Runtime Application Self Protection (RASP) Making Applications Self Protecting, Self Diagnosing and Self Testing


The cyber security landscape has become increasingly complex in recent years. Threats include hackers motivated by non-commercial considerations, as well as sophisticated cyber-criminal gangs and even the intelligence services of foreign nations. Cyber security has been designated the Number 1 threat facing the United States, and other leading economies face similar threats and concerns. Among the high profile hacking cases in just the last 12 months are major corporations such as Target, the US's 2nd largest retailer; the Wall Street Journal, arguably its most important publication; JPMorgan Chase, its largest bank; and EBay, Amazon and the Apple Cloud, three of the most important e-commerce services.

Changes in the cyber security landscape

The security industry is belatedly realizing that existing security mechanisms are becoming less and less effective, and that attacks and breaches are now commonplace. Many security vendors now talk as if breaches are inevitable, and as if organizations should build robust Incident Response capability to minimize their adverse effects.

Why is this? Partly it's due to the emergence of the cloud and mobility and the plethora of ways that data is created, shared and stored. Data is becoming harder to lock down and secure. But it's also due to a misplaced confidence that ever more sophisticated perimeter and network security can protect organizations from attack. It's estimated that 95% of security spend is on traditional security controls such as network and endpoint security, and security spend has risen rapidly in most organizations over the past few years. Yet the breaches keep on coming.

The important question is: where are the breaches occurring? According to Gartner, over 80% of security breaches occurred via the application layer. Applications are the gateway to the data (typically stored in databases); they provide access and context to data. Yet firewalls (including Next Generation Firewalls), IPS devices and endpoint security protect against attack at the network or host layer, not the application layer. So if applications are the target, what protects them against attack? Web Application Firewalls? Yet these are also network based and have no contextual awareness of an application, so how are they supposed to protect applications if they don't speak the same language?

Until now there's been remarkably little protection for applications. The nascent application security market is dominated by vendors that provide application testing tools (e.g. Static/Dynamic Application Security Testing) and penetration/vulnerability testing, who identify weaknesses and vulnerabilities within an organization's defenses. But whilst providing valuable assistance in reducing risk, neither of these can remediate vulnerabilities or actually protect against attacks.

Waratek 2015 Page 2

An example analogy:

If someone breaks into your home and steals the family jewels from a safe hidden behind a picture in your bedroom, you can view the exploit as being based on the fact that they were able to breach your perimeter defenses, e.g. your garden gate or wall; the door to your house or access via a window; entering the bedroom and discovering the safe, etc. Or you can view the exploit as being based directly on the fact that they were able to break open the safe, irrespective of how they gained access to your home. For instance, someone who had legitimate access, e.g. a cleaner or gardener, would not have been able to steal your jewels unless they could crack the safe.

In this analogy, the perimeter is your security defenses. The safe is the application layer because this is ultimately where the family jewels are stored.

Why is Application Security Important?

- The application layer is where the real damage is done in 80% of cases.*
- Perimeter defenses (i.e. web firewall) have proven to be inadequate for stopping sophisticated hackers, cyber-criminals and foreign agencies from penetrating the perimeter.
- The perimeter itself has become porous due to major trends such as:
  - 'Bring your own device' (BYOD) and pervasive modern work practices which require remote connection to key applications; and
  - The integration of enterprise servers with e-commerce customer distribution and supply chains.
- Modern software applications normally utilize many software imports, none of which have been written by the programmer, but which ultimately constitute more than 90% of the software application.**
  - In addition, software packages written by 3rd parties will generally be a 'black box' in that the client operating the software will not have access to the source code.
- Cyber security defenses have historically focused on a subsection of the landscape, typically client facing web applications or other applications with the largest potential damage to corporate reputation or actual monetary loss. With increasingly sophisticated attacks, the penetration of any application on a corporate network can lead to lateral attacks or long term 'sleeping agents / spies' which are very difficult to protect against if the application remains vulnerable.

* Source: Gartner
** Source: 2014 Sonatype Open Source and Application Security Survey

Runtime Application Self Protection (RASP): a new type of defense

This is why we have seen the emergence of a new type of application security category that Gartner has named RASP - Runtime Application Self Protection.

Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority.*

A true RASP technology should have:

- Deep visibility into applications, and the ability to monitor and block attacks.
- Critically, it should also be non-invasive, requiring no changes to application code.
- It should be transparent to both the application owner and the user.
- There should be no noticeable latency.
- It should automatically remediate vulnerabilities found in testing tools, and provide application profiling and hardening.
- It should also provide a granular feedback loop that gives valuable real-time insight as to which applications are being attacked, by whom, and how.
- A true RASP technology will radically reduce the attack vector of applications, and at the same time drive down costs by providing for automatic remediation of vulnerabilities.
- A true RASP technology will enable you to move your applications to the cloud, safe in the knowledge that they're protected as well as (or better than) they would be on your network.

If a technology can do all that, then it's probably time you got serious about Application Security.

Gartner Maverick* Research: Stop Protecting Your Apps; It's Time For Apps To Protect Themselves

On 25 September 2014 Joseph Feiman, VP and Gartner Fellow, published a paper entitled 'Stop Protecting Your Apps; It's Time for Apps to Protect Themselves'*. In this report Feiman advocates the necessity of new technologies which will enable applications to protect themselves at run-time, i.e. as they operate live, and not to be dependent on external defenses such as firewalls which may or may not have been able to inhibit attacks. In 2015 this paper was voted Maverick Status by the other Gartner Analysts.

Some of the Report findings:

- Infrastructure and perimeter protection technologies inherently lack insight into application logic and configuration, event and data flow, executed instructions and data processing. Thus, they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.
- Perimeter protection technologies cannot protect against behind-the-perimeter insider attacks, which are as devastating as outsider attacks.
- Perimeter protection technologies cannot protect what ceases to exist: the perimeter, which dissipates in the mobile, consumer-oriented and cloud-oriented world.
- Technologies and services that we use to test and diagnose our applications for security vulnerabilities fail to scale to test all applications and to test them with the necessary accuracy. There are too many apps, testing skills are scarce, and tools are too complex and inaccurate.

And Report Recommendations:

- Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection.
- Build and buy applications, systems, and IoT devices capable of self-protection.
- Review existing offerings and plan for adoption.

The existing security paradigm fails to test and diagnose all applications for security vulnerabilities, and then fails again to protect those vulnerable applications: Our application security testing strategy fails because there are too many applications, application security testing skills are too scarce, testing tools are too complex, and their accuracy is not sufficient.

Contact Waratek for a complimentary copy of this Gartner Maverick Research.

* Gartner Maverick Research: Stop Protecting Your Apps; It's Time For Apps To Protect Themselves. Joseph Feiman, 25th September 2014

Risk Management

From a risk management perspective, Runtime Application Self-Protection (RASP) helps to protect an application with high accuracy at runtime, and to reduce the overall risk of the portfolio of assets which need to be protected.

In addition, Application Self-Protection also creates an important new information asset for cyber security. Major organizations have been building enormous information systems which log and correlate vast amounts of data generated by all of their existing protection points, including firewalls, network defenses etc., and then utilize sophisticated new data mining tools which can identify threatening patterns of behavior occurring right across their infrastructure. One silent component in this landscape has been the software applications themselves. However, if applications could talk, i.e. generate meaningful intelligence whenever they identify unusual activity at the application layer, the overall utility of these big data approaches would be enormously increased.

Applications - the weak link in the security chain.

Applications have been the weakest point in the security chain up to now, in that they are both the hardest to protect and cause the most damage when penetrated.

Traditional defenses have relied on external systems such as web application firewalls and next generation firewalls, which despite significant investment in both equipment and operations have proven to be only partially effective. These defenses can read suspicious data streams, but because they do not see this data interacting with the software code in the application program itself, they rely on a form of sophisticated guess work and pattern matching to try to determine what might be an actual attack. Generally, they produce a very large proportion of false positives, which make it difficult for security operation teams to quickly identify the real threats. Consequently, they are very difficult to operate in absolute denial blocking mode, as far too much legitimate traffic will be inhibited.

Figure 1. Traditional Defenses

The other approach with applications involves extensive testing of the software on a static or dynamic basis to reveal potential security holes, which are then remediated by re-writing the code. This is a very slow and expensive process and it is very difficult to achieve a comprehensive result. Also, none of these analysis tools has been shown to cover all risks.

Figure 2. Extensive testing of the software on a static or dynamic basis

Waratek AppSecurity for Java

Making Applications Self Protecting, Self Diagnosing and Self Testing

If an application is essentially defenseless once an attack has circumvented the perimeter and network, then we need to provide it with its own protection. This is one of the core tenets of RASP. But we can also reinforce security by providing self diagnosis, enabling an application to provide detailed code analysis and identify vulnerabilities within its code. Once vulnerabilities are found, they can be assessed and remediated. And should we not also empower an application to send real-time diagnostics about its status and environment, including granular intelligence on attacks?

At Waratek, our core belief is that we can empower applications to protect themselves, and at the same time provide application owners and security teams with actionable intelligence to reduce risk and improve overall security.

How Waratek works

At Waratek we have developed a unique and distinctive runtime protection technology, which is essentially a hypervisor for Java-based applications. You can also think of it as a secure container, in which you place your applications and provide them instant protection.

Java is used as the framework for the majority of production Enterprise applications deployed today, including web applications. However, these applications lack the ability to defend themselves from today's targeted, dynamic attacks. Waratek's secure container technology enables each application to run in a secure and isolated virtual container.

Waratek runtime protection technology monitors all interactions into and out of the secure container (secure JVM), and all application executions and operations inside the secure container. This gives Waratek 100% visibility into the application stack, and the ability to detect and block malicious attacks.

In addition, all remote data inputs are supervised by a methodology known as 'Taint Tracking', which clearly identifies the difference between untrusted 3rd party data input and the legitimate instructions of the software program itself.

The combination of complete visibility of application input/output (I/O) data and complete visibility of application code as it executes in the secure container affords complete contextual awareness of any application security vulnerability or exploit that no other security technology can rival. It can therefore tell with absolute accuracy when an actual attack is occurring, and this can either be sent as a real-time alert to the security team, or be prevented from executing when the blocking mode is enabled.

To return to the analogy of the thief stealing the family jewels: the Waratek technology monitors everything that is happening during the application execution, but does not intervene until the actual threat itself occurs. In other words, Waratek technology would be aware when someone tries to open the safe, and if it sees it is a 3rd party and not a family member, would immediately block the attack and alert the family.

This is a totally new type of defense. It's the first solution which has complete visibility of the application runtime environment and, with the addition of a small rule set, provides complete protection for the most critical attack vectors (such as SQL Injection, Cross Site Scripting, Command line Injection etc.). It also serves to substantially reduce the attack surface of an application, making it much harder for attackers to attempt to circumvent security controls.

By integrating application vulnerability reporting into our RASP platform we have created an end to end remediation process that can reduce mitigation times from months to minutes and increase productivity 100 fold.
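The sink-side decision that taint tracking makes possible, contrasted with context-free pattern matching, as an added sketch that is not Waratek's implementation or code from this paper. It is written in Python rather than Java for brevity; `Tracked`, `sql_quote`, `inspect`, `run_query`, `pattern_filter`, the signature regex and all sample inputs are hypothetical names and constructed values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tracked:
    """Text plus a per-character mask: True where the character is untrusted input."""
    text: str
    mask: tuple

    @staticmethod
    def untrusted(s):
        return Tracked(s, (True,) * len(s))

    @staticmethod
    def _wrap(v):
        # Plain str values are literals from the program's own code: trusted.
        return v if isinstance(v, Tracked) else Tracked(v, (False,) * len(v))

    def __add__(self, other):
        other = Tracked._wrap(other)
        return Tracked(self.text + other.text, self.mask + other.mask)

    def __radd__(self, other):
        return Tracked._wrap(other) + self


def sql_quote(value):
    """Escape a value as a SQL string literal; taint follows each escaped character."""
    out = Tracked._wrap("'")
    for ch, tainted in zip(value.text, value.mask):
        piece = "''" if ch == "'" else ch
        out = out + Tracked(piece, (tainted,) * len(piece))
    return out + "'"


# Simplified SQL tokenizer (assumption: enough SQL for this demonstration only).
TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>\w+)
  | (?P<comment>--[^\n]*)
  | (?P<space>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def inspect(query):
    """Return tokens where untrusted input supplied query structure, not just data."""
    findings = []
    for m in TOKEN.finditer(query.text):
        taint = query.mask[m.start():m.end()]
        if not any(taint):
            continue                      # token written entirely by the program
        kind = m.lastgroup
        if kind == "string" and not (taint[0] or taint[-1]):
            continue                      # input stayed between program-supplied quotes
        if kind == "number":
            continue                      # a numeric literal is data, not syntax
        findings.append((kind, m.group()))
    return findings


def run_query(query, blocking=False):
    """Sink hook: always report findings; refuse execution only in blocking mode."""
    findings = inspect(query)
    action = "blocked" if findings and blocking else "executed"
    return {"action": action, "alerts": findings}


# Constructed signature standing in for a context-free, network-side filter.
SIGNATURE = re.compile(r"'|--|\b(?:or|union|select)\b", re.IGNORECASE)


def pattern_filter(raw_input):
    """True when the raw input matches the signature, whatever the query context."""
    return bool(SIGNATURE.search(raw_input))


if __name__ == "__main__":
    name = Tracked.untrusted("O'Brien")              # legitimate, constructed input
    safe = "SELECT id FROM users WHERE name = " + sql_quote(name)
    print(safe.text, run_query(safe, blocking=True), pattern_filter(name.text))

    evil = Tracked.untrusted("x' OR '1'='1")         # constructed injection string
    unsafe = "SELECT id FROM users WHERE name = '" + evil + "'"
    print(unsafe.text, run_query(unsafe, blocking=True))
```

The legitimate name trips the signature filter but produces no finding at the sink, while the unescaped concatenation is reported (and blocked when `blocking=True`) because an untrusted character closes the string literal.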
Firehose of Flaws

One leading software application security testing (SAST) vendor that evaluated 54,000 applications at 200 companies over a nine month period discovered 11 million vulnerabilities. Despite the widespread use of SAST and DAST (static and dynamic application security testing) tools, the enormous number of vulnerabilities detected are virtually impossible to remediate, primarily because these tools do not mitigate flaws. As a result, fixing security problems in source code is manual, time consuming and costly.

Waratek has developed an integration solution that automatically generates rules to protect the most critical vulnerabilities found by SAST and DAST tools. This takes remediation from an average of 3 months to 30 minutes. This fully automated workflow can be integrated into the Software Development Lifecycle, and does not require any manual intervention or configuration.

Even in companies with sophisticated remediation processes, it is much easier to find vulnerabilities than it is to fix them.

Business Benefits Overview

Reducing Risk
By protecting customers against data breaches

Virtually all data breaches occur through an attack on an application. The application is the gateway to an organization's critical Intellectual Property and its customer and corporate data. Waratek protects 100% against the most critical attacks (such as SQL Injection and Cross Site Scripting, which make up 80%+ of attacks) and reduces the attack surface by profiling and hardening applications. Waratek protects against both known and unknown attacks. Waratek also provides forensic data to help security teams better protect the organization against future attacks and to assist with Incident Response.

Drive ongoing cost savings
By radically reducing the ongoing cost of patching and remediating applications, which is currently a costly exercise

The biggest single pain point for most enterprise application developers is what's called the Time to Remediation. This is the length of time it takes to remediate a vulnerability once it's been discovered. Waratek reduces that timespan from an average of 3 months to just 30 minutes. Essentially Waratek automates the process of patching and remediating applications, taking away the pain and cost of existing processes. This can save customers millions of dollars over the lifecycle of their applications.

Patching applications

Organizations must constantly patch their applications, which is a costly and time consuming exercise. To complicate matters, it's often impossible to patch or update some applications as this would break the application, hence many organizations are left with critically exposed applications. Waratek obviates the need for customers to patch their applications as it deploys a virtual patching technology. Even the exposed applications which would break using the regular patching process are virtually patched and protected.

Cost savings: Automating patching saves customers from deploying expensive resource and manpower to manually patch applications, which is a constant, ongoing process.

Remediation

Enterprise organizations use Application Security Testing (AST) tools to discover code and application vulnerabilities. They then have to manually remediate the applications against the vulnerabilities found. This is a slow process, and even in organizations with highly sophisticated testing processes, it's estimated that 5X more vulnerabilities are found than can be remediated against.

Waratek automates this process and enables 100% protection of all vulnerabilities found by the customer's AST tools. Instead of manually remediating the code, Waratek takes the output from AST tools and creates a ruleset to automatically protect against the vulnerabilities found. It does this with very low administrative overhead, requires no application or server downtime, and takes minutes to deploy.

Cost Savings: This reduces remediation from an average of 3 months manual effort into 30 minutes. Over the lifecycle of an enterprise application estate, this saves customers millions of dollars.

Leveraging existing security controls

Enterprise organizations typically deploy an array of network defenses against malicious attack, but network defenses (such as firewalls and Intrusion Prevention Systems) cannot hope to protect against attacks directed at the application. These defenses can analyze traffic and monitor user sessions, but they cannot see this data interacting with the application code in the application itself. They thus rely on a form of sophisticated guess work and pattern matching to try to determine what might be an actual attack. This is because network defenses don't and can't understand the application and business logic within an application. Even Web Application Firewalls (WAF), which are designed to protect applications, lack this visibility and context.

Waratek adds more value to these existing systems by providing forensic data that gives clear insight as to how and where application attacks are happening, and whether internal resources or user credentials have been compromised. Customers can use this information to adapt their network security controls against further attacks, both from outside the organization and from internal attack. This data can also be used for Incident Response and forensic investigations.

Facilitate business agility

To better respond to market opportunities, enterprises are constantly building new applications and adapting older ones. Building new applications and adapting older ones are normally time critical, but existing security testing and controls often take much longer than the enterprise would like or can afford. This creates tensions between the application owner and the security team, and hinders business agility. Waratek radically reduces the time it takes to secure applications, allowing faster application development, and thus improved business agility.

Compliance

Enterprise organizations typically have both internal policies and external compliance and regulatory overhead to comply with. Securing customer, employee and corporate data against breaches is a critical compliance issue, and one that most organizations struggle with. Waratek aids compliance in several ways:

- Protects applications (and therefore data) against the most critical attack vectors. This both reduces risk to the organization and aids their compliance efforts.
- Radically accelerates the timespan between discovery of vulnerabilities and their remediation, lowering the risk to the organization.
- Provides forensic level data for use in both improving security controls and for auditing and Incident Response purposes.

Waratek
Making Applications Self Protecting, Self Diagnosing and Self Testing
Waratek 2015 RASP and Waratek vs 1.2


More information

The Benefits of an Integrated Approach to Security in the Cloud

The Benefits of an Integrated Approach to Security in the Cloud The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

2015 Vulnerability Statistics Report

2015 Vulnerability Statistics Report 2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

Protecting against cyber threats and security breaches

Protecting against cyber threats and security breaches Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So

More information

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle

More information

Fusing Vulnerability Data and Actionable User Intelligence

Fusing Vulnerability Data and Actionable User Intelligence Fusing Vulnerability Data and Actionable User Intelligence Table of Contents A New Threat Paradigm... 3 Vulnerabilities Outside, Privileges Inside... 3 BeyondTrust: Fusing Asset and User Intelligence...

More information

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

Realize That Big Security Data Is Not Big Security Nor Big Intelligence G00245789 Realize That Big Security Data Is Not Big Security Nor Big Intelligence Published: 19 April 2013 Analyst(s): Joseph Feiman Security intelligence's ultimate objective, enterprise protection, is

More information

HP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise

HP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise HP ENTERPRISE SECURITY Protecting the Instant-On Enterprise HP SECURITY INTELLIGENCE AND RISK MANAGEMENT PLATFORM Advanced Protection Against Advanced Threats 360 Security Monitoring to Detect Incidents

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE How application threat intelligence can make existing enterprise security infrastructures smarter THE BLIND SPOT IN THREAT INTELLIGENCE

More information

Fortify. Securing Your Entire Software Portfolio

Fortify. Securing Your Entire Software Portfolio Fortify 360 Securing Your Entire Software Portfolio Fortify Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security threats. Craig Schumard,

More information

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales The Cost of Cybercrime Sony $171m PlayStation 3 data breach (April 2011) $3 trillion

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

ICTN 4040. Enterprise Database Security Issues and Solutions

ICTN 4040. Enterprise Database Security Issues and Solutions Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of

More information

4 Steps to Effective Mobile Application Security

4 Steps to Effective Mobile Application Security Mobile Application Security Whitepaper 4 Steps to Effective Mobile Application Security Table of Contents Executive Summary 3 Mobile Security Risks in Enterprise Environments 4 The Shortcomings of Traditional

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

Cyber Exploits: Improving Defenses Against Penetration Attempts

Cyber Exploits: Improving Defenses Against Penetration Attempts Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How

More information

Cutting the Cost of Application Security

Cutting the Cost of Application Security WHITE PAPER Cutting the Cost of Application Security Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage,

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the

More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

How to Instrument for Advanced Web Application Penetration Testing

How to Instrument for Advanced Web Application Penetration Testing How to Instrument for Advanced Web Application Penetration Testing Table of Contents 1 Foreword... 3 2 Problem... 4 3 Background... 4 3.1 Dynamic Application Security Testing (DAST)... 4 3.2 Static Application

More information

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model White Paper Addressing the Full Attack Continuum: Before, During, and After an Attack It s Time for a New Security Model Today s threat landscape is nothing like that of just 10 years ago. Simple attacks

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015 NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m Introduction This paper discusses the relevance and usefulness of security penetration

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

HP Application Security Center

HP Application Security Center HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Risk-based solutions for managing application security

Risk-based solutions for managing application security IBM Software Thought Leadership White Paper September 2013 Risk-based solutions for managing application security Protect the enterprise from the growing volume and velocity of threats with integrated

More information

MOBILE SECURITY: DON T FENCE ME IN

MOBILE SECURITY: DON T FENCE ME IN MOBILE SECURITY: DON T FENCE ME IN Apart from the known and the unknown, what else is there? 18 Harold Pinter, Nobel Prize-winning playwright, screenwriter, director, actor 32 INTRODUCTION AND METHODOLOGY

More information

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Production Security and the SDLC Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com Building Security Into the Development Process Production Test existing deployed apps Eliminate security

More information

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Manage the unexpected

Manage the unexpected Manage the unexpected Navigate risks and thrive Today s business world is threatened by a multitude of online security risks. But many organizations simply do not have the resources or expertise to combat

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Managing the Unpredictable Human Element of Cybersecurity

Managing the Unpredictable Human Element of Cybersecurity CONTINUOUS MONITORING Managing the Unpredictable Human Element of Cybersecurity A WHITE PAPER PRESENTED BY: May 2014 PREPARED BY MARKET CONNECTIONS, INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA 20151

More information

Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform

Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform Sebastian Zabala Senior Systems Engineer 2013 Trustwave Holdings, Inc. 1 THREAT MANAGEMENT

More information

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4

SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges

More information

Improving your Secure SDLC ( SSDLC ) with Prevoty. How adding real-time application security dramatically decreases vulnerabilities

Improving your Secure SDLC ( SSDLC ) with Prevoty. How adding real-time application security dramatically decreases vulnerabilities Improving your Secure SDLC ( SSDLC ) with Prevoty How adding real-time application security dramatically decreases vulnerabilities February 2015 Improving your Secure SDLC ( SSDLC ) with Prevoty Table

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Protecting What Matters Most. Bartosz Kryński Senior Consultant, Clico

Protecting What Matters Most. Bartosz Kryński Senior Consultant, Clico Protecting What Matters Most Bartosz Kryński Senior Consultant, Clico Cyber attacks are bad and getting Leaked films and scripts Employee lawsuit Media field day There are two kinds of big companies in

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications WhiteHat Security White Paper Evaluating the Total Cost of Ownership for Protecting Web Applications WhiteHat Security October 2013 Introduction Over the past few years, both the sophistication of IT security

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

10 Things Every Web Application Firewall Should Provide Share this ebook

10 Things Every Web Application Firewall Should Provide Share this ebook The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security

More information

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent

More information

Endpoint Threat Detection without the Pain

Endpoint Threat Detection without the Pain WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Network Intrusion Prevention Systems Justification and ROI

Network Intrusion Prevention Systems Justification and ROI White Paper October 2004 McAfee Protection-in-Depth Strategy Network Intrusion Prevention Systems 2 Table of Contents Are My Critical Data Safe? 3 The Effects and Results of an Intrusion 3 Why the Demand

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

Understanding the Security Vendor Landscape Using the Cyber Defense Matrix

Understanding the Security Vendor Landscape Using the Cyber Defense Matrix SESSION ID: PDIL-W02F Understanding the Security Vendor Landscape Using the Cyber Defense Matrix Sounil Yu sounil@gmail.com @sounilyu Disclaimers The views, opinions, and positions expressed in this presentation

More information

RETHINKING CYBER SECURITY

RETHINKING CYBER SECURITY RETHINKING CYBER SECURITY CHANGING THE BUSINESS CONVERSATION INTRODUCTION Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time,

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Comprehensive Advanced Threat Defense

Comprehensive Advanced Threat Defense 1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information