IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

Transcription

1 IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY How runtime application security monitoring helps enterprises make smarter decisions on remediation

2 2 ABSTRACT Enterprises today rely on applications to run their businesses as never before. The security of those applications has never been more paramount. Consequently, major investments have been made in developing and implementing application vulnerability management programs. There is a lot of pressure on both the Builders those developing applications and features and the Defenders those in charge of ensuring application security. Business needs more features and more applications quickly. The use of agile development methodologies with fast release cycles makes it extremely difficult to scan all applications and remediate all vulnerabilities prior to release. This issue is compounded by the challenges of securing resources to remediate backlogs of vulnerabilities in legacy applications. The gap between vulnerable applications in production and secure, remediated applications introduces a vulnerable zone that leaves enterprises exposed. This paper will: Identify and examine the vulnerable zone Outline how vulnerability management programs are not in themselves capable of determining an enterprise s exposure to application threats Describe how vulnerability management programs, while valuable, are incapable, on their own, of determining enterprise exposure from applications Introduce a new monitoring technology that provides real-time application threat intelligence Discuss the actions that can be taken based on this intelligence to make existing security infrastructure and vulnerability management programs more effective

3 3 THE VULNERABLE ZONE For enterprise application development teams also known as the Builders the pressure is on to release early and release often to keep up with the reality of modern business means that. Agile development methodologies have become the norm in most industries and anything that slows down the release of new features and new applications is considered a major negative. Application releases have almost become a continuous process. This poses a problem for the information security teams the Defenders. Vulnerability management programs will typically use a combination of Static (SAST) and Dynamic (DAST) testing together with penetration testing, and often yield long lists of identified vulnerabilities. These programs are essentially sequential by nature and, the faster that applications are released, the more often they have to be scanned. Most importantly, Builder resources are required to complete remediation and, once again, the faster the release cycle the greater the lag to remediated code. Of course, ideally all of this would happen before the application goes to production but in many cases the pressure to deliver new features and applications results in a production release with un-scanned applications or with un-remediated vulnerabilities.

4 4 The gap that is introduced between released, un-remediated applications in production and those with all of identified vulnerabilities fully addressed can be characterized as the Vulnerable Zone. For larger enterprises with lots of applications, particularly those with a significant number of known-to-be-vulnerable legacy applications, the vulnerable zone can have a major impact on an enterprise s risk profile. Today, because there is simply no visibility into what attacks are actually hitting these applications when they are running in production, it is impossible to determine the true, actual impact of each vulnerability on the enterprise. This leaves security and application development executives with some serious questions to answer: Are the vulnerabilities actually being exploited? If the application was remediated, did the developers succeed in plugging all the holes? Did the application security testing tools and penetration testers find all the vulnerabilities in the application? How will I know if there is a zero day that my testing tools and penetration testers don t know about? Which applications should I prioritize for remediation? Proper application security monitoring should be able to provide the necessary intelligence to support answering all of these questions.

5 5 INTRODUCING APPLICATION SECURITY The concept of application performance monitoring (APM) using technologies from vendors such as New Relic and AppDynamics is well understood. What if it was possible to use the same monitoring approach -- not for application performance, but for application security attacks? Prevoty Application Security Monitoring (ASM) is a new capability designed to give enterprises: The ability to determine which applications are actually under attack in order to manage risk and prioritize remediation efforts and increase effectiveness of vulnerability management programs Accurate intelligence to enable an instant, effective response by proactively blocking IP addresses of bad actors without the risk of false positives Detailed information on all database queries issued by specific applications, allowing for detailed audit trails and supporting root cause analysis for data breaches An easy upgrade to runtime application self-protection (RASP) in order to automatically neutralize the identified attacks

6 6 Without requiring any changes to the application, plug-ins enable Prevoty to run inside the application itself. Prevoty-enabled applications are able to deliver unparalleled insights into what is happening in the application from a security perspective, including the Four W s of an attack: WHO IDENTIFY THE ORIGIN OF THE THREAT Includes IP address, session information (including User ID if available), cookie detail WHAT PROVIDE DETAILS OF THE NATURE OF THE THREAT Contents of the payload, payload intelligence WHERE WHERE THE EXPLOIT HAPPENED IN YOUR APPLICATIONS URL for web applications, stack trace for SQL queries WHEN WHEN DID THE ATTACK TAKE PLACE Timestamp (down to the nanosecond)

7 7 This intelligence is available in real-time for consumption by SIEM s such as Splunk, ArcSight, QRadar, etc. and can be used as a definitive source of information for root cause analysis (RCA).

8 8 HOW IT WORKS At a conceptual level, Prevoty ASM works as follows: Analyze Alert Plug-Ins Applications are instrumented to call the security engine via Plug-ins (no coding required) 2 At runtime, the application automatically sends payloads to the security engine via the Prevoty API 3 The security engine analyzes the incoming payload and determines whether it is malicious. The analysis is effected with no dependence on signatures, definitions or pattern matching 4 If the payload is malicious, alerts are issued to the Prevoty console plus any logs and SIEM s configured. Detailed information on who / what / where / when of the attack is included

9 9 MANAGING THE VULNERABLE ZONE Prevoty ASM can help answer the questions raised around improving the effectiveness of an enterprise vulnerability management program Are the vulnerabilities actually being exploited? Prevoty ASM accurately identifies those applications that are under attack and those that are not If the application was remediated, did the developers succeed in plugging all the holes? Prevoty ASM accurately identifies any exploited vulnerability by detailing the URL for web applications and a full stack trace for SQL injections Did the application security testing tools and penetration testers find all the vulnerabilities in the application? Any incident reported by Prevoty ASM is an actual exploit of a vulnerability, whether this was a known vulnerability or not Which applications should I prioritize for remediation? Knowing which applications are actually under attack is a great start. Evaluating risk based on the business-criticality of the application and the data it accesses allows for better decision-making With Prevoty ASM s application monitoring capabilities in place, it s simple and easy to upgrade services to add real-time application protection. Prevoty provides a scalable means to dramatically reduce vulnerability backlogs in legacy applications. It also gives Builders and Defenders the time to remediate the most critical applications on their own schedule without leaving the applications exposed.

10 10 SUMMARY The demands of modern business and its impact on application release cycles means that most enterprise are continuously dealing with a vulnerable zone. Builders and Defenders both want the same thing: to be able to continuously release secure applications. But it s not easy without visibility into what is actually happening to the production application portfolio. Prevoty s application security monitoring capability can identify the applications that are actually under attack, the nature of those attacks, where they originated from, and -- most important from a remediation standpoint -- the weak points in the applications that are being exploited. Using this intelligence to determine both the efficacy of vulnerability management programs and prioritize remediation efforts helps Builders and Defenders work more effectively together. A basic version Prevoty ASM is available as a cloud service free of charge. For details, to request access to the service, see a live demo, or simply get more information, please visit. PREVOTY: SECURE THE HEART OF YOUR BUSINESS