Application Security Intelligence

Advanced Persistent Threats (APTs) don’t care about your operating system or your firewall. APTs want the information in your applications. Likewise, compliance is about protecting information – the information in your applications. Obviously your infrastructure must be secure because it’s the foundation upon which your applications run. But there’s a reason why most security incidents occur at the application layer:

  • There are more end-users than administrators, and end-users understand the application layer.
  • It’s easier to obtain and consume information at the application layer. For instance, printing a report from a SQL database takes less authority, less system access and less technical skill than exporting the underlying tables. And exporting tables into a portable data format is usually easier than obtaining the physical database files and parsing them.
  • End-users only have access to the application layer, and it’s usually easier for external attackers to gain end-user access than to take over an administrator’s account because:
    • Admins are usually more security conscious than end-users.
    • End-users typically fall prey to phishing and social engineering more easily than IT staff.
    • End-user accounts and endpoints are traditionally less protected than those of privileged users.

Security intelligence from the application layer is the next big frontier in security analytics, whether you use SIEM, Big Data, or both.

To achieve compliance and to stop APTs, your security analysts need to see what’s happening in your applications. Think about it. Most organizations have a SIEM or other security analytics solution that monitors network and operating system activity. If you need to know what’s happening on your network and at the OS layer of your servers, you definitely need to know what’s happening in your applications. After all, that’s where your information actually resides and where most security incidents occur – whether the actor is a malicious insider or an APT outsider.

Application Security Intelligence is knowing about:

  • Who is accessing confidential information
  • Who is modifying information that must be accurate
  • Entitlement changes and other security policy changes
  • Suspiciously large downloads or exports of information
  • Behavior suggestive of an exploratory expedition (a user browsing through information they have no business need for)

The market is crowded with point solutions for monitoring specific applications, each providing its own built-in alerting and reporting. Such products are great for teams dedicated to one application.

But a point solution might not be the answer for a security team that needs to correlate application security intelligence with the rest of its network’s activity. Such teams don’t need yet another console to monitor, another reporting engine to learn and another silo of security information.

The answer is to put application audit logs where audit logs belong – in your SIEM and/or Big Data Security Analytics (BDSA). Then application security intelligence can be correlated with the rest of your security activity. But getting application audit logs into your SIEM/BDSA is surprisingly difficult. Application audit logs tend to be trapped inside the application where they take up valuable application server resources and are vulnerable to tampering.

LOGbinder makes it easy by bridging the gap between applications and your security analytics solutions (SIEM, log management, BDSA).