High-profile data breaches seem to make headlines on an almost daily basis. As we saw in the conclusions of the last Verizon Data Breach Incident Report, a significant number of these data breaches result from the exploitation of vulnerabilities and misconfigurations in web applications. The historically high prevalence of vulnerabilities in code is not a new topic, and neither is misconfiguration. Yet the tools we have to protect web applications from attacks exploiting vulnerabilities and misconfigurations still fall short when it comes to securing application infrastructure.
Why is application security difficult?
Why is securing web applications so difficult, and why are current security tools proving less effective in combating the latest attacks and detecting vulnerabilities during testing? Today, many organizations use tools such as a Web Application Firewall (WAF) and/or an Endpoint Detection and Response (EDR) solution to protect web applications at runtime against new attacks, and Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools to help find vulnerabilities during development. Although these tools claim to be effective, let’s see what actually happens for most organizations that use them.
In our conversations with customers, we often hear these issues with their security tools:
- WAFs and EDRs often fail to detect “new” attacks because new attacks do not match the patterns or signatures of known attacks.
- Tools (production and development testing) have too many false positives due to an attack pattern accidentally matching valid traffic
- Too many overlooked and missed vulnerabilities in SAST and DAST testing
- Tools have too many alerts that are not based on serious or critical issues, and instead are more informative, resulting in overhead for teams investigating those alerts
- Tools impact performance and slow down the web application
- Reports lack details of discovered vulnerabilities, details needed to resolve issues quickly
Why do today’s security tools fail to detect attacks and have false positives?
Let’s first look at why production security tools, such as WAF and EDR solutions, fail to detect new attacks and have so many false positives.
To understand the problem, we need to look at the underlying technology that many of these tools use to detect new attacks. Although these solutions claim to detect zero-day attacks, the technology behind zero-day attack detection tends to include a mixture of machine learning, artificial intelligence (AI), heuristics, fuzzy logic, pattern matching models and signatures. While all of these technologies are capable of detecting known attacks, they tend to fall short when it comes to detecting new, sophisticated, and novel zero-day attacks. Indeed, all of these technologies are based on known prior attacks. Take machine learning for example. Any machine learning expert will tell you that you need good data sets, and lots of them, to train a machine learning algorithm. The data sets used to train machine learning to detect new attacks are, of course, information about known prior attacks. The result is machine learning algorithms that detect variations on past attacks, but fail to detect and stop attacks that are completely unknown and have never been seen before.
Our customers also tell us that because these algorithms look at patterns and pattern variations of past attacks, there is a high incidence of false positives when the patterns match either probes (attackers looking for vulnerabilities that the application does not actually have) or harmless traffic that happens to include text or content matching the pattern. The result is that many security organizations must perform a high level of tuning to remove false positives, and many are beginning to find that the effort spent tweaking and tuning these tools to make them effective is not matched by the value of the alerts they get back from those same tools.
So how do we find new application attacks if we can’t rely on the security technologies used by most security products today?
Solve the problem by getting closer to the application
We need to get closer to the problem first. Perimeter-based security and security testing misses too much of the activity that takes place directly in the application and on the application server. RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) solve this problem by using a software agent running directly on the application server, giving the agent visibility into the execution and operation of the application. This is a fundamental departure from the WAF and DAST previously used for application security. WAF and DAST operate from a location remote from the application and application server and rely on network communications to determine when an attack is occurring, which misses much of what actually happens in the app itself.
Runtime application self-protection solves application security issues
Being ideally positioned for application security, Runtime Application Self-Protection (RASP) has code-level visibility into the application and can analyze all application-related activity to accurately identify when an attack is occurring, thus reducing the number of false positives. Unlike WAFs, which only see traffic entering and leaving the server, a RASP can see what is happening inside the application and determine whether there is any inappropriate use of the application itself. RASP is truly the first security category to offer self-protection for the application.
A RASP solution resides on the same server as the application and provides continuous security for the application during runtime. But at the same time, it is important that the RASP solution has the least possible impact on a running application. K2 Cyber Security’s RASP provides significant application protection while using minimal resources and adding negligible latency (less than a millisecond measured in testing) to an application.
The technology used by the RASP solution to detect attacks also makes a difference. K2 offers an ideal runtime protection security solution that detects attacks against zero-day, unpatched, and OWASP Top 10 vulnerabilities. Rather than relying on technologies such as signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, not limiting ourselves to attack detection based on prior knowledge of attacks. Deterministic security validates application execution and verifies that API calls behave as the code expects. No prior knowledge of an attack or the underlying vulnerability is used, giving our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending and has virtually no false alarms.
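To make the contrast between pattern matching and validating application execution concrete, here is an added illustration. It is not K2’s code and does not show how K2’s product works: it places a constructed WAF-style signature next to a structural check installed at the SQL sink inside the application, which compares the shape of the statement the code actually built with the shape it would have had if the user-supplied value had been an ordinary literal. The signature rule, the schema, the sample inputs and the `guarded_execute` hook are all assumptions made for this example; a real agent tracks tainted values through the code rather than locating them by string replacement.

```python
"""
Illustration added to this post (not K2's code or product logic): a signature
detector in the style of a WAF rule beside a structural check installed at the
SQL sink, the place inside the application where a RASP-style agent hooks in.
The rule, schema and inputs below are constructed for the example.
"""
import re
import sqlite3


class AttackDetected(Exception):
    """Raised by the sink hook when the statement's structure is not what the code built."""


# 1. Pattern matching: a constructed rule for the classic tautology payload.
SQLI_SIGNATURE = re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE)


def signature_flags(value: str) -> bool:
    """WAF-style check: does the raw request value match a known attack pattern?"""
    return bool(SQLI_SIGNATURE.search(value))


# 2. Deterministic structural check: literals collapse to STR/NUM, so the content
#    of user input never matters, only whether it changed the statement's syntax.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\d+|\w+|[^\s\w]")


def sql_shape(sql: str) -> tuple:
    """Reduce a statement to its syntactic shape (keywords, operators, literal classes)."""
    shape = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.startswith("--"):
            shape.append("COMMENT")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())      # keywords, identifiers, operators
    return tuple(shape)


def structure_intact(sql: str, tainted_values: list) -> bool:
    """True when every tainted value landed inside a literal and nowhere else."""
    intended = sql
    for value in tainted_values:
        # Simplification: a real agent tracks the tainted value through the code.
        intended = intended.replace(value, "x", 1)
    return sql_shape(sql) == sql_shape(intended)


def guarded_execute(conn, sql: str, tainted_values: list):
    """Sink hook: validate the statement's structure, then let the app run it."""
    if not structure_intact(sql, tainted_values):
        raise AttackDetected(sql)
    return conn.execute(sql).fetchall()


def make_db():
    """Constructed in-memory schema with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user(conn, name: str):
    """Deliberately concatenating query: the kind of code the sink hook protects."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return guarded_execute(conn, sql, [name])


def classify(conn, name: str) -> dict:
    """Run both detectors on one request value and report what each decided."""
    try:
        rows = find_user(conn, name)
        runtime_verdict = "allowed"
    except AttackDetected:
        rows = []
        runtime_verdict = "blocked"
    return {"signature": "blocked" if signature_flags(name) else "allowed",
            "runtime": runtime_verdict, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    for value in ["bob",
                  "notes: 1=1 or 1=1",   # benign text that happens to match the rule
                  "' OR 1=1 --",         # textbook tautology, matched by the rule
                  "' OR 'a'='a"]:        # variant the rule was never written for
        print(repr(value), classify(db, value))
```

Running the block shows the two failure modes the post describes: the signature fires on the harmless comment text (a false positive) and stays silent on the variant it has no pattern for (a false negative), while the sink check allows the first and blocks both of the others, because it asks only whether the statement still has the structure the code intended, not whether the input resembles a known attack.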
K2’s RASP solution also provides meaningful details about discovered attacks and exploited vulnerabilities. Due to the positioning of the RASP solution, K2 can provide down to the line of code details to help identify vulnerabilities, as well as the full payload to reproduce the exploit and trigger the vulnerability, details that help a developer quickly address vulnerabilities.
We also recently released a video, The need for deterministic security. The video explains why technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security addresses the need to detect zero-day attacks. It also explains why technologies such as artificial intelligence, machine learning, heuristics, fuzzy logic, pattern matching and signature matching fail to detect true zero-day attacks, giving specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change the way you protect your applications, include RASP, and learn about K2’s application workload security.