THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

Transcription

1 THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE How application threat intelligence can make existing enterprise security infrastructures smarter

2 THE BLIND SPOT IN THREAT INTELLIGENCE 2 ABSTRACT Search the web for a definition of threat intelligence and you ll find many different sources providing their own takes on what it means. Interestingly, as of the writing of this paper, the term does not yet have its own Wikipedia page. While perceptions on its definition may differ, there is no question that threat intelligence is one of the most important areas of security investment for enterprises. Thanks to the growth in cybersecurity attacks and increased exposure at the Board level due to high-profile hacks, it has never been more important to know the true status of your defenses. Still, there is a major blind spot in threat intelligence today. Enterprises have no visibility into what is actually happening with their applications in production. Analysis of network traffic does not provide any clues as to what the application will do with the data when it executes. Because of this lack of context, security operations teams either get no application data at all, or are flooded with false positives. Alarmingly, many successful attacks go undetected. This paper will: Introduce a coherent definition of the term threat intelligence Outline how a lack of application threat intelligence can hurt an enterprise Introduce a new monitoring technology that provides real-time application threat intelligence Discuss the actions that can be taken based on this intelligence to make existing security infrastructure more effective

3 THE BLIND SPOT IN THREAT INTELLIGENCE 3 APPLICATION THREAT INTELLIGENCE In an article entitled: Putting IT in Perspective: Threat Intelligence, Aberdeen Group VP and Research Fellow Derek Brink outlines four noteworthy attributes of threat intelligence: It comes from a qualified, trusted third-party source It provides insight into an active campaign, not just notice of a known threat, a known vulnerability, or a known compromise It provides the means to draw relevant insights into risk, in terms of both likelihood and business impact, for the specific context of our own organization It (often) includes options for additional help For the purposes of this paper, we will examine information security threat intelligence through this lens. Based on this definition, existing technologies provide intelligence in many threat areas, and major progress has been made in important disciplines such as endpoint threat detection, user behavior analytics (UBA), APT detection, phishing prevention, post-breach detection and the use of advanced deception techniques to identify active threats.

4 THE BLIND SPOT IN THREAT INTELLIGENCE 4 BUT WHAT ABOUT APPLICATIONS? Applications have become the number one attack vector for hackers, and the databases they use store the information that hackers value most. Yet there is scant, if any, intelligence available about what attacks are actually being seen when applications are in production. Dangerous application security threats such as cross-site scripting (XSS) and SQL injection (SQLi) are well understood. However, the inability to detect them in production applications is a major security blind spot.

5 THE BLIND SPOT IN THREAT INTELLIGENCE 5 INTRODUCING APPLICATION SECURITY MONITORING The concept of application performance monitoring (APM) using technologies from vendors such as New Relic and AppDynamics is well understood. What if it was possible to use the same monitoring approach -- not for application performance, but for security threats? Prevoty Application Security Monitoring (ASM) is a new capability that has been designed to give enterprises: The ability to determine which applications are actually under attack in order to manage risk and prioritize remediation efforts Ability to enable an instant, effective response by proactively blocking IP addresses of bad actors without the risk of false positives Detailed information on all database queries issued by specific applications, allowing for detailed audit trails and supporting root cause analysis for data breaches An easy upgrade to runtime application self-protection (RASP) in order to automatically neutralize the identified attacks

6 THE BLIND SPOT IN THREAT INTELLIGENCE 6 Without requiring any changes to the application, plug-ins enable Prevoty to run inside the application itself. Prevoty-enabled applications are able to deliver unparalleled insights into what is happening in the application from a security perspective, including the Four W s of an attack: WHO IDENTIFY THE ORIGIN OF THE THREAT Includes IP address, session information (including User ID if available), cookie detail WHAT PROVIDE DETAILS OF THE NATURE OF THE THREAT Contents of the payload, payload intelligence WHERE WHERE THE EXPLOIT HAPPENED IN YOUR APPLICATIONS URL for web applications, stack trace for SQL queries WHEN WHEN DID THE ATTACK TAKE PLACE Timestamp (down to the nanosecond)

7 THE BLIND SPOT IN THREAT INTELLIGENCE 7 This intelligence is available in real-time for consumption by SIEMs such as Splunk, ArcSight, QRadar, LogRhythm, etc. and can obviously be used as a definitive source of information for root cause analysis (RCA).

