Why CISOs Need Application Detection and Response

Server-side applications and APIs handle sensitive data but are poorly defended, making them tempting cybercrime targets.

August 19, 2024


What most chief information security officers (CISOs) know about their organizations' applications and application programming interfaces (APIs): 

  • Whether their teams are finding vulnerabilities

  • Whether they're fixing vulnerabilities

That's not nearly enough data. But most tools lack visibility into the application layer, causing a huge blind spot. Worse, bad actors are acutely aware of this blind spot, and they're exploiting it to evade defenses.

CISOs might be surprised to learn that the application layer — a prominent source of risk — is poorly defended by traditional cybersecurity controls and countermeasures. Application detection and response (ADR) is one approach to protecting production applications.

Hidden Vulnerabilities

The application layer, comprising server-side applications and application programming interfaces (APIs), is critical for security but poorly defended. That has led to high-profile cybersecurity incidents originating with application-layer attacks. For example, in 2021 threat actors targeted Kaseya — an IT solutions provider — using authentication bypass and SQL injection techniques at the application layer to target Kaseya's customers.

Such attacks are particularly dangerous because the application layer effectively runs the business, handling virtually all company data, including sensitive data like personally identifiable information (PII) and personal health information (PHI). It's typically connected with databases and other applications, sometimes ones that operate outside the organization. In short, the application layer is a tempting target.

However, while the security operations center (SOC) can monitor almost every other aspect of the IT environment, the application layer tends to be difficult, or impossible, to monitor effectively for threats.

Lack of visibility creates many risks, including attackers' ability to linger undetected in the application layer, persisting until they escape to move laterally across the environment. Perimeter protections like web application firewalls (WAFs) can be helpful in this scenario, but they often lack the contextual understanding to detect subtleties that reveal a lurking threat. Extended detection and response (XDR) solutions similarly lack visibility into production applications and APIs. The net result: The application layer becomes a veritable black box — masking threats where you need to see them.

ADR Mitigates Application-Layer Risk

ADR provides much-needed detection and response capabilities at the application layer. An ADR solution uses in-app agents to monitor security-relevant application behavior continuously while the code is running. It detects anomalous behavior across the application stack.

ADR can thereby detect vulnerabilities in open source and custom code that manifest only at runtime. Its "inside-out" approach enables ADR to spot evidence of zero-day attacks that XDR and WAFs will miss at the application layer. The ADR solution can then transmit threat data to the SOC for incident response workflows through a security orchestration, automation, and response (SOAR) or other platform.

An ADR platform can also feed vulnerability and attack data to security information and event management (SIEM), XDR, and cloud-native application protection platform (CNAPP) tools, so SOC teams can improve their visibility without switching between security tools multiple times a day.
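To make the "in-app agent" idea concrete, here is an added example in Python; it is illustration code written for this page, not Contrast's agent or any code from the article. It instruments the application's data layer from the inside: every SQL statement passes through a monitor that (1) reports when an untrusted request value reached the statement unbound, which is the vulnerability, even on benign traffic, and (2) compares the statement's structure against a learned baseline for that route, so an injected clause shows up as a shape the route has never produced, which is the attack. Findings are exported as JSON lines for a SIEM or SOAR pipeline, and in blocking mode the anomalous statement is refused before it runs, the automatic-blocking behaviour the "Three Reasons" section describes. The function names, the `/users` route, the request-parameter context variable and the sample data are all assumptions constructed for the example; a real agent hooks the database driver rather than asking the application to call `execute_sql`.

```python
"""ADR-style in-app runtime monitor (added illustration, not Contrast's agent)."""
import contextvars
import json
import re
import sqlite3
import time
from dataclasses import dataclass, asdict

# Untrusted parameters of the request in flight. A real web framework would set this
# in middleware; the demo handlers below set it directly (assumption).
REQUEST_PARAMS = contextvars.ContextVar("request_params", default={})

# SQL string literals ('...' with '' as the escaped quote) and bare numeric literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def query_shape(sql: str) -> str:
    """Reduce a statement to its structure: literals become '?', whitespace and case
    are normalised. Two statements with the same shape differ only in data values."""
    return re.sub(r"\s+", " ", _LITERAL.sub("?", sql)).strip().lower()

@dataclass
class Finding:
    ts: float
    route: str
    rule: str       # "unbound-untrusted-input" (a vulnerability) or "query-shape-anomaly" (an attack)
    detail: str
    statement: str
    action: str     # "observed" or "blocked"

class BlockedRequest(Exception):
    """Raised when the monitor refuses to let an anomalous statement execute."""

class RuntimeMonitor:
    def __init__(self, block: bool = False):
        self.block = block
        self.baseline: dict = {}   # route -> set of query shapes seen during learning
        self.findings: list = []

    def learn(self, route: str, sql: str) -> None:
        """Record a statement shape as normal for this route (baseline/learning phase)."""
        self.baseline.setdefault(route, set()).add(query_shape(sql))

    def inspect(self, route: str, sql: str) -> list:
        found, now = [], time.time()
        # Rule 1: an untrusted request value appears verbatim in the SQL text, i.e. it was
        # concatenated instead of bound. A crude stand-in for real taint tracking; it fires
        # on benign traffic too, which is the point: the unsafe pattern is a vulnerability.
        for name, value in REQUEST_PARAMS.get().items():
            if isinstance(value, str) and len(value) >= 3 and value in sql:
                found.append(Finding(now, route, "unbound-untrusted-input",
                                     f"parameter {name!r} reached the statement unbound", sql, "observed"))
        # Rule 2: the statement's shape is one this route has never produced. Injected
        # clauses change the shape; different data values do not.
        shape, known = query_shape(sql), self.baseline.get(route)
        if known is not None and shape not in known:
            found.append(Finding(now, route, "query-shape-anomaly",
                                 f"shape {shape!r} never seen on this route", sql,
                                 "blocked" if self.block else "observed"))
        self.findings.extend(found)
        return found

    def export(self) -> list:
        """Findings as JSON lines, the form a SIEM/SOAR pipeline would ingest."""
        return [json.dumps(asdict(f)) for f in self.findings]

def execute_sql(monitor, conn, route, sql, args=()):
    """Instrumented data-layer entry point: every statement passes through the monitor."""
    for f in monitor.inspect(route, sql):
        if f.action == "blocked":
            raise BlockedRequest(f.detail)
    return conn.execute(sql, args).fetchall()

# Two handlers for the same route: one concatenates user input, the fixed one binds it.
def find_user_unsafe(monitor, conn, name):
    REQUEST_PARAMS.set({"name": name})
    return execute_sql(monitor, conn, "/users", f"SELECT id, name FROM users WHERE name = '{name}'")

def find_user_safe(monitor, conn, name):
    REQUEST_PARAMS.set({"name": name})
    return execute_sql(monitor, conn, "/users", "SELECT id, name FROM users WHERE name = ?", (name,))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])  # constructed data
    monitor = RuntimeMonitor(block=True)
    monitor.learn("/users", "SELECT id, name FROM users WHERE name = 'alice'")    # baseline
    rows = find_user_unsafe(monitor, conn, "alice")         # benign traffic through the unsafe handler
    first_rules = [f.rule for f in monitor.findings]        # the vulnerability is reported, not blocked
    try:
        find_user_unsafe(monitor, conn, "' OR '1'='1")      # classic tautology: the shape changes
        blocked = False
    except BlockedRequest:
        blocked = True
    before = len(monitor.findings)
    find_user_safe(monitor, conn, "' OR '1'='1")            # bound parameter: no finding at all
    return {"rows": rows, "first_rules": first_rules, "blocked": blocked,
            "safe_clean": len(monitor.findings) == before,
            "actions": [json.loads(e)["action"] for e in monitor.export()]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points are worth noting. The shape baseline is what lets the monitor work without signatures: it never looks for known payloads, only for a statement structure the route has not produced before, which is why it can catch an unknown attack and why the same input bound as a parameter produces nothing. And the two rules have different severities on purpose: the unbound-input rule fires on legitimate traffic and is a remediation item for the developers, while only the shape anomaly is blocked, so enabling blocking mode does not break the application over a latent bug.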

Three Reasons CISOs Need an ADR Solution

In sum, here are three reasons CISOs need ADR:

1. Reduce Overall Risk Exposure and Impacts of Attacks

Improving threat detection and response capabilities at the application layer can reduce your organization's overall cyber-risk exposure. ADR enables enhanced mitigation of significant threats such as zero days and advanced persistent threats (APTs) that lurk at the application layer. Additionally, by making it harder for attackers to persist at the application layer, you can reduce the attack surface and shrink the business impact of cybersecurity incidents.

2. Decrease Time at Risk

The longer an attacker goes undetected, the greater the potential for data breaches and other disruptions. With ADR, you can catch attackers as they lurk in the application layer. You can also detect vulnerabilities in the code — both known and unknown — and remediate them before they're exploited. The amount of time you're exposed to risk thereby decreases, improving your security posture in the process.

3. Increase Response Speed While Decreasing Resolution Time

By identifying threats early at the application layer, ADR solutions can speed up incident response. SOC analysts can get enriched data about threats and respond accordingly. ADR data can feed into SOAR platforms and inform automated incident response playbooks, too. The solution can also automatically block attacks at the application layer and prevent an attack from spreading or causing more damage. The mean time to resolution (MTTR) should drop as well.

Conclusion

Despite its criticality for security and business operations, the application layer is strikingly vulnerable. Visibility into what's happening there is quite limited. ADR offers a way forward. It provides continuous monitoring of code in production, flagging anomalies and other threat indicators before attackers can break out and move laterally. This translates into reduced overall cyber-risk exposure, decreased time at risk, and increased speed of response. ADR helps CISOs close an important gap in security and limit the potential impact of application-layer attacks.

By David Lindner, CISO & Data Privacy Officer, Contrast Security

About the Author

David Lindner

David Lindner is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer and data privacy officer at Contrast Security, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs.
