A new ESG report has found that nearly half of all cybersecurity alerts are false positives, and that 75% of companies spend as much time on false positives as on actual attacks, if not more.
Additionally, the report found that 46% of all app downtime was due to false positives. The report also asked organizations about their migration to the cloud and their use of API-based applications, both of which have made security more complicated than it was in the age of on-premises computing. Organizations reported that, on average, they run 11 web application and API security tools, costing the typical business nearly $3 million per year. The report found that these tools are ineffective and largely hamper growth because of false positives and the time spent trying to resolve them.
Current security tools haven’t worked for many organizations, leading them to run the tools in log-and-watch mode (53% of the time), to disable them completely (12%), or both (26%). An incredible 91% of businesses turn off or downgrade their security software in response to too many false positives.
The high prevalence of false positives should be a clear indicator that security tools need to evolve and offer evidence that a real vulnerability is being exploited whenever an attack is reported. An attack that causes no damage, or that is actually blocked by a security tool, should be reported as informational rather than as a serious or critical security event.
Businesses need to take a fresh look at how applications that live in the cloud are secured, especially those with known vulnerabilities that still go unpatched and are subject to real, verifiable attacks. This is where RASP (Runtime Application Self-Protection) really shines as a security solution. A RASP solution like that of K2 Cyber Security is based on a revolutionary approach. K2’s RASP solution, the K2 Security Platform, is the first to truly detect zero day exploits as well as attacks on known vulnerabilities, while providing proof that a vulnerability is exploitable. Rather than relying on technologies such as signatures, heuristics, fuzzy logic, machine learning or artificial intelligence, the K2 Security Platform uses a deterministic approach to detect true zero day attacks. Traditional security approaches are limited to detecting attacks based on prior knowledge about the attacks (often causing false positives) or require weeks or months to learn the application’s behavior (also prone to false positives when one-off events occur). K2’s security platform can detect new zero day attacks within seconds of starting the application and provides proof of vulnerability to reduce the risk of false positives.
The deterministic security of K2’s security platform is based on a unique patent-pending technology called Optimized Control Flow Integrity (OCFI). OCFI uses application execution validation as the primary source of attack detection. K2 maps the application as it runs in memory and verifies that function calls and API calls within the application execute the way the code is written and expected to run. There is no use of prior knowledge about the attacks, and no use of signatures, patterns, or behavioral rule sets. Because it validates code execution and provides proof of exploitability, K2’s unique approach produces virtually no false alarms and can help reduce security costs significantly.
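To make the control-flow-integrity idea concrete, here is a small added illustration (it is not K2’s code and has nothing to do with how OCFI is actually implemented; it is a toy written for this post). It takes a constructed sample application, statically derives the set of caller-to-callee edges its source allows, and then watches the running program with Python’s profiling hook: any call edge that was never present in the source is flagged as a control-flow violation. Real RASP products work on compiled binaries and memory rather than on source text, so the "static map" here is an assumption made to keep the example self-contained.

```python
import ast
import sys
import textwrap

# Constructed sample application (not real product code). Its intended
# control flow is: handle_request -> authorize / load_record / render.
# drop_table exists but is never called by any function in the source.
APP_SOURCE = textwrap.dedent('''
def handle_request(req):
    if not authorize(req):
        return "denied"
    return render(load_record(req))

def authorize(req):
    return req.get("user") == "alice"

def load_record(req):
    return {"id": req.get("id")}

def render(record):
    return "record %s" % record["id"]

def drop_table():
    return "table dropped"
''')

# Constructed stand-in for tampered or hijacked code: a replacement
# render() that diverts execution into drop_table(), an edge the
# original source never contained.
TAMPERED_RENDER = "def render(record):\n    return drop_table()\n"

APP_FILENAME = "<app>"  # tag so the monitor can tell app frames from harness frames


def expected_edges(source):
    """Static map: every (caller, callee) edge between top-level functions
    that the source text allows. Only direct name calls are considered."""
    tree = ast.parse(source)
    edges = set()
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                edges.add((fn.name, node.func.id))
    return edges


def build_app(source):
    """Load the sample application into a fresh namespace, tagged as app code."""
    ns = {}
    exec(compile(source, APP_FILENAME, "exec"), ns)
    return ns


class FlowMonitor:
    """Runtime validation: record every app-to-app call edge that is not in
    the static map. Calls entering the app from outside (the harness) are
    not app-internal edges and are ignored."""

    def __init__(self, allowed):
        self.allowed = allowed
        self.violations = []

    def _profile(self, frame, event, arg):
        if event != "call" or frame.f_code.co_filename != APP_FILENAME:
            return
        caller = frame.f_back
        if caller is None or caller.f_code.co_filename != APP_FILENAME:
            return
        edge = (caller.f_code.co_name, frame.f_code.co_name)
        if edge not in self.allowed:
            self.violations.append(edge)

    def run(self, fn, *args):
        sys.setprofile(self._profile)
        try:
            return fn(*args)
        finally:
            sys.setprofile(None)


def check_clean_run():
    """Untampered application: result plus an empty violation list."""
    ns = build_app(APP_SOURCE)
    monitor = FlowMonitor(expected_edges(APP_SOURCE))
    result = monitor.run(ns["handle_request"], {"user": "alice", "id": 7})
    return result, monitor.violations


def check_tampered_run():
    """Same request after render() was swapped for the tampered version:
    the unexpected render -> drop_table edge is reported."""
    ns = build_app(APP_SOURCE)
    exec(compile(TAMPERED_RENDER, APP_FILENAME, "exec"), ns)
    monitor = FlowMonitor(expected_edges(APP_SOURCE))
    result = monitor.run(ns["handle_request"], {"user": "alice", "id": 7})
    return result, monitor.violations


if __name__ == "__main__":
    print("clean:", check_clean_run())
    print("tampered:", check_tampered_run())
```

The point of the example is the shape of the decision, not the mechanism: nothing about `drop_table` is known in advance, there is no signature for the diversion, and no learning period is needed. The alert fires because an observed edge contradicts what the code itself says can happen, and the violation record (`render -> drop_table`) is the evidence that goes with it.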
K2’s security platform issues alerts based on the severity of the vulnerability and includes actionable alerts that provide complete visibility into attacks and vulnerabilities. By providing the location of the vulnerability in the application, along with details such as the filename and line of code where the vulnerability exists, and proof of exploitability, security organizations can quickly address the vulnerability and solve the problem.
K2’s platform is easy to install and can be deployed in the cloud, on-premises, or in hybrid environments, making it ideal for today’s transition to the cloud, including IaaS and PaaS environments.
Take a page from NIST to improve application security
Don’t just take our word for it: the National Institute of Standards and Technology (NIST) has just finalized its security and privacy framework, SP800-53, released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as additional security layers within the framework. This is a first, recognizing these two advances in application security and now requiring them within the security framework.
In addition to using K2’s RASP to protect a production CI/CD environment, we also wrote previously about adding a RASP agent to DAST tests to get IAST security test results. Our RASP solution resides on the same server as the application and provides continuous application security during runtime for CI/CD environments. By running on the same server as the application, RASP solutions ensure continued application security, even when the application is subjected to DAST testing. For example, as mentioned earlier, a RASP solution has full visibility into the application, so it can analyze the application’s execution to validate that the code runs as written, and it understands the context of the application’s interactions. That gives RASP the ability to provide details such as line-of-code visibility, evidence of exploitability, and the full payload needed to replicate an exploit.
IAST is the other new recommendation for application security from the revised NIST draft, and if you haven’t heard of IAST, there is a good definition available from Optiv.
“IAST is an emerging approach to application security testing that combines elements of its two more established brothers in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). IAST instruments the application binary which can allow both DAST type confirmation of the success of the exploit and SAST type coverage of the application code. In some cases, IAST allows security testing as part of the general application testing process, which offers significant benefits to DevOps approaches. IAST has the potential to conduct tests with fewer false positives/negatives and a higher speed than SAST and DAST.”
With the addition of these two new requirements (RASP and IAST) for application security to the NIST framework, it really is time to rethink the way your organization handles application security and get security that works for a CI/CD environment.
We also recently released a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero day attacks, and how deterministic security meets the need to detect them. It explains why technologies such as artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security. Watch the video now.
Change the way you protect your apps, include RASP, and verify K2’s app workload security.
Find out more about K2 today by requesting a demo or get your free trial.