THE BLIND SPOT IN THREAT INTELLIGENCE
June 2015
How application threat intelligence can make existing enterprise security infrastructures smarter
ABSTRACT
Search the web for a definition of “threat intelligence” and you’ll find many different sources providing their own takes on what it means. Interestingly, as of the writing of this paper, the term does not yet have its own Wikipedia page.
While perceptions of its definition may differ, there is no question that threat intelligence is one of the most important areas of security investment for enterprises. Thanks to the growth in cybersecurity attacks and increased exposure at the Board level due to high-profile hacks, it has never been more important to know the true status of your defenses.
Still, there is a major blind spot in threat intelligence today. Enterprises have no visibility into what is actually happening with their applications in production. Analysis of network traffic does not provide any clues as to what the application will do with the data when it executes. Because of this lack of context, security operations teams either get no application data at all, or are flooded with false positives. Alarmingly, many successful attacks go undetected.
This paper will:
· Introduce a coherent definition of the term ‘threat intelligence’
· Outline how a lack of application threat intelligence can hurt an enterprise
· Introduce a new monitoring technology that provides real-time application threat intelligence
· Discuss the actions that can be taken based on this intelligence to make existing security infrastructure more effective
APPLICATION THREAT INTELLIGENCE
In an article entitled “Putting IT in Perspective: Threat Intelligence”, Aberdeen Group VP and Research Fellow Derek Brink outlines four noteworthy attributes of threat intelligence:
· It comes from a qualified, trusted third-party source
· It provides insight into an active campaign, not just notice of a known threat, a known vulnerability, or a known compromise
· It provides the means to draw relevant insights into risk, in terms of both likelihood and business impact, for the specific context of our own organization
· It (often) includes options for additional help
For the purposes of this paper, we will examine information security threat intelligence through this lens.
Based on this definition, existing technologies provide intelligence in many threat areas, and major progress has been made in important disciplines such as endpoint threat detection, user behavior analytics (UBA), APT detection, phishing prevention, post-breach detection and the use of advanced deception techniques to identify active threats.
Applications have become the number one attack vector for hackers, and the databases they use store the information that hackers value most. Yet there is scant, if any, intelligence available about what attacks are actually being seen when applications are in production.
Dangerous application security threats such as cross-site scripting (XSS) and SQL injection (SQLi) are well understood. However, the inability to detect them in production applications is a major security blind spot.
INTRODUCING APPLICATION SECURITY MONITORING
The concept of application performance monitoring (APM), using technologies from vendors such as New Relic and AppDynamics, is well understood. What if the same monitoring approach were applied not to application performance, but to security threats?
Prevoty Application Security Monitoring (ASM) is a new capability that has been designed to give enterprises:
· The ability to determine which applications are actually under attack, in order to manage risk and prioritize remediation efforts
· The ability to enable an instant, effective response by proactively blocking the IP addresses of “bad actors” without the risk of false positives
· Detailed information on all database queries issued by specific applications, allowing for detailed audit trails and supporting root cause analysis for data breaches
· An easy upgrade to runtime application self-protection (RASP) in order to automatically neutralize the identified attacks
application itself. Prevoty-enabled applications are able to deliver unparalleled insights into what is happening in the application from a security perspective, including the “Four W’s” of an attack:
WHO: Identify the origin of the threat. Includes IP address, session information (including User ID if available), cookie detail
WHAT: Provide details of the nature of the threat. Contents of the payload, payload intelligence
WHERE: Where the exploit happened in your applications. URL for web applications, stack trace for SQL queries
WHEN: When did the attack take place. Timestamp (down to the nanosecond)
QRadar, LogRhythm, etc., and can be used as a definitive source of information for root cause analysis (RCA).
HOW IT WORKS
At a conceptual level, Prevoty ASM works as follows:
[Figure: four-step flow with the labels Plug-Ins, Analyze and Alert, steps 1 to 4]
1 Applications are instrumented to call the security engine via plug-ins (no coding required)
2 At runtime, the application automatically sends payloads to the security engine via the Prevoty API
3 The security engine analyzes the incoming payload and determines whether it is malicious. The analysis is performed with no dependence on signatures, definitions or pattern matching
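The following is an added example written by the editor; it is not Prevoty’s engine, plug-in or API, which the paper does not describe at code level. It shows, in Python, one signature-free way to arrive at a definite “this was a SQL injection” verdict rather than a pattern match: the hook knows the query the application meant to run (its parameterised template), lexes both that template and the query the application actually built, and compares their token structure. User data that stays inside a single literal leaves the structure unchanged; anything that adds an operator, keyword, statement or comment does not. The result is packaged as a Who/What/Where/When event of the kind described above. The SQL lexer, the event schema, the hypothetical `monitored_query` hook and the sample request context are all the editor’s assumptions.

```python
"""Illustrative runtime SQL-injection monitor (editor's example, not
Prevoty code). Verdict = does the rendered query keep the structure of
the intended template? Alerts carry Who/What/Where/When fields."""
import re
import time
import traceback

# Tiny SQL lexer. Order matters: a complete string literal must match
# before the "unterminated quote" rule, which swallows the rest of the text.
_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/|\#[^\n]*)
  | (?P<string>'(?:[^']|'')*'|"(?:[^"]|"")*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<param>\?)
  | (?P<op>[<>=!]=|<>|\|\||[-+*/%(),;=<>])
  | (?P<unterminated>['"].*)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def lex(sql):
    """Return (kind, text) pairs for sql, skipping whitespace."""
    return [(m.lastgroup, m.group()) for m in _TOKEN.finditer(sql)
            if m.lastgroup != "ws"]


def structure(sql):
    """Query 'shape': literals and bind parameters collapse to LIT, identifiers
    are case-folded, everything else (operators, comments, stray quotes) is
    kept verbatim, so a comment that exists only in the rendered query is
    itself a structural change."""
    shape = []
    for kind, text in lex(sql):
        if kind in ("string", "number", "param"):
            shape.append("LIT")
        elif kind == "ident":
            shape.append(text.upper())
        else:
            shape.append(kind + ":" + text)
    return shape


def render_unsafely(template, value):
    """The vulnerable pattern under observation: quote-and-concatenate the
    user value into the first placeholder instead of binding it."""
    return template.replace("?", "'" + value + "'", 1)


def inspect_query(template, rendered):
    """Signature-free verdict: True if the user data stayed inside one literal
    (same shape as the template), False if the query's structure changed."""
    return structure(template) == structure(rendered)


def build_event(template, rendered, payload, ctx):
    """Who/What/Where/When record for a query whose structure changed."""
    return {
        "when_ns": time.time_ns(),
        "who": {"ip": ctx["ip"], "session": ctx["session"], "user": ctx.get("user")},
        "what": {"category": "sqli", "payload": payload,
                 "intended": structure(template), "observed": structure(rendered)},
        "where": {"url": ctx["url"],
                  # for a SQL query the 'where' is the call site: nearest frames,
                  # minus this function's own frame
                  "stack": [f.strip() for f in traceback.format_stack(limit=3)[:-1]]},
    }


def monitored_query(template, value, ctx, sink):
    """Hypothetical hook a plug-in would wrap around the application's DB call.
    Returns (rendered query, clean?). `sink` receives the event dict; in
    practice it would serialise to JSON and ship it to a SIEM."""
    rendered = render_unsafely(template, value)
    clean = inspect_query(template, rendered)
    if not clean:
        sink(build_event(template, rendered, value, ctx))
    return rendered, clean


# Constructed sample request context and query (not real data; 203.0.113.0/24 is TEST-NET-3).
CTX = {"ip": "203.0.113.7", "session": "sid-4f2a", "user": "alice", "url": "/api/users/search"}
TEMPLATE = "SELECT id, name FROM users WHERE name = ? AND active = 1"

if __name__ == "__main__":
    import json
    events = []
    for value in ["Bob", "O''Brien", "' OR '1'='1", "x'; DROP TABLE users; --"]:
        rendered, clean = monitored_query(TEMPLATE, value, CTX, events.append)
        print("OK  " if clean else "SQLi", rendered)
    for event in events:
        print(json.dumps(event))
```

Note that `O''Brien`, a correctly escaped quote, is judged clean because it still lexes as one string literal, while `' OR '1'='1` adds a keyword and two literals and `x'; DROP TABLE users; --` adds a second statement and a comment. The same comparison catches unquoted numeric injection (`id = 1 OR 1=1` against `id = ?`), since the extra tokens change the shape just the same. The lexer here is deliberately small; a production engine has to understand each target dialect’s literal, comment and escaping rules, which is exactly where pattern-matching approaches drift from what the database will actually do.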
MAKING EXISTING SECURITY INFRASTRUCTURE SMARTER
Network-based threat intelligence may never detect many application-layer attacks at all, especially SQL injection and more sophisticated XSS attacks. Even when it does, because the detection relies on known attack patterns (signatures, definitions, regular expressions, pattern matching, etc.), it can only say:
“This looks like it might be an attempt at XSS, because it resembles an attack pattern that we have seen before”
In many cases the attack is simply allowed through and no active protection measure is ever taken, because of the risk that a false positive would negatively impact valid users.
Since the Prevoty security engine is able to accurately determine the “DNA” of content and database queries, that is, their actual structure and effect, without relying on signatures, definitions, patterns or behavioral analysis, Prevoty intelligence says:
“This was an XSS attack” or “This was a SQL injection”
Therefore, blocking the IP addresses of bad actors via NGFWs, IPSs or WAFs can be done without risking the negative business impact of false positives. One caveat applies regardless of how accurate the verdict is: a single source IP may be shared by many users behind a NAT gateway or proxy, so IP-level blocks should be time-limited and excluded for known shared egress ranges, with the per-request evidence (session, user ID, URL) retained for follow-up.
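An added example of the consuming side, written by the editor and not part of Prevoty’s product or any NGFW/WAF API: it reads application-security events of the Who/What/Where/When shape, counts confirmed attacks per source IP inside a time window, and turns that into a block decision, while routing sources inside known shared egress ranges to review instead of an automatic block. The event feed, threshold, window, allowlist and the `ipset` rendering are constructed for illustration.

```python
"""Illustrative consumer for application-security events (editor's example,
not Prevoty code). Produces per-IP block decisions from a JSON-lines feed of
the shape {"when_ns", "who": {"ip"}, "what": {"category"}, "where": {"url"}}."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample feed (not real traffic). Timestamps are ns since epoch,
# 1433116800 = 2015-06-01T00:00:00Z; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, 10.0.0.5 stands in for an office NAT gateway.
SAMPLE_EVENTS = [
    '{"when_ns": 1433116800000000000, "who": {"ip": "203.0.113.7"}, "what": {"category": "sqli"}, "where": {"url": "/api/users/search"}}',
    '{"when_ns": 1433116801000000000, "who": {"ip": "203.0.113.7"}, "what": {"category": "sqli"}, "where": {"url": "/api/users/search"}}',
    '{"when_ns": 1433116802000000000, "who": {"ip": "203.0.113.7"}, "what": {"category": "xss"}, "where": {"url": "/profile"}}',
    '{"when_ns": 1433116803000000000, "who": {"ip": "198.51.100.2"}, "what": {"category": "xss"}, "where": {"url": "/profile"}}',
    '{"when_ns": 1433116804000000000, "who": {"ip": "10.0.0.5"}, "what": {"category": "sqli"}, "where": {"url": "/admin"}}',
    '{"when_ns": 1433116805000000000, "who": {"ip": "10.0.0.5"}, "what": {"category": "sqli"}, "where": {"url": "/admin"}}',
]

# Assumed policy: block a source after THRESHOLD confirmed attacks within
# WINDOW_S seconds, but never auto-block ranges many legitimate users share.
THRESHOLD = 2
WINDOW_S = 300
SHARED_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]


def decide_blocks(lines, now_ns, threshold=THRESHOLD, window_s=WINDOW_S, shared=SHARED_EGRESS):
    """Return {ip: {"action": "block" | "review", "count": n, "categories": [...]}}
    for every source that reached the threshold inside the window."""
    cutoff = now_ns - window_s * 10**9
    hits = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        if event["when_ns"] < cutoff:
            continue  # stale: outside the decision window
        hits[event["who"]["ip"]].append(event["what"]["category"])
    decisions = {}
    for ip, categories in hits.items():
        if len(categories) < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        # shared NAT/proxy egress: a block would hit every user behind it
        action = "review" if any(addr in net for net in shared) else "block"
        decisions[ip] = {"action": action, "count": len(categories),
                         "categories": sorted(set(categories))}
    return decisions


def to_ipset_commands(decisions, setname="asm_blocklist", timeout_s=3600):
    """Render block decisions as time-limited ipset entries (one example sink;
    a WAF or NGFW API call would take the same decision as input). Assumes the
    set was created with timeout support."""
    return [f"ipset add {setname} {ip} timeout {timeout_s}"
            for ip, d in sorted(decisions.items()) if d["action"] == "block"]


if __name__ == "__main__":
    now = 1433116810 * 10**9
    decisions = decide_blocks(SAMPLE_EVENTS, now)
    for ip, d in sorted(decisions.items()):
        print(ip, d)
    for cmd in to_ipset_commands(decisions):
        print(cmd)
```

With the sample feed, 203.0.113.7 (three confirmed attacks of two categories) is blocked for an hour, 198.51.100.2 (one event) is below the threshold, and 10.0.0.5 reaches the threshold but sits in the shared egress range and is flagged for review rather than blocked.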
PREVOTY ASM ALLOWS THE EXISTING SECURITY INFRASTRUCTURE TO ADD A LEVEL OF INTELLIGENCE ABOUT APPLICATIONS THAT HAS NOT BEEN POSSIBLE TO DATE.
SO DOES THIS QUALIFY AS TRUE THREAT INTELLIGENCE?
Revisiting the definition used earlier in this paper, let’s evaluate Prevoty ASM’s capabilities against each attribute:
It comes from a qualified, trusted third-party source
Prevoty is a leader in runtime application security and is trusted by major enterprises around the world. However, the real source of the intelligence is an enterprise’s own applications; what could be more trustworthy?
It provides insight into an active campaign, not just notice of a known threat, a known vulnerability, or a known compromise
Applications can now alert in real time when an attack is detected while the applications are running in production
It provides the means to draw relevant insights into risk, in terms of both likelihood and business impact, for the specific context of our own organization
Understanding which applications are actually under attack (and which are not!), together with the volume and nature of those attacks, provides security, development and GRC leaders with relevant information to make smarter decisions on defense and remediation based on the business-criticality of the applications
It (often) includes options for additional help
The detailed intelligence delivered allows for
Threat intelligence is one of the most important areas of information security today, yet enterprises lack visibility into what threats are actually hitting their applications in production. Prevoty ASM can easily be added to applications to provide real-time intelligence that the existing parts of an enterprise’s security ecosystem can use to block known bad actors, and to provide the detailed audit trails required for compliance and root cause analysis.
A basic version of Prevoty ASM is available as a cloud service free of charge. For details, to request access to the service, to see a live demo, or simply to get more information, please visit prevoty.com.