
Copyright Waratek 2016 – All Rights Reserved

Waratek.com

Discussion Paper | November 2016

The Changing Economics of Application Security

The Beneficial Impact of Runtime Protection on the Cybersecurity Marketplace

Highly accurate. Easy to install. Simple to operate.


Introduction

In a Financial Times (September 12, 2016) interview from a Moscow hotel, Edward Snowden said, "We are living through a crisis in computer security the likes of which we've never seen." The solution, said Snowden, is that there should be some form of liability for negligence in software architecture: "People from my tribe will be extraordinarily mad at me for suggesting regulation in the terms of negligence for software security."

How negligent? Research from open source software firm Sonatype shows that 1,000 new vulnerabilities are uploaded each day from more than 7,000 software libraries used by developers to create business applications. On a global basis, the total number of reported cybersecurity incidents has increased from 3.4 million in 2009 to 59.1 million in 2015, according to PwC. Cybersecurity Ventures similarly predicts that global annual cybercrime costs will grow from $3 trillion USD in 2015 to $6 trillion USD by 2021.

To illustrate just how broad and deep the current threat is, consider this:

• Attackers breached the US Office of Personnel Management (US OPM), copying the confidential personnel records of anyone holding a US government security clearance.

• Compromised credentials were used to transfer $81M from the Bangladesh Central Bank to accounts controlled by unidentified hackers.

• A Russian banking network was attacked using a botnet of networked consumer devices (IoT) assembled from 30 countries.

• At least 500 million Yahoo! email accounts were compromised, putting credentials used by consumers into the hands of malicious hackers and threatening the acquisition of Yahoo! by Verizon.

Competing Priorities

A typical annual budget for cybersecurity in a large global financial institution is on the order of $200M USD, with significant pressure for growth depending on the organization's security history. After JPMorgan Chase suffered an attack leading to the loss of 70 million personal and 6 million business records, the bank's CEO, Jamie Dimon, doubled the annual security budget from $250M to $500M USD.


Financial services institutions have increased investment in information security during the past three years, but the median security budget remains less than 12% of the total Information Technology (IT) spend, according to the SANS Institute. Within overall security budgets, application security is tied for 14th out of 16 priority activities in the 2016 SANS report on IT Spending Trends. Compare that low investment priority to the risk of losing control of sensitive data: between 80% and 90% of all successful cyberattacks involve a breach at the application layer, per leading experts. This is especially true of financial services institutions. Yet application security investment remains stuck near the bottom of the priority ranking for the following reasons:

• Traditional security concepts based on perimeter and network defenses continue to command the lion's share of investment and of staff attention and skill. Time and again these defenses have proven inadequate against increasingly sophisticated criminal, state-sponsored and politically motivated hackers.

• Gartner points out that only 5% of cybersecurity staff understand application security, a proportion it recommends should be as high as 25%. This is because, historically, most cybersecurity staff have come from backgrounds such as network security or encryption.

• To make matters worse, until recently there has been no highly effective way to protect applications, creating a black hole at the most sensitive part of the entire process.

In this discussion, we will concentrate on the effectiveness and economics of old and new types of cybersecurity, primarily in the financial sector. Note: while there are two primary approaches to providing Runtime Application Self-Protection (RASP), this paper discusses only RASP by virtualization, as pioneered by Waratek.


Traditional Application Protection

Application protection as a separate effort or discipline is relatively new. Cyber defense was modeled on military strategies dating back to the Middle Ages. Perimeter defenses (a firewall) were used to keep attackers out of the castle. Breach the wall, and intruders could largely ransack the treasury (think databases with valuable customer or financial data) with few barriers. A stealth attack could go completely unnoticed until the vault was empty or the castle was lost. Just as layered interior defenses were developed for castles that worked in concert with perimeter defenses, early application security efforts were aimed at bringing the concept of a firewall down to the application level. The first attempts at creating interior defenses for applications have been limited to two approaches:

1. Write more secure software code. Ensure the software is as secure as possible before going live, through a combination of programmer training, software testing tools known as SAST or DAST, and the use of penetration testing teams.

2. Install a Web Application Firewall (WAF). WAFs are a specific type of firewall that runs on a separate server from the application and attempts to read the incoming and outgoing data streams to determine whether any cyberattacks or other dubious behavior are occurring.

Because WAFs are outside the application itself, they are notoriously inaccurate. While they "see" the inbound and outbound data streams, WAFs do not see the interaction of the data and the executing software code in context. It is widely known among security professionals that WAFs are ineffective and are almost never run in blocking mode during live production. This means that they cannot stop an attack before it happens.

Both approaches are extremely labor intensive, expensive and largely ineffective. With the exponential growth in application software and the sheer volume of known vulnerabilities (2 billion downloaded from software libraries in 2015), writing better code is a losing proposition. Likewise, WAFs are costly to purchase, difficult to operate, and generate a high level of false positives that must be investigated. A 2014 NSS Labs report comparing popular WAFs found the average Total Cost of Ownership exceeded $5 per Connections per Second (CPS) and produced an average false positive rate of 0.77%. That translates into millions of false positives per month for a high transaction volume organization and significant labor cost and lost productivity associated with the resulting investigations.

Runtime Application Self-Protection: the Next Generation of Application Security

Runtime Application Self-Protection, or RASP, is a new class of solutions that protect applications and data through self-monitoring and examination of the traffic coming into and leaving an application while it is running. RASP can intervene in real time to prevent illegal actions while simultaneously reporting their occurrence and forensics to the security operations center and/or the business application owner. Out of 30 cybersecurity technologies tracked by Gartner, only RASP is listed in the highest category, "transformational", for its potentially positive impact on the cybersecurity market. The broad category of runtime self-protection can be divided into four sub-groups:

1. Business Logic Protection - RASP prevents the exploitation of software vulnerabilities in business logic during the actual execution of the software. This covers some of the most widespread and dangerous attack vectors, including SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF). The current state of the art offers defense against seven (7) of the ten (10) major known attack vectors, with ten-out-of-ten (10-10) expected in early 2017. The high occurrence of the most common types of attacks and their severity means that risk reduction of 90% or more can be provided "out of the box."

2. Runtime Software Stack Protection - Modern application software is developed to provide specific business logic and functionality to end users. However, the custom-written code for this purpose is often only 10% to 20% of the total software needed to run the application: the tip of the iceberg, if you will. The other 80% to 90% of the application code typically consists of class libraries, open source components, imported modules from GitHub and third parties, and frameworks such as Struts, Spring and Apache Commons, generally running on an application platform such as Tomcat, WebLogic, WebSphere or JBoss. This invisible part of the iceberg also contains potentially fatal vulnerabilities and attack vectors which require protection but often go unguarded. RASP is the first technology offering security for this vast attack surface.

3. Runtime Protection - This refers to the actual runtime, typically provided by Oracle or Microsoft, which also presents a very sensitive attack surface that, if compromised, can lead to total loss of data and application integrity. In other words, to be secure, it is also necessary to protect the runtime as it runs! If the runtime is not part of the RASP solution, then any security measure implemented above this level can easily be disabled by an attacker.

4. Application Hardening - This refers to protecting an application by locking down the estimated 90% of software components included in a standard application that are not required for the software to function properly. In a successful attack, unneeded software elements are activated to execute malicious commands. Runtime Protection can automatically lock unused components of the software stack as well as report attempts to compromise your system.
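As an added illustration of the "lock unused components and report attempts" idea in item 4 above (example code written for this edit, not Waratek's product, which works at the JVM level rather than through a Python import hook), the following installs an allowlist-style component lock in a Python process. The allowlist, the module names used in the scenario and the audit-list format are assumptions made for the demo.

```python
"""Added example: an allowlist-style 'component lock' for a Python process.
Not Waratek's code; their product works at the JVM level, this is a stand-in.
The allowlist, module names and audit format below are assumptions."""
import importlib
import importlib.abc
import sys
from contextlib import contextmanager


class ComponentLock(importlib.abc.MetaPathFinder):
    """Meta path finder placed first in sys.meta_path: any top-level package
    outside the allowlist is refused and the attempt is recorded."""

    def __init__(self, allowed, audit):
        self.allowed = frozenset(allowed)
        self.audit = audit  # constructed audit trail; a product would report to the SOC

    def find_spec(self, fullname, path, target=None):
        top = fullname.partition(".")[0]
        if top in self.allowed:
            return None  # not ours to decide: defer to the normal finders
        self.audit.append(fullname)
        raise ImportError(f"component {fullname!r} is locked by runtime policy")


@contextmanager
def locked_components(allowed, audit):
    """Install the lock for the duration of the block, then remove it."""
    lock = ComponentLock(allowed, audit)
    sys.meta_path.insert(0, lock)
    try:
        yield lock
    finally:
        sys.meta_path.remove(lock)


def try_load(module_name):
    """True if the module could be imported, False if the lock refused it."""
    try:
        importlib.import_module(module_name)
        return True
    except ImportError:
        return False


def run_demo():
    """Constructed scenario: the 'application' needs only colorsys and json;
    xmlrpc is present on the system but unused, so the policy locks it."""
    audit = []
    with locked_components({"colorsys", "json"}, audit):
        needed = try_load("colorsys")         # on the allowlist: loads normally
        unused = try_load("xmlrpc.client")    # not needed: refused and recorded
    return {
        "needed_loaded": needed,
        "unused_loaded": unused,
        "audit": list(audit),
        "loads_once_unlocked": try_load("xmlrpc.client"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two practical caveats follow from how the import system works: modules already cached in sys.modules are never routed through a finder, so the lock has to be installed before the application starts, and the allowlist must include the transitive dependencies of every component the application legitimately uses, which is exactly the "what is actually needed" inventory the hardening step produces.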

It is important to note that there is no inherent conflict between traditional defensive measures and runtime security running alongside each other as part of a defense-in-depth posture. Even when a car is mechanically perfect when purchased and is driven by an experienced driver, we still need the added protection of seat belts and air bags while on the road, safety features that have reduced fatalities from road accidents by 75%. Runtime protections serve the same function within application security. Gartner forecasts that, over time, runtime protection will begin to replace and eventually eliminate many aspects of the traditional methods of application security due to its significant advantages in effectiveness, speed and financial cost.
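To make the contrast drawn above concrete (a WAF that can only pattern-match the inbound parameter, versus RASP checking the finished SQL statement at the moment the application executes it, as in the Business Logic Protection sub-group), here is an added example written for this edit; it is not code from the paper or from Waratek. Python and sqlite3 stand in for the JVM stack the paper discusses; the signature list, the shape-comparison rule, the learn-on-first-use baseline, the table rows and the inputs are all constructed assumptions.

```python
"""Added example: WAF-style signature matching on a request parameter versus a
RASP-style structural check on the SQL statement about to execute.  Written
for this edit, not Waratek's code; Python/sqlite3 stand in for the JVM stack.
Signatures, the shape rule, table rows and inputs are all constructed."""
import re
import sqlite3

# A WAF only sees the inbound parameter, so all it can do is pattern-match it.
WAF_SIGNATURES = [re.compile(p, re.I) for p in (r"\bor\b", r"--", r"\bunion\b")]


def waf_flags(param):
    """True when the raw parameter matches a signature (the WAF's whole view)."""
    return any(sig.search(param) for sig in WAF_SIGNATURES)


# RASP-style: tokenise the finished statement and collapse string literals, so
# two statements that differ only in literal values have the same 'shape'.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


def sql_shape(statement):
    return tuple("LIT" if t.startswith("'") else t.lower()
                 for t in TOKEN.findall(statement))


class RaspConnection:
    """Wraps a DB connection: learns the statement shape for each call site on
    first use, then refuses any statement from that site whose shape differs,
    i.e. where input changed the SQL structure rather than just a value.
    (A product would learn the baseline in a trusted phase; trusting the first
    call is a simplification for this demo.)"""

    def __init__(self, conn):
        self.conn = conn
        self.baseline = {}
        self.blocked = []  # forensics the SOC would receive

    def execute(self, site, statement):
        shape = sql_shape(statement)
        expected = self.baseline.setdefault(site, shape)
        if shape != expected:
            self.blocked.append((site, statement))
            raise PermissionError(f"{site}: SQL structure altered by input")
        return self.conn.execute(statement)


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("salt", 1.0), ("pepper", 2.0), ("pepper grinder", 15.0)])
    return conn


def search(rasp, term):
    """The application's lookup, deliberately built by string concatenation
    (the defect class the guard is meant to catch); the guard decides whether
    the finished statement may run."""
    stmt = f"SELECT name FROM products WHERE name LIKE '%{term}%' ORDER BY name"
    return [row[0] for row in rasp.execute("product-search", stmt)]


def run_demo():
    rasp = RaspConnection(build_demo_db())
    out = {"benign": search(rasp, "pepper")}                 # establishes baseline
    out["waf_flags_benign"] = waf_flags("salt or pepper")    # WAF false positive
    out["rasp_allows_benign"] = search(rasp, "salt or pepper")  # shape unchanged
    try:
        search(rasp, "x' OR 'a'='a")   # constructed structure-changing input
        out["rasp_blocked"] = False
    except PermissionError:
        out["rasp_blocked"] = True
    out["blocked_count"] = len(rasp.blocked)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The two behaviours the paper attributes to each approach fall out directly: the signature check raises a false positive on an ordinary search term containing the word "or", while the structural check lets that term through (it is still one literal) and blocks only the input that adds tokens to the statement. The structural check also has nothing to tune per application, which is the "out of the box" property the paper describes.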

"By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies." (Gartner 2016 Top Predictions, June 2016)


Value of Time: Runtime Protection vs. Traditional Approaches

Time plays two key roles in application security: 1) the length of time a vulnerability remains unprotected; and 2) the length of time required to mitigate the flaw. Both have significant cost implications that can be reduced through Runtime Protection. Oracle, Microsoft, software developers and the security community frequently report serious flaws they have discovered (an average of one every 100 hours in Oracle's Java), prompting software firms to issue critical patch updates for immediate action. Each new update starts a race between attackers and defenders: can the patch be applied before an attack occurs exploiting this publicized weakness?

"It takes, on average, three to six days for an attacker to successfully exploit a vulnerability, more than 250 days to discover an attack is underway, and an additional 82 days to contain the attack." (Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis)

Time is the one constraint that no amount of money or manpower can overcome, making time a critical consideration in cybersecurity. In the case of remediation, a huge gulf exists between Runtime Application Self-Protection, which is effective immediately, and all prior methodologies. Approximately 10% of the world's enterprise level applications were vulnerable to attack for at least three months in 2015 while a fix was developed for the Struts 2 flaw. Companies remained open to attack until the fix was put into production. A RASP virtual fix was developed and deployed within 24 hours for Struts. In the case of Apache Commons, the built-in RASP protections defended against this new attack, inoculating the protected systems completely from that attack vector.

The traditional remediation process is outlined in the accompanying chart:


Except for a small number of priority cases, the turnaround time in large organizations is three to six months and increasing. With the size of critical patch updates steadily rising (from an average of 128 per patch in 2014 to more than 250 per patch in 2016), it is not surprising that a large number of known vulnerabilities are never corrected. The constraints of limited manpower and stressed budgets are compounded by the risks of reopening old source code, where the original developers are gone and documentation may not be up to date or accurate. Runtime Protection, however, offers instant protection and significant cost-saving opportunities. RASP is deployed in a matter of minutes without requiring any code changes to the underlying application or tuning to obtain the "out of the box" protections offered by the solution. Further, when a zero-day threat emerges (a new type of attack that has not been seen before), additional protective rules can be uploaded to the RASP rule file without needing to pull the application from production.

"99% of all successful attacks through 2020 will exploit a vulnerability known for at least one year." (Gartner 2016 Top Predictions, June 2016)

The same is true of routine critical patch updates: protected applications continue to run with no requirement to physically update the app's code. Known as "Virtual Patching," this process relieves a business of significant organizational overhead and provides immediate mitigation where physical patches are not feasible or are delayed. For many legacy applications, virtual patching is the only option, as installing a new patch may destabilize the application. Significant resources can also be saved by mixing virtual patching and physical updating of the application's code, so that the cadence of physical updates can be reduced from four times per year to once per year, yielding significant financial savings.
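As an added example of the rule-file mechanism the two paragraphs above describe (protective rules uploaded and applied while the application keeps running, without a code change or a redeploy), here is a small virtual patcher written for this edit; it is not Waratek's rule format or code. It loads constraint rules from a JSON file, wraps the named application function with an input check, and re-applies a new rule set on reload. The rule schema, the rule identifiers and the `lookup_account` function are constructed assumptions.

```python
"""Added example of rule-file virtual patching: constraint rules are loaded
from a JSON file and wrapped around the named application function at runtime;
a new rule file is applied on reload without changing or restarting the app.
Written for this edit; the schema, rule ids and lookup_account are constructed
and are not Waratek's rule format."""
import functools
import json
import os
import re
import tempfile


class VirtualPatcher:
    """Applies 'allow pattern' rules to functions in a namespace.  In a real
    module the namespace would be module.__dict__, so callers that resolve the
    name at call time pick up the guarded version without being edited."""

    def __init__(self, namespace):
        self.namespace = namespace
        self.originals = {}   # function name -> unwrapped callable
        self.blocked = []     # (rule id, function, offending value) for the SOC

    def load(self, rules_path):
        """(Re)load a rule file: drop the previous wrappers, apply the new set."""
        with open(rules_path, encoding="utf-8") as fh:
            rules = json.load(fh)["rules"]
        self.unpatch_all()
        for rule in rules:
            self._apply(rule)
        return len(rules)

    def _apply(self, rule):
        name, idx = rule["function"], rule["arg"]
        original = self.originals.setdefault(name, self.namespace[name])
        pattern = re.compile(rule["allow"])
        current = self.namespace[name]   # may already be wrapped by another rule

        @functools.wraps(original)
        def guarded(*args, **kwargs):
            value = str(args[idx])
            if pattern.fullmatch(value) is None:
                self.blocked.append((rule["id"], name, value))
                raise ValueError(f"{rule['id']}: argument {idx} of {name} rejected")
            return current(*args, **kwargs)

        self.namespace[name] = guarded

    def unpatch_all(self):
        for name, original in self.originals.items():
            self.namespace[name] = original
        self.originals.clear()


# Constructed rule files: v1 allows any 1-12 digit id, v2 tightens it to 8 digits.
RULES_V1 = json.dumps({"rules": [
    {"id": "VP-001", "function": "lookup_account", "arg": 0, "allow": "[0-9]{1,12}"}]})
RULES_V2 = json.dumps({"rules": [
    {"id": "VP-002", "function": "lookup_account", "arg": 0, "allow": "[0-9]{8}"}]})


def lookup_account(account_id):
    """Stand-in for application code that must not be edited or redeployed."""
    return {"id": account_id, "balance": 100.0}


def rejected(fn, value):
    """True if the guarded function refused the value."""
    try:
        fn(value)
        return False
    except ValueError:
        return True


def run_demo():
    app = {"lookup_account": lookup_account}   # stands in for a module namespace
    patcher = VirtualPatcher(app)
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        rules_path = os.path.join(tmp, "rasp-rules.json")
        with open(rules_path, "w", encoding="utf-8") as fh:
            fh.write(RULES_V1)
        out["v1_rules"] = patcher.load(rules_path)
        out["v1_accepts"] = app["lookup_account"]("12345678")["id"]
        out["v1_rejects_letters"] = rejected(app["lookup_account"], "1234; x")
        out["v1_accepts_short"] = not rejected(app["lookup_account"], "42")
        with open(rules_path, "w", encoding="utf-8") as fh:   # new rule uploaded
            fh.write(RULES_V2)
        out["v2_rules"] = patcher.load(rules_path)              # applied live
        out["v2_rejects_short"] = rejected(app["lookup_account"], "42")
        out["v2_accepts"] = app["lookup_account"]("12345678")["id"]
    out["blocked_ids"] = [b[0] for b in patcher.blocked]
    return out


if __name__ == "__main__":
    print(run_demo())
```

The point the paper makes is visible in `run_demo`: `lookup_account` is never edited, yet its accepted inputs change twice, once when the first rule file is loaded and again when the tightened file replaces it, and every refusal is recorded with the rule that fired so the security team can see what the virtual patch is absorbing while the physical fix is scheduled.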


The Value of Protection: Runtime Protection vs. Traditional Approaches

Runtime protection can be easily scaled while dramatically reducing the cost of application security compared to other approaches that require application code changes, customization or tuning. A comparative table of costs using these different methodologies is summarized below:

Protecting All Applications

The early focus of application security programs was to protect only a small number of applications with the highest levels of security risk. An institution would concentrate only on the most sensitive web-facing applications, where a breach would provide access to customer data and have a highly public impact on the institution's brand and reputation. Now, the most sophisticated attacks often start by penetrating "lower priority" unprotected applications and build credentials across the interconnected systems to finally take control of the target application. Consequently, the best practice required by regulators is to protect all applications.

A similar process is currently underway with respect to the severity of vulnerabilities against which applications should be protected. Up until now, many institutions would focus only on vulnerabilities with a CVSS score of nine (9) or ten (10); other institutions would cover severity scores of seven (7) to ten (10). Increasingly, company policies and/or regulations require protection from severity scores of four (4) or above, for the same reason: lower severity vulnerabilities can be stepping stones for an advanced persistent attack to gain control of core assets. Unlike traditional approaches, where expanding the coverage of vulnerabilities can lead to increased costs, the cost of Runtime Protection is not impacted by the depth or breadth of vulnerabilities addressed. Runtime Protection also makes complete coverage of an application estate practical and financially feasible.


The Cost of Application Protection vs. the Cost of a Breach

While the above sections provide potential measurement of the relative effectiveness, speed of implementation, financial costs, coverage and scalability of different approaches, the missing element for a full economic appraisal is the cost of a breach. Protecting against breaches is a form of insurance, and the ultimate question is what the value at risk is when a breach occurs. In a 2016 study commissioned by IBM, the Ponemon Institute calculated that the average cost of a breach has increased to $4 million USD. And that does not include intangible costs such as loss of reputation, sales, market share or shareholder value. Other cost considerations increasingly include the cost of cyber insurance premiums and deductibles, legal and other professional service fees (public relations, government affairs, etc.) as well as increased budgets for marketing and cyber security. To return to the Edward Snowden quote at the start of this paper, what would happen to the security policies of financial institutions if they faced the same risks and liability as the food industry?

How would behavior and attitudes towards achieving effective application security change if banks were held accountable to the extent automobile manufacturers are whenever a defect leads to a product recall? As the risk from known, but unaddressed, software vulnerabilities grows into the tens, and even hundreds, of thousands, at what point can a financial institution and its leadership be held personally liable if a breach occurs exploiting a weakness of which they had "constructive" notice? There are no easy answers to these questions. The experience to date has been that cyber breaches may lead to billions of dollars being wiped off the valuation of public companies. Senior management, right up to the CEO, may be forced to resign. In other incidents, the financial damage to the market cap has been more limited and may recover within months. There has been no definitive finding on this subject to date, but there is general agreement that the situation is evolving quickly, and potentially for the worse.


Summary & Conclusion

The argument for Runtime Protection is very compelling on at least three grounds:

1. It is a new form of additional and non-correlated "defense in depth" protection that will reduce the overall risk of enterprise software applications by at least 80%.

2. It is capable of much faster and highly scalable implementation, addressing the ever-increasing backlog of identified but unaddressed vulnerabilities as well as the issue of application security measures that are viewed as "too little and too late."

3. It is more accurate, effective and financially feasible than traditional application security approaches while providing full software stack protection across an entire application estate, not just portions of select applications.

Runtime Protection is a new technology that reduces risk, financial cost and staffing requirements, and is faster to implement at scale and incrementally in response to known and unknown security challenges. Recognized as a superior technology, Gartner considers RASP the only approach rated as a transformational technology capable of addressing the application security challenge. This challenge is at the very heart of today's cyber security crisis.

Author: Brian Maccaba, CEO, Waratek Limited, November 2016

