APPLICATION SECURITY STRATEGIES

How to address application security from a holistic perspective


Amir Peles
11.09.2006

There is a fundamental truth in application security: as applications and the services that support them grow more complex, so do the attacks launched against them. Viruses and worms, although still prevalent, are no longer the mainstay of the hacker community. Attackers have graduated to more sophisticated assaults, including multi-source application floods. And with each new report of attacks crippling business-critical applications, application security managers become less certain that the solutions they have in place are sufficient to protect their businesses' applications.

The natural reaction to these sophisticated attacks is to examine each one individually and work out how best to protect the applications it could compromise. But this can prove enormously counterproductive: dealing with attacks one at a time can be cripplingly time-consuming or, worse, divert managers' attention to the point where other attacks penetrate the network's application layer unnoticed.

How, then, is a network manager to focus on these different types of complex attacks while ensuring that application performance is never compromised? The key to successful application security is to be able to defend against malicious activity by examining security from a holistic perspective.

This is, of course, easier said than done. For although the goal of most attacks is the same - to compromise mission-critical applications and take control of the victim's corporate network or individual PC - the methods used to launch them are often quite different. For example, a denial of service (DoS) attack can be launched manually or automatically, via worms that propagate on their own and infect every vulnerable host, while rudimentary viruses can simply be e-mailed, spoofed to look like legitimate mail. The various methods of application penetration at a hacker's disposal can appear deceptively unrelated, which makes prevention look hopelessly unmanageable.

But despite what network managers may think, it IS possible to take a wide-angle, holistic view of application security - without cutting corners. In order to achieve this, one must step back, examine the network application architecture and the technologies in place to protect it, and employ strategies and solutions that will address multiple attacks (even to the point of overlapping), so that all bases are covered and entry points for potential attacks are blocked to the fullest extent possible.

The key to looking at application security from a holistic perspective is, unsurprisingly, to examine the technology solutions a security manager has implemented to protect applications from attacks. But in implementing those solutions there is always the danger that the security manager becomes overly vigilant and ends up blowing his or her entire budget on products that overlap and perform the same functions. Additionally, excessive security technology can have a crippling effect on a network's bandwidth, dramatically slowing users' access to the very applications the security manager is attempting to protect.

This is where a holistic perspective on application security can be strategically and financially rewarding. The first step is for a network manager to come to the realization that no matter how many security appliances and solutions they have deployed, no measure of aggressive implementation is going to stop 100% of application attacks. It just isn't possible. Today's hacker community works too quickly and too efficiently at creating new forms of attack, and most technology solutions simply aren't equipped to handle the fast-evolving attack landscape. But by choosing solutions that detect anomalies automatically and adapt to new and evolving patterns in network traffic, the resources that would normally be spent sifting through false positives and looking at every minuscule traffic anomaly can instead be applied in a more cost-effective manner.

And obviously, the most effective way of blocking attacks is to employ an effective intrusion prevention solution. Many IPS vendors are now offering behavioral analysis capability, which can automatically detect illegitimate network activity and curb application attacks as they happen, often without any human interaction. This can not only save an enormous amount of time, but has also proven highly effective in stopping most critical DoS attacks, without disturbing the service.
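The kind of behavioural baseline the two paragraphs above describe, as an added example that is neither the author's nor Radware's code: each source gets an exponentially weighted mean and variance of its requests per second, a bucket that exceeds the learned range (or an absolute floor) is flagged, and flagged buckets are deliberately not fed back into the baseline so that a flood cannot raise its own threshold. The log format, IP addresses, timestamps and thresholds are constructed for illustration.

```python
"""Adaptive per-source request-rate anomaly detection (added example)."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Baseline:
    """Exponentially weighted mean and variance of per-second request counts."""
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0

    def is_anomalous(self, count: int, k: float = 4.0, floor: float = 5.0) -> bool:
        """True if `count` lies above mean + k*stddev (never below `floor`)."""
        if self.seen < 3:
            return False  # warm-up: too little history to judge
        return count > max(floor, self.mean + k * math.sqrt(self.var))

    def learn(self, count: int, alpha: float = 0.2) -> None:
        """Fold one observation into the running mean and variance."""
        delta = count - self.mean
        self.mean += alpha * delta
        self.var = (1.0 - alpha) * (self.var + alpha * delta * delta)
        self.seen += 1


def constructed_log() -> list[str]:
    """Constructed traffic, not captured data: 'epoch source method path'."""
    base = 1162630000  # arbitrary epoch second
    lines = []
    for sec in range(12):
        lines += [f"{base + sec} 10.0.0.5 GET /index.html"] * 2  # steady 2 req/s
        lines.append(f"{base + sec} 10.0.0.9 GET /status")        # steady 1 req/s
    lines += [f"{base + 12} 10.0.0.5 GET /index.html"] * 60       # 10.0.0.5 floods
    lines.append(f"{base + 12} 10.0.0.9 GET /status")
    return lines


def detect_floods(lines: list[str], k: float = 4.0, floor: float = 5.0,
                  alpha: float = 0.2) -> list[tuple[int, str, int]]:
    """Return (second, source, count) for every per-source bucket judged anomalous."""
    counts: dict[tuple[int, str], int] = defaultdict(int)
    for line in lines:
        ts, src, _rest = line.split(" ", 2)
        counts[(int(ts), src)] += 1
    if not counts:
        return []
    first, last = min(s for s, _ in counts), max(s for s, _ in counts)
    sources = sorted({src for _, src in counts})
    baselines = {src: Baseline() for src in sources}
    alerts = []
    for sec in range(first, last + 1):          # walk every second, zeros included
        for src in sources:
            n = counts.get((sec, src), 0)
            b = baselines[src]
            if b.is_anomalous(n, k, floor):
                alerts.append((sec, src, n))      # flagged: do not learn from it
            else:
                b.learn(n, alpha)                 # normal: adapt the baseline
    return alerts


if __name__ == "__main__":
    for sec, src, n in detect_floods(constructed_log()):
        print(f"t={sec} src={src} requests/s={n} exceeds learned baseline")
```

The floor keeps quiet sources from alerting on a handful of requests, and the warm-up count keeps the first few seconds of a new source from being judged against an empty history; both are the kind of false-positive controls the paragraph above says a behavioural system must have before it can run "without any human interaction".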

Because of this, the additional technologies (e.g. Web application firewalls) can be hand-picked strategically to plug the remaining holes in the application architecture as needed, preventing overlap between solutions and unnecessary cost. And choosing a solution that identifies attacks automatically frees network managers to focus their attention on more important tasks - like monitoring applications and maximizing bandwidth.

And ultimately, this should be the goal of all application security – to protect mission-critical applications from potentially devastating attacks while keeping corporate networks up and running at all times. By viewing application security from a holistic perspective, rather than viewing each type of malicious attack individually, network managers can ensure that nothing slips through the cracks of their application infrastructure, and that all potential attacks are prevented with the least possible investment in additional resources.

-----------------------------------
About the author: Amir Peles is chief technical officer at Radware.

Copyright 2006 - 2008, TechTarget