ADR cuts incident response time for IR teams

Incident Responders, if you deal with breaches or incidents that might stem from the application layer, you know there’s always unnecessary fog and haze that prevents you from seeing what’s happening. You’re facing a constant barrage of alerts without context that create a perfect storm of stress and potential breaches. 

What you might not know: You could see through the storm and gain some (relative) calm with a technology that gives you visibility into the application layer.

There’s a new way to ride the waves of cases sent by the Security Operations Center (SOC) for IR to investigate and solve: Application Detection and Response (ADR). ADR offers a game-changing approach, drastically reducing dwell time, minimizing the workload on IR teams, and ultimately saving companies significant time and money by rapidly identifying and containing application-layer attacks.

According to fractional CISO Brad Swanson, who managed enterprise incident response for years, the emerging security technology is what IR needs — even if it doesn’t know it yet. After all, some of the biggest security threats are clouded by lack of visibility, Swanson said in a recent conversation with Contrast Security’s editorial team. “Zero days and stealthy, skilled threat actors who cover their tracks are difficult to detect,” Swanson said.

The more dwell time, the more damage

As of 2023, the global median dwell time was 10 days. “Consider the amount of information a threat actor can access in that period of time, adding up to tremendous risk exposure and costs for the company,” Swanson noted. 

As the former head of IR for a major healthcare provider, Swanson said that having ADR would have saved his organization time and money. “ADR can significantly shorten a malicious actor’s time lurking on the network, reduce the IR team’s stress and workload, and ultimately save the company large sums of money by finding and stopping incidents more quickly,” he stated.

Swanson, who also previously led threat intelligence analysis and response for a support software provider, says that, unfortunately, security leaders have a false sense of security. “They invest in lots of blinky boxes, hire a bunch of people and think they’re protected when they’re not,” he explained. “If they reviewed things regularly and relied on ADR, we would see far fewer data breaches in the news.”

Mission possible: Reduce false alerts and enable application-layer visibility

Two of the biggest problems facing IR teams are the high number of false alerts and the lack of visibility into the application layer, according to Swanson. He explained that for companies with a dedicated SOC team, there are processes and playbooks that help them determine what alerts coming from their security information and event management (SIEM) are actual threats that should be handed off to IR. For smaller organizations that don’t have a SOC, the alerts go directly to the IR team to handle. 

“They have a checklist of items to determine what’s real and what’s false. That can take hours and hours of their time and leads to lost productivity and high stress levels and burnout,” he offered.

“Additionally, the IR team rarely knows what developers are doing and has no visibility into application vulnerabilities that may be present. If they don’t know what exists, they have no idea what to look for and how to find threats in their systems,” Swanson said. “This is where ADR can help.”

WAFs alone are not the answer

When asked about using web application firewalls (WAFs) to detect threats in applications, Swanson said they aren’t always reliable. 

“WAFs won’t always stop an application-layer threat. First off, not everyone has one. For those who do, they’re not always configured correctly,” he said. “Someone who’s in charge of the WAF may not know what to do with it. Just because you have a hammer doesn’t mean you know how to build a house.” 

If only we’d had ADR …

“With current methods, IR teams don’t always find and remediate these issues, which can lead to bigger, more costly issues the longer an exploit goes undetected,” Swanson said.

“In my previous role, there was an instance where a hacker leveraged a vulnerability in some in-house customer support software [for three years] to gain access to sensitive information across the organization. We only discovered malicious activity through our bug bounty program, which ultimately cost us thousands of dollars,” he explained. “ADR would have caught this glitch and saved us that money right off the bat. It also would have saved us from having to notify customers, which was a direct hit on our brand.”

Contrast Security’s ADR fills the critical visibility gap left by other detection and response solutions by providing deep, real-time visibility and protection directly within the application layer. It’s a tool that enables analysts to detect and track lateral movement in applications and application programming interfaces (APIs) and stop the incursion before it becomes persistent. 

Similar to other detection and response methods such as Endpoint Detection and Response (EDR), Cloud Detection and Response (CDR), and Identity Threat Detection and Response (ITDR), Contrast ADR feeds its telemetry wherever the security teams want to consume it — most likely their SIEM. 

The SOC is the ambulance; the IR folks are the EMTs

The SOC sees malicious activity and then either blocks it or triages it. It then passes the triaged case to IR, which investigates it, blocking and rooting out the attacker. ADR gives the IR team detailed context to illuminate how the adversary executed the attack, thereby minimizing both the impact and any future attacks.

Armed with detailed context from ADR, IR determines what the attacker accessed and works to close the gap(s) that enabled them to get in. 

Boiling it all down

The business benefits of Contrast ADR for IR teams and the SOC are many. Here are the top five: 

  1. Reduced false positives: ADR helps cut down on the number of false alerts, which in turn reduces alert fatigue and allows IR teams to focus on real threats.
  2. Improved visibility: ADR provides much-needed visibility into the application layer, which is often a black box for security teams. This helps identify vulnerabilities and attacks that might otherwise go unnoticed.
  3. Faster detection and response: ADR detects breaches earlier in the attack chain, reducing the time attackers have to operate within a network and minimizing the damage they can cause.
  4. Cost savings: By catching vulnerabilities early, ADR helps organizations avoid costly data breaches and regulatory fines.
  5. Improved collaboration: ADR helps improve communication and collaboration between developers and security teams, breaking down silos and leading to more secure applications.

ADR can’t stop the violent winds of cyber turbulence. But it can help IR to know where they’re coming from and block them before the organization gets blown over. “Before ADR, life was rough. But now, this valuable tool can reduce the stress and workload for IR teams, which is urgently needed,” said Swanson. “At the end of the day, ADR is a critical tool that can make our lives better.”

Cut your stress level. To see ADR in action, request a demo today.

Contrast Marketing