8 THE BLIND SPOT IN THREAT INTELLIGENCE 8 HOW IT WORKS At a conceptual level, Prevoty ASM works as follows: Analyze Alert Plug-Ins Applications are instrumented to call the security engine via Plug-ins (no coding required) 2 At runtime, the application automatically sends payloads to the security engine via the Prevoty API 3 The security engine analyzes the incoming payload and determines whether it is malicious. The analysis is effected with no dependence on signatures, definitions or pattern matching 4 If the payload is malicious, alerts are issued to the Prevoty console plus any logs and SIEM s configured. Detailed information on who / what / where / when of the attack is included

9 THE BLIND SPOT IN THREAT INTELLIGENCE 9 MAKING EXISTING SECURITY INFRASTRUCTURE SMARTER Network-based threat intelligence may never detect many of the application layer attacks at all, especially SQL injections and more sophisticated XSS attacks. Even if it does, because the detection is based on looking for known vulnerabilities (signatures, definitions, regular expressions, pattern matching, etc.), it can only say: This looks like it might be an attempt at XSS based on the fact that it looks like an attack pattern that we have seen before In many cases, the attack is simply allowed through and no active protection measures are ever taken because of the risk of false positives negatively impacting valid users. Since the Prevoty security engine is able to accurately determine the DNA of content and database queries without relying on signatures, definitions, patterns or behavioral analysis, Prevoty intelligence says: This was an XSS attack, or This was a SQL injection Therefore, taking the steps to block IP addresses of bad actors via NGFW s, IPS s or WAF s can be done without risking the negative business impact of false positives. PREVOTY ASM ALLOWS THE EXISTING SECURITY INFRASTRUCTURE TO ADD A LEVEL OF INTELLIGENCE ABOUT APPLICATIONS THAT HAS NOT BEEN POSSIBLE TO DATE.

10 THE BLIND SPOT IN THREAT INTELLIGENCE 10 SO DOES THIS QUALIFY AS TRUE THREAT INTELLIGENCE? Revisiting the definition used earlier in this paper, let s evaluate Prevoty ASM s capabilities: It comes from a qualified, trusted third-party source Prevoty is a leader in runtime application security and trusted by major enterprises around the world. However, the real source of the intelligence is an enterprise s own applications what could be trustworthy? It provides insight into an active campaign -- not just notice of a known threat, a known vulnerability, or a known compromise Applications can now alert in real-time when an attack is detected while the applications are running in production It provides the means to draw relevant insights into risk, in terms of both likelihood and business impact, for the specific context of our own organization Understanding which applications are actually under attack (and which are not!) together with the volume and nature of those attacks provides security, development and GRC leaders with relevant information to make smarter decisions on defense and remediation based on the business-criticality of the applications It (often) includes options for additional help The detailed intelligence delivered allows for active measures to be taken to block bad actors. Additionally, any applications instrumented for Prevoty monitoring can be easily upgraded to add Prevoty automatic protection to neutralize the vulnerabilities without having to undertake explicit remediation activities.

11 THE BLIND SPOT IN THREAT INTELLIGENCE 11 SUMMARY Threat intelligence is one of the most important areas for information security today, yet enterprises lack the visibility into what threats are actually hitting their applications in production. Prevoty ASM can be easily added to applications to provide the real-time intelligence that can be used by existing parts of an enterprise s security ecosystem to block known bad actors and provide the detailed audit trails required for compliance and root cause analysis. A basic version Prevoty ASM is available as a cloud service free of charge. For details, to request access to the service, see a live demo, or simply get more information, please visit. PREVOTY: SECURE THE HEART OF YOUR BUSINESS