Back in mid-August 2020, we wrote about why it is important to block attackers at the network edge. We also discussed why organizations are reluctant to block attackers based on alerts issued by security tools, given the prevalence of false positives from these tools. To understand why false positives happen, we need to examine the security technologies currently being used to identify an attack on a vulnerability.
Let us start by taking a look at some of the common technologies being used today to detect a new zero day attack. You have probably heard many of these names used to describe the security technologies in your environment: Heuristics, Fuzzy Logic, Machine Learning, and Artificial Intelligence. These are considered state of the art technologies when it comes to security. And while these methods sound like they would produce great results, the truth is they aren’t very good at detecting attacks: a recent study found that as much as 76% of zero day attacks are successful. These same technologies have the added problem of being particularly susceptible to false positives. But organizations continue to use them, because they are what’s available.
We will talk about what the solution is later, but first let us look at why these technologies are prone to false positives. Regardless of whether you’re looking at Heuristics, Fuzzy Logic, Machine Learning or Artificial Intelligence, all of these technologies have one thing in common: they require a dataset of known prior attacks to start their detection algorithms. Machine Learning, one of the newest technologies, requires a dataset of past attacks to train on. The result of this requirement is that these technologies only detect variations of past zero day attacks. It also means these technologies rely on a variation of signature, pattern or ruleset matching to detect zero day attacks.
This is where we run into problems with false positives with these technologies. Whenever you are trying to match a signature, pattern or ruleset, there’s always a possibility, and sometimes a very good possibility, that you will match a pattern against something that’s not an attack. Take the most common example of SQL Injection, where the phrase “OR 1=1” gets appended to the end of an SQL query. A match on the pattern ‘1=1’ can occur accidentally, causing a false positive. This is just one example, and there are other patterns that will more easily cause an accidental match without actually catching an attack, which is essentially a false positive. If you’re an organization that relies on internet generated revenue, you can’t risk cutting off a real source of income by blocking on a false positive.
The question then remains: how can you ensure you’re only blocking attackers, and not real users? The answer is to make sure you’re only blocking based on alerts generated by a security technology that has virtually no false positives. Deterministic security from K2 Cyber Security is an example of a security technology with the fewest false positives, because deterministic security validates the attack and reports the actual results of what the attack exploited, down to the line of code with the vulnerability being exploited.
Deterministic security works by understanding the execution and intention of the code in the application during runtime, so there are no issues with code bases changing due to CI/CD, and it validates that the code is executing as the code intends. When an attacker does manipulate the code, K2’s deterministic security recognizes that the intention of the code has been altered during runtime, and signals an alert with detailed information about the attack, including the entire contents of the transaction along with the type of vulnerability being exploited, and the location of the vulnerability in the code, down to the line number. By providing the actual code being executed by the attacker, the possibility of a false positive is minimized.
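As an added illustration (not code from the original post or from K2), the SQL Injection false-positive argument and the intent-validation idea above in Python: a signature matcher flags any input containing ‘1=1’, while a simplified structure check flags only input that changes the statement the developer wrote. The sample inputs, the TEMPLATE query and the small tokeniser are assumptions constructed here.

```python
import re

# Constructed sample form inputs (not from the original post) with ground truth.
SAMPLES = [
    ("alice", False),
    ("In maths 1=1 is a tautology", False),  # benign text that contains '1=1'
    ("' OR 1=1 --", True),                   # the injection pattern the post cites
]

# Query the developer wrote, with the user value spliced in (hypothetical; this
# string-building style is what makes injection possible at all).
TEMPLATE = "SELECT id FROM users WHERE name = '{}'"

SIGNATURE = re.compile(r"1\s*=\s*1")


def signature_detector(value: str) -> bool:
    """Signature/pattern matching: flag any input that contains '1=1'."""
    return SIGNATURE.search(value) is not None


_STRING = re.compile(r"'(?:[^']|'')*'")        # SQL string literal; '' escapes a quote
_TOKEN = re.compile(r"\w+|--|<=|>=|<>|!=|\S")  # words, comment marker, operators


def skeleton(sql: str):
    """Reduce a statement to its structure: literals become '?', the rest is
    tokenised. Only the non-literal tokens decide what the query does."""
    return _TOKEN.findall(_STRING.sub("?", sql))


def intent_detector(template: str, value: str) -> bool:
    """Simplified execution/intent validation (an illustration, not K2's
    implementation): the intended query has the template's structure with one
    literal; if splicing the value in yields a different structure, the input
    has altered the statement and is treated as an attack."""
    intended = skeleton(template.format("x"))
    actual = skeleton(template.format(value))
    return actual != intended


def evaluate():
    """Count false positives and missed attacks for each detector over SAMPLES."""
    fp = {"signature": 0, "intent": 0}
    missed = {"signature": 0, "intent": 0}
    for value, is_attack in SAMPLES:
        for name, verdict in (("signature", signature_detector(value)),
                              ("intent", intent_detector(TEMPLATE, value))):
            fp[name] += int(verdict and not is_attack)
            missed[name] += int(is_attack and not verdict)
    return fp, missed
```

The benign sentence containing ‘1=1’ stays inside the string literal, so its skeleton matches the intended query and only the signature detector raises a false positive; parameterized queries remain the fix for the underlying vulnerability.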
As with any new technology, test the technology, get comfortable with it, before you decide to start blocking attacks with it. If you’re looking for technology that has the lowest false positives, there’s finally an alternative that no longer relies on signatures, patterns or rulesets, reducing significantly the possibility of a false positive alert.
K2 Cyber Security provides deterministic runtime application security that issues alerts based on severity. These actionable alerts provide complete visibility into the attacks and the vulnerabilities that the attacks are targeting, including the location of the vulnerability within the application, with details like the file name and line of code where the vulnerability exists.
K2 can also help reduce vulnerabilities in production by assisting in pre-production testing and addressing issues around the lack of remediation guidance and the poor quality of security penetration testing results. K2 Cyber Security Platform is a great addition for adding visibility into the threats discovered by penetration and security testing tools in pre-production and can also find additional vulnerabilities during testing that testing tools may have missed. K2 can pinpoint the exact location of the discovered vulnerability in the code. When a vulnerability is discovered (for example, SQL Injection, XSS or Remote Code Injection), K2 can disclose the exact file name along with the line of code that contains the vulnerability, details that testing tools typically are unable to provide, enabling developers to start the remediation process quickly.
Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, K2 uses a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation, and verifies the API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has minimal false alerts.
Get more out of your application security testing and change how you protect your applications, and check out K2’s application workload security solution.