Bringing the application layer into cybersecurity monitoring and response

At long last there is a spotlight, Application Detection and Response (ADR), that shines into what has been a blind spot for security operations: the application layer.

According to the latest Verizon Data Breach Investigations Report (DBIR), the applications and application programming interfaces (APIs) in that layer are the target in 25% of data breaches. Yet traditional perimeter and endpoint detection and response (EDR) products, for the most part, do not detect these attacks.

ADR brings that missing visibility into the security operations center's (SOC's) monitoring and response by integrating with the platforms the SOC already runs:

  • Security information and event management (SIEM) platforms such as Splunk
  • Security orchestration automation and response (SOAR) platforms
  • Extended detection and response (XDR) platforms
  • Cloud-native application protection platforms (CNAPP)

Read on for a look at the blind spot SOCs are dealing with when it comes to the application layer. We have also laid out a walk-through of how ADR can be operationalized to give the SOC visibility into the application layer and help SOC analysts triage alerts to minimize risk for their organization.

Are you tired of wearing blinders? 

As it is, you are managing too many security tools, you are still missing critical threats and you are blind to what is happening in the application and API layer.

What is the application layer?

The idea of the application layer has evolved in recent years. With methodologies like DevOps and continuous integration/continuous deployment (CI/CD) predominating, applications and APIs have become much more than discrete software programs running their respective workloads in isolation. Rather, the application layer is a vast, interconnected and interdependent ecosystem of code. In many cases this ecosystem operates across cloud and on-premises infrastructure and, in some cases, across multiple corporate entities. It consists of server-side applications, frequently connected by APIs.

Technology aside, the application layer has also grown in importance to the business. Modern digital businesses run on software and, for many, there is nothing more important than their software. The application layer is essential for operations in virtually every area of a business, from sales to customer experience, logistics, manufacturing and services, human capital management, and beyond. The ability to innovate quickly and introduce new software features is a boon to strategic execution, but it’s a process that creates increasing security risks. 

Why the application layer matters for security

The application layer is essential for business, but it’s also a broad, vulnerable attack surface, as underscored in the aforementioned DBIR finding that the app layer is targeted in a quarter of all data breaches. The typical application is built from dozens of software repos, has a complex software supply chain, includes hundreds of libraries and frameworks, uses dozens of APIs, has multiple backend connections, and has an attack surface consisting of hundreds of endpoints.

For one thing, given its operational importance, a disruption of the application layer is a threat to the business. Outages that originate in the application layer can negatively affect the brand by damaging customer experiences. The application layer also handles a great deal of valuable, often sensitive data. It might process personally identifiable information (PII) and personal health information (PHI), for instance. The layer has access to many data sources, all of which are at risk if an attacker targets it. 

For these reasons, the application layer is a popular target for attackers, and several high-profile attacks show what is at stake. The 2021 attack on the Accellion File Transfer Appliance (FTA) chained multiple application layer flaws, including SQL injection, OS command execution (CVE-2021-27102) and server-side request forgery (SSRF). After exploiting FTA instances, the attackers stole data from and extorted many of Accellion's customers. In the attack on Kaseya, a provider of IT management software, attackers used an authentication bypass and SQL injection at the application layer to push ransomware through Kaseya VSA to the company's managed service provider customers and their clients.


The current gap in monitoring and response at the application layer

Despite its criticality for the business and its vulnerability to attack, the application layer is typically not well defended. Traditional application security (AppSec) controls, such as static code scanning and vulnerability remediation during development, do not work as well as promised. Despite all of the Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tooling, too much insecure code makes it through to production. And once code is in production, those tools offer little help: they test code before deployment and say nothing about what it is doing at runtime.

The SOC's prevailing security platforms, such as SIEM and XDR, don't see inside the application layer. They can only detect an application layer attack when it shows up in network activity, device logs, endpoints and so forth. They can almost never detect an application layer attack that executes entirely within the targeted application or API. Even if they do see application attack behavior in operating system or container events, they lack the context to understand the subtle anomalies that reveal the threat.

This lack of visibility causes a great deal of risk. Attackers can linger undetected in the application layer, persisting and waiting for the right moment to burst out and move laterally across the environment. The application layer thus presents itself to the SOC as a black box. Some of the most serious threats are all but invisible to SOC analysts. 

The new opportunity to close the gap 

The application layer does not have to remain a blind spot for security monitoring and response. ADR gives the SOC visibility into APIs and code running in production. An ADR solution detects anomalous behavior across the application stack through in-app agents that continuously monitor security-relevant application behavior while the code is actually running.

ADR can therefore detect vulnerabilities in custom and open-source (OSS) code that only become apparent at runtime. It is an "inside-out" approach: positioned inside the application layer, ADR has the context needed to spot attacks on both known and unknown vulnerabilities, including zero-day attacks at the application layer that XDR and web application firewalls (WAFs) will miss.
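
Why the inside position matters, as an added Python example that is not part of the original post and is not Contrast's agent or its detection algorithm: a hook around sqlite3's execute() plays the role of an in-app sensor. Unlike a WAF, which sees only the request parameter, or an EDR sensor, which sees only the process, the hook sees the final SQL text and knows which substrings came from the request, and it flags the request when that untrusted input changes the query's token structure. The names (RuntimeAgent, input_changes_structure, AttackBlocked), the in-memory users table and the token-count heuristic are assumptions for illustration; a production agent tracks taint ranges through the code rather than searching for a substring.

```python
import re
import sqlite3
from dataclasses import dataclass, field

# Minimal SQL tokenizer: string literals, numbers, words, comments, operators.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"                # single-quoted literal; '' is an escaped quote
    r"|\d+(?:\.\d+)?"                # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"       # identifier or keyword
    r"|--[^\n]*"                     # line comment
    r"|/\*.*?\*/"                    # block comment
    r"|<>|<=|>=|!=|[=<>+\-*/,();]",  # operators and punctuation
    re.DOTALL,
)


def token_count(sql: str) -> int:
    return len(TOKEN_RE.findall(sql))


def input_changes_structure(sql: str, value: str) -> bool:
    """True if the untrusted `value` contributes more than one token to `sql`.

    The real query is compared with a copy in which the value is swapped for a
    single neutral token. Benign data sits inside one literal, so the count is
    unchanged; injected syntax such as ' OR '1'='1 or admin'-- adds tokens.
    (Toy heuristic: a real agent tracks exact taint ranges, not substrings.)
    """
    if not value or value not in sql:
        return False
    return token_count(sql) != token_count(sql.replace(value, "0"))


class AttackBlocked(Exception):
    """Raised in block mode; the query never reaches the database."""


@dataclass
class AgentEvent:
    rule: str
    input_value: str
    query: str
    action: str  # "blocked" or "monitored"


@dataclass
class RuntimeAgent:
    """Stand-in for an in-app agent wrapping the database driver."""
    block: bool = True
    events: list = field(default_factory=list)

    def execute(self, cursor, sql, params=(), tainted=()):
        """Drop-in for cursor.execute(); `tainted` lists request-derived strings."""
        for value in tainted:
            if input_changes_structure(sql, value):
                ev = AgentEvent("sql-injection", value, sql,
                                "blocked" if self.block else "monitored")
                self.events.append(ev)
                if self.block:
                    raise AttackBlocked(ev)
        return cursor.execute(sql, params)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(agent, conn, name):
    """Deliberately vulnerable handler: request data concatenated into SQL."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    cur = conn.cursor()
    agent.execute(cur, sql, tainted=[name])
    return [row[0] for row in cur.fetchall()]


def lookup_hardened(agent, conn, name):
    """Fixed handler: parameter binding keeps request data out of the query text."""
    sql = "SELECT role FROM users WHERE name = ?"
    cur = conn.cursor()
    agent.execute(cur, sql, (name,), tainted=[name])
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = setup_db()
    monitor = RuntimeAgent(block=False)
    print(lookup_vulnerable(monitor, conn, "alice"))        # ['user'], no event
    print(lookup_vulnerable(monitor, conn, "' OR '1'='1"))  # ['user', 'admin'], 1 event
    print([e.action for e in monitor.events])               # ['monitored']
    try:
        lookup_vulnerable(RuntimeAgent(block=True), conn, "admin'--")
    except AttackBlocked as exc:
        print("blocked:", exc.args[0].query)
    print(lookup_hardened(monitor, conn, "' OR '1'='1"))    # [], no new event
```

In monitor mode the injected query still runs and both rows leak, but the SOC now receives an event that names the rule, the offending input and the exact query, which is the context a network or endpoint sensor cannot supply. In block mode the handler never reaches the database. The hardened handler produces no event because the request data never enters the SQL text at all.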

ADR is then able to transmit threat and attack data to the SOC for incident response workflows. This might involve sending an alert to a SIEM and/or SOAR solution. It could also mean enriching an alert with data about the state of the attack and the relevant vulnerabilities it is exploiting. ADR data can become part of SOAR “playbooks” that drive incident response workflows. 

Operationalizing ADR to achieve full-spectrum detection and response

As the application layer becomes visible and accessible to the monitoring and response processes, security teams experience these benefits:

Increase in incident response speed. If the SOC has to wait until an application layer attack shows up on the network or on endpoints, it has lost valuable time. Even a lag of seconds can make a big difference in impact. ADR lets the SOC detect and contain threats earlier in the kill chain, limiting the blast radius of the attack and its negative impact on the organization.

Shorter dwell time for attackers. The application layer can host advanced persistent threat (APT) style attacks in which threat actors lurk undetected for days, months or even years. ADR strips attackers of that luxury: they have less time to conduct reconnaissance, prepare to escape the application layer and wreak havoc on the IT estate.

Solving for false positives and false negatives. SOC analysts are inundated with both. A false positive wastes the SOC's time; a false negative means it missed an attack. The usual answer is constant tuning of tools to get things just right. With ADR, SOC analysts know that the information they are getting is accurate and carries the context they need to decide on next steps.

How a bank could plug in ADR to cure its blind spot

Imagine a financial services organization that decides to defend its application layer by deploying Contrast ADR. Initially, its focus is on using the platform's instrumentation and real-time monitoring to detect and respond to threats within its application environment.

But as soon as Contrast is deployed, the security team sees an unprecedented level of detail about the applications' potential vulnerabilities and active attacks. A brief outline of its next steps:

Step 1: Integration with Splunk for event management

Impressed by the granularity and relevance of the data Contrast collects, the organization's security team integrates it into its existing SIEM platform, Splunk. The team uses syslog to stream events from Contrast into Splunk, mapping them to the Common Information Model (CIM) so the event data carries standardized field names.

Once the events are flowing into Splunk, the organization's security analysts use the Contrast Splunk plugin to visualize the data. The integration lets them fold Contrast's AppSec telemetry into their existing monitoring and triage processes, and the contextual information Contrast provides helps the team identify and prioritize incidents more effectively.

They can now view detailed attack patterns, understand the impact of vulnerabilities in real time and correlate AppSec events with other data sources within Splunk, streamlining their incident response workflow.

Step 2: Enhancing CNAPP with application behavior

Recognizing the broader value of integrating AppSec insights with their CNAPP, the financial services organization also connects Contrast to Wiz. This integration allows them to gain a holistic view of their infrastructure and its security posture, bridging the gap between infrastructure and AppSec.

With Contrast feeding detailed AppSec data into Wiz, the security team can drill down into each workload to see a comprehensive security architecture. ADR enables the team to understand the exact vulnerabilities and incidents associated with each component in their enterprise infrastructure. They’re able to visualize the interconnections between different components, understand the security implications of each connection and highlight incidents in the broader context of their cloud environment. This provides a deeper understanding of how vulnerabilities and threats at the application layer can impact the overall security of their infrastructure.

Step 3: Operationalizing ADR with enhanced workflows

The integration of Contrast with Splunk and Wiz enables the financial services organization’s security operations team to identify and respond to application and API security incidents without changing their existing workflows. The Splunk plugin facilitates easy access to Contrast data, making it a natural extension of their existing security operations workflows. In Wiz, the team can map out the full security architecture of their applications and infrastructure, identify critical vulnerabilities, and understand their potential impact on the organization.
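
Steps 1 and 3 above, the syslog feed normalized to CIM field names and then triaged, as an added Python example that is not part of the original post and is not Contrast's syslog schema or Splunk app. The sample lines are constructed for this example: an RFC 5424 syslog header carrying a CEF body, with vendor, rule names, IPs and extension keys (src, dst, app, request, act) all assumed for illustration. The parser maps each line onto Splunk CIM Intrusion Detection field names, and the triage step ranks sources the way an analyst would before escalating: a rule that fired after the payload reached a sink outranks a blocked attempt, which outranks a probe.

```python
import re
from collections import defaultdict

# Constructed sample events (RFC 5424 header + CEF body); field names and
# rule identifiers are assumptions, not Contrast's real output format.
SAMPLE_SYSLOG = """\
<134>1 2024-05-06T10:15:02Z app01 contrast - - - CEF:0|Contrast Security|ADR Agent|1.0|sql-injection|SQL Injection|9|src=203.0.113.7 dst=10.0.4.12 app=payments-api request=/api/v1/accounts act=blocked
<134>1 2024-05-06T10:15:05Z app01 contrast - - - CEF:0|Contrast Security|ADR Agent|1.0|cmd-injection|Command Injection|9|src=203.0.113.7 dst=10.0.4.12 app=payments-api request=/api/v1/export act=blocked
<134>1 2024-05-06T10:16:40Z app02 contrast - - - CEF:0|Contrast Security|ADR Agent|1.0|path-traversal|Path Traversal|7|src=198.51.100.22 dst=10.0.4.13 app=statements request=/download act=exploited
<134>1 2024-05-06T10:17:01Z app02 contrast - - - CEF:0|Contrast Security|ADR Agent|1.0|xss|Cross-Site Scripting|5|src=192.0.2.9 dst=10.0.4.13 app=statements request=/search act=probed
"""

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(r"^<\d+>1 (\S+) (\S+) \S+ \S+ \S+ \S+ (CEF:.*)$")
# CEF extension is key=value pairs; a value runs until the next " key=".
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def cim_severity(cef_severity: str) -> str:
    """CEF severity is 0-10; CIM wants a word. Bucket boundaries are assumed."""
    n = int(cef_severity)
    if n >= 9:
        return "critical"
    if n >= 7:
        return "high"
    if n >= 4:
        return "medium"
    return "low"


def to_cim(line: str) -> dict:
    """Turn one syslog+CEF line into CIM Intrusion Detection field names."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 line with a CEF payload: {line[:40]!r}")
    timestamp, host, cef = m.groups()
    parts = cef.split("|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    _, vendor, product, _version, sig_id, name, severity, extension = parts
    ext = dict(EXT_RE.findall(extension))
    return {
        "_time": timestamp,
        "host": host,
        "vendor_product": f"{vendor} {product}",
        "ids_type": "application",
        "signature_id": sig_id,
        "signature": name,
        "severity": cim_severity(severity),
        "src": ext.get("src"),
        "dest": ext.get("dst"),
        "app": ext.get("app"),
        "url": ext.get("request"),
        "action": ext.get("act"),
    }


def parse_syslog(text: str) -> list:
    return [to_cim(line) for line in text.splitlines() if line.strip()]


# Triage order: payload reached a sink > attempt blocked by the agent > probe.
ACTION_WEIGHT = {"exploited": 3, "blocked": 2, "probed": 1}


def triage(events: list) -> list:
    """Rank attacking sources; returns (src, worst_action, signatures, count)."""
    by_src = defaultdict(lambda: {"count": 0, "signatures": set(), "worst": "probed"})
    for e in events:
        s = by_src[e["src"]]
        s["count"] += 1
        s["signatures"].add(e["signature"])
        if ACTION_WEIGHT.get(e["action"], 0) > ACTION_WEIGHT[s["worst"]]:
            s["worst"] = e["action"]
    ranked = sorted(
        by_src.items(),
        key=lambda kv: (ACTION_WEIGHT[kv[1]["worst"]],
                        len(kv[1]["signatures"]), kv[1]["count"]),
        reverse=True,
    )
    return [(src, d["worst"], sorted(d["signatures"]), d["count"]) for src, d in ranked]


if __name__ == "__main__":
    for src, worst, sigs, n in triage(parse_syslog(SAMPLE_SYSLOG)):
        print(f"{src:<15} {worst:<9} {n} event(s): {', '.join(sigs)}")
```

With the events carrying CIM field names (src, dest, signature, severity, action, app), the Intrusion Detection data model's searches and dashboards pick them up without custom extractions, and the same ranking is a one-line Splunk search: `| stats count dc(signature) as rules values(action) as actions by src`. Note that an "exploited" event from a single source outranks two blocked attempts from a noisier one; the agent's knowledge of whether the payload actually reached a sink is what a network-only view lacks.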

This story underscores the transformative impact of deploying ADR within a robust security ecosystem. By embedding security within the application runtime and integrating it with comprehensive monitoring and management platforms, organizations can extend their protection across the entire application layer.

For more on operationalizing ADR, check out the white paper: The Case for ADR

Conclusion

The application layer is a major source of cyber risk. If attackers can breach it, they can disrupt an entire business and steal sensitive data. At this moment, though, the application layer is largely out of sight from 24x7 security detection and response capabilities. ADR can address this disconnect with an inside-out approach that continuously monitors applications for threats, vulnerabilities and attacks — flagging anomalies and triggering alerts for the SOC to handle. This shortens the incident response time, which helps mitigate the impact of threats. It also reduces dwell time for threats, bolstering overall security posture in the process. 

Contrast Marketing