Application Detection and Response (ADR)
Protect, detect and respond to hidden security threats that target your applications.
Table of Contents
- What is application detection and response (ADR)?
- Why do we need ADR? The application visibility gap
- Common Use Cases of Application Detection and Response
- How does ADR detect application attacks in real time?
- How does ADR protect applications against zero-day threats?
- How does ADR help security analysts respond to application attacks?
- Application Detection and Response vs. Other Security Measures
- What is Contrast ADR?
What is application detection and response (ADR)?
In cybersecurity, ADR stands for application detection and response. ADR provides security teams with a powerful tool to defend custom and self-hosted third-party applications against exploits. It leverages software instrumentation to directly observe the behavior of web applications and application programming interfaces (APIs) at runtime, continuously monitoring the applications for behavioral anomalies. The ADR tool not only provides real-time visibility into malicious activity at the application layer, but it also provides compensating controls that prevent attempts to exploit existing vulnerabilities. It’s an “inside-out” approach that establishes highly accurate visibility and protection, especially when integrated with the security operations center (SOC).
Why do we need ADR? The application visibility gap
Modern SOCs rely on telemetry and analytics from a variety of “detection and response” solutions to gain visibility into emerging attacks across a vast threat landscape. Typical detect and response stacks focus on:
- Endpoint activity through endpoint detection and response (EDR)
- Network traffic through network detection and response (NDR)
- Identity behaviors through identity threat detection and response (ITDR)
- Cloud activity through a cloud native application protection platform (CNAPP) and cloud detection and response (CDR)
These solutions have proven invaluable in the escalating fight against increasingly sophisticated adversaries, but an important visibility gap remains: applications.
Today’s security analysts are not armed with the visibility they need to reliably see what’s happening within web applications and APIs. Because of that, threat actors increasingly enter through applications, where they can reach their targets without raising alarms.
In order to see and stop modern application attacks, security operations (SecOps) teams need a new level of visibility and control. They need to extend their reach beyond the traditional network and endpoint, into the applications themselves.
Common Use Cases of Application Detection and Response
Organizations can use ADR in myriad ways to secure applications from attacks:
- Improve application-level threat visibility: ADR closes WAF and EDR blindspots by providing application-layer threat visibility, attack telemetry and actionable insights to respond faster to threats.
- Real-time threat detection: Once deployed, Contrast Security blocks attacks in real time and surfaces potential incidents before they escalate, shortening the time to detect and resolve attacks.
- Provide greater contextual threat intelligence: Without application context, SOC teams struggle to prioritize threats, leading to inefficient response processes.
- Prevent future incidents: ADR provides mitigating controls and insight into real gaps in application security that can be resolved before an attack. It also improves coordination with AppSec and development, allowing teams to work together to address vulnerabilities that malicious actors often exploit before vendors can address them.
- Neutralize zero-day attacks in real time: Gain immediate visibility into novel attacks exploiting unknown vulnerabilities and instantly block them by leveraging behavioral detection within the application to identify and neutralize threats early.
How does ADR detect application attacks in real time?
ADR empowers SecOps teams with the visibility and control they need in order to detect, respond to and block attacks targeting web applications and APIs at runtime. By instrumenting applications with a lightweight agent, ADR sensors observe application behavior from inside the application, including the actual routes where data enters and leaves the application at runtime.
This unique internal perspective allows the ADR tool to analyze data flows and raise alerts for any attempted or successful exploits in real time, identifying the likes of path traversal, unsafe deserialization, SQL/NoSQL injection and many more classes of exploits as they happen. Observing behavior at runtime also ensures highly accurate results, which means SecOps teams spend less time chasing false positives.
How does ADR protect applications against zero-day threats?
By taking advantage of its position within a running application, ADR can not only detect attacks, it can also block them entirely. When ADR identifies unsafe application behavior, it can be configured by policy to throw a server exception, which interrupts the exploit before it can execute and effectively blocks the attack. Unlike many legacy signature-based protection tools, ADR’s analytics are focused on detecting dangerous behaviors, which means it can often detect and block zero-day attacks long before the underlying vulnerabilities are disclosed publicly.
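The two preceding sections describe the mechanism in words: a sensor inside the application watches untrusted request data reach a dangerous sink (a SQL query, a file open), raises an event, and, when policy says "block", throws a server exception so the sink never executes. The sketch below is an added example written for this page; it is not Contrast's agent or any product code. It assumes a toy request model (a dict of parameters), two hypothetical sink rules (sql_rule, path_rule) that approximate data-flow tracking with a substring check, and two deliberately vulnerable handlers (handle_login, handle_download) constructed here so that both a benign and a malicious request can be run under "monitor" and "block" policy modes.

```python
import os
import re
import sqlite3
import tempfile
from dataclasses import dataclass, field


class AttackBlocked(Exception):
    """The 'server exception': raised to interrupt the request before the sink runs."""


@dataclass
class Policy:
    mode: str = "block"                         # "monitor": record only; "block": record and raise
    events: list = field(default_factory=list)  # structured events, ready to forward to a SIEM


# Hypothetical sink rules (constructed for this example). Real ADR tracks data flow
# through the application; this sketch approximates that by checking whether an
# untrusted request value reaches the sink verbatim and changes the sink's meaning.
SQL_STRUCTURE = re.compile(r"(--|;|'|\bor\b|\bunion\b)", re.IGNORECASE)


def sql_rule(sql, untrusted):
    """Untrusted text is embedded in the query and carries structure-changing tokens."""
    return untrusted in sql and bool(SQL_STRUCTURE.search(untrusted))


def path_rule(path, untrusted, root):
    """Untrusted text is embedded in the path and the resolved path leaves the allowed root."""
    return untrusted in path and not os.path.normpath(path).startswith(os.path.join(root, ""))


class Sensor:
    """Runs inside the application process and sees every sink call for one request."""

    def __init__(self, policy, untrusted_inputs):
        self.policy = policy
        self.inputs = [v for v in untrusted_inputs if isinstance(v, str) and v]

    def check(self, rule_name, rule, sink_arg):
        for src in self.inputs:
            if rule(sink_arg, src):
                action = "blocked" if self.policy.mode == "block" else "observed"
                event = {"rule": rule_name, "input": src, "sink": sink_arg, "action": action}
                self.policy.events.append(event)
                if self.policy.mode == "block":
                    raise AttackBlocked(event)


class GuardedConnection:
    """Instrumented SQL sink: every execute() passes through the sensor first."""

    def __init__(self, conn, sensor):
        self.conn, self.sensor = conn, sensor

    def execute(self, sql, params=()):
        self.sensor.check("sql-injection", sql_rule, sql)
        return self.conn.execute(sql, params)


class GuardedFiles:
    """Instrumented file sink: the path is checked against the allowed root before open()."""

    def __init__(self, root, sensor):
        self.root, self.sensor = root, sensor

    def read(self, path):
        self.sensor.check("path-traversal", lambda p, s: path_rule(p, s, self.root), path)
        with open(path) as fh:
            return fh.read()


def handle_login(params, policy):
    """Constructed vulnerable handler: concatenates request values into SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db = GuardedConnection(conn, Sensor(policy, params.values()))
    sql = f"SELECT name FROM users WHERE name = '{params['user']}' AND pw = '{params['pw']}'"
    return [row[0] for row in db.execute(sql).fetchall()]


def handle_download(params, policy, root):
    """Constructed vulnerable handler: joins a request value onto the upload root."""
    files = GuardedFiles(root, Sensor(policy, params.values()))
    return files.read(os.path.join(root, params["file"]))


def demo():
    """Run benign and malicious requests under both policy modes; returns what happened."""
    root = tempfile.mkdtemp()  # constructed upload directory with one sample file
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("quarterly numbers")
    results = {}
    results["benign_login"] = handle_login({"user": "alice", "pw": "s3cret"}, Policy("block"))
    results["benign_download"] = handle_download({"file": "report.txt"}, Policy("block"), root)
    monitor = Policy("monitor")  # observes only: the tautology still returns a row
    results["monitor_login"] = handle_login({"user": "alice", "pw": "x' OR '1'='1"}, monitor)
    results["monitor_events"] = [e["rule"] for e in monitor.events]
    block = Policy("block")      # interrupts the request before either sink executes
    for key, call in (("block_login", lambda: handle_login({"user": "alice", "pw": "x' OR '1'='1"}, block)),
                      ("block_download", lambda: handle_download({"file": "../../etc/passwd"}, block, root))):
        try:
            call()
            results[key] = "executed"
        except AttackBlocked:
            results[key] = "blocked"
    results["block_events"] = [e["rule"] for e in block.events]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is where the decision is made: the sensor sits at the sink, so it sees the query or path exactly as the application is about to use it, which is why the same request that passes a pattern-matching WAF still trips here. In "monitor" mode the event is recorded and the sink still runs; in "block" mode the AttackBlocked exception propagates out of the handler and the query or file read never happens.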
How does ADR help security analysts respond to application attacks?
When a SOC analyst receives a security alert, the real work begins. Typically, analysts leverage Security Information and Event Management (SIEM), Extended Detection and Response (XDR), and Security Orchestration, Automation, and Response (SOAR) platforms to triage and investigate alerts, so that the incident is well understood and a response can be planned and executed to mitigate the threat. ADR empowers analysts with execution context from deep within the application, helping them to more quickly pinpoint and understand application-layer attacks.
ADR also provides analysts with comprehensive playbooks to guide them through the containment and remediation process. The context and guidance provided by ADR not only helps analysts respond quickly and efficiently, it also helps developers and AppSec teams to fix the underlying application vulnerabilities with less hassle.
Application Detection and Response vs. Other Security Measures
Security operations centers (SOCs) often have a number of tools in place to protect their environments and infrastructure. However, these other solutions typically lack adequate coverage for applications and APIs.
Comparing ADR to WAFs
Many organizations deploy Web Application Firewalls (WAFs) to protect applications in production. WAFs protect against common web attacks such as distributed denial of service (DDoS) attacks and certain cross-site scripting attacks. They also reduce the load on your application servers by blocking the network traffic of simple and common web application attacks.
However, WAFs rely on static signatures or known patterns to identify threats: two methods that sophisticated attackers can evade. WAFs also generate a high number of false positives and alerts that aren’t clearly actionable.
In comparison, Contrast ADR provides deep visibility into the application layer, allowing you to detect and block attacks at their source before they can cause damage or spread throughout your environment. ADR is designed to minimize false positives and provide actionable insights, enabling you to focus on the most critical threats.
Comparing ADR to EDR
As the name suggests, Endpoint Detection and Response (EDR) monitors and protects endpoints (e.g., desktops, laptops or servers). EDR detects suspicious activity and investigates incidents at the operating system and network level. Additionally, EDR provides response capabilities to contain and remediate threats on the operating system level.
Typically with EDR, SOC teams would have no way to know if code inside the application is manipulated. And, EDR can miss attacks that occur entirely within the application layer. As a result, SOC teams may have to wait until an application is compromised before EDR detects the threat.
In comparison, with the deep visibility into application behavior and data flows provided by Contrast ADR, your teams can identify anomalies and potential threats that may have bypassed traditional security tools. ADR’s real-time threat detection and response capabilities enhance the overall security architecture by providing a crucial layer of protection against sophisticated attacks. ADR enhances proactive threat detection, so the SOC can finally identify and mitigate application-layer attacks.
Agent-Based ADR vs. eBPF
Not all ADR solutions function in the same manner. Contrast ADR instruments applications, while other ADR solutions in the market leverage Extended Berkeley Packet Filter (eBPF) technology. Here are some of the main pros and cons of each option:
- eBPF provides powerful monitoring of system calls, network activity and process interactions in the kernel layer. It is designed to limit the potential consequences of agent failure. As an added bonus, it’s language independent. On the flip side, eBPF is available only for newer Linux distributions. Kernel-level visibility covers only a small fraction of common application and API vulnerabilities and attacks; for example, eBPF-based ADR can’t effectively mitigate SQL injection attacks. It also works asynchronously, so it cannot prevent exploitation.
- Instrumentation-based ADR provides detailed insights into application logic, data flows, attack surface, defenses, vulnerabilities and assets. This kind of ADR solution can enforce security policies in real time, and it covers a broad range of application and API vulnerabilities and attack rules. However, it has no way to detect system-level threats.
What is Contrast ADR?
Contrast Security is the world’s leader in Runtime Application Security, embedding code analysis and attack prevention directly into software. Contrast Application Detection and Response (ADR) empowers defenders with the observability and control they need in order to detect, respond and block threats that target custom applications and APIs, delivering it in a manner that’s tightly integrated with existing security operations tools and workflows.
Contrast ADR is built on the Contrast Runtime Security Platform, which enables developers, AppSec teams and SecOps teams to better protect and defend their applications against the ever-evolving threat landscape. Contrast’s patented security instrumentation delivers integrated and comprehensive security observability that brings accurate assessment and continuous protection of an entire application portfolio.
To learn more about Contrast ADR, email adr@contrastsecurity.com.