Discover PerformanceHP Software's community for IT leaders // September 2014
Go where the enemy is: Cover your apps
The adversary is putting more effort into your applications. Here’s how you can do the same.
When cybercriminals change their tactics, security professionals need to change right along with them. Over the years, hackers have shifted their sights from the network to the OS and on to applications. Today, about 84 percent of security breaches target the application layer—but CISOs are struggling to adapt.
To date, enterprises have mostly doubled down on network-layer and perimeter-based defense techniques. Network-layer tripwires detect breaches and anomalies within applications some of the time, but not nearly often—or intelligently—enough to be an adequate defense, especially in light of the significant growth of enterprises’ application portfolios.
Today’s app-centric threat landscape requires a more strategic approach, designed specifically for sophisticated app-exploitation techniques.
The shift to applications
In hindsight, cyber crime’s stealthy creep from network attacks to application attacks is something we might have predicted. After all, attackers had been getting diminishing returns from their network-layer tactics. So it’s no surprise that the adversaries moved the battle lines—especially when applications present such a big target.
Thanks in part to widespread use of mobile devices and employees’ embrace of increasingly specialized third-party cloud apps, organizations have increased their application footprint dramatically. The largest enterprises may have 90,000 application instances and 3,000 web-based properties.
The state of application security
Our applications aren’t all easy targets, of course. In addition to the intact, but insufficient, methodologies for network-layer detection, organizations generally test applications to make sure they’re secure before they are deployed. But time-to-market pressures have compromised this approach.
Organizations are under pressure to release applications faster than ever. With mobile apps, it’s not uncommon for a business unit to outsource development to firms that do little or no security testing. As we wrote about in an earlier issue, sometimes apps get released without any security checks or IT vetting whatsoever.
When applications do get tested, the security team is usually given only enough time to address critical vulnerabilities; many lower-priority weaknesses go into production, to be addressed later. While more testing would have a positive effect on an organization’s security posture, testing is not a cure for all problems.
The context for a better defense
Applications exist in a context of user interactions and intentions: it isn’t a simple matter of normal behavior vs. abnormal behavior. A mobile app’s request for a device’s GPS coordinates can be appropriate when the user clicks to display a map of his location. But the same request in another context could reveal malicious intent.
Network security catches a portion of exploit attempts, but it lacks the context to see how a particular user might be manipulating application behavior. Because network traffic is decoupled from the application runtime, it’s often impossible to distinguish benign actions from targeted attacks.
Therefore, to create outstanding application defense, traffic monitoring must sit within the runtime environment. It’s inevitable that the industry will move in this direction. HP Enterprise Security Products has made just such a move, debuting HP Application Defender at HP Protect 2014. HP Application Defender is a new, cloud-based runtime protection solution that watches everything going on in the app and stops suspected exploits in real time. Being a cloud-deployed solution, it offers ease of deployment and management with no infrastructure required to establish the service.
While ease of deployment adds value, the real takeaway is closing the gap on cyber crime’s most pressing vulnerability while supporting rapid business innovation. Increasingly, CIOs, CISOs, and security vendors are going to have to do a better job of stopping the attacks where they happen: at the application layer.
To better protect your apps, learn more about HP Application Defender.
HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.
Preparing today for tomorrow’s threats.
Introduction to Enterprise 20/20
What will a successful enterprise look like in the future?
Challenges and opportunities for the CIO of the future.
Dev Center 20/20
How will we organize development centers for the apps that will power our enterprises?
Welcome to a new reality of split-second decisions and marketing by the numbers.
IT Operations 20/20
How can you achieve the data center of the future?
What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.
Looking toward the era when everyone — and everything — is connected.
Data Center 20/20
The innovation and revenue engine of the enterprise.