THE BLIND SPOT IN THREAT INTELLIGENCE



How application threat intelligence can make existing enterprise security infrastructures smarter

ABSTRACT

Search the web for a definition of threat intelligence and you'll find many different sources providing their own takes on what it means. Interestingly, as of the writing of this paper, the term does not yet have its own Wikipedia page. While perceptions of its definition may differ, there is no question that threat intelligence is one of the most important areas of security investment for enterprises. Thanks to the growth in cybersecurity attacks and increased exposure at the Board level due to high-profile hacks, it has never been more important to know the true status of your defenses.

Still, there is a major blind spot in threat intelligence today: enterprises have no visibility into what is actually happening with their applications in production. Analysis of network traffic does not provide any clues as to what the application will do with the data when it executes. Because of this lack of context, security operations teams either get no application data at all or are flooded with false positives. Alarmingly, many successful attacks go undetected.

This paper will:
- Introduce a coherent definition of the term threat intelligence
- Outline how a lack of application threat intelligence can hurt an enterprise
- Introduce a new monitoring technology that provides real-time application threat intelligence
- Discuss the actions that can be taken based on this intelligence to make existing security infrastructure more effective

APPLICATION THREAT INTELLIGENCE

In an article entitled "Putting IT in Perspective: Threat Intelligence", Aberdeen Group VP and Research Fellow Derek Brink outlines four noteworthy attributes of threat intelligence:

- It comes from a qualified, trusted third-party source
- It provides insight into an active campaign, not just notice of a known threat, a known vulnerability, or a known compromise
- It provides the means to draw relevant insights into risk, in terms of both likelihood and business impact, for the specific context of our own organization
- It (often) includes options for additional help

For the purposes of this paper, we will examine information security threat intelligence through this lens. Based on this definition, existing technologies provide intelligence in many threat areas, and major progress has been made in important disciplines such as endpoint threat detection, user behavior analytics (UBA), APT detection, phishing prevention, post-breach detection and the use of advanced deception techniques to identify active threats.

BUT WHAT ABOUT APPLICATIONS?

Applications have become the number one attack vector for hackers, and the databases they use store the information that hackers value most. Yet there is scant, if any, intelligence available about what attacks are actually being seen when applications are in production. Dangerous application security threats such as cross-site scripting (XSS) and SQL injection (SQLi) are well understood; however, the inability to detect them in production applications is a major security blind spot.

INTRODUCING APPLICATION SECURITY MONITORING

The concept of application performance monitoring (APM) using technologies from vendors such as New Relic and AppDynamics is well understood. What if it were possible to use the same monitoring approach not for application performance, but for security threats? Prevoty Application Security Monitoring (ASM) is a new capability that has been designed to give enterprises:

- The ability to determine which applications are actually under attack, in order to manage risk and prioritize remediation efforts
- The ability to enable an instant, effective response by proactively blocking the IP addresses of bad actors without the risk of false positives
- Detailed information on all database queries issued by specific applications, allowing for detailed audit trails and supporting root cause analysis for data breaches
- An easy upgrade to runtime application self-protection (RASP) in order to automatically neutralize the identified attacks

Without requiring any changes to the application, plug-ins enable Prevoty to run inside the application itself. Prevoty-enabled applications are able to deliver unparalleled insight into what is happening in the application from a security perspective, including the Four W's of an attack:

WHO (identify the origin of the threat): IP address, session information (including user ID, if available), cookie detail
WHAT (provide details of the nature of the threat): contents of the payload, payload intelligence
WHERE (where the exploit happened in your applications): URL for web applications, stack trace for SQL queries
WHEN (when the attack took place): timestamp (down to the nanosecond)

This intelligence is available in real time for consumption by SIEMs such as Splunk, ArcSight, QRadar and LogRhythm, and can be used as a definitive source of information for root cause analysis (RCA).

HOW IT WORKS

At a conceptual level, Prevoty ASM works as follows (the original page carries a diagram of the plug-in, analyze and alert stages, numbered 1 to 4):

1. Applications are instrumented to call the security engine via plug-ins (no coding required).
2. At runtime, the application automatically sends payloads to the security engine via the Prevoty API.
3. The security engine analyzes the incoming payload and determines whether it is malicious. The analysis is performed with no dependence on signatures, definitions or pattern matching.
4. If the payload is malicious, alerts are issued to the Prevoty console plus any logs and SIEMs configured. Detailed information on the who / what / where / when of the attack is included.
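The four-step flow above, together with the who / what / where / when record described on the previous page, as an added example in Python that is not Prevoty's code: a plug-in wraps the application's query function, hands each statement to an in-process stand-in for the security engine, and emits one JSON alert carrying the Four W's when the verdict is malicious. The page does not describe how the real engine reaches its verdict, so the stand-in applies one structural rule of its own rather than a signature list: every request value must sit entirely inside a single string or numeric literal of the statement; a value that spills across token boundaries has changed the statement the developer wrote. All field names, the sample request context and the IP address are constructed for this example.

```python
import json
import re
import time
from dataclasses import dataclass, asdict

# Lexer for the SQL subset the stand-in engine understands. Characters it does
# not match (whitespace, a stray quote) are skipped by finditer.
TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'               # single-quoted string literal ('' escapes a quote)
    | \d+(?:\.\d+)?                # numeric literal
    | --[^\n]*                     # line comment
    | /\*.*?\*/                    # block comment
    | [A-Za-z_][A-Za-z0-9_]*       # identifier or keyword
    | <>|<=|>=|!=|[=<>(),;*+\-/]   # operators and punctuation
""", re.VERBOSE | re.DOTALL)


def token_kind(text):
    """Classify one token; only literals may legitimately carry request data."""
    if text.startswith("'"):
        return "STR"
    if text[0].isdigit():
        return "NUM"
    if text.startswith("--") or text.startswith("/*"):
        return "COMMENT"
    return "CODE"  # identifiers, keywords, operators, punctuation


def analyze(sql, inputs):
    """Engine stand-in (step 3). Returns the name of the request parameter that
    altered the statement's structure, or None if the statement is intact.
    Rule (this example's own): each occurrence of a request value must lie
    inside one STR or NUM token; spilling into an operator, keyword or comment
    means the input rewrote the statement. No signature list is consulted."""
    spans = [(m.start(), m.end(), token_kind(m.group(0)))
             for m in TOKEN_RE.finditer(sql)]
    for name, value in inputs.items():
        if not value:
            continue
        for hit in re.finditer(re.escape(value), sql):
            inside_literal = any(s <= hit.start() and hit.end() <= e and k in ("STR", "NUM")
                                 for s, e, k in spans)
            if not inside_literal:
                return name
    return None


@dataclass
class AttackAlert:
    """The who / what / where / when record of step 4 (field names are this example's)."""
    who: dict    # origin: IP address, session, user id when known
    what: dict   # category, offending parameter, payload, statement
    where: dict  # URL and the call site that issued the statement
    when: int    # nanoseconds since the epoch


class AsmPlugin:
    """Step 1: instruments the application's query function without editing it.
    `sink` receives one JSON line per alert, standing in for the log/SIEM hand-off."""

    def __init__(self, sink):
        self.sink = sink

    def instrument(self, query_fn):
        def guarded(ctx, sql):
            param = analyze(sql, ctx["params"])                # step 2: payload to engine
            if param is not None:
                alert = AttackAlert(
                    who={"ip": ctx["ip"], "session": ctx["session"],
                         "user_id": ctx.get("user_id")},
                    what={"category": "SQL injection", "parameter": param,
                          "payload": ctx["params"][param], "statement": sql},
                    where={"url": ctx["url"], "call_site": query_fn.__name__},
                    when=time.time_ns())
                self.sink(json.dumps(asdict(alert)))           # step 4: alert out
            return query_fn(ctx, sql)                          # monitoring only: call proceeds
        return guarded


# The application under monitoring, left as written: it builds SQL by string
# concatenation, which is the defect the monitor surfaces.
def find_user(ctx, sql):
    return "executed: " + sql   # stands in for the database driver call


def handle_request(query, ctx):
    sql = "SELECT id, email FROM users WHERE name = '" + ctx["params"]["name"] + "'"
    return query(ctx, sql)


def run_demo():
    """Two constructed requests through the instrumented app; returns parsed alerts."""
    alerts = []
    guarded = AsmPlugin(alerts.append).instrument(find_user)
    base = {"ip": "198.51.100.7", "session": "s-42", "url": "/profile"}  # constructed context
    handle_request(guarded, {**base, "params": {"name": "alice"}})
    handle_request(guarded, {**base, "params": {"name": "x' OR '1'='1"}})
    return [json.loads(line) for line in alerts]
```

Calling `run_demo()` yields a single alert for the second request, naming the `name` parameter and carrying the source IP, session, URL, call site and nanosecond timestamp. A properly escaped value such as `O''Brien` stays inside its literal and raises nothing, while an unescaped apostrophe that breaks the literal is reported, since structurally it did rewrite the statement. A value that happens to equal a column name would also trip this text-based stand-in; a production engine tracks where tainted data lands rather than searching the statement text.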

MAKING EXISTING SECURITY INFRASTRUCTURE SMARTER

Network-based threat intelligence may never detect many application-layer attacks at all, especially SQL injections and more sophisticated XSS attacks. Even when it does, because the detection is based on looking for known vulnerabilities (signatures, definitions, regular expressions, pattern matching, etc.), it can only say: "This looks like it might be an attempt at XSS, because it resembles an attack pattern we have seen before." In many cases the attack is simply allowed through and no active protection measures are ever taken, because of the risk that false positives will negatively impact valid users.

Since the Prevoty security engine is able to accurately determine the DNA of content and database queries without relying on signatures, definitions, patterns or behavioral analysis, Prevoty intelligence says: "This was an XSS attack" or "This was a SQL injection." Therefore, the steps to block the IP addresses of bad actors via NGFWs, IPSs or WAFs can be taken without risking the negative business impact of false positives.

PREVOTY ASM ALLOWS THE EXISTING SECURITY INFRASTRUCTURE TO ADD A LEVEL OF INTELLIGENCE ABOUT APPLICATIONS THAT HAS NOT BEEN POSSIBLE TO DATE.
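Acting on the distinction drawn above, as an added example that is neither Prevoty's code nor any SIEM vendor's: a SIEM-side policy in Python that blocks a source address on the first alert when the application itself reports a confirmed attack, but holds pattern-based network alerts to a corroboration threshold so that a single signature match cannot lock out a legitimate user. The event field names, the thresholds, the exempt internal range and the sample events are all constructed for this example; the decision records are what would be handed to whatever NGFW, IPS or WAF integration the enterprise runs.

```python
import ipaddress
from collections import defaultdict

BLOCK_TTL_S = 3600          # lifetime of a block on the NGFW/IPS/WAF (assumed value)
SUSPECT_THRESHOLD = 5       # signature hits required before a suspect source is blocked
SUSPECT_WINDOW_S = 300      # sliding window for counting those hits
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]   # e.g. internal scanners (constructed)


class BlockPolicy:
    """Turns normalized alerts into block decisions.
    Event fields (this example's own): ts (epoch seconds), src_ip,
    source ("asm" for the in-application monitor, "waf" for a pattern-based
    network control), verdict ("confirmed" or "suspect") and category."""

    def __init__(self):
        self.blocked = {}                      # src_ip -> (expires_at, reason)
        self.suspect_hits = defaultdict(list)  # src_ip -> timestamps of signature hits

    def _exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NEVER_BLOCK)

    def handle(self, event):
        """Return a block decision for this event, or None."""
        ip, ts = event["src_ip"], event["ts"]
        if self._exempt(ip):
            return None
        if ip in self.blocked and self.blocked[ip][0] > ts:
            return None                        # already blocked and not yet expired
        if event["source"] == "asm" and event["verdict"] == "confirmed":
            # The application itself confirmed the attack: act on the first event.
            reason = "asm:" + event["category"]
        else:
            # A signature match only resembles an attack: require corroboration.
            hits = [t for t in self.suspect_hits[ip] if ts - t <= SUSPECT_WINDOW_S] + [ts]
            self.suspect_hits[ip] = hits
            if len(hits) < SUSPECT_THRESHOLD:
                return None
            reason = "waf:%d signature hits in %ds" % (len(hits), SUSPECT_WINDOW_S)
        self.blocked[ip] = (ts + BLOCK_TTL_S, reason)
        return {"action": "block", "src_ip": ip, "ttl_s": BLOCK_TTL_S,
                "since": ts, "reason": reason}


def process(events):
    """Feed events in time order; return the list of block decisions."""
    policy = BlockPolicy()
    decisions = []
    for event in sorted(events, key=lambda e: e["ts"]):
        decision = policy.handle(event)
        if decision:
            decisions.append(decision)
    return decisions


SAMPLE_EVENTS = [  # constructed for the example, not real logs
    {"ts": 100, "src_ip": "203.0.113.5", "source": "waf", "verdict": "suspect", "category": "xss-pattern"},
    {"ts": 110, "src_ip": "203.0.113.5", "source": "waf", "verdict": "suspect", "category": "xss-pattern"},
    {"ts": 120, "src_ip": "203.0.113.9", "source": "asm", "verdict": "confirmed", "category": "SQL injection"},
    {"ts": 125, "src_ip": "10.1.2.3", "source": "asm", "verdict": "confirmed", "category": "XSS"},
    {"ts": 130, "src_ip": "203.0.113.9", "source": "asm", "verdict": "confirmed", "category": "XSS"},
    {"ts": 131, "src_ip": "203.0.113.5", "source": "waf", "verdict": "suspect", "category": "sqli-pattern"},
    {"ts": 132, "src_ip": "203.0.113.5", "source": "waf", "verdict": "suspect", "category": "sqli-pattern"},
    {"ts": 140, "src_ip": "203.0.113.5", "source": "waf", "verdict": "suspect", "category": "sqli-pattern"},
]
```

Running `process(SAMPLE_EVENTS)` produces two decisions: 203.0.113.9 is blocked at the first confirmed application-layer alert (ts 120), and 203.0.113.5 only once its fifth signature hit lands inside the window (ts 140). The confirmed alert from the exempt 10.0.0.0/8 range is recorded but never blocked, and the second confirmed alert for 203.0.113.9 is absorbed by the existing block, so the firewall receives one rule per source rather than one per event.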

SO DOES THIS QUALIFY AS TRUE THREAT INTELLIGENCE?

Revisiting the definition used earlier in this paper, let's evaluate Prevoty ASM's capabilities:

- It comes from a qualified, trusted third-party source. Prevoty is a leader in runtime application security and is trusted by major enterprises around the world. However, the real source of the intelligence is an enterprise's own applications; what could be more trustworthy?
- It provides insight into an active campaign, not just notice of a known threat, a known vulnerability, or a known compromise. Applications can now alert in real time when an attack is detected while they are running in production.
- It provides the means to draw relevant insights into risk, in terms of both likelihood and business impact, for the specific context of our own organization. Understanding which applications are actually under attack (and which are not!), together with the volume and nature of those attacks, gives security, development and GRC leaders the information they need to make smarter decisions on defense and remediation based on the business-criticality of each application.
- It (often) includes options for additional help. The detailed intelligence delivered allows active measures to be taken to block bad actors. Additionally, any application instrumented for Prevoty monitoring can easily be upgraded to Prevoty automatic protection to neutralize the vulnerabilities without explicit remediation activities.

SUMMARY

Threat intelligence is one of the most important areas for information security today, yet enterprises lack visibility into what threats are actually hitting their applications in production. Prevoty ASM can easily be added to applications to provide real-time intelligence that the existing parts of an enterprise's security ecosystem can use to block known bad actors, and to provide the detailed audit trails required for compliance and root cause analysis. A basic version of Prevoty ASM is available as a cloud service free of charge. For details, to request access to the service, see a live demo, or simply get more information, please visit.

PREVOTY: SECURE THE HEART OF YOUR BUSINESS