5 reasons hackers love your application security strategy. February 2015

Transcription

1 5 reasons hackers love your application security strategy February

2 Overview We ve all seen the headlines: pretty much every week there s a new Global 2000 enterprise or government agency in the news... for the wrong reason. Information security has huge implications for organizations of all sizes and hacks can lead to potential data exfiltration, network breach, identity theft, brand defacement and ultimately financial loss. According to research from IBM, more than 500 million records of personally identifiable information (PII) such as names, s, credit card numbers and passwords were leaked in 2013.[1] Yet it is becoming harder and harder to prevent hackers since traditional security methods have been unable to keep up with today s changing application environment. Security is a cat-and-mouse game but in today s world the success of improved network security products together with the increased attack surface available from modern applications has meant that hackers have started to mount increasingly numerous and sophisticated attacks on applications. In fact, Gartner estimates that 70% of all hacks in 2013 occurred at the application layer. So why are existing application security approaches proving inadequate? This paper will outline some of the reasons why conventional application security is simply not in the same league as today s hackers. It will also introduce a radical new approach that offers an elegant solution to a significant part of the problem. 2

3 Cloud Services, Partner Apps, SAML Multi-Device External Services Dynamic Internal Employees Application Developed In-House & Externally User Generated Content Distributed External Employees, VPN External Data Background Today s application environment is dramatically different to when traditional application security methods were developed. In the good old days, you had fairly static web applications developed entirely by your own application development team, accessed via the intranet for internal applications, protected with a firewall and accessed by your users via a browser on a trusted Windows PC. Things have changed. A lot. Applications are dynamic and distributed. In many cases they are developed by a distributed team that may include third parties. They make use of APIs, web services, partner applications, RSS feeds, syndicated content and the cloud. These capabilities in the applications have become business-critical, but they introduce new security risks: organizations cannot trust incoming content and how it may impact their customers. To make things worse, the applications are accessed from any number of untrusted devices, are exposed to untrusted data and often feature user-generated content such as comments & ratings. 3

4 Traditional approach to application security The existing application security strategy for the majority of organizations traditionally contains 3 elements: Perimeter-based security Incoming traffic is analyzed by a firewall, in particular a Web Application Firewall (WAF), before being allowed to access the application itself. WAFs and advanced network layer firewalls typically rely on definitions and signatures to detect patterns for known threats. Developer-Oriented Security The onus is placed on the developer to code their applications with security in mind. Security testing software leveraging static & dynamic code analysis can help to some extent with certain types of application and in-house security teams assist with best practices, code reviews, audits and penetration testing. Security Monitoring Security teams monitor the situation based on whatever information is at their disposal. Security Information and Event Management (SIEM) systems receive alerts based on potential attacks detected by the perimeter infrastructure and, in rare cases, from within select applications that have been appropriately instrumented. 4

5 5 reasons hackers love this approach 1 Relying on signatures & past definitions exposes applications to zero-day attacks Unknown threats, known as zero-day attacks, are unquestionably the most dangerous type of threats. It can take days, weeks or often months before a zero-day threat is blacklisted. According to White Hat, it takes an average of 170 days before a serious vulnerability is resolved after it occurs. 2 Meanwhile, your organization is completely unprotected against malicious code running in your application and accessing your data. The blacklist approach will always be defeated, as it only defines a finite number of terms in an environment with infinite complexity. It is virtually impossible to anticipate all future attacks as part of an exhaustive list. Hackers have an infinite amount of time to craft a new attack while blacklist-based security solutions only have a split second to react. If the attack is a zero-day exploit, it will bypass definition-based security, such as WAFs Hundreds of new hacks happen every week. No matter how many times you update the definitions, your perimeter-based security is guaranteed to be out of date. 2 A perimeter-based approach simply cannot protect today s distributed applications As outlined above, today s applications are dynamic, distributed and have many external entry points for a hacker to exploit such as web services, APIs to external applications and external feeds. So where, exactly, is the perimeter? It is effectively the internet in its entirety. Traditional security is like a city protected by castle walls with a moat and a drawbridge to keep invaders at bay. But now the walls have fallen down and the invaders have sprouted wings, waving to your guards as they fly over the moat. Good luck protecting your citizens. Perimeter-based security is an absolute necessity from a network security standpoint. Does this mean it works for application security? 2. White Hat Website Security Statistics Report

