How do you win the web security game when the rules keep changing?


Successfully protecting against web-based attacks is like trying to win a game that keeps changing its rules, only nobody tells you what the new rules are. With a rapidly evolving threat landscape and protected assets shifting constantly, conventional cloud security services based on static policies cannot win the web security game.

Defending against today’s threat landscape is harder than ever. Zero-day attacks, which exploit newly discovered vulnerabilities for which patches and signatures are not yet available, more than doubled in 2015 and are now launched on a daily basis. Moreover, attackers now commonly hide their attack vectors behind content delivery networks (CDNs) and dynamic IPs, which defeats simple IP blacklisting.

In this dynamic battleground, static cloud security solutions will not protect your applications. They use negative security models that identify attacks based on known signatures of attack vectors and block attackers using IP blacklisting mechanisms. That can’t help you with zero-day or dynamic IP attacks.

Meanwhile, the assets you’re trying to protect are also constantly evolving. Continuous delivery techniques now allow developers to introduce changes into existing applications on a weekly basis, potentially introducing new vulnerabilities into protected assets.

With static cloud security services, launching new applications or introducing changes into existing ones means you must test them for new vulnerabilities and manually change your security policies accordingly. This manual process quickly gets out of control as developers release new versions every week. As a result, new vulnerabilities are constantly introduced into your protected assets, and static web security neither detects nor mitigates them.

How to win the web security game

The way around this is to use automated tools that continuously adapt your protections to mitigate new forms of cyber threats in your ever-changing protected assets.

For example, organizations can better guard against zero-day attacks and attacks using dynamic IP techniques by employing advanced web security systems that use positive, automated, adaptive security models. Using advanced behavioral analysis and machine learning techniques, these systems automatically learn the profile of legitimate traffic and allow only this traffic to flow in, while blocking all other traffic.
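The contrast between the two models can be shown in a few lines. This is an added example, not code from the article or from any product: the traffic samples, signature list, and function names are constructed for illustration, and the "learning" is a simple per-parameter profile rather than real behavioral analysis or machine learning. Note that neither decision depends on the source IP.

```python
import re

# Constructed learning-window traffic: (method, path, params).
LEGIT = [
    ("GET", "/items", {"id": "17"}),
    ("GET", "/items", {"id": "2045"}),
    ("POST", "/login", {"user": "alice", "pin": "4821"}),
    ("POST", "/login", {"user": "bob", "pin": "0077"}),
]

# Negative model: constructed signatures for patterns that are already known.
SIGNATURES = [re.compile(r"<script", re.I), re.compile(r"union\s+select", re.I)]

def rank(value):
    """Character-class rank: 0 = digits only, 1 = alphanumeric, 2 = anything else."""
    if value.isdigit():
        return 0
    return 1 if value.isalnum() else 2

def learn(samples):
    """Profile: (method, path) -> {param: (widest rank seen, longest value seen)}."""
    profile = {}
    for method, path, params in samples:
        spec = profile.setdefault((method, path), {})
        for name, value in params.items():
            r, n = spec.get(name, (0, 0))
            spec[name] = (max(r, rank(value)), max(n, len(value)))
    return profile

def positive_allows(profile, method, path, params, slack=2):
    """Allow only requests that fit the learned profile; everything else is blocked."""
    spec = profile.get((method, path))
    if spec is None or set(params) - set(spec):
        return False  # unseen endpoint or unseen parameter name
    return all(rank(v) <= spec[k][0] and len(v) <= spec[k][1] * slack
               for k, v in params.items())

def negative_allows(params):
    """Allow anything that matches no known signature."""
    return not any(sig.search(v) for sig in SIGNATURES for v in params.values())

PROFILE = learn(LEGIT)
# Constructed request whose value matches no signature (stand-in for an unknown pattern).
NOVEL = ("GET", "/items", {"id": "17;x=%00"})

if __name__ == "__main__":
    print("negative model allows:", negative_allows(NOVEL[2]))
    print("positive model allows:", positive_allows(PROFILE, *NOVEL))
```

The signature list passes the unfamiliar request because nothing in it is known yet, while the learned profile rejects it because `id` has only ever been numeric.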

Another example of using automation to gain better web security is found in systems that employ automated tools to identify changes in the protected assets, launch focused vulnerability scans, and then automatically adapt the security policy to mitigate any new vulnerability found in the protected assets.

This way, by using automation, you can keep pace with the changing rules of the game and ensure your applications remain protected. While new threats rapidly evolve and your protected assets keep changing, that’s the only way to win the web security game: fight fire with fire.