Gazing into your security operations center (SOC) platform, what do you see?
It depends where you look. If you look at network traffic, your network detection and response (NDR) solution might spot data exfiltration, for example. How are those employee laptops? Your endpoint detection and response (EDR) solution shows it quarantined malware on George’s laptop (again).
Now look over at your application layer — your applications and application programming interfaces (APIs). Can you see what’s happening inside those apps?
The answer is likely “No.” You have extremely limited visibility. You see fog. You can’t squint hard enough to make out what attacks are happening.
“Unfortunately, the application layer is where a lot of the risk is,” according to Jeff Williams, Contrast Security founder and chief technology officer (CTO). “You know, you and I both trust everything that's valuable in our lives to software: finances, healthcare, elections, government, defense, everything. But we're really not doing very much to protect them.”
In a video interview with Information Security Media Group (ISMG) at Black Hat 2024, Williams explained the gap in cybersecurity visibility that’s causing app layer obscurity: “It is an application economy for sure, and there's a real gap,” he said. “Organizations have endpoint detection and response (EDR) products to protect endpoints, and cloud detection and response (CDR) to protect their clouds, but there's no application detection and response (ADR).”
The obscurity surrounding app behavior is why Contrast Security announced Application Detection and Response (ADR) at Black Hat 2024. ADR throws open the window into app/API behavior, shedding light onto what has been, up until now, invisible to the SOC.
Beyond providing visibility so SOC analysts can finally see what's happening in the app layer, ADR enables them to respond by blocking attacks.
Five takeaways on ADR’s paradigm-shifting new technology, from Williams’ discussion with ISMG:
1. Unveiling the hidden: Exposing application-layer vulnerabilities
Security teams have long relied on tools like EDR and NDR to monitor their IT infrastructure. These tools, however, often lack the ability to peer into the application layer, where much of the valuable data resides and where many critical vulnerabilities exist. Attackers are increasingly targeting these application-layer vulnerabilities to gain unauthorized access, steal data or disrupt operations.
“Security operations really don’t have very good visibility into the application layer,” Williams explained. “They see the endpoints, they see networks and infrastructure, cloud, but they don't really see much about what's happening inside applications” — the layer in which much of the risk resides.
ADR fills this gap by providing deep visibility into the application layer. ADR instruments the running application, which allows the technology to monitor and analyze the app’s behavior in real time, detecting and responding to otherwise invisible attacks.
2. Staying ahead of the game: Adapting to the evolution of application attacks
Just as applications have evolved, so too have application attacks. Long-established vulnerability classes such as SQL injection persist, while attackers have refined their techniques to also target modern applications built on complex architectures, i.e., those that include APIs and microservices. One example: attackers are trying Java Naming and Directory Interface (JNDI) injection, the technique behind the Log4Shell attacks, against all of your systems, including your custom code.
“[Application attacks have] evolved as applications have evolved,” Williams told ISMG. While the underlying vulnerabilities are fairly similar — unsafe deserialization, for example — “now they're in APIs, or … in more complex applications that have multiple tiers and back ends and so on.”
Williams stressed that detection today requires instrumenting the whole running application.
Attackers aren’t stupid; they’ve figured out how complex apps have become, and they’ve adapted to the situation. “Now, they’re sending complex attacks into APIs and complex attack surfaces that you can't really see with a web application firewall [WAF] and exploiting applications where you see gaps in detection and response,” Williams went on.
It’s difficult to understand the behavior and potential vulnerabilities of today’s complex applications, which often have multiple tiers and backends. Attackers exploit that complexity, launching sophisticated attacks that bypass traditional security measures. ADR's ability to instrument and monitor the running application gives it the edge in detecting and responding to these evolving attack methods.
3. A proactive approach: Going beyond detection with ADR
Gaining visibility into app/API behavior — which many organizations lack — is only the first step. Once you understand what's happening, then you can respond to it. That’s why blocking attacks is part of ADR.
“As part of ADR, we block attacks as well,” Williams said. “It's not just detection, it's detection and response to help stop some of those attacks.” Observability and detection are only two of ADR’s capabilities:
- Security observability: ADR provides a detailed map of the application’s attack surface, security defenses, risky behaviors and backend connections, allowing security teams to fully grasp the application's risk profile.
- Behavioral analysis: ADR constantly monitors the application's behavior, identifying anomalies that may signal an attack, thus enabling rapid detection and response.
- Alerts with context: ADR provides alerts to the SOC with significant context, providing blueprint instructions for incident response teams and dev teams to respond and remediate.
- Attack blocking: ADR can be configured to actively block attacks in progress, preventing them from reaching their target and minimizing the impact of successful attacks.
4. Strengthening security posture: The benefits of ADR
ADR delivers multiple key benefits. Like other detection-and-response tools, ADR generates telemetry about the events and incidents happening inside applications and can send it to a security information and event management (SIEM) solution via Syslog or other mechanisms. Contrast has integrations with SIEMs such as Splunk, where a plug-in brings ADR data into the XDR ecosystem. The same telemetry can also be fed into cloud-native application protection platforms (CNAPPs) and other systems.
Williams said that data about incidents (real incidents, not a blizzard of false positives that waste analysts’ time) is probably the highest-value benefit customers will see: “Lots of tools can generate tons of events, like, ‘All this stuff happened,’ but most of it is sort of ‘Who cares?’ We want to get people focused on real incidents that demand immediate response,” Williams continued. ADR differs from a WAF, which fires on anything that looks like an attack. Dealing with all those false alarms is “way too much,” Williams contended. “The real difference with ADR … is you don't have to see all these possible attacks.”
ADR reports only the attacks that actually reach the vulnerability they target. For example, if a SQL injection payload never reaches a SQL query, “it doesn't really matter,” Williams stressed. “We're trying to focus on that 1% that really matter.”
Other benefits:
- Improved visibility: ADR offers unprecedented visibility into the application layer, allowing for identification and prioritization of vulnerabilities, attack monitoring and rapid incident response.
- Enhanced detection: ADR's behavioral analysis capabilities detect attacks that may bypass traditional security, reducing the risk of successful breaches.
- Faster response: Real-time monitoring and attack blocking enable rapid incident response, minimizing damage.
- Reduced risk: Comprehensive visibility, enhanced detection and faster response significantly reduce the overall risk of application-layer attacks.
5. A security blueprint from inside the running application
ADR generates what Contrast calls a security blueprint of every application. According to Williams, a blueprint shows:
- The full attack surface. Contrast doesn’t reverse-engineer apps. Rather, “We actually get it from inside the running application,” Williams said. “We get the whole attack surface,” along with the security defenses in place for each route: authentication, access control, encryption, etc.
- Dangerous behavior possible in each route: for example, parsing an XML file or accessing the file system. “This starts a native process: It's not a vulnerability; it's not an attack,” Williams explained. “It's just dangerous stuff.”
- Back-end connections: For example, what valuable systems does a route connect to?
A blueprint makes it far easier to secure the app layer. As Williams pointed out, you wouldn't build anything that matters without one. “You wouldn't build a house without a blueprint. It's fundamental to what we do,” he said.
On top of that blueprint, ADR’s behavioral analysis analyzes how routes behave in production, spotting anomalies. “We can see attacks very clearly because they're doing things that they shouldn't,” Williams said. “Things that should never happen in a running application.”
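As an added illustration (this is not Contrast's code and does not describe how its agent is built), the Python below sketches the two ideas from takeaways 4 and 5 in a toy form: a hook at the SQL sink that records which routes reach which backends at runtime (a minimal blueprint) and that raises an incident only when an untrusted input has actually changed the structure of a query at that sink, next to a WAF-style regex that fires on every request whose input merely looks like SQL injection. The route names, handlers, payload and the in-memory SQLite table are all constructed for the example, and substring search stands in for real taint tracking.

```python
import re
import sqlite3
from collections import defaultdict
from contextvars import ContextVar

# Per-request context: (route, untrusted inputs). A real agent ties this to the
# request thread or task; a ContextVar stands in for that plumbing here.
_ctx = ContextVar("request_ctx", default=None)
# Crude tokenizer: string literal, number, word, line comment, any other char.
_TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|(\d+)|([A-Za-z_]\w*)|(--[^\n]*)|(\S))")
# WAF-style check: fires on anything that merely looks like SQL injection.
_WAF = re.compile(r"'|--|\b(?:or|and|union|select)\b", re.I)

class AttackBlocked(Exception):
    pass

def sql_shape(sql):
    """Token kinds of a statement: literals collapse to STR/NUM, words and punctuation
    keep their text, so statements that differ only in literal values compare equal."""
    shape = []
    for m in _TOKEN.finditer(sql):
        i = m.lastindex  # which alternative matched
        shape.append(m.group(i).upper() if i in (3, 5) else ("STR", "NUM", "", "COMMENT")[i - 1])
    return shape

def injected(sql, value):
    """True when `value` occurs in the SQL text and does more than fill one literal.
    Substring search is a toy stand-in for taint tracking through string operations."""
    pos = sql.find(value)
    if not value or pos < 0:
        return False  # the input never reached this query text: nothing to report
    as_one_literal = sql[:pos] + "0" + sql[pos + len(value):]
    return sql_shape(sql) != sql_shape(as_one_literal)

def waf_flags(inputs):
    return [k for k, v in inputs.items() if _WAF.search(str(v))]

class MonitoredDB:
    """Wraps a sqlite3 connection; execute() is the instrumented sink."""
    def __init__(self, conn, block=True):
        self.conn, self.block = conn, block
        self.blueprint = defaultdict(set)  # route -> behaviours observed at runtime
        self.incidents = []  # the events a SOC would actually want to see

    def execute(self, sql, params=()):
        ctx = _ctx.get()
        if ctx is not None:
            route, inputs = ctx
            self.blueprint[route].add("sql-query -> sqlite3 backend")
            for name, value in inputs.items():
                if injected(sql, str(value)):
                    self.incidents.append({"route": route, "param": name, "payload": value, "sql": sql})
                    if self.block:
                        raise AttackBlocked(f"{route}: parameter {name!r} altered the query")
        return self.conn.execute(sql, params).fetchall()

def handle(db, route, handler, inputs):
    """Run one request with its untrusted inputs registered as taint."""
    token = _ctx.set((route, inputs))
    try:
        return handler(db, **inputs)
    finally:
        _ctx.reset(token)

def vulnerable_lookup(db, name):  # hypothetical route: string concatenation, injectable
    return db.execute(f"SELECT id FROM users WHERE name = '{name}'")

def safe_lookup(db, name):  # hypothetical route: bound parameter, payload never enters SQL text
    return db.execute("SELECT id FROM users WHERE name = ?", (name,))

def echo(db, q):  # hypothetical route that touches no backend at all
    return q.upper()

def run_demo(block=True):
    """Replay constructed requests; return the monitor, per-request results and WAF hit count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    db = MonitoredDB(conn, block=block)
    payload = "' OR '1'='1"
    requests = [("/lookup", vulnerable_lookup, {"name": "alice"}),
                ("/safe", safe_lookup, {"name": payload}),
                ("/echo", echo, {"q": payload}),
                ("/lookup", vulnerable_lookup, {"name": payload})]
    results = []
    for route, handler, inputs in requests:
        try:
            results.append(handle(db, route, handler, inputs))
        except AttackBlocked as e:
            results.append(f"blocked: {e}")
    waf_hits = sum(1 for _, _, inputs in requests if waf_flags(inputs))
    return db, results, waf_hits
```

Calling `run_demo()` replays four requests. The WAF-style regex flags three of them, because the same payload is sent to every route. The instrumented sink records a single incident, for the concatenated query on `/lookup`, and in block mode raises before that query executes; the bound-parameter route and the route that never touches the database produce no incident, which is the “attack that doesn't reach a SQL query” case. The blueprint side-effect lists `/lookup` and `/safe` as routes that reach the SQLite backend and says nothing about `/echo`, since it never did.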
Conclusion:
As threats evolve, ADR's role in cybersecurity will only grow. Integration with other security tools such as Splunk will provide a more holistic security view, as ADR detects unwanted behavior and reports it to your XDR or SIEM platform, giving back control over something that has been largely invisible.
ADR is a significant advancement in cybersecurity. It empowers organizations to detect and respond to attacks that would otherwise remain hidden, closing a critical gap in application visibility. As the threat landscape evolves, ADR is poised to become an indispensable tool for protecting critical web applications and the sensitive data they hold.
Are you ready to close the visibility gap and find out what your apps and APIs are really up to? Get in touch for a demo. Also, check out Williams’ white paper for a deep dive on ADR.