Application Detection and Response (ADR)

What is application detection and response (ADR)? 

ADR provides security teams with a powerful tool to defend custom and self-hosted third-party applications against exploits. It leverages software instrumentation to directly observe the behavior of web applications and application programming interfaces (APIs) at runtime, continuously monitoring the applications for behavioral anomalies. The ADR tool not only provides real-time visibility into malicious activity at the application layer, but it also provides compensating controls that prevent attempts to exploit existing vulnerabilities. It’s an “inside-out” approach that establishes highly accurate visibility and protection, especially when integrated with the security operations center (SOC).

Why do we need ADR? The application visibility gap

Modern SOCs rely on telemetry and analytics from a variety of “detection and response” solutions to gain visibility into emerging attacks across a vast threat landscape. Typical detect and response stacks focus on:

• Endpoint activity through endpoint detection and response (EDR)
• Network traffic through network detection and response (NDR)
• Identity behaviors through identity threat detection and response (ITDR)
• Cloud activity through a cloud native application protection platform (CNAPP) and cloud detection and response (CDR)

These solutions have proven invaluable in the escalating fight against increasingly sophisticated adversaries, but an important visibility gap remains: applications.

Today’s security analysts are not armed with the visibility they need to reliably see what’s happening within web applications and APIs. Because of that, threat actors are increasingly gaining access through applications, where they are able to gain access to their targets without raising alarms.

In order to see and stop modern application attacks, security operations (SecOps) teams need a new level of visibility and control. They need to extend their reach beyond the traditional network and endpoint, into the applications themselves. 

How does ADR detect application attacks in real time?

ADR empowers SecOps teams with the visibility and control they need in order to detect, respond and block attacks targeting web applications and APIs at runtime. By instrumenting applications with a lightweight agent, ADR sensors observe application behavior from inside the application, including the actual routes where data enter and leave the application at runtime. 

This unique internal perspective allows the ADR tool to analyze data flows and raise alerts for any attempted or successful exploits in real time, identifying the likes of path traversal, unsafe deserialization, SQL/NoSQL injection and many more classes of exploits as they happen. Observing behavior at runtime also ensures highly accurate results, which means SecOps teams spend less time chasing false positives.

How does ADR protect applications against zero-day threats?

By taking advantage of its position within a running application, ADR can not only detect attacks, it can also block them entirely. When ADR identifies unsafe application behavior, it can be configured by policy to throw a server exception, which interrupts the exploit before it can execute and effectively blocks the attack. Unlike many legacy signature-based protection tools, ADR’s analytics are focused on detecting dangerous behaviors, which means it can often detect and block zero-day attacks long before the underlying vulnerabilities are disclosed publicly.

How does ADR help security analysts respond to application attacks?

When a SOC analyst receives a security alert, the real work begins. Typically, analysts leverage Security Incident and Event Management (SIEM), Extended Detection and Response (XDR), and Security Orchestration, Automation, and Response (SOAR) platforms to triage and investigate alerts to ensure the incident is well understood, and that a response can be planned and executed to mitigate the threat. ADR empowers analysts with execution context from deep within the application, helping them to more quickly pinpoint and understand application-layer attacks. 

ADR also provides analysts with comprehensive playbooks to guide them through the containment and remediation process. The context and guidance provided by ADR not only helps analysts respond quickly and efficiently, it also helps developers and AppSec teams to fix the underlying application vulnerabilities with less hassle.

What is Contrast ADR?

Contrast Security is the world’s leader in Runtime Application Security, embedding code analysis and attack prevention directly into software. Contrast Application Detection and Response (ADR) empowers defenders with the observability and control they need in order to detect, respond and block threats that target custom applications and APIs, delivering it in a manner that’s tightly integrated with existing security operations tools and workflows. 

Contrast ADR is built on the Contrast Runtime Security Platform, which enables developers, AppSec teams and SecOps teams to better protect and defend their applications against the ever-evolving threat landscape. Contrast’s patented security instrumentation delivers integrated and comprehensive security observability that brings accurate assessment and continuous protection of an entire application portfolio. 

Learn more about Contrast ADR email adr@contrastsecurity.com