The Application Security (AppSec) landscape is changing fast. With recent high-profile breaches and a wave of new Application Detection and Response (ADR) solutions hitting the market, it's crucial to understand why legacy technologies are failing to protect organizations and how ADR is a game-changer. Here are the 12 essential facts about ADR you need to know:
Why you should care about ADR
Your detection and response security tools probably give you visibility into network traffic, endpoint and/or cloud activity, and identity behavior. But they’ve also got a blind spot. Do they help you respond to AppSec incidents or breaches? Zero days? Vulnerabilities in custom code?
Probably not. When it comes to the application layer — the web applications and application programming interfaces (APIs) where many modern attacks originate and unfold — those tools are blind. That’s why there’s been so much talk about ADR, which is being called “the gap-bridging technology we need” to protect your applications.
To help organizations understand ADR and determine the right solution for their needs, we’ve pulled together a list of the most important things to know:
12 things to know about ADR
1. What is ADR?
ADR is a critical platform that addresses a glaring visibility gap in threat detection and response. While traditional security tools provide visibility into cloud, network and endpoint activity, they miss the intricate details of what is attacking the application layer. This is where ADR plays a critical role, providing granular visibility into application and API behavior, recognizing and identifying anomalies, and enabling precise threat detection and response across the entire application layer.
2. How is ADR different from other tools that are supposed to protect applications in production?
Aside from ADR, enterprises have three traditional options for detecting and responding to AppSec incidents in production, each with limitations that render them ineffective for true ADR.
- Web application firewalls (WAFs) — WAFs are useful for blocking simple attacks against known threats but have significant limitations. They operate at the perimeter, inspecting incoming and outgoing traffic to identify malicious patterns. They have no visibility into the internal workings of applications and cannot detect attacks accurately. WAFs are notorious for under-blocking and over-blocking, burdening security teams with a flood of false positive alerts and failing to detect many actual attacks.
- Traditional security operations tools — Tools such as extended detection and response (XDR); endpoint detection and response (EDR); network detection and response (NDR); cloud detection and response (CDR); security information and event management (SIEM); security orchestration, automation and response (SOAR); and cloud-native application protection platforms (CNAPPs) are useful for specific purposes. They receive data from sensors and log files from hosts, containers, network devices and cloud environments. They might even see the downstream indications of an application attack. But they lack application visibility and are ineffective for detection of and response to AppSec incidents.
- Secure software development — Using application security testing (AST), developers can detect vulnerabilities and eliminate them during the development life cycle. This sounds good in theory, and in practice AST and open-source Software Composition Analysis (SCA) tools do identify vulnerabilities and, based on policy, prevent vulnerable libraries from being imported. But they won’t stop attacks in production.
3. How does ADR gain visibility into my applications? Does it use instrumentation or other methods? How much performance impact does it have?
ADR is designed as an integrated approach to application and API security. It uses fully distributed, lightweight security instrumentation that monitors AppSec behavior from within running applications and APIs and feeds this telemetry to other platforms of the security operations center (SOC) team’s choosing, including SIEMs, SOARs and CNAPPs.
By providing accurate, rich security insights, ADR reduces false positives, enables risk prioritization using production context and streamlines remediation. ADR integrates security into the development pipeline and supports development, security and operations (DevSecOps) practices, enabling application developers to innovate rapidly without compromising security.
4. What specific insights does ADR provide into application behavior?
ADR can track data flows, identify vulnerable code execution and detect anomalous activity within the application logic. Incident responders get full execution context and comprehensive playbooks to contain and remediate application threats quickly. Developers and AppSec teams receive detailed execution path details down to the line of code from the specific targeted function, enabling them to fix vulnerabilities with less hassle.
5. How is information visually presented? Can I easily understand the application activity and identify potential threats?
Leading ADR solutions provide robust search and querying capabilities, rich dashboards and powerful analytics for a complete view of the organization’s AppSec posture. Dashboards can be tailored to different roles (e.g., development, security, etc.) with role-based access control and the ability to query and analyze data for deeper insights.
6. What types of attacks can ADR detect and block?
The ADR agent secures applications from within by gathering security telemetry using various security instrumentation techniques, including code scanning, library scanning, application instrumentation, configuration file scanning and others. A sampling of the types of attacks ADR can detect and block:
7. Does ADR protect against zero-day exploits and unknown threats?
With the advantage of internal positioning inside the application layer, ADR has the context necessary to spot attacks on both known and unknown vulnerabilities, including zero-day attacks at the application layer that XDR and WAFs miss.
8. Can ADR detect threats to my AI-generated code?
If your organization uses AI (or AI assistants) to code, then you’re developing faster … and creating more vulnerabilities. Those vulns can be addressed in development with Application Security Testing (AST) and in production with ADR.
9. What response actions can ADR take (e.g., block attacks, alert security teams)?
ADR detects attacks on production applications and blocks them in real time. It then generates alerts with supporting telemetry to drive fast and effective incident response. Detailed playbooks, application alerts and telemetry ensure that responders are equipped with the data and expertise they need; integration with SIEM and XDR ensures they can take action where they are most effective.
10. Can we customize response actions based on the severity of the threat?
Teams can define how they want ADR to act based on an organization’s unique requirements and risk tolerance, what types of threats it should block, and the level of alerting and telemetry to provide for SOC analysts.
11. How does my SOC team use ADR? Can it share data and trigger automated responses?
ADR gives SOC teams visibility into APIs and code in production, detecting anomalous behavior across the application stack by leveraging in-app agents that monitor security-relevant application behavior continuously while code is running.
Taking an “inside-out” approach, ADR can detect vulnerabilities in custom code and open-source (OSS) code that only appear at runtime. ADR transmits threat and attack data to the SOC for incident response workflows, including sending an alert to a SIEM and/or SOAR solution. It can also enrich alerts with data about the state of the attack and the relevant vulnerabilities it exploits. ADR data can become part of SOAR playbooks that drive incident response workflows.
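To make points 9 through 11 concrete, here is an added example (not code from this post and not Contrast Security’s agent or API) of the pattern an in-app sensor follows: it wraps the application’s SQL sink, checks whether a value that entered from the request reaches the query text verbatim, grades the finding, applies a severity-to-action policy (block, alert or log), and emits a JSON event with the sink and the code location that a SIEM or SOAR would consume. The policy keys, the rule name and the toy application are constructed for illustration.

```python
"""Toy ADR-style in-app sensor (constructed example, not a vendor's agent).

The sensor sits at a taint sink (sqlite3 execute), decides whether an
untrusted request value reached the SQL text verbatim, applies a
severity-based response policy, and records a JSON alert for a SIEM/SOAR.
"""
import inspect
import json
import sqlite3
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: response action per severity. The keys are illustrative,
# not a real product's configuration schema.
DEFAULT_POLICY = {"critical": "block", "high": "alert", "medium": "alert", "low": "log"}

# Characters that indicate the tainted value is trying to change query structure.
SQL_META = ("'", '"', ";", "--", "/*")


class AttackBlocked(Exception):
    """Raised by the sensor when a query is blocked at the sink."""


@dataclass
class Sensor:
    """In-app sensor wrapping the SQL sink of a toy application."""
    policy: dict = field(default_factory=lambda: dict(DEFAULT_POLICY))
    untrusted: list = field(default_factory=list)   # values that arrived from the request
    alerts: list = field(default_factory=list)      # stand-in for the SIEM/SOAR feed

    def mark_untrusted(self, value: str) -> str:
        """Taint source: called where request data enters the application."""
        self.untrusted.append(value)  # a real agent scopes this per request
        return value

    def assess(self, sql: str) -> Optional[dict]:
        """Taint sink check: did any untrusted value reach the SQL text verbatim?"""
        for value in self.untrusted:
            if len(value) >= 3 and value in sql:
                exploit = any(m in value for m in SQL_META)
                return {
                    "rule": "sql-injection-path",          # constructed rule name
                    # metacharacters in the tainted value: an active attempt, not just a weak code path
                    "severity": "critical" if exploit else "high",
                    "tainted_value": value,
                }
        return None

    def execute(self, conn: sqlite3.Connection, sql: str) -> list:
        """Instrumented sink: assess, apply policy, emit telemetry, then run or block."""
        finding = self.assess(sql)
        if finding is None:
            return conn.execute(sql).fetchall()
        action = self.policy.get(finding["severity"], "alert")
        caller = inspect.stack()[1]  # the application function that built the query
        event = {
            **finding,
            "action": action,
            "sink": "sqlite3.Connection.execute",
            "code_location": f"{caller.filename}:{caller.lineno} in {caller.function}",
        }
        self.alerts.append(json.dumps(event))  # would be shipped to the SIEM/SOAR
        if action == "block":
            raise AttackBlocked(finding["rule"])
        return conn.execute(sql).fetchall()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database for the toy application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user(sensor: Sensor, conn: sqlite3.Connection, name_param: str) -> list:
    """Deliberately weak handler: concatenates the request parameter into SQL."""
    name = sensor.mark_untrusted(name_param)
    return sensor.execute(conn, f"SELECT name, role FROM users WHERE name = '{name}'")


def run_scenario(policy: Optional[dict] = None) -> dict:
    """Drive the toy app with a benign request, then a constructed injection attempt."""
    sensor = Sensor(policy=dict(policy or DEFAULT_POLICY))
    conn = build_db()
    benign = lookup_user(sensor, conn, "bob")          # weak path exercised, benign input
    try:
        lookup_user(sensor, conn, "x' OR '1'='1")       # constructed attack input
        blocked = False
    except AttackBlocked:
        blocked = True
    return {"benign_rows": benign, "blocked": blocked,
            "alerts": [json.loads(a) for a in sensor.alerts]}


if __name__ == "__main__":
    for alert in run_scenario()["alerts"]:
        print(json.dumps(alert))
```

Two things in the output are worth noticing. The benign request still produces a high-severity alert, because the sensor sees the vulnerable code path (request data concatenated into SQL) even when nobody is attacking it; that is the runtime-only vulnerability visibility described above. The second request trips the critical rule and is blocked at the sink, and the alert carries the function and line that built the query, which is the context a responder or developer needs. Passing a different policy (for example `{"critical": "alert", "high": "log"}`) changes the action without changing detection.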
12. What key features should an advanced ADR solution offer?
Features will vary by vendor, but an advanced solution should offer the following capabilities:
- AppSec model — ADR creates a real-time, integrated view of the enterprise ecosystem that covers inventory, attack surface, vulnerabilities, threats, defenses, connections and more. Capable of handling hundreds or thousands of applications, the DST enables unparalleled analysis, precise risk prioritization and effective incident response within a single model.
- Search, dashboarding and reporting — Rich dashboards and powerful analytics offer a complete view of the organization’s AppSec posture across the full application portfolio. Dashboards are provided and tailored to different roles with role-based access control, and the ability to query and analyze data provides deeper insights.
- Modern data-streaming architecture — With a distributed architecture, ADR can efficiently ingest and analyze large volumes of security data from various sources across all environments. Real-time vulnerability and attack telemetry informs SecOps and developers, enabling rapid identification of and response to security threats.
To learn more about how ADR technology can protect your organization, request a demo of Contrast Security ADR to see its capabilities in action.