Making the Change to Risk-Based AppSec

PUBLISHED ON July 9, 2020
LAST UPDATED August 2, 2021

By focusing intently on risk-based security, ThreatX delivers a truly modernized approach to AppSec that enables our clients to manage their threat posture in a fundamentally different way. It lets us consistently recognize and stop more legitimate attacks for our customers, vastly reduce false positives, and significantly reduce the fatigue and burden on staff and analysts. Let’s take a closer look at what it’s all about and why it matters.

Security Focused on the Business

At its highest levels, risk quantifies the potential of a loss or some negative outcome resulting from a threat. Viewing potential threats from a risk perspective shifts the focus to the result rather than merely looking at the suspicious activity itself. While this may seem like a subtle shift, it has a material impact on the process. It forces organizations to assess security decisions in business-relevant terms rather than purely based on a cybersecurity viewpoint.

It’s common for security and application teams to have natural friction because one side is focused on threats, and the other is focused on serving users. A risk-based approach doesn’t necessarily resolve all potential conflicts. Still, it does allow security teams, app teams, and various levels of management to approach security issues with more information and from a collective, collaborative viewpoint with common goals.

Telling the Big Picture

The real value of a risk-based approach is that it allows us to tell a bigger, far more complete story around a security event. If we simply add a risk score to each threat, then we haven’t made much progress. ThreatX brings together multiple security detection techniques, various detection strategies, and numerous suspicious events over time to paint a complete picture of risk.

This is a significant change compared to the traditional WAF-based model. WAFs have historically amassed vast collections of individual threat detections: signatures, blacklists, and countless modules. Each ultimately yields a binary, yes/no detection decision based on a single event, which then generates an alert and potentially a blocking action; single-event detections can only produce equally binary decisions. A risk-based approach looks past these individual words to the narrative of an attack and, ultimately, its outcome.

And this has real results in the real world. First, organizations are not forced into binary decisions based on a single piece of data. In some cases, a single detection is all you need to decide whether to block. But far more often, security teams find themselves in a grey area that requires more context. In these cases, it has always been incumbent on security teams and analysts to mine through large amounts of data and put the pieces together, typically using a SIEM and hours of manual analysis. ThreatX’s WAAP++ (web application and API protection + bot protection + DDoS attack mitigation) platform integrates and automates all of this analysis. The ThreatX platform automatically builds the full narrative, allowing decisions to be automated in real time while preserving all the details and proof needed for verification.

Informing Risk with Multiple Contexts

ThreatX’s breadth of detection methodologies is one of the things that often stands out about the platform. Application behavioral analysis, attacker behavioral analysis, active interrogation, and a wide variety of additional techniques are all employed to detect threats. However, all of these techniques roll up to a centralized risk-based engine. This engine synthesizes all of the various contexts into a single quantifiable and actionable verdict about a security event.

This is incredibly important and powerful in several ways:

  • It ensures that teams typically don’t have to make block/allow decisions based on only a single piece of data.
  • Threats can be corroborated from multiple perspectives, which vastly reduces the potential for false positives.
  • An ensemble of detection strategies allows the system to take advantage of each method’s natural strengths while compensating for any potential weaknesses.

For example, ThreatX continually models the behavior of applications, features, and individual microservices. Changes in the behavior of the application can be a reliable early indicator of an attack, such as a malicious bot attempting to take over an account. However, a behavioral anomaly on its own may not be conclusive. In this case, ThreatX can actively collect more context by interrogating the suspicious visitor. This can allow the system to quickly distinguish between a valid visitor and a bad bot automatically while remaining completely invisible to real users.

Risk Over Time

ThreatX’s approach to risk also continually evolves in response to changes in the real world. Unlike traditional signatures, which are typically verdicts rendered at a single point in time, ThreatX’s view of risk is dynamic and continuously updated based on the latest observations. This can allow teams to make very timely enforcement decisions as the overall risk rises or falls. Rather than manually correlating events and blocking events hours or even days too late, ThreatX can trigger high confidence blocking at the right time when the risk rises to dangerous levels. Conversely, the solution can automatically unblock a host once the risk declines, freeing staff from manually unblocking IP addresses that could be reused by valid users in the future.

This time-based view also allows security teams to address threats in the context of the lifecycle of an attack. By automatically fingerprinting and tracking behavior over time, ThreatX can follow the progression of a threat and trigger protections before there is an impact. For example, ThreatX can detect the earliest stages of attacker reconnaissance and enumeration as they scope out an organization’s attack surface and look for weaknesses. This may progress to brute-force techniques or active testing of exploit techniques. The risk-based approach connects all of these events over time to reveal and protect against a coordinated attack whose risk is easily lost in the noise of daily alerts.
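To make the two ideas above concrete (several detectors corroborating one verdict, and a risk score that rises and decays over time with block/unblock hysteresis), here is a small added example. It is illustrative code written for this page, not ThreatX’s risk engine or any of its APIs; the half-life, thresholds, detector names, fingerprint ids, and sample signals are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical detector output. Timestamps are seconds from an arbitrary epoch.
@dataclass(frozen=True)
class Signal:
    ts: float                 # when the detector fired
    entity: str               # attacker fingerprint the signal is attributed to (hypothetical id)
    detector: str             # which detection method produced it (assumed names)
    weight: float             # risk contribution assigned to that detector (assumed)
    conclusive: bool = False  # a single such signal is enough to block on its own

HALF_LIFE = 600.0   # seconds for a signal's contribution to halve (assumed)
BLOCK_AT = 70.0     # block once the decayed score reaches this (assumed)
UNBLOCK_AT = 30.0   # unblock only after the score has fallen this far (assumed)

def decayed_score(signals, entity, now):
    """Sum each signal's weight decayed exponentially by its age.

    Returns (score, set of contributing detectors, whether any signal was conclusive).
    Signals from the future (ts > now) are ignored so the function can replay history.
    """
    score, detectors, conclusive = 0.0, set(), False
    for s in signals:
        if s.entity != entity or s.ts > now:
            continue
        score += s.weight * 2.0 ** (-(now - s.ts) / HALF_LIFE)
        detectors.add(s.detector)
        conclusive = conclusive or s.conclusive
    return score, detectors, conclusive

def evaluate(signals, entity, now, currently_blocked):
    """Return (blocked, score, reason), applying corroboration and hysteresis.

    - A conclusive single detection blocks immediately.
    - Otherwise blocking needs the score above BLOCK_AT *and* at least two
      distinct detectors, so one noisy method cannot block on its own.
    - An already-blocked entity is released only when the score decays below
      UNBLOCK_AT, so it does not flap around a single threshold.
    """
    score, detectors, conclusive = decayed_score(signals, entity, now)
    if currently_blocked:
        if score <= UNBLOCK_AT:
            return False, score, "risk decayed below unblock threshold"
        return True, score, "risk still above unblock threshold"
    if conclusive:
        return True, score, "conclusive single detection"
    if score >= BLOCK_AT and len(detectors) >= 2:
        return True, score, f"corroborated by {len(detectors)} detectors"
    return False, score, "insufficient risk or corroboration"

def timeline(signals, entity, checkpoints):
    """Re-evaluate at each checkpoint time, carrying the block state forward."""
    blocked, out = False, []
    for t in checkpoints:
        blocked, score, reason = evaluate(signals, entity, t, blocked)
        out.append((t, blocked, round(score, 1), reason))
    return out

# Constructed sample: fp-A is corroborated by two methods; fp-B trips one method
# repeatedly; fp-C produces one conclusive hit.
SAMPLE = [
    Signal(0,   "fp-A", "app-behavior-anomaly", 30),
    Signal(60,  "fp-A", "app-behavior-anomaly", 30),
    Signal(120, "fp-A", "active-interrogation-failed", 40),
    Signal(0,   "fp-B", "app-behavior-anomaly", 30),
    Signal(30,  "fp-B", "app-behavior-anomaly", 30),
    Signal(60,  "fp-B", "app-behavior-anomaly", 30),
    Signal(0,   "fp-C", "known-exploit-payload", 20, conclusive=True),
]

if __name__ == "__main__":
    for entity in ("fp-A", "fp-B", "fp-C"):
        for t, blocked, score, reason in timeline(SAMPLE, entity, [0, 120, 720, 1320]):
            print(f"{entity} t={t:5}  blocked={blocked!s:5}  score={score:5}  {reason}")
```

Running the timeline for fp-A shows the intended shape: at t=0 a single anomaly is not enough, at t=120 the failed interrogation corroborates it and the entity is blocked, at t=720 the score has halved but stays above the unblock line, and by t=1320 it has decayed enough to release the block automatically. fp-B never blocks despite a higher raw score, because only one detector is speaking.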

Adding it All Up

Now that we’ve identified the benefits of a risk-based decision model, let’s raise the conversation up a level. By modeling risk for each application and technology stack, we can begin to define risk patterns over time:

  • Some customers get attacked simply because of name recognition.
  • Certain technologies are inherently prone to higher risk because of the constant flow and exposure to new vulnerabilities.
  • In other cases, the risk for a particular platform may be the result of poor patching or development practices introducing unnecessary risk (e.g., a new code release exposing unencrypted PII).

By monitoring relative and varied risk for each application over time, ThreatX can begin to identify key drivers of risk and potential business decisions that could significantly reduce that risk.

ThreatX uses the combination of detailed attack metrics about applications and targeted components to identify specific areas of greatest risk. To make the intelligence even more actionable, ThreatX compares the relative risk to customer peer groups to identify outliers. This elevates the conversation beyond simple security management to assessing the viability of certain technologies and support mechanisms to incorporate risk into business decisions. While ThreatX provides virtual patching for any vulnerability identified, some customers have actually accelerated application platform migrations and/or switched third-party providers based on the ability to mitigate significant (and previously unknown) risks.

While certainly not an exhaustive list of all the ways that risk can be used to drive better AppSec policies, hopefully these examples illustrate an important concept: risk-based views give much better context for decision-making. When risk-based context is an integral part of the solution and not an external process layered on top of it, smarter, faster decisions result. And that is undoubtedly a good thing. If you’d like to learn more about the ThreatX risk engine and how it could help your organization, please reach out to us and let’s schedule a demo so we can show you how a risk-based approach to application security can change the way you think about application security.

About the Author

Bret Settle

Bret has served in multiple executive roles for Corporate Express/Staples and BMC Software and has extensive knowledge of the software development and security products industries. He has been responsible for enterprise security in multiple roles, has been an innovator throughout his career, and has a proven track record of building and developing high-performing organizations and dynamic cyber security teams.