[BreachExchange] Unprotected web applications: The new security frontier. So reprioritise

Destry Winant destry at riskbasedsecurity.com
Thu Jun 29 02:14:04 EDT 2017


https://www.scmagazineuk.com/unprotected-web-applications-the-new-security-frontier-so-reprioritise/article/667980/

Competitiveness requires agility, automation, speed, scalability, and
a relentless focus on the customer, and that is why organisations are
developing or moving their business-critical applications to the
cloud. But security needs to keep pace with that change, and
traditional approaches to securing those web applications are not
going to protect against the latest cyber-threats or safeguard
customer data and confidence.

Data breach – what's the leading source?

Verizon's widely followed Data Breach Investigations Report shows that
web application attacks are now the leading source of breaches, up 500
percent since 2014. Meanwhile, according to Gartner, businesses are
still spending 95 percent of data centre security budgets on perimeter
security, so less than five percent is spent on securing directly
against web application attacks. This balance needs to shift. As much
as perimeter and end-point security are needed, there needs to be a
seismic shift of focus towards investing in protection for web applications
across their full infrastructure stack.

Cyber-attacks on web applications account for over 40 percent of
incidents resulting in a data breach, and are the single biggest
source of data loss. These statistics are reflected in AlertLogic's own
data, where web application attacks make up the top five attacks seen
in its Security Operations Centre (SOC). The most prevalent attack
methods observed are SQLi (SQL injection), file inclusion, and
exploits against Apache Struts.

So why are web applications so difficult to defend?

Web applications are the hardest workloads to defend, whether on
premises or in the cloud, because of their multi-faceted nature. They are
complex, with rapidly changing code and fast deployment cycles; they often
rely on open source and third-party development tools that can
introduce a long tail of inherited vulnerabilities; and they have a large
attack surface that can be compromised at any layer of the
application stack. They are internet-facing, and typically deliver
ecommerce, rich content or SaaS functionality. The OWASP Top 10 (the list
of the 10 most critical web application security risks) goes some way to
showing the scale of the challenge for developers and security teams
trying to keep these applications secure.

Cloud-based applications gain the benefit of being hosted on hardened
cloud platforms, but attackers are getting wise to that, and are
starting to work their way up the application stack to find the
weakest link: the more dynamic and interconnected an application is,
the more exposed it is to the risk of compromise.

The only way to get ahead of this risk is to have visibility into, and
understand, the full application stack so that you can monitor, detect
and defend every layer that may be the entry point for attackers.

Easier said than done, though, right?

Security technologies are great at collecting data: events, logs and
feeds from up and down the application stack. But whilst the
indicators of compromise are somewhere in that data, the volume is now
so vast that it is becoming harder and harder to pick out what is
clearly malicious and needs to be analysed and investigated further.
Attackers are exploiting this.

The Target data breach from 2013 is the most famous example of this.
The US retailer did in fact have alerts indicating it was under
attack. But those alerts were among the 50,000+ events collected by its
SIEM (Security Information and Event Management) system that day,
and all of them looked exactly the same, so when the alarm was raised
by the SOC, no one realised it was part of an extremely dangerous
cyber-attack.

Inspecting data up and down the application stack is important, but as
we can see from the Target data breach, it isn't enough.
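The Target paragraph above makes the point that thousands of near-identical events hide the few that matter. The following added example, which is not code from the article or from any vendor it names, shows one defensive step in that direction: classifying web-server access-log lines against the two attack classes the article names (SQLi and file inclusion), then collapsing repeated hits into one alert per client and class, ranked by severity rather than raw volume. The log lines, rule patterns and severity numbers are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample web-server access log (not data from the article).
# 10.0.0.9 sends several repeated probes; the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jun/2017:02:10:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [29/Jun/2017:02:10:02 +0000] "GET /product?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 913
10.0.0.9 - - [29/Jun/2017:02:10:03 +0000] "GET /product?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 77
10.0.0.9 - - [29/Jun/2017:02:10:04 +0000] "GET /product?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 913
10.0.0.9 - - [29/Jun/2017:02:10:05 +0000] "GET /view?page=../../../../etc/passwd HTTP/1.1" 403 12
10.0.0.12 - - [29/Jun/2017:02:10:06 +0000] "GET /static/app.js HTTP/1.1" 304 0
10.0.0.7 - - [29/Jun/2017:02:10:07 +0000] "POST /login HTTP/1.1" 302 0
"""

# Detection rules: (attack class, assumed severity, pattern tested against the decoded request path).
RULES = [
    ("sqli", 9, re.compile(r"union\s+select|'\s*or\s*'", re.I)),
    ("file_inclusion", 8, re.compile(r"(?:\.\./){2,}|php://|/etc/passwd", re.I)),
]
# Client address and request path from a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|DELETE|HEAD) (\S+) ')

def classify(path):
    """Return (attack class, severity) for the first rule matching the URL-decoded path, else None."""
    decoded = unquote(path)
    for name, severity, pattern in RULES:
        if pattern.search(decoded):
            return name, severity
    return None

def triage(log_text):
    """Collapse matching events into one alert per (client, class), ranked by severity, then volume."""
    counts = Counter()
    severity = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        client, path = m.groups()
        hit = classify(path)
        if hit:
            counts[(client, hit[0])] += 1
            severity[(client, hit[0])] = hit[1]
    alerts = [{"client": c, "class": k, "severity": severity[(c, k)], "events": n}
              for (c, k), n in counts.items()]
    return sorted(alerts, key=lambda a: (-a["severity"], -a["events"]))

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Seven raw events reduce to two prioritised alerts for the same client, which is the shape an analyst can act on; in production the rules would be far richer, but the aggregation step is what keeps the signal visible.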

Protecting web applications

Automated analytics and machine learning are playing a key role in
protecting web applications – from detecting anomalies and making
sense of suspicious activity, to learning from attack patterns and
identifying emerging threats.

But even that isn't enough if you don't have the people skills to be
able to help tune machine learning results, or provide deeper threat
intelligence, or investigate incidents to determine remediation.

So, unless you're in the enviable position of being able to run a
fully comprehensive security operation, with all the tools, technologies,
threat intelligence and people that can keep you safe 24x7, CIOs and
the wider application development team must establish priorities.
Baking security practices into the DevOps lifecycle and reprioritising
budgets to account for the recent surge in cyber-attacks on web
applications are a must, particularly with the
General Data Protection Regulation (GDPR) coming into force in May 2018.

One thing is certain: the threats are not going away, so company
executives need to take more ownership of understanding the risk and
attack surface of their business-critical web applications, and ensure
that they identify and address high-risk areas before attackers get
there first.

