Digital transformation initiatives, many propelled by the pandemic, continue to accelerate at a rapid pace. And, as technology advances and user requirements grow, so does the complexity of the modern application stack — with security defenses often struggling to keep pace.
Developers are leveraging a variety of tools, platforms, languages, and services to deliver more sophisticated features and functionality. However, every additional component used to build an application increases the size of the attack surface and the risk of an attack. Threat actors have a greater chance of discovering a vulnerability, misconfiguration, or bug that can serve as a toehold into the environment.
Increasing Complexity Means New Attack Vectors
APIs are key to enabling developers to connect services and transfer data, automate repeatable tasks, or work with mobile devices and cloud. But the rise of APIs has also extended the attack surface and created another avenue for attackers to access the environment.
The growth of containerization and multi-cloud deployments has similarly expanded the attack surface. Containers are highly dynamic, which complicates security: Sysdig recently reported that 63% of container images are replaced within two weeks or less. In multi-cloud environments, maintaining API visibility across each new cloud platform becomes harder still when security teams must track new, changed, insecure, or unmanaged APIs.
Ultimately, this dynamic attack surface, combined with attackers' increasingly sophisticated methods, has created a scenario in which traditional security methods are no longer sufficient. As attackers increasingly figure out security solutions and work around them, it is no longer enough to analyze HTTP requests alone.
Lessons Learned from Log4j
Runtime threat protection — or the ability to monitor the environment where an application is executed, then take the necessary action to stop malicious behavior — is becoming critical in today's environment.
Runtime environments face a multitude of risks. Examples include zero-day attacks; remote code execution, in which an attacker runs malicious code on the target web server from a remote location; and web shells, which give attackers remote access to a web server through a web browser.
The Log4j vulnerability highlighted the need for runtime API and application protection. Attackers quickly jumped on the disclosure, and security engineers couldn't deploy patches fast enough. The vulnerability was targeted at rapid and alarming speed — more than 32% of all scanning activity observed over the course of a year occurred within the first 30 days of the disclosure, and activity peaked at just 17 days. As organizations responded to the attacks and deployed patches for attack variants, the need for urgent response and the limitations of observing only HTTP request and response pairs became obvious.
While the HTTP requests provided a lot of information, security engineers were not able to quickly identify what attackers were targeting or what techniques they were using. Identifying and blocking at runtime enables security teams to stop threats immediately, no matter how much attackers try to disguise the intent.
Runtime Threat Protection: An Important Part of API and App Security
The need to protect runtime environments is nothing new. Security teams have turned to runtime protection solutions since the term runtime application self-protection (RASP) was coined in 2014. However, obtaining visibility beyond HTTP has been challenging. RASP solutions required teams to deploy and subsequently manage an agent for every tech stack and component, making deployment burdensome and maintenance untenable.
The agents needed to run constantly, and their high CPU load degraded performance while increasing the cost of running applications. Alternative approaches to obtaining runtime visibility required teams to deploy kernel modules, which essentially meant installing code with root-level privileges deep within the kernel. A faulty module can crash or corrupt the kernel, so kernel modules added risk and instability to the OS itself.
Not surprisingly, today, few organizations have real-time visibility into runtime vulnerabilities. A recent study found that only 4% of CISOs have this visibility into containerized production environments.
Security teams today need a solution that:
■ Is Multi-Layered: Effective protection combines runtime and edge protection to enable a 360-degree ability to detect, track, and block threats to APIs and applications. Achieving this requires a multi-layered approach that starts well before runtime — including scanning for misconfigurations, unrestricted network access, missing role-based access control, and vulnerability assessments.
■ Offers Visibility into Runtime Environments: Security teams should look for solutions that provide this necessary visibility into runtime environments. These solutions should cover network flows, system calls, and processes. You can't know if an attack is occurring if you can't see it.
■ Evolves with the Pace of Attacks: While providing the needed protection, solutions should also be able to evolve as new types of attacks are discovered. Otherwise, security teams will need to constantly redeploy applications or solutions to receive the latest protections.
■ Prevents Attacks Before They Start: Ultimately, solutions should enable security teams to shut down or prevent runtime-based attacks altogether by granularly detecting and blocking these threats in real time. For example, Extended Berkeley Packet Filter (eBPF) — a framework for running sandboxed programs attached to hook points inside the Linux kernel — isn't a new technology, but it shows promise in runtime protection. It provides insight into kernel-level data without modifying the kernel, and it can expose data well beyond typical HTTP traffic, including network flows, process tables, environment variables, and more.
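The two passages above (the limits of watching only HTTP request/response pairs, and the value of seeing process and network activity at runtime) are easier to appreciate with a concrete detector. The following is an added example, not code from the original article or from any vendor it mentions: it consumes process-exec and connect events of the kind an eBPF-based sensor would emit, rebuilds the process tree, and raises alerts when a shell is spawned under a web server or when such a shell opens an outbound connection. The event tuple layout, the rule names, the list of web-server and shell command names, and all sample events (pids, paths, the address) are constructed assumptions for this example.

```python
"""Runtime detector over constructed process/network telemetry (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (timestamp, kind, pid, ppid, comm, detail); layout is an assumption of this example
Event = Tuple[float, str, int, int, str, str]

# Constructed sample telemetry: a Java web app, an admin SSH session, and the
# web app spawning a shell that nests another shell and then reaches out.
SAMPLE_EVENTS: List[Event] = [
    (1.0, "exec", 100, 1, "java", "/usr/bin/java -jar app.jar"),
    (2.0, "exec", 200, 1, "sshd", "/usr/sbin/sshd"),
    (2.5, "exec", 201, 200, "bash", "-bash"),               # operator login shell: benign
    (3.0, "exec", 101, 100, "sh", "/bin/sh -c whoami"),     # spawned by the web app
    (3.1, "connect", 101, 100, "sh", "203.0.113.5:4444"),   # that shell reached out
    (3.2, "exec", 103, 101, "bash", "bash -i"),             # nested shell, grandchild of java
    (3.5, "connect", 100, 1, "java", "10.0.0.12:5432"),     # app talking to its database
    (4.0, "exec", 202, 201, "curl", "curl https://example.invalid"),
]

# Assumed command names; a real deployment would derive these from its inventory
WEB_SERVER_COMMS = {"java", "nginx", "httpd", "php-fpm", "node"}
SHELL_COMMS = {"sh", "bash", "dash", "zsh"}


@dataclass(frozen=True)
class Alert:
    ts: float
    rule: str
    pid: int
    detail: str


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str


class RuntimeDetector:
    """Maintains a process table from exec events and evaluates two rules."""

    def __init__(self) -> None:
        self.procs: Dict[int, Proc] = {}

    def _web_server_ancestor(self, pid: int) -> bool:
        """Walk up the process tree; True if any known ancestor is a web server.
        Stops at unknown pids (e.g. init) and guards against cyclic tables."""
        seen = set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            proc = self.procs[pid]
            if proc.comm in WEB_SERVER_COMMS:
                return True
            pid = proc.ppid
        return False

    def process(self, events: List[Event]) -> List[Alert]:
        alerts: List[Alert] = []
        # Sort by timestamp so a child's exec is seen after its parent's
        for ts, kind, pid, ppid, comm, detail in sorted(events, key=lambda e: e[0]):
            if kind == "exec":
                self.procs[pid] = Proc(pid, ppid, comm)
                # Rule 1: a shell whose ancestry includes a web server process
                if comm in SHELL_COMMS and self._web_server_ancestor(ppid):
                    alerts.append(Alert(ts, "web_server_spawned_shell", pid, detail))
            elif kind == "connect":
                proc = self.procs.get(pid)
                # Rule 2: such a shell opening an outbound connection
                if proc and proc.comm in SHELL_COMMS and self._web_server_ancestor(proc.ppid):
                    alerts.append(Alert(ts, "shell_under_web_server_connected", pid, detail))
        return alerts


def detect(events: List[Event] = SAMPLE_EVENTS) -> List[Alert]:
    """Run the detector over a batch of events and return the alerts raised."""
    return RuntimeDetector().process(events)


if __name__ == "__main__":
    for a in detect():
        print(f"{a.ts:5.1f} {a.rule:<34} pid={a.pid} {a.detail}")
```

None of the three alerts this raises on the sample data could be produced from HTTP traffic alone: the request that triggered the shell may look innocuous, while the process lineage and the outbound connect make the behaviour unambiguous. The ancestry walk is what catches the nested shell (pid 103), whose direct parent is not a web server, and it is also why the operator's SSH shell and the application's own database connection stay quiet.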
As organizations adopt new technology, they also need to evolve their security solutions to keep pace. Runtime protection enables organizations to extend their threat detection, ensuring they can detect, track, and block suspicious activity in real time, without slowing developers. With proper protection, organizations can achieve better visibility and protection, and address a number of common threats, such as zero-day attacks, remote access software, and web shells — and ensure they're prepared for the future.
Industry News
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
Platform9 formally launched the Platform9 Partner Program.
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure.
Perforce Software announced its acquisition of Snowtrack.
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
Amplitude announced the rollout of Session Replay Everywhere.
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
Tigera announced an integration with Mirantis, creators of k0rdent, a new multi-cluster Kubernetes management solution.
SAP announced “Joule for Developer” – new Joule AI co-pilot capabilities embedded directly within SAP Build.
SUSE® announced several new enhancements to its core suite of Linux solutions.
Progress is offering over 50 enterprise-grade UI components from Progress® KendoReact™, a React UI library for business application development, for free.
Opsera announced a new Leadership Dashboard capability within Opsera Unified Insights.
Cycloid announced the introduction of Components, a new management layer enabling a modular, structured approach to managing cloud resources within the Cycloid engineering platform.