATTACK TAKE PLACE Timestamp (down to the nanosecond)
7 7 This intelligence is available in real-time for consumption by SIEM s such as Splunk, ArcSight, QRadar, etc. and can be used as a definitive source of information for root cause analysis (RCA).
8 8 HOW IT WORKS At a conceptual level, Prevoty ASM works as follows: Analyze Alert Plug-Ins Applications are instrumented to call the security engine via Plug-ins (no coding required) 2 At runtime, the application automatically sends payloads to the security engine via the Prevoty API 3 The security engine analyzes the incoming payload and determines whether it is malicious. The analysis is effected with no dependence on signatures, definitions or pattern matching 4 If the payload is malicious, alerts are issued to the Prevoty console plus any logs and SIEM s configured. Detailed information on who / what / where / when of the attack is included
9 9 MANAGING THE VULNERABLE ZONE Prevoty ASM can help answer the questions raised around improving the effectiveness of an enterprise vulnerability management program Are the vulnerabilities actually being exploited? Prevoty ASM accurately identifies those applications that are under attack and those that are not If the application was remediated, did the developers succeed in plugging all the holes? Prevoty ASM accurately identifies any exploited vulnerability by detailing the URL for web applications and a full stack trace for SQL injections Did the application security testing tools and penetration testers find all the vulnerabilities in the application? Any incident reported by Prevoty ASM is an actual exploit of a vulnerability, whether this was a known vulnerability or not Which applications should I prioritize for remediation? Knowing which applications are actually under attack is a great start. Evaluating risk based on the business-criticality of the application and the data it accesses allows for better decision-making With Prevoty ASM s application monitoring capabilities in place, it s simple and easy to upgrade services to add real-time application protection. Prevoty provides a scalable means to dramatically reduce vulnerability backlogs in legacy applications. It also gives Builders and Defenders the time to remediate the most critical applications on their own schedule without leaving the applications exposed.
10 10 SUMMARY The demands of modern business and its impact on application release cycles means that most enterprise are continuously dealing with a vulnerable zone. Builders and Defenders both want the same thing: to be able to continuously release secure applications. But it s not easy without visibility into what is actually happening to the production application portfolio. Prevoty s application security monitoring capability can identify the applications that are actually under attack, the nature of those attacks, where they originated from, and -- most important from a remediation standpoint -- the weak points in the applications that are being exploited. Using this intelligence to determine both the efficacy of vulnerability management programs and prioritize remediation efforts helps Builders and Defenders work more effectively together. A basic version Prevoty ASM is available as a cloud service free of charge. For details, to request access to the service, see a live demo, or simply get more information, please visit. PREVOTY: SECURE THE HEART OF YOUR BUSINESS
1 Cisco: Addressing the Full Attack Continuum A New Security Model for Before, During, and After an Attack 2 3 9 12 Issue 1 Welcome Addressing the Full Attack Continuum: A New Security Model for Before,
Continuous Cyber Situational Awareness Continuous monitoring of security controls and comprehensive cyber situational awareness represent the building blocks of proactive network security. A publication
White Paper Addressing the Full Attack Continuum: Before, During, and After an Attack It s Time for a New Security Model Today s threat landscape is nothing like that of just 10 years ago. Simple attacks
Enterprise Anti-Virus Protection APRIL - JUNE 2014 Dennis Technology Labs www.dennistechnologylabs.com Follow @DennisTechLabs on Twitter.com This report aims to compare the effectiveness of anti-malware
Symantec Control Compliance Suite Overview Addressing IT Risk and Compliance Challenges Only 1 in 8 best performing organizations feel their Information Security teams can effectively influence business
Web Scale IT in the Enterprise It all starts with the data Issue 1 2 Q&A With Claus Moldt, Former Global CIO for SalesForce.com and David Roth, CEO of AppFirst 6 From the Gartner Files: Building a Modern
Problem Management Contents Introduction Overview Goal of Problem Management Components of Problem Management Challenges to Effective Problem Management Difference between Problem and Incident Management
theguard! SmartChange Intelligent SAP change management think big, change SMART! theguard! SmartChange theguard! SmartChange takes an intelligent SAP change management approach. It provides maximum automation,
April 2013 Operational Intelligence: What It Is and Why You Need It Now Sponsored by Splunk Contents Introduction 1 What Is Operational Intelligence? 1 Trends Driving the Need for Operational Intelligence
white paper Public or Private Cloud: The Choice is Yours Current Cloudy Situation Facing Businesses There is no debate that most businesses are adopting cloud services at a rapid pace. In fact, a recent
Data protection Protecting personal data in online services: learning from the mistakes of others May 2014 Contents Introduction... 2 What the DPA says... 4 Software security updates... 5 Software security
10 Things Your Next Firewall Must Do Introduction Without question, your network is more complex than ever before. Your employees are accessing any application they want, using work or personal devices.
Is Connectivity A Human Right? For almost ten years, Facebook has been on a mission to make the world more open and connected. For us, that means the entire world not just the richest, most developed countries.
MOBILE FIRST ENTERPRISE 1 White Paper Mobile-first Enterprise: Easing the IT Burden 10 Requirements for Optimizing Your Network for Mobility 2 MOBILE FIRST ENTERPRISE Table of Contents Executive Summary
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
On Designing and Deploying Internet-Scale Services James Hamilton Windows Live Services Platform ABSTRACT The system-to-administrator ratio is commonly used as a rough metric to understand administrative
Problem: You ve been hacked! Now what? Solution: Proactive, automated incident response from inside the network Things To Do After You ve Been Hacked Tube web share It only takes one click to compromise
A Trend Micro Research Paper Suggestions to Help Companies with the Fight Against Targeted Attacks Jim Gogolinski Forward-Looking Threat Research Team Contents Introduction...3 Targeted Attacks...4 Defining
lights-out testing for end-to-end business process validation Contents Executive Summary...3 The Evolution of Testing...3 Lights-Out Testing Defined...4 Why Don t You Have It Already?...5 How Do You Get
SAP Solution in Detail SAP Solutions for Small Businesses and Midsize Companies SAP Crystal Solutions The Clear Path to Business Intelligence Table of Contents 3 Quick Facts 4 Optimize Decisions with SAP
Plug Into The Cloud with Oracle Database 12c ORACLE WHITE PAPER DECEMBER 2014 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,
A Websense White Paper ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS: THREAT ANALYSIS AND DEFENSE STRATEGIES FOR SMB, MID-SIZE, AND ENTERPRISE ORGANIZATIONS REV 2 ADVANCED PERSISTENT THREATS AND
White paper The future of Service Desks - vision Service Desks require strategic consideration and innovation to raise user productivity and to support business goals. Fujitsu has the experience and feedback
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
An Oracle White Paper June, 2013 Enterprise Manager 12c Cloud Control Executive Overview... 2 Introduction... 2 Business Application Performance Monitoring... 3 Business Application... 4 User Experience
Special Publication 800-125 Guide to Security for Full Virtualization Technologies Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Paul Hoffman NIST