6 3 Any attempt at Active Prevention that occurs outside of the application has no context Active Prevention or Active Defense means not just detecting threats but actively rejecting the users, inputs or queries that may be harmful to the application before they get there. Most WAFs claim this capability and you have to admit that it sounds good, doesn t it? If that active prevention is done outside of the context of the application it is essentially pure guesswork, nothing more. What does an application do when it receives input? It transforms and manipulates the data within the context of application logic. Sophisticated hackers construct attacks that pass cleanly through perimeter defenses because they only become malicious when reconstructed by the application. How can an external appliance or system possibly understand what the application is going to do with that data? So the result of active prevention from a reverse proxy is a spate of false positives where genuine users, content & queries get rejected resulting in unhappy users at best and lost business at worst. Unsurprisingly, this has caused many organizations to turn off Active mode in their WAFs entirely. At a minimum, they turn down the thresholds for rejection in the WAF configuration, exposing the applications to more attacks. Only application security inside the application itself can stand a chance at preventing sophisticated attacks. 6

7 4 Developers are not, and should not be, security experts In order to attempt to stay ahead of hackers, security professionals need to spend a lot of their working lives monitoring the state of the art in terms of publicly available knowledge around vulnerabilities. It takes a thief to catch a thief. Developers were not hired to do this, they don t have the time to do this and their skillsets are not best placed to implement mitigations against complex attacks. So, homegrown solutions are mostly designed to address a few use cases and are based on a limited sample of current or past known attacks. This assumes that in-house security and application development teams have the know-how and time to service multiple applications and keep up with the ever-changing vulnerability classes. But even if they can stay on top of everything that is known to be out there today that might impact their applications, how are they going to defend against man-in-the-middle attacks and zero-day attacks? Developers are an extremely valuable commodity. You hired them to build great applications that add value to your business. Not to defend against hackers. 5 Your business is not application remediation The number of new hacks seen every month is staggering. So an application that was deemed safe by the security team a year ago (or even a month ago!) almost certainly isn t any more. So the applications need to be remediated. Constantly. This takes a lot of time, effort, manpower and money. Developers hate having to go back into old code and try to fix security holes as it impacts the schedules to deliver new applications to the business, ultimately affecting business velocity. In many cases, the original developer has been re-assigned or, worse, left the organization - meaning that it is up to someone completely unfamiliar with the baked-in security to fix the 7

8 application. Or the application may have been developed by a third party organization, in which case you will have limited control. It s not just developers - this pain extends to Security and IT Operations teams who get frustrated when they get stretched in many different directions there are more than enough new challenges to worry about. Going back to remediate old applications is a severe drain of resources. An everything in-house approach to security is simply head-in-the-sand. In addition to the unnecessary resource drain, the team doesn t get the benefit from best practices, the latest knowledge & intelligence. Fix security issues in existing applications OR develop new applications with value for the business? You shouldn t have to make a choice. OK so can we now agree that traditional security approaches are pretty much obsolete when it comes to protecting today s applications? Introducing Prevoty Prevoty is a security software company dedicated to protecting users and enterprises by solving the difficult challenges related to application security. Prevoty s technological approach is based on one very simple but powerful realization: applications can only be truly protected if the analysis of potential threats happens with context in real-time inside the application. Prevoty delivers application security as a service. Prevoty s service handles the application threats that come from three major vectors: content, database queries and users in real-time without any reliance on past definitions or signatures. Applications make inline calls to our contextual security engine that is delivered in the public or private cloud. The engine uses sophisticated proprietary lexical and behavioral analysis in the same way the application would to pre- process content, execute queries and validate users a split second before they are allowed to impact an application. It s like altering the DNA of your application - the application is always protected, from the inside, even beyond the perimeter when accessed by untrusted users from untrusted devices. 8

