Eliminate AppSec Sprawl

PUBLISHED ON April 1, 2020
LAST UPDATED August 2, 2021

As the threat landscape has become more diverse, AppSec solutions have become increasingly fractured. For each new type of threat or problem, a new corresponding type of security product seems to arise. This sort of technology sprawl has become operationally unsustainable: organizations are forced to support ever more applications and APIs, and to defend against a much broader set of threats, including bots, DDoS attacks, and patient, multi-stage, targeted attacks that rely on evasion techniques.

To keep pace, teams must have AppSec tools that can detect and prevent across the full spectrum of threats automatically, continuously, and reliably. Delivering on this goal requires more than a collection of individual products or yet another band-aid on the old WAF; it requires a new, truly coordinated approach built for these modern challenges.

Ensemble Detection and Prevention

To detect sophisticated and diverse threats, organizations need a broad set of detection strategies. This is why ThreatX takes an ensemble approach to detection and prevention. By “ensemble”, we mean bringing together a complementary set of technologies that work together in ways that any single technique couldn’t achieve on its own. By bringing multiple perspectives in a single context, security teams get a highly accurate, reliable and complete view of threat activities.

Specifically, ThreatX includes detection models based on:

  • Analysis of application behavior
  • Attacker behaviors and profiling
  • Active interrogation & deception techniques
  • Global shared threat intelligence
  • Traditional signatures

More than simply being a collection of features, all of these techniques work together to deliver a unified, fully informed verdict about a potential threat entity. Instead of producing several individual alerts or anomalies, the ensemble approach drives to a single actionable answer, without manual or external log correlation. As an analogy, where traditional alerts focus on individual atomic events, an ensemble approach is able to see the larger chemistry. Instead of a jumbled collection of words, an ensemble can reveal the narrative of the story.

This approach is immediately different from that of many traditional WAF vendors, which have simply bolted together a variety of acquired models and techniques that were never intended to work together. This forces organizations to maintain multiple sets of policies, with each module requiring its own tuning and having its own impact on performance and availability. The result is multiple independent products housed under a single brand that retain all the complexity, cost, and overhead of multiple solutions.

ThreatX provides a truly integrated approach in which all the perspectives are designed to work together and contribute to a shared narrative of a threat entity. This also gives the solution considerable flexibility to detect many different types of threats. Behavioral analysis can be critical for identifying signs of malicious automation or attacks that have no known signature. Attacker profiling can recognize the unique traits and techniques used by bad actors, while more active methods such as interrogation and deception provide more deterministic tests that distinguish hosts that are truly malicious from hosts that are merely behaving anomalously. This allows ThreatX to deliver reliable answers across a wide range of threats without heavy customization.

Continuous, Real-Time View of Risk

Ultimately, this collective context and insight is boiled down to an up-to-the-minute view of risk to the organization. The resulting risk score is a standardized metric that can drive enterprise policies and protections that act in real time and continuously adapt to changes in the environment.

For example, a particular visiting host could accumulate risk based on a combination of anomalous application behavior, attacker profiling, and active interrogation results. Any single trait or detection on its own may not be enough to trigger a blocking response, but taken together, the overall risk rating of the host can allow ThreatX to take proactive action. This allows organizations both to block threats that would otherwise be missed and to aggressively reduce false positives, because a verdict is only reached once a threat is corroborated from multiple perspectives.

This view of risk also adapts naturally over time. Modern attacks often evolve over days or weeks as attackers perform reconnaissance and enumeration and progressively move to attack the application and its infrastructure. ThreatX can fingerprint attackers and track them over time so that the risk score retains the long-term context of all the events that should contribute to overall risk. This means that an organization's policies and view of risk break out of the realm of individual events and alerts and are instead informed by an ongoing narrative.

This view of time also works in the opposite direction. The cumulative view of risk can trigger a blocking policy to protect the application and its assets. However, for many organizations, unblocking IP addresses after a threat has passed is just as important as blocking the threat in the first place. Because IP addresses are reused (shared NAT, carrier-grade NAT, and cloud egress pools all put legitimate users behind addresses an attacker used earlier), organizations do not want to keep blocking valid visitors, and the task of disabling a block is often manual. ThreatX handles this work automatically. By analyzing risk over time, a host's risk score naturally decays, and once it falls back below the threshold, the host is automatically unblocked. This ensures that the organization stays protected in real time while freeing AppSec staff from constantly doing manual work to clean up after their AppSec tools.
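The two preceding sections describe a per-host risk score that accumulates across detection perspectives, blocks only once the combined score crosses a threshold, and decays over time so that blocks lift on their own. The following is an added illustration of that mechanism, written for this article; it is not ThreatX's code and does not describe how the ThreatX platform actually scores or decays risk. The signal names, the point weights, the one-hour half-life, the thresholds, and the event stream are all constructed for the example. One design choice the article does not spell out is used here: the unblock threshold is set lower than the block threshold (hysteresis), so a host sitting near the boundary does not flap between blocked and unblocked.

```python
"""Illustrative ensemble risk score with time decay and automatic unblock.

Constructed example; the weights, thresholds and half-life are hypothetical
and are not ThreatX's values.
"""
from dataclasses import dataclass, field

# Hypothetical contribution of each detection perspective named in the article.
# A deterministic active-interrogation failure is weighted most heavily; a
# single app anomaly or signature hit is deliberately kept below the block line.
SIGNAL_WEIGHTS = {
    "app_anomaly": 20.0,        # behavioural analysis of the application
    "attacker_profile": 25.0,   # attacker behaviour / tooling profile
    "interrogation_fail": 40.0, # failed active interrogation or deception test
    "threat_intel": 15.0,       # hit in shared threat intelligence
    "signature": 30.0,          # traditional signature match
}
BLOCK_THRESHOLD = 60.0    # block once cumulative risk reaches this value
UNBLOCK_THRESHOLD = 30.0  # lift the block only after decay drops below this (hysteresis)
HALF_LIFE_SECONDS = 3600.0  # risk halves every hour with no new events


@dataclass
class HostState:
    score: float = 0.0
    last_update: float = 0.0
    blocked: bool = False
    history: list = field(default_factory=list)  # (timestamp, signal) for the narrative


class RiskEngine:
    """Tracks risk per attacker fingerprint (assumed to be more stable than a bare IP)."""

    def __init__(self, half_life=HALF_LIFE_SECONDS,
                 block_at=BLOCK_THRESHOLD, unblock_at=UNBLOCK_THRESHOLD):
        if unblock_at > block_at:
            raise ValueError("unblock threshold must not exceed block threshold")
        self.half_life = half_life
        self.block_at = block_at
        self.unblock_at = unblock_at
        self.hosts: dict[str, HostState] = {}

    def _decay(self, state: HostState, now: float) -> None:
        # Exponential decay: score * 0.5 ** (elapsed / half_life).
        if now > state.last_update:
            state.score *= 0.5 ** ((now - state.last_update) / self.half_life)
            state.last_update = now

    def observe(self, fingerprint: str, signal: str, now: float) -> bool:
        """Record one detector signal for a host; return whether the host is now blocked."""
        state = self.hosts.setdefault(fingerprint, HostState(last_update=now))
        self._decay(state, now)
        state.score += SIGNAL_WEIGHTS[signal]
        state.history.append((now, signal))
        if not state.blocked and state.score >= self.block_at:
            state.blocked = True
        return state.blocked

    def tick(self, fingerprint: str, now: float) -> bool:
        """Re-evaluate a host with no new event: apply decay, lift the block if it has faded."""
        state = self.hosts.get(fingerprint)
        if state is None:
            return False
        self._decay(state, now)
        if state.blocked and state.score < self.unblock_at:
            state.blocked = False
        return state.blocked

    def risk(self, fingerprint: str, now: float) -> float:
        """Current decayed risk score for a host (0.0 if never seen)."""
        state = self.hosts.get(fingerprint)
        if state is None:
            return 0.0
        self._decay(state, now)
        return state.score


def run_demo() -> list:
    """Constructed event stream: a slow, multi-stage probe that only blocks on corroboration."""
    eng = RiskEngine()
    log = []
    log.append(("h1", 0.0, eng.observe("h1", "app_anomaly", 0.0)))          # 20.0, allowed
    log.append(("h1", 600.0, eng.observe("h1", "attacker_profile", 600.0)))  # ~42.8, allowed
    log.append(("h1", 900.0, eng.observe("h1", "interrogation_fail", 900.0)))  # ~80.4, blocked
    log.append(("h1", 4500.0, eng.tick("h1", 4500.0)))    # ~40.2 after 1 h: still blocked
    log.append(("h1", 11700.0, eng.tick("h1", 11700.0)))  # ~10.1 after 3 h: unblocked
    log.append(("h2", 0.0, eng.observe("h2", "signature", 0.0)))  # single hit, never blocked
    return log


if __name__ == "__main__":
    for fingerprint, t, blocked in run_demo():
        print(f"t={t:>8.0f}s host={fingerprint} blocked={blocked}")
```

Two points a practitioner would check before adopting a scheme like this: the decay half-life must be long enough that a patient attacker who spaces probes a day apart still accumulates risk across the campaign, and the fingerprint used as the key must not collapse many legitimate users behind one NAT address into a single entity, or the auto-unblock logic only partly solves the shared-IP problem the article raises.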

These are just some of the ways that a truly integrated approach to AppSec can change how organizations think about defending their applications. Ultimately, our approach is not about checking boxes of functionality, but about building a solution that is greater than the sum of its parts. The threat landscape is incredibly varied and changes every day, and to keep pace, we need all of our intelligence working together.

About the Author

Chris Brazdziunas

Chris has a proven track record of leading global product and R&D organizations to deliver large-scale enterprise software and security solutions. Prior to joining ThreatX, Chris held multiple senior product management and engineering positions, most recently serving as Vice President of Product at market-leading SIEM provider LogRhythm, where she was responsible for product strategy, product operations, and development. Chris holds an M.S. in Information Networking from Carnegie Mellon University and a B.S. in Computer Engineering from the University of Illinois.