Application Security Intelligence
Advanced Persistent Threats (APTs) don’t care about your operating system or your firewall.
APTs want the information in your applications. Likewise, compliance is about protecting
information – the information in your applications. Obviously your infrastructure
must be secure because it’s the foundation upon which your applications run. But
there are reasons why most security incidents occur at the application layer:
- There are more end-users than administrators, and end-users understand the application
layer, not the infrastructure beneath it
- It’s easier to obtain and consume information at the application layer. For instance,
printing a report from a SQL database takes less authority, less system access
and less technical skill than exporting the underlying tables, and exporting tables
into a portable data format is usually easier than obtaining the physical database
files and parsing them.
- End-users only have access to the application layer, and it’s usually easier for
external attackers to gain end-user access than to take over an administrator’s
account because:
  - Admins are usually more security conscious than end-users
  - End-users typically fall prey to phishing and social engineering more easily than
    IT staff
  - End-user accounts and endpoints are traditionally less protected than those of
    privileged users
Security intelligence from the application layer is the next big frontier in security
analytics, whether you use a SIEM, Big Data analytics or both.
To achieve compliance and to stop APTs, your security analysts need to see what’s
happening in your applications. Think about it. Most organizations have a SIEM or
other security analytics solution that monitors network and operating system activity.
If you need to know what’s happening on your network and at the OS layer of your
servers, you certainly need to know what’s happening in your applications. After
all, that’s where your information actually resides and where most security incidents
occur, whether the actor is a malicious insider or an APT outsider.
Application Security Intelligence is knowing about:
- Who is accessing confidential information
- Who is modifying information that must remain accurate
- Entitlement changes and other security policy changes
- Suspiciously large downloads or exports of information
- Behavior suggestive of an exploring expedition, such as an account browsing far
more records than its role requires
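To make the five items above concrete, here is an added example (written for this page, not LOGbinder’s product or any vendor’s API) that applies them as detection rules over a small batch of constructed application audit events and renders each hit as a CEF line that a syslog collector or SIEM can ingest. The event schema, field names, thresholds and the vendor/product strings in the CEF header are all assumptions; a real application emits different fields, and the SIEM would layer its own correlation on top.

```python
"""Detection rules over application audit events (added example).

Illustrative code written for this page, not LOGbinder's product or any
vendor's API. The event schema, field names, thresholds and the CEF
vendor/product strings are assumptions; real applications emit different
fields and a SIEM would apply its own correlation on top of these rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). Each mimics one row of an
# application audit log: who did what to which object, and how much of it.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "read",
     "object": "HR/Salaries.xlsx", "classification": "confidential", "rows": 1},
    {"ts": "2024-05-01T09:01:00", "user": "bob", "action": "update",
     "object": "Finance/GeneralLedger", "classification": "integrity", "rows": 1},
    {"ts": "2024-05-01T09:02:00", "user": "admin1", "action": "grant_permission",
     "object": "HR/", "classification": "confidential", "rows": 0,
     "detail": "Full Control granted to carol"},
    {"ts": "2024-05-01T09:05:00", "user": "carol", "action": "export",
     "object": "HR/Employees", "classification": "confidential", "rows": 12000},
] + [
    # carol then opens 40 different documents within four minutes
    {"ts": f"2024-05-01T09:{10 + i // 10:02d}:{(i % 10) * 6:02d}", "user": "carol",
     "action": "read", "object": f"HR/Doc{i:03d}", "classification": "internal", "rows": 1}
    for i in range(40)
]

# Assumed thresholds; tune per application and per role in practice.
THRESHOLDS = {
    "export_rows": 5000,          # records in a single export before alerting
    "explore_objects": 25,        # distinct objects one user reads per window
    "window": timedelta(minutes=10),
}
ENTITLEMENT_ACTIONS = {"grant_permission", "revoke_permission",
                       "add_role_member", "policy_change"}
SEVERITY = {"confidential_access": 4, "integrity_modification": 6,
            "entitlement_change": 7, "large_export": 8, "exploration": 6}


def _alert(rule, event, detail):
    return {"rule": rule, "ts": event["ts"], "user": event["user"],
            "object": event["object"], "detail": detail}


def detect(events, thresholds=THRESHOLDS):
    """Apply the five rules from the list above to a batch of events.

    Returns one alert dict per rule hit; the exploration rule fires at most
    once per user so that a browsing spree yields one alert, not dozens.
    """
    alerts = []
    recent_reads = defaultdict(list)   # user -> [(ts, object)] inside the window
    explorers = set()                  # users already flagged for exploration
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["classification"] == "confidential" and e["action"] in ("read", "export"):
            alerts.append(_alert("confidential_access", e, f"{e['action']} of confidential object"))
        if e["classification"] == "integrity" and e["action"] in ("update", "delete"):
            alerts.append(_alert("integrity_modification", e, f"{e['action']} of integrity-critical data"))
        if e["action"] in ENTITLEMENT_ACTIONS:
            alerts.append(_alert("entitlement_change", e, e.get("detail", e["action"])))
        if e["action"] == "export" and e["rows"] >= thresholds["export_rows"]:
            alerts.append(_alert("large_export", e, f"{e['rows']} records exported"))
        if e["action"] == "read":
            # Sliding window: keep only this user's reads inside the last N minutes.
            cutoff = ts - thresholds["window"]
            window = [(t, o) for t, o in recent_reads[e["user"]] if t >= cutoff]
            window.append((ts, e["object"]))
            recent_reads[e["user"]] = window
            distinct = {o for _, o in window}
            if len(distinct) >= thresholds["explore_objects"] and e["user"] not in explorers:
                explorers.add(e["user"])
                alerts.append(_alert("exploration", e,
                                     f"{len(distinct)} distinct objects read in "
                                     f"{thresholds['window']}"))
    return alerts


def _cef_escape(value, header=False):
    """Escape per the CEF rules: '|' in header fields, '=' in extension values."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(alert, vendor="ExampleCorp", product="AppAudit"):
    """Render an alert as one ArcSight CEF line ready for syslog to a SIEM."""
    header = "|".join(_cef_escape(f, header=True) for f in
                      ("CEF:0", vendor, product, "1.0", alert["rule"],
                       alert["rule"].replace("_", " "), str(SEVERITY[alert["rule"]])))
    ext = " ".join(f"{k}={_cef_escape(v)}" for k, v in
                   (("rt", alert["ts"]), ("suser", alert["user"]),
                    ("fname", alert["object"]), ("msg", alert["detail"])))
    return f"{header}|{ext}"


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(to_cef(a))
```

On the constructed batch this yields six alerts: one confidential read by alice, one integrity change by bob, one entitlement grant by admin1, and for carol both a confidential export and a large export (the same event trips two rules) followed by a single exploration alert once she has opened 25 distinct documents. Emitting the alert as CEF rather than as a console widget is the point of the passage: the SIEM can then join `suser=carol` against VPN, endpoint and directory events that the application itself never sees.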
The market is crowded with point solutions for monitoring specific applications
which provide built-in alerting and reporting. Such products are great for teams
dedicated to one application.
But a point solution might not be the answer for a security team who needs to correlate
application security intelligence with the rest of their network's activity. Such
teams don’t need yet another console to monitor, another reporting engine to learn
and another silo of security information.
The answer is to put application audit logs where audit logs belong – in your SIEM
and/or Big Data Security Analytics (BDSA). Then application security intelligence
can be correlated with the rest of your security activity. But getting application
audit logs into your SIEM/BDSA is surprisingly difficult. Application audit logs
tend to be trapped inside the application, where they consume valuable application
server resources and are exposed to tampering by anyone with administrative rights
in that application, including the very insiders the logs are meant to record.
LOGbinder makes it easy by bridging the gap between applications and your security analytics
solutions (SIEM, log management, BDSA).