9 In addition to actively preventing threats from inside the application, Prevoty s engine also provides realtime threat intelligence for security teams across the entire application portfolio and data can be delivered instantly to external data stores and SIEMs such as Splunk, HP ArcSight and IBM Q1 Labs. How does Prevoty solve the challenges? Zero-Day Attacks Prevoty has no reliance on past definitions or signatures. If you understand content, queries and user behavior as they happen within the context of the application, you can identify and accept what behavior and content you want to allow. Everything else can be blocked, whether it is a known attack or a new one. Dynamic, Distributed Applications The in-app contextual approach means that no matter where the content, queries or users originate (the cloud, web services and API calls, RSS feeds, user generated content, etc.) Prevoty s engine will always be able to process the inputs and state changes, ensuring protection even with the most complex applications. Active Prevention The Prevoty engine looks at content the same way any browser will render content, looks at queries in the same way your database will execute queries, and manages tokens to reflect appropriate state changes in user sessions. By determining the actual behavior the Prevoty engine understands whether or not it s malicious or forbidden. Since all of these activities happen a split second before actual execution in the application, if there is malicious or forbidden intent then it is rejected or removed, rendering the application safe. In other words, active prevention that actually works. 9

10 Developer Security Expertise When Prevoty is used, developers don t need to have security expertise and, importantly, security teams know that the main attack vectors related to content, queries and user tokens are covered automatically. Application Remediation With Prevoty, you are not remediating your applications for known issues, you are retrofitting them with active defense technology. Framework products (no SDK required) are available for Java and.net. Additionally, pre-built SDK s are available for all common languages and frameworks, including PHP, Python, Java, C#, Ruby on Rails, Objective-C, etc. To integrate, developers add literally three lines of code to their application: 1. Include the Prevoty libraries 2. Instantiate a session with the Prevoty engine when the application starts 3. Invoke the API calls to the Prevoty engine to validate inputs, queries and tokens That s it. Done. The application is now retrofitted with Prevoty s active defense technology and no more remediation is required. And security teams have centralized control across both new and legacy applications. 10

11 Implementing your new application security model Implementing the Prevoty solution is extremely straightforward. At a high level, the architecture looks like this: The Prevoty security engine is the heart of the Prevoty solution. It provides real-time monitoring and protection capabilities, along with a number of additional security services for developers. The security engine can be deployed in the public cloud, private cloud or on-premise via a virtual appliance and applications are easily instrumented to call the engine via Prevoty s API. At runtime, the engine preprocesses content, database queries, tokens, etc. and secured payloads are sent back to the application in milliseconds. Prevoty API The Prevoty API is an open API that enables an application to call the Prevoty security engine with payloads for analysis that may include content, database queries or tokens. Applications can be easily instrumented to call the API, either at the framework level via the Prevoty Plug-ins or from the business logic of the application via Prevoty SDKs. 11

12 Prevoty Plug-ins Currently available for Java and.net, Prevoty Plug-ins provide a mechanism to have applications call the Prevoty Engine without requiring any changes to the applications themselves. The Plug-ins are installed via a single command script. Prevoty SDKs Prevoty SDKs allow developers to quickly add Prevoty security into their applications. A single API call is added to the application whenever analysis is required (i.e. GET and POST requests). In addition to monitoring and protection, Prevoty SDKs include additional security services for developers, including: Standardized cryptography Typed input validation Data leakage detection Spam and profanity filters Prevoty SDKs are available for all common languages, including Java, C#, PHP. Ruby, Python, Node.js, Go, and others. Prevoty Console The Prevoty console provides a single place for monitoring and protection intelligence and analytics from the Prevoty security engine to be collated and displayed across all applications. This feed can also be made directly available to logging tools (syslog, Splunk, etc.) and SIEM s (e.g. QRadar, ArcSight, etc.). 12

13 Summary The hacker attack plane of choice has moved from the network layer to the application layer. The dramatically increased attack surface available - thanks to the new breed of cloud-enabled dynamic applications - means that traditional perimeter-based security alone can no longer protect organizations from sophisticated attacks. Attempting to build your own security into all your applications is not just a massive waste of valuable resources, it is also a losing battle. It s time for a new approach and Prevoty can help. Prevoty s mission is to protect enterprises and their users by delivering application security that actually works. In-app calls to Prevoty s contextual and behavioral security engine provide automatic prevention of the top application security threats and zero-day attacks. Prevoty Application Security: monitor and protect your applications at runtime To request a live demo, start a free trial or simply get more information, please visit prevoty.com/contact 13