The benefits of security behavior analytics for devops

How TrueFort’s approach to application-centric security monitoring creates a real-time feedback loop for dev, sec, and ops teams

The benefits of security behavior analytics for devops
Gremlin / Getty Images

Technologies and practices such as cloud-native architectures, continuous integration and continuous delivery (CI/CD), devops, and site reliability engineering (SRE) are enabling organizations to innovate and accelerate the delivery of software products.  But they are also disrupting the traditional software development and maintenance life cycle (SDLC) and significantly changing what enterprises need to do to successfully secure applications and business services.

To help organizations ensure the secure delivery of applications, TrueFort has developed an approach to cloud workload protection and monitoring called Application Security Behavior Analytics (ASBA). ASBA is based on three critical components:  Real-time application behavior profiling, CI/CD security monitoring, and run-time protection.

Real-time application behavior profiling

Business applications can generally be characterized by a combination of their behaviors and relationships to other entities.

For example, a typical retail ecommerce application includes communications between services using known API calls from the time zones in which customers are based, and from the networks associated with those time zones. There is also synchronized activity between web servers, load-balancers, caches, document stores, and databases.

At quick glance, an ERP system may look like an ecommerce application. It is likely to have interconnected web, application, and database servers with correlated behaviors such as increased database activity linked with increased application server activity.  But unlike ecommerce, ERP is typically accessed only by users on the LAN, and is characterized by busy, server-side-only periods associated with monthly reporting cycles and batch processing.

Malicious insiders and external attackers often do not know or care about these behavioral nuances and threat crumbs, believing that once they have breached the enterprise perimeter, anything they do will go unnoticed. Unfortunately, they often do go unnoticed.

The TrueFort platform closes this gap by profiling the behavior of business applications holistically to build a baseline model of “normal” activity in order to identify what is anomalous and a potential threat. To accomplish this, TrueFort monitors hundreds of parameters on each workload including their relationships, dependencies, processes, and temporal fluctuations and correlates this data with data from other workloads. 

Examples of captured telemetry include network connections, process details, service accounts, mounted file systems on the VM/server/container, and their relationships to other infrastructure and application tiers and upstream and downstream applications.

Based on this comprehensive visibility and established normal baselines, ASBA can uncover important anomalies, such as a database that becomes unusually busy while its front-end application server is idle — which happened during the Equifax data breach, for example. Deviation from the normal baseline may indicate a malicious insider or external threat actor gaining access to the network from an unexpected location and at an unusual time. ASBA detects incidents of this nature in real time for fast response, forensic investigation, and automated remediation.

SDLC and CI/CD security monitoring

Organizations embracing digital transformation embrace new development methodologies. In the process, they often find themselves exposed to new risks by opening up new attack surfaces.

First, the CI/CD toolchain has become an attack surface. CI/CD accesses a company’s IP (code, data, configurations, credentials) and lacks a dedicated security wrapper, yet it must be protected from insider threats, external attackers, and process leaks.

And while CI tools like Jenkins and Spinnaker are incredibly valuable and commonly used to automate development including workflow, quality gates, promotion, defect tracking, and more, a failure or attack here has the potential to inflict catastrophic damage to a business. 

For example, code push, upgrade, and recovery are increasingly automated with time to recovery measured in minutes or seconds. A compromise of the CI toolchain by a malicious insider or outsider could indefinitely halt software build activities and also prevent the recovery of failed services.

ASBA can profile, detect, alert on, and mitigate compromises in the toolchain and the business processes they deliver before damage becomes widespread. Specifically, ASBA can monitor multiple elements including who or what is accessing a source repository, who has pulled from Nexus, where changes to a Jenkins workflow were made, and so on. ASBA can also provide forensic data and ultimately block unauthorized activity.

Second, the use of third-party code presents security risks within development, especially as the use of open source components increases. When vulnerabilities in these building blocks and complex dependency trees are coupled with the relative ineffectiveness of scanners to discover exploitable flaws, security risk increases significantly. 

TrueFort and its ASBA approach provide a last line of defense and assurance for run-time application protection by detecting behavior anomalies regardless of the method used to carry out an attack, be it a vulnerability in third-party or custom code or another cause.

Third, while product teams routinely adopt test driven development (TDD) to automate software testing, relatively few incorporate adequate security validation. This includes evaluating the implementation of artifacts (containers, WAR files, etc.), code, and APIs to ensure they are secure prior to promoting them for release (Shift Left). While code quality and code analysis may provide security benefits, they cannot be regarded as a catchall.

ASBA can provide a critical feedback loop to enhance defenses in the validation phase.

For example, on July 8, 2019, a zero-day vulnerability in the Ruby library strong_password was reported. This zero-day was not recognized in vulnerability databases, so the static and dynamic code analysis tools that rely on these vulnerability feeds would be unlikely to detect an issue. Firewalls suffer the same limitations. That is, firewalls protect the perimeter and prevent data exfiltration by blocking known threats, not zero-day attacks.

ASBA, by contrast, would have detected and alerted on the POST activity to an anomalous URL, which occurred only after this library had been compromised. In this example, ASBA adds both strength and depth to the validation phase by reducing risk, impact, and likelihood.

The test phase (UAT, load, A:B) is also an ideal phase to start profiling normal behavior with ASBA, since an application is functional as soon as it is built. By observing behavior during user acceptance, stress testing, etc., security policies can be constructed to detect, prevent, and protect. For example, workload simulation and resilience tools such as Chaos Monkey generate traffic and valuable data sets that can be used to inform SRE, develop the incident response process, implement a micro-segmentation strategy, and automate response workflows.

Run-time protection

Ideally, deployed applications will incorporate all security lessons learned during development and testing. This seems obvious but is often partially or completely overlooked.

The phrase “we test in production” is often heard in devops circles. This is in fact a truism, as deployment architectures, operations, scale, and other factors in production are unique. And this uniqueness is compounded by A:B and canary testing, deployment, and operations, all of which result in different use cases.

ASBA addresses the gap between testing and deployment by providing insights within the feedback loop to help optimize site reliability engineering so that service-level objectives can be achieved.

Unlike traditional application performance management (APM) or log analytics solutions, the real-time alerting and forensic audit capabilities of Application Security Behavior Analytics provide actionable answers and eliminate the need to query unstructured data for clues and crumbs. In this way, ASBA provides visibility into threats throughout the SDLC as well as while applications are deployed and operational.

Andy Hawkins is Field CTO at TrueFort and a recognized expert in devops, IoT, software engineering, and site reliability/SRE. He has served in executive leadership roles in technical operations at leading companies like SignalFx, Chef, Pivotal, and Opsware.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

Copyright © 2019 IDG Communications, Inc.

How to choose a low-code development platform