
Bring Vulnerabilities in Context

Josef Mayrhofer

I attended a hands-on training session on vulnerability scanning, attack detection and prevention a few weeks ago. The four-hour session, led by an instructor, aimed to equip all students with the skills to create an attack and to use advanced vulnerability detection and prevention tools to defend against it in real-world situations.


The classic cybersecurity challenges we deal with are:

  • A high-risk posture: too many findings and no reliable way to tell which ones matter

  • Unprotected vulnerabilities: known weaknesses that stay exploitable while a fix is pending

  • Manual response: attacks are handled by people instead of by rules that block them

  • Laborious investigations: hosts, processes, and logs have to be correlated by hand


There are two reasons why runtime protection is becoming important:


First, traditional application security tools (static analysis, dependency scanning, dynamic testing in the pipeline) support the early development stages. They do not tell us which risks a component carries once it is running in production, and they cannot be applied at all to third-party applications that our team did not build.

Second, the growing complexity of our applications widens the attack surface. A deployed application is a stack of container runtime, language runtime, third-party libraries, and custom code, and every layer in that stack is a potential target.


How do these Runtime protection platforms work?


These platforms deploy a privileged monitoring agent on every relevant server to trace user requests as they pass through processes and libraries. The heart of the system is an AI-powered backend that collects these traces and analyses them in near real time with heuristics, anomaly detection, and pattern matching, then matches the identified components against vulnerability databases. When a new vulnerability is published, the platform can start flagging the affected components within about an hour. The essential advantage is that the platform understands the context of each vulnerability: it sees whether the vulnerable component is exposed to the internet and whether it has access to critical data, which sharpens the assessment of the actual risk. The flip side of this design is that the agent itself runs with high privileges on every host, so its rollout, update channel, and backend credentials deserve the same scrutiny as any other privileged software.


Assessing the output of the Runtime vulnerability scan module


The vulnerability module creates a risk-based overview with a score derived from CVSS. The platform uses its observability insights to add context to each vulnerability, such as internet exposure, database access, and whether a public exploit exists, and lowers the CVSS base score where these factors are absent. If a vulnerable component is neither reachable from the internet nor connected to a database, and no exploit is available, its criticality is reduced, which gives the security team time to focus on the issues that are genuinely critical. Note that the adjustment only ever moves the score down from the CVSS base, so an exposed component is never rated above its published severity; the base rating remains the ceiling. The platform also groups vulnerabilities by library, so that the same problem can be remediated quickly across all affected systems.
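The matching step described in the previous section and the contextual scoring described here, as an added example that is neither the platform's nor the author's code: a runtime inventory of processes and their loaded libraries is matched against a vulnerability feed, each hit's CVSS base score is lowered for missing internet exposure, database access, and public exploit, and the findings are grouped by library. The library names, advisory identifiers, version numbers, and the deduction weights are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Process:
    host: str
    name: str
    libraries: dict            # library name -> version observed loaded at runtime
    internet_exposed: bool     # agent saw inbound traffic from public addresses
    database_access: bool      # agent saw outbound connections to a database


@dataclass
class Advisory:
    vuln_id: str               # constructed placeholder, not a real CVE identifier
    library: str
    fixed_in: str              # every version below this one is affected
    cvss_base: float
    exploit_public: bool


@dataclass
class Finding:
    vuln_id: str
    library: str
    host: str
    process: str
    score: float
    severity: str


# Assumed deductions; the real weighting is vendor-specific and not documented on this page.
NO_INTERNET_EXPOSURE = 2.0
NO_DATABASE_ACCESS = 1.5
NO_PUBLIC_EXPLOIT = 1.0


def version_key(version):
    """Numeric tuple so that '2.0.10' compares above '2.0.9'."""
    return tuple(int(part) for part in version.split("."))


def is_affected(process, advisory):
    loaded = process.libraries.get(advisory.library)
    return loaded is not None and version_key(loaded) < version_key(advisory.fixed_in)


def contextual_score(advisory, process):
    """Start from the CVSS base and subtract for each risk factor the runtime does not observe.

    Context can only lower the score; the CVSS base remains the ceiling.
    """
    score = advisory.cvss_base
    if not process.internet_exposed:
        score -= NO_INTERNET_EXPOSURE
    if not process.database_access:
        score -= NO_DATABASE_ACCESS
    if not advisory.exploit_public:
        score -= NO_PUBLIC_EXPLOIT
    return round(max(score, 0.1), 1)


def severity(score):
    """CVSS v3 qualitative bands applied to the adjusted score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def assess(processes, advisories):
    """Match every advisory against every process and rank the findings by adjusted score."""
    findings = []
    for process in processes:
        for advisory in advisories:
            if is_affected(process, advisory):
                score = contextual_score(advisory, process)
                findings.append(Finding(advisory.vuln_id, advisory.library, process.host,
                                        process.name, score, severity(score)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def summarize_by_library(findings):
    """Group findings per library so that one upgrade can be planned across all hosts."""
    grouped = defaultdict(lambda: {"vuln_ids": set(), "hosts": set(), "max_score": 0.0})
    for f in findings:
        entry = grouped[f.library]
        entry["vuln_ids"].add(f.vuln_id)
        entry["hosts"].add(f.host)
        entry["max_score"] = max(entry["max_score"], f.score)
    return {lib: {"vuln_ids": sorted(e["vuln_ids"]), "hosts": sorted(e["hosts"]),
                  "max_score": e["max_score"]} for lib, e in grouped.items()}


# Constructed sample inventory and advisory feed, standing in for agent traces and a vulnerability database.
PROCESSES = [
    Process("host-a", "web-frontend", {"http-client": "1.4.2", "json-parser": "2.0.1"}, True, False),
    Process("host-b", "order-service", {"json-parser": "2.0.1"}, False, True),
    Process("host-c", "batch-job", {"json-parser": "2.0.1"}, False, False),
]
ADVISORIES = [
    Advisory("ADV-0001", "json-parser", "2.1.0", 9.8, True),
    Advisory("ADV-0002", "http-client", "1.5.0", 7.5, False),
]

if __name__ == "__main__":
    for f in assess(PROCESSES, ADVISORIES):
        print(f"{f.severity:8} {f.score:4} {f.vuln_id} {f.library} on {f.host}/{f.process}")
    print(summarize_by_library(assess(PROCESSES, ADVISORIES)))
```

The same 9.8 advisory lands as "high" on the internet-facing frontend and as "medium" on the isolated batch job, which is exactly the reprioritisation the page describes; the library summary shows that one json-parser upgrade closes it on all three hosts.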


On a details screen, we see more insights, such as affected hosts, processes, services, and vulnerable components.



Assessing the output of the Code Level Vulnerability and Runtime Attack Prevention module


The AI-powered backend of this platform detected the simulated command injection attack within a few seconds. The attack view shows its criticality, the services and processes involved, and the correlated log lines. Clicking the block attack button adds a rule that blocks this kind of attack in the future, and a configuration option enables blocking of known attacks for the supported technologies such as Java, .NET, and others. In practice, blocking should be switched on only after a period of report-only operation, so that false positives show up in the attack list rather than as broken production requests.
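The detection and the block rule described above, as an added example that is not the platform's code: a minimal Python hook that wraps subprocess.Popen, flags any shell command in which a tainted request value containing shell metacharacters appears, and either reports or blocks depending on whether the block rule is switched on. It is run against a vulnerable handler and its hardened form. The taint source (a context variable the handler sets explicitly), the handler names, and the payload are assumptions for the illustration; a product agent tracks taint through the web framework instead of asking the handler to declare it.

```python
import contextvars
import re
import subprocess
from dataclasses import dataclass, field

# Untrusted inputs of the request currently being handled. Assumption for this example:
# the handler declares them; a real agent derives taint from the framework's request object.
REQUEST_INPUTS = contextvars.ContextVar("request_inputs", default=())

# Characters that end one shell argument and start another command or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n]")


@dataclass
class Detection:
    command: str
    tainted_value: str
    action: str                     # "reported" or "blocked"


@dataclass
class CommandInjectionGuard:
    """Wraps subprocess.Popen and inspects every shell=True command string."""
    block_attacks: bool = False     # the 'block attack' rule: off means report only
    detections: list = field(default_factory=list)
    _original_init: object = field(default=None, repr=False)

    def install(self):
        guard = self
        original = subprocess.Popen.__init__

        def patched_init(popen_self, *args, **kwargs):
            command = args[0] if args else kwargs.get("args")
            guard.check(command, kwargs.get("shell", False))
            original(popen_self, *args, **kwargs)

        subprocess.Popen.__init__ = patched_init
        self._original_init = original

    def uninstall(self):
        if self._original_init is not None:
            subprocess.Popen.__init__ = self._original_init
            self._original_init = None

    def check(self, command, shell):
        """Flag a shell command if a tainted request value carrying metacharacters reached it."""
        if not shell or not isinstance(command, str):
            return None             # an argv list goes to execve unparsed: no shell, no injection
        for value in REQUEST_INPUTS.get():
            if value and value in command and SHELL_META.search(value):
                action = "blocked" if self.block_attacks else "reported"
                detection = Detection(command, value, action)
                self.detections.append(detection)
                if self.block_attacks:
                    raise PermissionError(f"command injection blocked: {value!r}")
                return detection
        return None


def ping_vulnerable(host):
    """'Before': the request input is concatenated into a shell string."""
    REQUEST_INPUTS.set((host,))
    return subprocess.run(f"echo ping {host}", shell=True, capture_output=True, text=True).stdout


def ping_hardened(host):
    """'After': argv list and no shell, so metacharacters are ordinary characters."""
    REQUEST_INPUTS.set((host,))
    return subprocess.run(["echo", "ping", host], capture_output=True, text=True).stdout


def run_scenario(payload="127.0.0.1; echo INJECTED"):
    """Report-only, then blocking, then the hardened handler; returns what each produced."""
    guard = CommandInjectionGuard()
    guard.install()
    try:
        reported_output = ping_vulnerable(payload)          # attack succeeds but is logged
        guard.block_attacks = True                           # operator clicks 'block attack'
        try:
            ping_vulnerable(payload)
            blocked = False
        except PermissionError:
            blocked = True
        hardened_output = ping_hardened(payload)             # never reaches a shell: not flagged
        benign_output = ping_vulnerable("127.0.0.1")         # no metacharacters: not flagged
    finally:
        guard.uninstall()
    return {
        "reported_output": reported_output,
        "blocked": blocked,
        "hardened_output": hardened_output,
        "benign_output": benign_output,
        "actions": [d.action for d in guard.detections],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

Run it directly to see the four outcomes. The hardened handler is never flagged because the argv list bypasses the shell entirely; that is the fix at the root, and the runtime block rule only compensates for code where that fix has not yet been made.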


My takeaway


  1. Cybersecurity is a continuous process. While solving security issues at the root is a crucial first step, our business applications must be observed at runtime to ensure that vulnerable components are identified and attacks are reported or blocked.

  2. I like the risk-based approach and the additional insights about the context, which improve my understanding of such vulnerabilities.

  3. Runtime protection is crucial, but organizations should always combine it with several other measures.

  4. Outstanding is the AI-based analytics engine, which brings real-time insights into vulnerabilities and attacks and makes cybersecurity continuous.



Keep up the great work!