We’ve made a conscious decision to focus on application-layer defense to mitigate cyber threats and attempt to eradicate the chance of data breach in an organization. Here’s why:
- Successful attacks on web applications through the network layer are much harder today than when they first appeared. We’re not talking about network-layer attacks like the ILOVEYOU virus that spread through email and self-forwarding, although clearly we don’t hear about many of those anymore either. When web applications first appeared, they were entirely centralized at one location. This non-distributed infrastructure represented a single point of failure and could result in the application being brought to its knees by a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack. Simply by flooding the server with a large number of requests, or by sending requests that trigger expensive SQL queries, the server’s resources (CPU, memory, sockets or threads, for example) would be exhausted and service would be denied.
While it’s easier than ever to mount a DDoS attack today (with a mere $10 and a search for “web stressor” apps you can find many options), several developments have made mounting a successful DDoS attack harder than ever. First, the evolution to a distributed architecture for application delivery added resiliency to an app and raised the difficulty of bringing down all instances of a typically load-balanced application. Second, and just as important, network-based defenses, whether at an ISP or on-premise, have also become much better at identifying and defending against DDoS attacks. Today, while prices can still be high for some forms of DDoS security, anti-DDoS protection can be added to most CDNs for relatively modest sums. Therefore the application owner often does not need to worry about protecting their apps against DDoS attacks.
- It is very difficult to eliminate application-layer vulnerabilities. While getting to perfect code is a great concept, we all know through real-world experience that today’s process of vulnerability identification during development and iterative remediation is highly manual, doesn’t scale, and slows down our gradual shift to agile and bimodal IT processes. We also know that no amount of security training for developers will eliminate coding flaws. No human is perfect, and we know from history that humans are the weakest link in security strategies. What’s worse, development groups that are under the gun to get products out the door will resist efforts from AppSec IT to baseline risk, undergo extensive security training and modify their processes on a dime. After 15 years of OWASP categorizing exploitable vulnerabilities in applications, the prevalence of these vulnerabilities in most code being written for the web is still very high. It’s the reason the analyst firm Gartner states that vulnerable applications are still the #1 means hackers employ to breach data (stated as recently as the Gartner Security and Risk Management Summit in June 2016).
- Network-layer signatures for application-layer attacks are very hard to develop. Think about it: each exploit could use a wildly different payload to exercise the same application-layer vulnerability, which makes content-based signatures almost useless. Add to that the fact that cybercriminals use short-lived command-and-control servers and bots to avoid detection by IP-reputation-based solutions, and the problem gets harder still. Lastly, behavioral cyber security solutions are too coarse to detect fine-grained malicious activity that deviates from an application’s normal behavior. As a result, cyber security solutions that try to trace malicious application activity from network-layer stimulus alone are effectively blind. Unfortunately, this is where the bulk of our IT security dollars are spent.
Application Layer Defense
This is why we believe that cyber security solutions that factor in fine-grained application-layer behavior have a much better shot at detecting cyber-attacks and APTs (advanced persistent threats). The most sophisticated attacks, APTs among them, play out in the memory of the target application. Ultimately, the attacker is trying to get to important data, and most if not all of it sits behind an application; taking control of that application by getting malicious code to execute in place of the application’s legitimate code gives the attacker the highest chance of success.
In my view, the ability to look deep inside the application process memory for malware activity is the key to application layer defense success for today’s advanced threat environment.