You can’t find what you don’t know about, and this is especially true when it comes to application security. Firewalls, one of the most common web application security tools, are designed to detect only what is known. In a world of increasing numbers of both new and old threats, companies are finding that, while web application firewalls (WAFs) are a foundational part of their application security program, they don't protect against everything.
In this blog post, we’ll discuss the differences between traditional WAFs and runtime application self-protection (RASP), a technology built for today’s dynamic and evolving threat landscape. You’ll walk away knowing if your current approach to application security is up to snuff or requires a new approach to keep your company and customers safe.
The problem with traditional web app firewalls (WAF)
Firewalls operate off a set of static rules or signatures designed to detect and block known security issues coming in from the web. This is called a stateless WAF. The problem is that if your team doesn't know of every possible malicious action, user, or attack vector (which is next to impossible for even the most robust security teams), you can't possibly write rules and signatures to catch 100% of the threats that could slip past your defenses.
Additionally, rules and signatures in and of themselves are limited. Let's say a rule is set to block all traffic that meets a set of criteria, but there are legitimate exceptions to the rule. Because a static rule can't account for these exceptions, you could wind up blocking benign traffic to your website or application. Another issue is that, due to the static nature of rules, if attackers change their approach or there is an update to your app, a traditional WAF can't detect it. While you could update your rules, attackers are likely to update their methods again, putting you in a continuous cycle of catching up.
To address some of these issues, stateful WAFs were created to search for attacks that span multiple requests and responses. A stateful WAF can look at things like how fast requests are coming in, whether they're coming from the same source, and other indicators of attack behavior. While this approach has given security teams more useful information, it has the unintended side effect of generating an unmanageable number of alerts, making it next to impossible to zero in on the issues that actually matter.
So, how can you detect and block new attacker behaviors, updates to your application, and even zero-day attacks? This is where RASP security tools come in.
Smarter application monitoring with RASP
Runtime application self-protection works a lot like a WAF by blocking bad behavior, but it does so without the need for preset rules. Rather than building a model or predicting that a request will call a database, open a file, or execute a shell command, you watch the app at runtime to see whether it actually performs those actions.
This makes alerts highly relevant because they are based on real application behavior instead of a prediction. There's no need to teach it what bad behavior looks like because you know what the app should and shouldn't be doing. When the app changes, it's no problem because your security is based on the app, not a set of preset rules and educated guesses about how it might react.
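As an added illustration (not code from this post or from tCell), the toy Python below contrasts the two approaches described above: a static WAF signature evaluated against the raw request, and a RASP-style hook on the SQL sink that inspects the query the application actually executes. The product names, client addresses and search strings are constructed sample data, and the metacharacter check is a simplified stand-in for the structural query analysis a real RASP performs.

```python
import re
import sqlite3
from dataclasses import dataclass, field

# Constructed sample requests: (client, search term). Not real traffic.
REQUESTS = [
    ("10.0.0.5", "Union Select Records"),   # a benign product name
    ("10.0.0.9", "' OR 1=1 --"),            # textbook injection string
]

# --- Stateless WAF: a static signature over the raw request ---
WAF_RULES = [re.compile(r"\bunion\b.*\bselect\b", re.I)]

def waf_blocks(value: str) -> bool:
    """Signature match only; knows nothing about what the app does with the value."""
    return any(rule.search(value) for rule in WAF_RULES)

# --- RASP-style sink hook: observe the query the app actually runs ---
@dataclass
class Rasp:
    tainted: list = field(default_factory=list)   # values taken from the request
    alerts: list = field(default_factory=list)

    def execute(self, conn, query, params=()):
        # Simplified rule: request data that lands verbatim in the SQL text
        # (instead of in bound params) and carries SQL metacharacters has
        # altered the query's structure. Real RASP compares token structure.
        for value in self.tainted:
            if value in query and re.search(r"['\";]|--", value):
                self.alerts.append(f"tainted input reached SQL sink: {value!r}")
                return []   # block: the query is never executed
        return conn.execute(query, params).fetchall()

def handle(rasp, conn, term, legacy=False):
    rasp.tainted = [term]
    if legacy:   # string-building code path (the vulnerable one)
        return rasp.execute(conn, f"SELECT name FROM products WHERE name = '{term}'")
    return rasp.execute(conn, "SELECT name FROM products WHERE name = ?", (term,))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(name TEXT)")
    conn.execute("INSERT INTO products VALUES ('Union Select Records'), ('Widget')")
    rasp = Rasp()
    results = {}
    for _, term in REQUESTS:
        for legacy in (False, True):
            results[(term, legacy)] = (waf_blocks(term), handle(rasp, conn, term, legacy))
    return results, rasp.alerts   # WAF: one false positive; RASP: one alert
```

The signature blocks the benign product search on both code paths, while the sink hook stays silent for parameterized queries and fires only when the request value actually reaches the SQL text.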
Rapid7’s next-generation cloud WAF and RASP tool, tCell, observes how your web app should and shouldn’t be behaving and can actively block suspicious behavior to keep you safe. Leveraging cloud analytics, and given that tCell intelligently monitors how your application behaves, it alerts you of only the issues that warrant the attention of your team. For example, of 10,000 attempts, it can determine that only 10 of them made it through your defenses and are a priority to address, not the 9,990 others. From there, you can dig in to see what parts of your application were targeted and the code snippets associated with the attack.
Combining the best of traditional WAF capabilities, such as blocking known malicious traffic, with RASP's ability to monitor for and protect against zero-day attacks, tCell has fast become the go-to all-in-one Next Gen WAF and RASP tool for web application security.
Recently acquired by Rapid7, tCell works within the Insight platform to provide a central hub and insight into all of your application security needs alongside tools like InsightAppSec, InsightConnect, InsightVM, and InsightIDR. This means you can monitor, test, and protect—all in one dashboard. Within your dashboard, you can quickly zero in on alerts that require your attention and see trends in your most common threats, enabling you to double down on protecting against them.
Smarter application monitoring, better response times
Today, good security is about being able to do things better and faster. It's not just about having more data—it's about better data so you can jump into action faster. This is why tCell is a perfect addition to your application security portfolio: it monitors your live application's behavior so that nothing out of the ordinary that poses a true risk happens without you knowing about it.