Introduction to Runtime Application Self Protection (RASP) Making Applications Self Protecting, Self Diagnosing and Self Testing

Transcription

1 Introduction to Runtime Application Self Protection (RASP) Making Applications Self Protecting, Self Diagnosing and Self Testing

2 The cyber security landscape has become increasingly complex in recent years. Threats include hackers motivated by non-commercial considerations, as well as sophisticated cyber-criminal gangs and even the intelligence services of foreign nations. Cyber security has been designated the Number 1 threat facing the United States, and other leading economies face similar threats and concerns. Among the high profile hacking cases in just the last 12 months are major corporations such as Target, the US s 2nd largest retailer; the Wall Street Journal, arguably its most important publication; JPMorgan Chase, its largest bank; and EBay, Amazon and the Apple Cloud, three of the most important e-commerce services. Changes in the cyber security landscape The security industry is belatedly realizing that existing security mechanisms are becoming less and less effective, and that attacks and breaches are now commonplace. Many security vendors now talk as if breaches are inevitable, and that organizations should build robust Incident Response capability to minimize their adverse affects. Why is this? Partly it's due to the emergence of the cloud and mobility and the plethora of ways that data is created, shared and stored. Data is becoming harder to lock down and secure. But it s also due to a misplaced confidence that ever more sophisticated perimeter and network security can protect organizations from attack. It s estimated that 95% of security spend is on traditional security controls such as network and endpoint security, and security spend has risen rapidly in most organizations over the past few years. Yet the breaches keep on coming. The important question is where are the breaches occurring?. According to Gartner, over 80% of security breaches occurred via the application layer. Applications are the gateway to the data (typically stored in databases), they provide access and context to data. Yet firewalls (including Next Generation Firewalls), IPS devices and endpoint security protect against attack at the network or host layer, not the application layer. So if applications are the target, what protects them against attack? Web Application Firewalls? Yet these are also network based and have no contextual awareness of an application, so how are they supposed to protect them if they don t speak the same language? Until now there s been remarkably little protection for applications. The nascent application security market is dominated by vendors that provide application testing tools (eg. Static/ Dynamic Application Security Testing) and penetration/ vulnerability testing, who identify weaknesses and vulnerabilities within an organization's defenses. But whilst providing valuable assistance in reducing risk, neither of these can remediate vulnerabilities or actually protect against attacks. Waratek 2015 Page 2

3 An example analogy: If someone breaks into your home and steals the family jewels from a safe hidden behind a picture in your bedroom, you can view the exploit as being based on the fact that they were able to breach your perimeter defenses e.g. your garden gate or wall; the door to your house or access via a window; entering the bedroom and discovering the safe etc. Or you can view the exploit as being based directly on the fact that they were able to break open the safe, irrespective as to how they gained access to your home. For instance, someone who had legitimate access e.g. a cleaner or gardener who would not have been able to steal your jewels unless they could crack the safe. In this analogy, the perimeter is your security defenses. The safe is the application layer because this is ultimately where the family jewels are stored. Why is Application Security Important? v The application layer is where the real damage is done in 80% of cases.* v Perimeter defenses (i.e. web firewall) have proven to be inadequate for stopping sophisticated hackers, cyber-criminals and foreign agencies from penetrating the perimeter. v The perimeter itself has become porous due to major trends such as: Ø 'Bring your own device' ( BYOD ) and pervasive modern work practices which require remote connection to key applications; and Ø The integration of enterprise servers with e-commerce customer distribution and supply chains. v Modern software applications normally utilize many software imports, none of which have been written by the programmer, but which ultimately constitute more than 90% of the software application.** Ø In addition, software packages written by 3rd parties will generally be a black box in that the client operating the software will not have access to the source code. v Cyber security defenses have historically focused on a subsection of the landscape, typically client facing web applications or other applications with the largest potential damage to corporate reputation or actual monetary loss. With increasingly sophisticated attacks, the penetration of any application on a corporate network can lead to lateral attacks or long term 'sleeping agents / spies which are very difficult to protect against if the application remains vulnerable. * Source: Gartner * Source: 2014 Sonatype Open Source and Application Security Survey Waratek 2015 Page 3

4 Runtime Application Self Protection (RASP) a new type of defense Which is why we have seen the emergence of a new type of application security category that Gartner has named RASP - Runtime Application Self Protection. Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority. * A true RASP technology should have: v Deep visibility into applications, and the ability to monitor and block attacks. v Critically, it should also be non invasive, requiring no changes to application code. v Should be transparent to both the application owner and the user. v There should be no noticeable latency. v It should automatically remediate vulnerabilities found in testing tools, and provide application profiling and hardening. v It should also provide a granular feedback loop that gives valuable real-time insight as to which applications are being attacked, by whom, and how. v A true RASP technology will radically reduce the attack vector of applications, and at the same time drive down costs by providing for automatic remediation of vulnerabilities. v A true RASP technology will enable you to move your applications to the cloud, safe in the knowledge that they re protected as well (or better) as they would be on your network. If a technology can do all that, then it's probably time you got serious about Application Security. Waratek 2015 Page 4

5 Gartner Maverick* Research: Stop Protecting Your Apps; Its Time For Apps To Protect Themselves On 25 September 2014 Joseph Feiman, VP and Gartner Fellow, published a paper entitled 'Stop Protecting Your Apps; Its Time for Apps to Protect Themselves *. In this report Feiman advocates the necessity of new technologies, which will enable applications to protect themselves at run-time, i.e. as they operate live, and not to be dependent on external defenses such as firewalls which may or may not have been able to inhibit attacks. In 2015 this paper was voted Maverick Status by the other Gartner Analysts. Some of the Report findings: Infrastructure and perimeter protection technologies inherently lack insight into application logic and configuration, event and data flow, executed instructions and data processing. Thus, they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks. Perimeter protection technologies cannot protect against behind-the-perimeter insider attacks, which are as devastating as outsider attacks. Perimeter protection technologies cannot protect what ceases to exist the perimeter, whichdissipates in the mobile, consumer-oriented and cloud-oriented world. Technologies and services that we use to test and diagnose our applications for security vulnerabilities fail to scale to test all applications and to test them with the necessary accuracy. There are too many apps, testing skills are scarce, and tools are too complex and inaccurate. And Report Recommendations: Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection. Build and buy applications, systems, and IoT devices capable of self-protection. Review existing offerings and plan for adoption. The existing security paradigm fails to test and diagnose all applications for security vulnerabilities, and then fails again to protect those vulnerable applications: Our application security testing strategy fails because there are too many applications, application security testing skills are too scarce, testing tools are too complex, and their accuracy is not sufficient. Contact Waratek for a complimentary copy of this Gartner Maverick Research *Gartner Maverick Research: Stop Protecting Your Apps; Its Time For Apps To Protect Themselves. Joseph Feiman, 25th September 2014 Waratek 2015 Page 5

6 waratek Making Applications Self Protecting, Self Diagnosing and Self Testing RASP Introduction v 1.2