Last week at Structure Security 2016, I heard a lot of speakers, including keynoter Art Coviello,...
Eliminate Blind Spots: Protect the Full Application Stack
If you lock your front door but leave a basement window open, that’s where the burglars will go. Similarly, placing a shiny new padlock on a front gate but forgetting to lock it doesn’t provide much of a deterrent. Protecting web applications in today’s cyber security environment poses a comparable challenge with multiple areas to cover. Bad actors have choices for where they can apply their breaking-and-entering efforts.
Ninety-five percent (95%) of businesses deploy some kind of endpoint protection for user devices – a practice that is definitely needed. But these measures are poorly suited for protecting applications and server workloads, which is where company’s most sensitive data typically resides. Seventy percent (70%) of attacks target server workloads.
In the effort to prevent web-based attacks, companies must also protect the underlying servers, third-party code, backend applications, and data that are all connected and exposed to the outside world. Existing endpoint protection platform (EPP) solutions are not suitable to protect these servers or sensitive applications such as custom, legacy or SCADA applications left vulnerable due to CPU utilization, dwell time and configuration issues.
Can’t Organizations Just Rely on WAFs and RASPs
to Protect Their Servers and Apps?
A common misconception is that security tools like WAF (web application firewall) or RASP (runtime application self-protection) solutions can protect web applications. But WAF and RASP solutions are inherently limited because they only address visibility into a small portion of application data in the HTTP pipeline.
WAFs are supposed to analyze web traffic and try to identify common OWASP threats like SQL injections or cross-site scripting. They can spot obvious problems in HTTP code but cannot accurately detect when malicious input data is turning into executable code for downstream interfaces and servers.
Similarly, conventional RASP solutions provide limited runtime and memory visibility, only covering a small slice of the application, not full application stack protection. RASPs also require custom application-by-application SDK integration and access to source code.
Eighty percent (80%) of businesses with web applications use WAFs. But because of what they can miss, WAFs and RASPs represent just the tip of the iceberg for cyberattacks. Additionally, businesses have reported that these tools are difficult to manage. Not only do they fatigue staff with high levels of false positives, but they can overlook two-thirds of the attack surface of a server.
These gaps leave security operators in the precarious position of perpetually being in the. Operators have to actively look for signs like oddities in the app behavior or strange IP addresses going outbound from the server to determine if they’ve been compromised or not. It’s not a successful premise, as evidenced by the high number of significant breaches that have occurred this year alone, which does not include other types of attacks such as ransomware.
The Entire Application Stack Is Vulnerable,
Yet Invisible to Most Security Tools
Attackers are adept at finding vulnerabilities. They’ve demonstrated they can easily bypass point solutions such as WAF, EPP (endpoint protection platform) and EDR (endpoint detection and response) tools that don’t see the bigger picture. Bad actors succeed because they go after all tiers of the application stack: web, memory and host.
First, the web tier is where the OWASP Top 10, SQL injections, and more occur. The web layer includes web frameworks, third-party compiled code, legacy apps, files, processes, libraries and more. Many exploits start here and spread to the other tiers, attacking runtime memory and the host system.
At the memory tier, threat actors launch attacks at the execution memory level – buffer errors, ROP chains, stack smashing and so on. These methods target third-party apps and databases. Lastly, attackers go after the host tier where they attempt to change files, processes, and libraries by injecting malware and commands.
Servers often share the same devices across tiers, making them all the more vulnerable to sophisticated, multi-faceted attacks.
All of these attack efforts happen far below the radar of WAF, RASP, or EDR solutions. If your tools can’t or don’t protect the full application stack, attackers will inevitably find and exploit your blind spots.
Lessons from the Equifax Breach
To understand the breadth and severity of a blind-spot attack, look no further than the devastating Equifax breach of 2017. Impacting more than147 million people, it remains one of the largest and worst breaches in US history.
The breach exposed the personal data of millions of consumers, and many assumed it was a web-based attack. However, the primary entry point was a vulnerability in third-party code provided by the Apache Struts framework. This weakness was exploited by a memory-based attack, which exposed the full server and backend data.
Because the systems weren’t segmented, attackers were able to move around from server to server. They pulled and encrypted data for months, unbeknownst to Equifax. Even after Equifax learned of the breach, they kept it under wraps for more than a month.
While this attack was invisible to Equifax’s network and WAF tools, it would have been instantly detected and stopped by the Virsec security platform, which secures application workloads.
Virsec Provides Full-Stack Application Visibility & Protection
Businesses can’t protect just one or two layers of the application stack. Nor can they rely on individual point products to provide the full level of protection needed to block the full gamut of these attacks. Without complete and layered protection, threat actors easily find the gaps. Virsec protects these gaps by securing application workloads.
Virsec protects the full application stack including Web, Memory and Host layers.The Virsec solution creates a comprehensive map of expected application, providing companies full visibility into runtime. Any deviation from the application – no matter how small – triggers an instant alert and precise, defensive action.
Protect the Entire Attack Surface
Virsec is the only vendor that can protect the entire attack surface of the application, including the web, memory, and host tiers – all during application runtime. Detect and stop the widest spectrum of attacks, including OWASP Top 10, MITRE Top 25, memory errors, library injections, process corruption, malware, and more.
Free Download: Five Essential Steps for Enterprise Application Security: A Guide