OSI Layer 7
Improve protection of the application layer with Application Detection and Response (ADR)
With attacks targeting OSI layer 7, the application layer, on the rise, organizations need more robust solutions to protect their application blindspot. Contrast ADR directly addresses this blindspot by instrumenting applications from within, providing the crucial visibility and context needed for accurate detection and effective response at the application layer.
What is OSI layer 7?
The Open Systems Interconnection (OSI) model is made up of seven layers that help describe how data and applications move and communicate over a network. Each layer helps guide software vendors and developers so the communication products and software programs they create will interoperate. For example, when developing an application, the OSI model can provide a visualization of what layers the application needs to work with.
OSI layer 7, called the application layer, serves as the interface between user applications and the network in that it receives information directly from users and displays incoming data to the user.
In essence, OSI layer 7 is where the network meets the application. It's the layer that defines the protocols that applications use to communicate over a network.
What is the OSI model?
The Open Systems Interconnection (OSI) model is a conceptual framework created by the International Organization for Standardization (ISO) in 1984. It standardizes the functions of a communication system by dividing them into seven distinct layers. Each layer has a specific set of responsibilities and communicates with the layers directly above and below it.
The primary purpose of the OSI model is to provide a universal language for computer networking. This allows diverse networking technologies and protocols to interoperate, enabling communication across different systems regardless of their underlying hardware and software. It provides a structured way to understand how data travels from an application on one computer to an application on another across a network.
The seven layers of the OSI model:
- Physical layer (layer 1): This layer deals with the physical medium for data transmission. It defines the electrical, mechanical, procedural and functional specifications for activating, maintaining and deactivating the physical link between end devices.
- Data link layer (layer 2): This layer provides reliable data transfer between two directly connected nodes. It handles framing (dividing data into packets called frames), physical addressing (MAC addresses), error detection and sometimes error correction.
- Network layer (layer 3): This layer is responsible for routing data packets across a network. It handles logical addressing (IP addresses), path determination and packet forwarding.
- Transport layer (layer 4): This layer provides end-to-end communication between applications. It handles segmentation and reassembly of data, flow control and error control to ensure reliable and ordered delivery of data.
- Session layer (layer 5): This layer manages and controls the connections (sessions) between applications. It establishes, maintains and terminates sessions, and handles dialogue control and synchronization.
- Presentation layer (layer 6): This layer is responsible for data formatting, encryption and compression. It ensures that data sent by the application layer of one system is in a format that the application layer of another system can understand.
- Application layer (layer 7): This is the topmost layer and the closest to the end user. It provides network services directly to user applications. It doesn't contain the application itself but provides the protocols that applications use to communicate over the network.
While the modern internet is based on the TCP/IP model, which has a different layered structure (typically four layers), the OSI model is still a valuable tool for understanding networking concepts and how different protocols and technologies relate to each other. It provides a common language for discussing network functionality and troubleshooting.
What is the role of the OSI model’s application layer 7?
The application layer (layer 7) of the OSI model serves as the interface between end user applications and the underlying network. It is the topmost layer and the closest to the user, providing the means for applications to access network services and for users to interact with the network.
Here's a breakdown of the key roles of the application layer:
- Providing network services to applications: This is the primary role. The application layer defines protocols that applications use to exchange data. It doesn't contain the applications themselves (like your web browser or email client) but provides the necessary services for them to communicate over the network. Examples include:
  - Web browsing: HTTP/HTTPS
  - Email: SMTP, POP3, IMAP
  - File transfer: FTP, SFTP
  - Domain name resolution: DNS
  - Dynamic host configuration: DHCP
  - Remote access: Telnet, SSH
- Identifying communication partners: The application layer helps applications identify and communicate with the correct destination. For instance, DNS helps translate a human-readable domain name into the IP address of the server to which the application needs to connect.
- Determining resource availability: Before communication begins, the application layer can determine if the necessary resources are available on the network and the remote host.
- Synchronizing communication: For applications that require coordinated communication (like a multi-user game), the application layer helps manage and synchronize the dialogue between the applications on different hosts.
- Supporting data formatting (in conjunction with the presentation layer): While the presentation layer (layer 6) is primarily responsible for data formatting, the application layer is aware of the data formats needed by applications. It works with the presentation layer to ensure data is in a usable format for the receiving application.
- Error handling (application-specific): The application layer often includes mechanisms for error recovery that are specific to the application being used.
How does the application layer 7 interact with other OSI layers?
The application layer (layer 7) doesn't directly interact with the hardware or the physical transmission of data. Instead, it relies on the services provided by the lower layers of the OSI model to handle the complexities of network communication.
How is the OSI Model different from the TCP/IP model?
The OSI (Open Systems Interconnection) model and the TCP/IP (Transmission Control Protocol/Internet Protocol) model are both conceptual frameworks used to understand and standardize how different network components communicate. However, they differ in several key aspects.
Summary of differences between the OSI model and the TCP/IP model:

| Feature | OSI model | TCP/IP model |
| --- | --- | --- |
| Number of layers | Seven | Four (or five in some interpretations) |
| Layer focus | Functional description | Protocol-driven implementation |
| Protocol dependence | Protocol-independent | Protocol-dependent |
| Practicality | Theoretical, educational | Practical, implementation-based |
| Connection type | Supports both | Primarily connection-oriented focus |
| Development | ISO standard | DARPA development |
| Adoption | Primarily a reference model | The basis of the internet |

What is layer 7 security?
Layer 7 security, also known as application layer security, refers to the security measures and practices implemented at the application layer (layer 7) of the OSI model to protect applications and the data they handle from various cyber threats.
Since the application layer is the closest to the end user and interacts directly with software applications, it presents a significant attack surface. Many sophisticated and damaging cyberattacks target this layer because it's where users input and receive sensitive data, and where business logic is executed.
Importance of Contrast ADR for layer 7 security
Modern applications and APIs are primary targets for attackers, yet they often represent a significant blindspot for Security Operations Center (SOC) teams relying on traditional security tools. A core security principle holds true: “You can't secure what you can't see.” However, when it comes to the internal workings of applications, many SOC analysts are effectively operating blind.
Tools like web application firewalls (WAFs), network tools, and even Endpoint Detection and Response (EDR) primarily monitor network traffic, system calls or process activity. They typically lack deep visibility inside the application layer. This "application blindspot" means SOCs struggle to detect sophisticated attacks targeting application logic or leveraging internal vulnerabilities.
Often, SOC teams have to wait until attackers move from the compromised application to the endpoint before traditional tools (like EDR) can detect activity, allowing significant dwell time. Further, they need to differentiate real application attacks from the noise generated by external tools like WAFs, leading to alert fatigue and missed threats.
Contrast ADR eliminates the critical visibility gap — the application blindspot — that prevents SOC teams from effectively detecting and responding to threats originating or operating within applications and APIs.
- Secure the unseen: Eliminate the application blindspot to actively detect and block threats hiding inside. Eliminate the critical gap left by traditional tools that are blind to internal application behavior. Detect and block attacks invisible from the outside by seeing inside of applications.
- Pinpoint application layer attacks: Accurately identify application attacks that exploit the internal blindspot. Pinpoint the exact vulnerable code and pathways exploited by attackers operating within the application layer. Focus on real threats occurring inside the application, eliminating noise from other tools.
- Turn visibility into security: Accelerate containment by knowing precisely where inside the application to intervene. Enrich SOC tooling with unique runtime visibility from inside applications. Base security decisions on ground truth observed at runtime, not guesswork.
Just seeing isn't enough; the goal is security. Contrast ADR provides visibility to enable accurate detection and precise blocking and control. Gain meaningful context about alerts related to applications, instead of relying on development teams for investigation and slowing down incident response (IR). Understand the true risk and impact of an event that would otherwise be unclear because the application's internal state is unknown.
How does Contrast ADR provide deeper layer 7 protection?
External tools like WAFs analyze layer 7 traffic (HTTP, APIs) but miss what happens inside the application. Contrast ADR instruments the application runtime itself, providing direct visibility into:
- Internal execution: Seeing how code actually runs and processes data received via layer 7.
- Real-time exploit detection: Identifying unsafe data handling and logic abuse within the application as attacks happen (e.g., SQL injection, command injection).
This "inside view" allows ADR to accurately detect and block sophisticated attacks exploiting application logic – threats often invisible to external defenses – thereby eliminating the critical layer 7 application blindspot.
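The contrast between the outside view and the inside view can be modelled in a few lines. This is an added illustration, not Contrast's code and not a description of how Contrast ADR is implemented; the signature, the handlers, the sensor hook and the sample requests are all constructed for the example.

```python
import re

# Constructed signature standing in for an external layer 7 filter rule.
EDGE_RULE = re.compile(r"'|--|\b(or|union)\b", re.IGNORECASE)
# SQL tokens: quoted literal, word/number, or any single symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")

def edge_flags(param):
    """Outside view: judges the raw request value with no knowledge of its use."""
    return bool(EDGE_RULE.search(param))

def sql_shape(sql):
    """Structure of a statement with literal values replaced by '?'."""
    return ["?" if (len(t) > 1 and t[0] == "'") or t.isdigit() else t.upper()
            for t in TOKEN.findall(sql)]

def sensor_alerts(sql_text, tainted):
    """Inside view (hypothetical hook at the database call): alert only when
    request data is part of the SQL text and changes the statement's shape.
    Substring matching stands in for the taint tracking a real agent would do."""
    if tainted not in sql_text:
        return False  # value was bound as a parameter, not concatenated
    neutral = sql_text.replace(tainted, "x")
    return sql_shape(sql_text) != sql_shape(neutral)

def concatenating_handler(name):
    """Unsafe data handling: request value becomes part of the SQL text."""
    return "SELECT id FROM users WHERE name = '" + name + "'"

def parameterized_handler(name):
    """Safe data handling: the value travels separately from the SQL text."""
    return "SELECT id FROM users WHERE name = ?"

def compare(param, handler):
    """Return (edge verdict, in-application verdict) for one request."""
    return edge_flags(param), sensor_alerts(handler(param), param)

if __name__ == "__main__":
    samples = [  # constructed requests
        ("alice", concatenating_handler),
        ("O'Brien", parameterized_handler),
        ("x' OR '1'='1", parameterized_handler),
        ("x' OR '1'='1", concatenating_handler),
    ]
    for param, handler in samples:
        edge, inside = compare(param, handler)
        print(f"{param!r:18} {handler.__name__:24} edge={edge} inside={inside}")
```

The two middle samples are the noise case: the edge rule fires on the request text, but the value never reaches the query structure, so only the last sample is an alert worth a SOC analyst's time.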