Web applications remain the number one source of data breaches, as researchers at Verizon found in their 2016 Data Breach Investigations Report. But application security operations and best practices have not evolved to keep up with the rapid advances in attackers’ skillsets. In a world ruled by agile development practices and cloud computing, web apps are more important than ever. It’s critical for organizations to do a better job of keeping them safe.
Filtering Out the Noise
Security Operations Center (SOC) teams are struggling to cope with the thousands of security events that flood their SIEMs (security information and event management systems) each day. Unfortunately, a lot of these events are “noise.” Where web applications are concerned, there are many blind spots in log sources. These blind spots arise from insufficient application security logging and server logging misconfiguration.
What’s more, modern application architectures (such as WebSockets and microservices) place the burden on the application developer to take care of application security logging, wasting valuable time and resources. Next-generation application security analytics platforms such as Runtime Application Self-Protection (RASP) are instrumented to generate security events from within the application itself, instead of from system logs alone.
Simplifying Security Analysis for SOC Teams
Security teams must continuously investigate, analyze, and do post mortems to assess if and how attackers conduct malicious activity, whether a breach has occurred, and if so, what the magnitude of the breach was.
Today, this process involves collecting database, server, and network logs, SIEM data, and other sources, each of which gives an incomplete picture of attacker activity. Analysts then face the onerous task of piecing those logs together. This is a slow, manual process, and the final report rarely contains all the information needed to assess the severity of attacks.
By contrast, RASP solutions offer access to data on suspicious and malicious activity, attacker information, attacks and payloads, application vulnerabilities, and more. This allows the security analyst to understand, in real time, all the details about the threat. RASP offers security teams critical intelligence on:
- The top 10 suspicious IP addresses accessing websites
- Which users log in from those IP addresses
- Which threats and attack types have surfaced
- Which threats targeted real vulnerabilities
- Which payloads succeeded and which were blocked
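The five questions above are aggregations over structured security events, so they can be answered with a few lines of analysis code once events carry request context. The script below is an added example (not the page's or any vendor's code): it parses constructed JSON-lines events with an assumed schema (src_ip, user, route, attack_type, vuln_confirmed, outcome, payload) and produces each of the five views plus an "investigate first" queue of payloads that succeeded against confirmed vulnerabilities.

```python
"""Triage report over RASP security events (added example, not the page's or any vendor's code).

Assumed event schema: src_ip, user, route, attack_type, vuln_confirmed,
outcome ("blocked", or "succeeded" meaning the payload reached the vulnerable
sink, e.g. in monitor mode) and payload.  The JSON lines below are constructed,
using documentation-range IP addresses.  Each function returns plain data that a
SIEM dashboard can render or a test can assert on.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_EVENTS = """\
{"ts":"2016-06-01T10:00:01Z","src_ip":"203.0.113.7","user":"alice","route":"/login","attack_type":"sqli","vuln_confirmed":true,"outcome":"blocked","payload":"' OR '1'='1"}
{"ts":"2016-06-01T10:00:03Z","src_ip":"203.0.113.7","user":"alice","route":"/search","attack_type":"xss","vuln_confirmed":false,"outcome":"blocked","payload":"<script>1</script>"}
{"ts":"2016-06-01T10:00:09Z","src_ip":"203.0.113.7","user":"bob","route":"/login","attack_type":"sqli","vuln_confirmed":true,"outcome":"succeeded","payload":"admin'--"}
{"ts":"2016-06-01T10:01:12Z","src_ip":"198.51.100.23","user":null,"route":"/api/items","attack_type":"path_traversal","vuln_confirmed":true,"outcome":"blocked","payload":"../../etc/passwd"}
{"ts":"2016-06-01T10:01:40Z","src_ip":"198.51.100.23","user":"carol","route":"/search","attack_type":"xss","vuln_confirmed":false,"outcome":"blocked","payload":"<img src=x onerror=1>"}
{"ts":"2016-06-01T10:02:05Z","src_ip":"192.0.2.50","user":"dave","route":"/profile","attack_type":"sqli","vuln_confirmed":false,"outcome":"blocked","payload":"1 OR 1=1"}
{"ts":"2016-06-01T10:02:30Z","src_ip":"203.0.113.7","user":"alice","route":"/login","attack_type":"sqli","vuln_confirmed":true,"outcome":"blocked","payload":"' OR 'a'='a"}
"""


def load_events(lines: str) -> List[Dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def top_suspicious_ips(events: List[Dict], n: int = 10) -> List[Tuple[str, int]]:
    """Source addresses ranked by number of security events (the 'top 10' view)."""
    return Counter(e["src_ip"] for e in events).most_common(n)


def users_by_ip(events: List[Dict]) -> Dict[str, List[str]]:
    """Which authenticated users acted from each address (anonymous events are skipped)."""
    seen = defaultdict(set)
    for e in events:
        if e.get("user"):
            seen[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in seen.items()}


def attack_type_counts(events: List[Dict]) -> Dict[str, int]:
    """Which threats and attack types have surfaced."""
    return dict(Counter(e["attack_type"] for e in events))


def attacks_on_real_vulns(events: List[Dict]) -> Dict[str, int]:
    """attack_type@route keys for attacks that hit a confirmed vulnerability."""
    return dict(Counter(f'{e["attack_type"]}@{e["route"]}' for e in events if e["vuln_confirmed"]))


def payload_outcomes(events: List[Dict]) -> Dict[str, List[str]]:
    """Payloads grouped by whether they were blocked or reached the sink."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["outcome"]].append(e["payload"])
    return dict(grouped)


def priority_queue(events: List[Dict]) -> List[Dict]:
    """What an analyst should open first: payloads that succeeded against confirmed vulns."""
    return [e for e in events if e["outcome"] == "succeeded" and e["vuln_confirmed"]]


def triage_report(lines: str) -> Dict:
    """Assemble all five views (and the priority queue) from raw JSON lines."""
    events = load_events(lines)
    return {
        "top_ips": top_suspicious_ips(events),
        "users_by_ip": users_by_ip(events),
        "attack_types": attack_type_counts(events),
        "confirmed_targets": attacks_on_real_vulns(events),
        "outcomes": {k: len(v) for k, v in payload_outcomes(events).items()},
        "investigate_first": priority_queue(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_EVENTS), indent=2))
```

The priority queue is the part worth copying: an event that both succeeded and targeted a confirmed vulnerability is the one outcome where a breach assessment is needed, whereas blocked payloads against unconfirmed weaknesses are the noise the SOC can deprioritize.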
Rapid Response Speeds Remediation
As analysts identify threats, they have to work across network, server, and application teams to address those threats. RASP not only allows analysts to understand the threats they are under in real time, but also allows them to address threats in real time without relying on external teams.
With RASP solutions, users can temporarily block a given IP address. They can also block suspected botnets by serving captchas that prevent the botnets from operating against websites. To stop hackers from exploiting SQL injection vulnerabilities, organizations can use RASP to block SQLi payloads before they reach an otherwise vulnerable line of code.
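Both the earlier point that RASP generates events from inside the application rather than from system logs, and the point just above about blocking a SQLi payload at an otherwise vulnerable line of code, come down to one mechanism: a hook between the application's query-building code and the database driver that knows the untrusted input and checks whether it changed the statement's structure. The code below is an added example, not the page's or any vendor's implementation. It assumes a hypothetical app function `lookup_user` that formats request input into SQL, and a hypothetical `guarded_execute` wrapper standing in for the RASP agent; the request context values are constructed.

```python
"""RASP-style guard at a SQL call site (added example, not the page's or any vendor's code).

Setup (hypothetical): a web app builds a query by formatting request input into
a string, the "otherwise vulnerable line of code".  guarded_execute() sits
between that line and the driver.  It knows the untrusted value, tokenizes the
finished query, and requires the value to sit inside a single literal or
identifier token.  A value that crosses a token boundary (quote break-out, added
operator, trailing comment) changes the statement's structure, so the call is
blocked and one JSON event carrying request context is emitted for the SIEM.
"""
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r"""\s*(?:
      (?P<string>'(?:[^']|'')*')        |   # single-quoted literal ('' escapes a quote)
      (?P<number>\d+(?:\.\d+)?)         |   # numeric literal
      (?P<comment>--[^\n]*|/\*.*?\*/)   |   # SQL comment
      (?P<ident>[A-Za-z_][A-Za-z0-9_]*) |   # keyword or identifier
      (?P<op>[=<>!]+|[(),;*+-])         |   # operator / punctuation
      (?P<other>\S)                         # anything else, e.g. a stray quote
    )""", re.VERBOSE | re.DOTALL)

Token = Tuple[str, int, int]          # (kind, start, end) offsets into the query
SAFE_KINDS = ("string", "number", "ident")
EVENTS: List[Dict] = []               # in-memory sink standing in for the SIEM forwarder


class BlockedRequest(Exception):
    """Raised instead of executing a query whose structure the input altered."""


def tokenize(sql: str) -> List[Token]:
    """Lexical scan of the query; only token kinds and offsets are needed, not a full parse."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                 # only trailing whitespace left
            break
        kind = m.lastgroup
        tokens.append((kind, m.start(kind), m.end(kind)))
        pos = m.end()
    return tokens


def check_query(query: str, value: str) -> Optional[str]:
    """Return None when `value` lies within one safe token, else the name of the rule that fired.

    Demo limitation: the value is located by substring search, so an escaped copy
    (O''Brien) is not found and is allowed through; commercial RASP tracks taint
    through the escaping and driver layers instead of searching the final string.
    """
    if not value:
        return None
    start = query.find(value)
    if start < 0:
        return None
    end = start + len(value)
    for kind, s, e in tokenize(query):
        if s <= start and end <= e:   # whole value inside one token
            return None if kind in SAFE_KINDS else "input_changes_query_structure"
    return "input_spans_token_boundary"


def guarded_execute(query: str, value: str, ctx: Dict, execute: Callable[[str], object]):
    """Driver wrapper: block on structural change and emit one SIEM-ready JSON event.

    Allowed calls are deliberately not logged; that is the noise a SOC does not need."""
    rule = check_query(query, value)
    if rule is None:
        return execute(query)
    event = {
        "source": "rasp", "category": "sqli", "action": "block", "rule": rule,
        "route": ctx.get("route"), "user": ctx.get("user"), "src_ip": ctx.get("src_ip"),
        "payload": value, "query": query,
    }
    EVENTS.append(event)
    print(json.dumps(event))          # one JSON line per event
    raise BlockedRequest(rule)


def lookup_user(name: str, ctx: Dict):
    """Hypothetical app code: the vulnerable line, with the guard wrapped around the driver."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"   # vulnerable concatenation
    return guarded_execute(query, name, ctx, execute=lambda q: [("fake-row", q)])


if __name__ == "__main__":
    ctx = {"route": "/login", "user": "alice", "src_ip": "203.0.113.7"}  # constructed context
    print(lookup_user("alice", ctx))
    try:
        lookup_user("' OR '1'='1", ctx)
    except BlockedRequest as exc:
        print("blocked:", exc)
```

The emitted event already contains the fields a SIEM needs to correlate (route, user, source address, payload, the exact statement), which is what a web server access log cannot provide; the blocking decision is made at the sink, so the vulnerable line stays protected until it is fixed with a parameterized query.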
High-Fidelity Application Security Logging Neutralizes Threats
Having lots of data is great, but without context, that data isn’t fully useful. RASP solutions address this problem by pulling specific, accurate event information directly from applications, with only minimal configuration required to make sense of it all. RASP can integrate directly into a SIEM, offering an easy-to-use interface that lets users navigate application security event information. This allows for real-time threat analysis and mitigation, as well as forensic investigation after the fact.
A RASP solution doesn’t replace your SIEM, but it can fill in critical gaps in app security data the SIEM may leave open. It also lets your organization eliminate threats much more quickly than with a SIEM alone.