Before discussing if signatures are still relevant in this day and age of automation, sophistication, and complexity, let’s quickly talk about how signatures have evolved over time.
As the internet found ever-increasing adoption for commerce, banking, and so on, it became obvious that we needed something beyond a basic stateful firewall to protect against an ever-growing field of cybercrime. Port- and IP-based lockdown did not really alleviate the problem of cyber-attacks, as hackers moved towards exploiting applications exposed over HTTP/HTTPS - applications that needed to be available for business. Web application attacks soon grew extremely sophisticated, and firewalls evolved in response into what came to be known as Web Application Firewalls (WAF), aka the "Old-Gen WAF". The basic approach to protecting against these evolved attacks was pattern recognition, aka signatures. Signatures have been effective during their time, or at least I would like to believe so.
The challenge with signatures is multi-fold:
- A high rate of false positives due to lack of application context
- Ever-increasing signature count - an indirect overhead on the system in use; essentially, the higher the signature count, the greater the processing overhead
- Constant overhead of defining signatures for existing or newly discovered vulnerabilities
- Uncertainty around false negatives (Is there any assurance from any vendor that every signature for every threat or vulnerability is included?)
- Operational overhead for whitelisting false positives
- Is it really possible to define a signature for every possible combination? E.g., 1=1 can be expressed in several ways: 1=1 is the same as 2=2 or (2-1)=(0+1)
- The onus of defining custom signatures based on application calls falls on the operations team
As other areas of security (endpoint security, for example) have continued to evolve from relying on signature-based protection to controls based on application context, analytics, and machine learning, web application security seems to be stuck in the signature world. It is quite common for security teams to ask questions such as: "Can you protect from this xyz vulnerability?", "How quickly do you update your signature database?", or "How can I easily define a custom signature?".
At a time when the success of businesses relies heavily on applications, we have to ask ourselves: is this the right approach? Is relying on signatures to protect the most important applications the best way to protect our business? Is there a different approach that would break this never-ending cycle of over-reliance on vendors for signatures and worry about zero-day vectors?
As attacks have evolved along with technology, using the available signatures is still important; however, it has been proven time and again that attacks can outsmart signatures, get past the web application firewall, and execute in the application.
Enter RASP - Runtime Application Self-Protection.
So how's RASP different? RASP is a security technology deployed into an application's server to detect and then prevent attacks in real time, in the context of the application. RASP prevents attacks by "self-protecting": it applies application context to traffic patterns automatically, without human intervention, and then responds to certain conditions.
RASP comes into play when the application is executed (runtime), causing the program to monitor itself and detect malicious input and behavior.
By moving security beyond the perimeter of a network or an endpoint, RASP enables applications to defend themselves.
In real time, RASP analyzes both the application's behavior and the context of that behavior. Because security analysis is continuous, the system responds immediately to any recognized attack.
So, what does this mean for the Security/Ops team in the trenches fending off the bad actors?
- Reduced overhead of managing a solution (reduced TCO) and reduced false positives
- No need to define a signature for every vulnerability out there
- Applications continue to be protected even from threats originating from inside the network
- Coverage of zero-day vectors
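The tautology variants from the signature discussion above and the application-context check RASP performs at runtime, as an added Python example (not the vendor's code or architecture): a toy signature regex is compared with a structural check that tokenizes the SQL the application is about to run and flags any input that changes the query's shape. The signature, the tokenizer and the `posts` query template are constructed assumptions for this illustration.

```python
import re
from typing import List

# Toy "Old-Gen WAF" signature (constructed for this example): the literal tautology.
TAUTOLOGY_SIGNATURE = re.compile(r"\b1\s*=\s*1\b")

def waf_signature_blocks(user_input: str) -> bool:
    """Signature match: blocks only when the literal pattern appears in the input."""
    return bool(TAUTOLOGY_SIGNATURE.search(user_input))

# Context-aware check in the spirit of RASP: the application knows the query it
# intends to run, so compare the token *structure* of the query built from the real
# input with the structure of the same query built from a neutral placeholder.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def sql_shape(query: str) -> List[str]:
    """Reduce a query to token kinds: string and numeric literals collapse to LIT,
    keywords, identifiers and punctuation keep their text, so values do not matter
    but structure does."""
    shape = []
    for tok in SQL_TOKEN.findall(query):
        shape.append("LIT" if tok.startswith("'") or tok.isdigit() else tok.upper())
    return shape

def rasp_blocks(template: str, user_input: str) -> bool:
    """Block when the input adds, removes or changes tokens outside the literal
    the developer intended it to fill, i.e. when it changes the query's meaning."""
    intended = sql_shape(template.format("placeholder"))
    actual = sql_shape(template.format(user_input))
    return intended != actual

# Hypothetical query template the application executes; user input fills the literal.
TEMPLATE = "SELECT id FROM posts WHERE body LIKE '{}'"

if __name__ == "__main__":
    cases = {
        "' OR 1=1 --": "classic tautology",
        "' OR 2=2 --": "same tautology, different literals",
        "' OR (2-1)=(0+1) --": "same tautology, arithmetic",
        "1=1": "benign search for the text 1=1",
    }
    for inp, why in cases.items():
        print(f"{why:40} signature={waf_signature_blocks(inp)!s:5} "
              f"rasp={rasp_blocks(TEMPLATE, inp)}")
```

Parameterized queries remain the first line of defense; the structural comparison shows why a check that knows the intended query catches the 2=2 and (2-1)=(0+1) variants the signature misses, while letting a benign search for the text 1=1 through instead of raising a false positive.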
If you’re interested in getting a deeper understanding of how RASP technology automatically blocks and monitors attacks, you can read more about how our architecture plugs into the application for real-time attack monitoring and blocking.