Competitiveness requires agility, automation, speed, scalability, and relentless focus on the customer, and that is why organisations are developing or moving their business-critical applications to the Cloud. But security needs to keep pace with that change, and traditional approaches to securing those web applications are not going to be able to protect against the latest cyber-threats and protect customer data and confidence.
Data breach – what's the leading source?
Verizon's widely followed Data Breach Investigations Report shows that web application attacks are now the leading source of breaches, up 500 percent since 2014. Meanwhile, according to Gartner, businesses are still spending 95 percent of data centre security budgets on perimeter security – so less than five percent is spent on securing directly against web application attacks. This balance needs to shift. As much as perimeter or end-point security are needed, there needs to be a seismic shift of focus to investing in protection for web applications across their full infrastructure stack.
Cyber-attacks on web applications account for over 40 percent of incidents resulting in a data breach, and are the single biggest source of data loss. These stats are reflected in Alert Logic's own data, where web application attacks comprise the top five attacks seen in its Security Operations Centre (SOC). The most prevalent cyber-attack methods observed are SQLi (SQL Injection), File Inclusion, and exploits against Apache Struts.
So why are web applications so difficult to defend?
Web applications are the hardest workloads to defend, whether on premises or in the cloud, due to their multi-faceted nature. They are complex, with rapidly changing code and fast deployment cycles; they often utilise open source and third-party development tools that can introduce a long tail of inherited vulnerabilities; and they have a large attack surface that can be compromised at any layer within their application stack. They are internet-facing, and typically deliver ecommerce, rich content or SaaS functionality. The OWASP Top 10 (list of the 10 most critical web application security risks) goes some way to showing the scale of the challenge for developers and security teams trying to keep these applications secure.
Cloud-based applications gain the benefit of being hosted on hardened cloud platforms, but attackers are getting wise to that, and are starting to work their way up the application stack to find the weakest link: the more dynamic and interconnected an application is, the more exposed it is to the risk of compromise.
The only way to get ahead of this risk is to have visibility into, and understand, the full application stack so that you can monitor, detect and defend every layer that may be the entry point for attackers.
Easier said than done, though, right?
Security technologies are great at collecting data – events, logs, feeds from up and down the application stack. But, whilst the indicators of compromise are within that data, the reality is that it is so vast that it is becoming harder and harder to put a spotlight on what is obviously malicious and what needs to be analysed and investigated further. And this is being exploited by attackers.
The Target data breach from 2013 is the most famous example of this. The US retailer in fact did have alerts indicating they were under attack. But these alerts were part of 50,000+ events that day collected by their SIEM (Security Information and Event Management), and all of them looked exactly the same, so when the alarm was raised by their SOC, no one realised it was part of an extremely dangerous cyber-attack.
Inspecting data up and down the application stack is important, but as we can see from the Target data breach, it isn't enough.
Protecting web applications
Automated analytics and machine learning are playing a key role in protecting web applications – from detecting anomalies and making sense of suspicious activity, to learning from attack patterns and identifying emerging threats.
But even that isn't enough if you don't have the people skills to be able to help tune machine learning results, or provide deeper threat intelligence, or investigate incidents to determine remediation.
So, unless you're in the enviable position of being able to run a fully comprehensive security system, with all the tools, technologies, threat intelligence and people that can keep you safe, 24x7, CIOs and the wider application development team must establish priorities. Baking security practices into the DevOps lifecycle and reprioritising budgets to account for the recent surge in cyber-attacks on web applications are a must-do, particularly when considering the incoming General Data Protection Regulation (GDPR) in May 2018.
One thing is certain: the threats are not going away, and so company executives need to take more ownership of understanding the risk and attack surface of their business-critical web applications, and ensure that they identify high-risk areas to address before attackers get there first.
Contributed by Oliver Pinson-Roxburgh, EMEA director, Alert Logic
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.