High profile data breaches seem to be in the news at an almost daily rate. As we have seen from the findings of the last Verizon Data Breach Incident Report, a significant number of these data breaches result from exploiting vulnerabilities and misconfigurations in web applications. The historically high prevalence of vulnerabilities in code is not a new topic, and neither is misconfiguration. Yet the tools we have to secure web applications from attacks exploiting vulnerabilities and misconfiguration are still missing the mark when it comes to securing application infrastructure.
Why is Application Security Difficult?
Why is securing web applications so difficult, and why do today’s security tools prove to be less than effective at combating the latest attacks and detecting vulnerabilities during testing? Many organizations today use tools like a web application firewall (WAF) and/or an Endpoint Detection and Response (EDR) solution to protect web applications at runtime from new attacks, and Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools to help find vulnerabilities during development. While these tools claim to be effective, let’s see what’s really happening for most organizations using them.
In our conversations with customers, we often hear of these issues with their security tools:
- WAFs and EDR often miss detecting “new” attacks, since the new attacks don’t match patterns or signatures of known attacks
- Tools (both production and development testing) have too many false positives because attack patterns accidentally match valid traffic
- Too many vulnerabilities overlooked and missed during SAST and DAST testing
- Tools have too many alerts that aren’t based on serious or critical problems, and instead are more informational, resulting in overload for teams investigating these alerts
- Tools impact performance and slow the web application
- Reporting lacks the details on discovered vulnerabilities, details that are needed to remediate the problems quickly
Why Do Today’s Security Tools Miss Detecting Attacks and Have False Positives?
First let’s look at why production security tools, like WAF and EDR solutions, miss detecting new attacks and have so many false positives.
To understand the issue, we need to examine the underlying technology many of these tools use to detect new attacks. While these solutions claim to detect zero day attacks, the technology behind zero day attack detection tends to include some mix of machine learning, artificial intelligence (AI), heuristics, fuzzy logic, pattern and signature matching. While all of these technologies are able to detect known attacks, they tend to come up short when it comes to detecting novel, sophisticated, and new zero day attacks. That’s because all of these technologies are based on known prior attacks. Take machine learning for example. Any machine learning expert will tell you that you need good datasets, and lots of them, to train a machine learning algorithm. The datasets used to train machine learning to detect new attacks are, of course, information about prior, known attacks. That translates to machine learning algorithms detecting variations on past attacks, but failing to detect and stop completely unknown, never seen before zero day attacks.
We also hear from our customers that because these algorithms are looking at patterns, and variations on patterns, of past attacks, there’s a high incidence of false positives, where the flagged traffic is either a probe (attackers looking for vulnerabilities where none exist) or harmless traffic that happens to include text/content matching the pattern. The result is that many security organizations need to do a high level of tuning to remove the false positives, and many are beginning to find that the level of tweaking and tuning needed to make the security tools effective isn’t matching the return they are getting from these same tools.
So, how do we find new attacks on applications, if we can’t rely on the security technologies being used by most security products today?
Solving the Problem By Getting Close to the Application
First we need to get close to the problem. Security and security testing that is sitting on the perimeter misses too much of the activity that’s happening directly in the application, and on the application server. RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) solve this problem by using a software agent running directly on the application server, giving the agent visibility into the execution and operation of the application. This is a fundamental shift from the WAF and DAST used previously for application security. Both WAF and DAST work from a location remote from the application and application server and rely on network communications to determine when an attack happens, which misses much of what actually happens in the application itself.
Runtime Application Self-Protection Solves the Application Security Problems
By being ideally positioned for application security, Runtime Application Self-Protection (RASP) has code level visibility into the application and can analyze all the activity related to the application to accurately identify when an attack occurs, thereby reducing the number of false positives. Unlike WAFs, which only see the traffic coming to and from the server, a RASP can see what’s happening inside the application, to determine if there’s inappropriate use of the application itself. RASP is really the first security category to offer self-protection for the application.
A RASP solution sits on the same server as the application, and provides continuous security for the application during runtime. But at the same time it’s important for the RASP solution to have the least impact possible on a running application. The RASP from K2 Cyber Security offers significant application protection while using minimal resources and adding negligible latency (less than a millisecond measured in testing) to an application.
The technology used by the RASP solution to detect attacks also makes a difference. K2 offers an ideal runtime protection security solution that detects attacks against zero day, unpatched and OWASP Top 10 vulnerabilities. Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation, and verifies that API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has virtually zero false alerts.
K2’s RASP solution also provides significant details around discovered attacks and the vulnerabilities that are exploited. Due to the positioning of the RASP solution, K2 can provide details down to the line of code to help pinpoint vulnerabilities, along with the full payload to reproduce the exploit and trigger the vulnerability, details that help a developer remediate vulnerabilities quickly.
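As an added illustration (not K2’s code, and a simplification of what a real RASP agent does), the following contrasts the two detection approaches described above: a perimeter-style signature check on the request value, and an in-process check at the point of execution that compares the structure of the SQL statement about to run with the structure the code intended. The table, rows, signatures and the sample inputs are all constructed for the example.

```python
"""Signature matching vs. execution validation, illustrative only (not K2's code)."""
import re
import sqlite3

# Perimeter-style signatures (constructed for the example).
SIGNATURES = [re.compile(p, re.I) for p in (r"\bor\s+1\s*=\s*1", r"union\s+select")]

def signature_flags(value: str) -> bool:
    """Return True if the raw input matches a known-attack pattern."""
    return any(s.search(value) for s in SIGNATURES)

_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def sql_shape(query: str) -> tuple:
    """Reduce a statement to its structural skeleton: string and numeric
    literals become '?', keywords and identifiers are kept. Data values
    therefore never change the shape; only a change in structure does."""
    return tuple("?" if t[0] == "'" or t.isdigit() else t.upper()
                 for t in _TOKEN.findall(query))

def build_query(name: str) -> str:
    # Deliberately unsafe concatenation: the code path an in-process hook observes.
    return f"SELECT id FROM users WHERE name = '{name}'"

# The shape the developer intended, learned from the code's own template.
INTENDED_SHAPE = sql_shape(build_query("sample"))

def guarded_execute(conn: sqlite3.Connection, name: str) -> dict:
    """In-process check at execution time: run the statement only if its
    structure matches what the code intended; otherwise block and report."""
    query = build_query(name)
    if sql_shape(query) != INTENDED_SHAPE:
        return {"blocked": True, "query": query}
    return {"blocked": False, "rows": conn.execute(query).fetchall()}

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "trade union select committee")])
    return conn

if __name__ == "__main__":
    db = demo_db()
    # A benign name that trips the signature, and a variant the signature misses.
    for value in ("alice", "trade union select committee", "' OR 'a'='a"):
        print(repr(value), "signature:", signature_flags(value),
              "execution check:", guarded_execute(db, value))
```

The benign search phrase is a false positive for the signature but passes the structural check unchanged, while the quote-based variant slips past the signature yet is blocked because it alters the statement’s shape.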
We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs) fail to prevent zero day attacks and how deterministic security fills the need for detecting zero day attacks. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, pattern and signature matching fail to detect true zero day attacks, giving very specific examples of attacks where these technologies work, and where they fail to detect an attack.
The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.