Mirror, Mirror: Using Self-Protection to Boost App Security

Last week while reading to my toddler, I came across the story of “Snow White,” in which the evil queen consults a magic mirror to find her greatest threat, the fairest person in the land. While my kid fell asleep — probably due to my effective storytelling technique — I kept thinking about why the queen would want to identify that threat. The answer, of course, is self-protection from anything that might dethrone her.

Then I began to think about what mechanism the mirror might use to compile and analyze a list of the fairest people in the land. If we think in security terms, the mirror was using runtime analytics to prioritize the threats and track down the fairest of them all.

A Magic Mirror for App Security

In the security world, the explosion of new and complex applications has introduced a host of new threats. Security analysts need a magic mirror on the wall to identify and prioritize the runtime threats in these applications. IBM QRadar SIEM identified the pain the analysts are going through and partnered with Prevoty to come up with the Prevoty QRadar App, which builds reports and visualizations to help analysts act on threats.

Runtime application security is a mysterious black hole for most enterprises, even though applications and their operating environments are constantly under attack. Attackers too often use content, database and command injections to extract sensitive data via the application, which offers defenders little visibility or actionable insight.

With the complexity of distributed software and proliferation of the cloud, it has become increasingly difficult to detect attacks that are actually hitting applications in production and use that data to make informed security decisions. This is a critical gap because enterprises frequently accumulate vulnerability backlogs and resort to using theoretical levels of criticality — not actual risks — to prioritize threats. Response teams suffer from an inability to correlate preproduction vulnerability data with runtime attack data.

Runtime Application Self-Protection

Prevoty’s runtime security technology can detect and identify the who, what, when and where of an attack, revealing a more complete picture of runtime security events. The Prevoty QRadar App builds reports and visualizations for real-time events generated by the product. At runtime, the security engine feeds live attack data into the Prevoty QRadar App, revealing a detailed breakdown of active threat data and malicious behavior that can be correlated with other data sources.

This results in improved forensics and faster fraud detection for security operations and remediation efforts. Correlating preproduction vulnerability data from a dynamic scanner with Prevoty’s runtime attack logs in QRadar, for example, allows security teams to prioritize remediation based on actual risk.

The core Prevoty security product is deployed using agents and requires no changes to the application. The agents live and travel within the application and log all runtime security events. As a runtime application self-protection (RASP) technology, it can also be used to perform automated vulnerability mitigation for software in production. This saves time, shortens vulnerability backlogs and ensures that the enterprise is not exposed to risk at runtime.

Other benefits of the app include:

  • Runtime application and data security visibility;
  • Automated application vulnerability remediation;
  • Detection and prevention of data exfiltration; and
  • Improvement of fraud detection using real-time app behavior.

Mirror, Mirror on the Wall…

Prevoty’s approach to security accounts for the variable nature of applications and calls for seamless, pain-free implementation. This means apps must be compatible with old and new programming languages, web application frameworks and microservices; support on-premises, cloud and containerized deployments; and integrate with a wide array of code scanners, data logging tools and SIEM tools.

Prevoty can also be deployed at scale and speed using scripts for Ansible, Chef, Jenkins, Puppet and more within the DevOps process. Its high-performance runtime security technology does not add any latency to the operating application, conducting all of its detection and protection at submillisecond speeds.

Ultimately, by using the Prevoty QRadar App in conjunction with the security product, QRadar customers can employ more sophisticated and unified application protection strategies, access never-before-seen, real-time application threat information and reduce friction across different tools.

What’s the Most Secure App of Them All?

The Prevoty RASP app can be downloaded from the IBM Security App Exchange and integrated with IBM QRadar SIEM to create new reports and visualizations worthy of a fairy tale. To learn more, watch our on-demand webinar, “Detect and Respond to Threats Better With IBM Security App Exchange Partners.”

Sandeep Mukherjee

Portfolio Marketing Manager for Security Intelligence, IBM

Sandeep Mukherjee is the worldwide Product Marketing Manager for Security Intelligence solutions. Before joining the Security Intelligence team, he was part of the Security Services Marketing team and was responsible for Industry, Business Partners and Strategic Outsourcing. With about 10 years of experience in product marketing, market intelligence and business development, he specializes in product management and marketing functions across multiple enterprise software and systems integration domains. He holds an MBA in Marketing and a bachelor's degree in e-Commerce.