Inside the Perimeter: How RASP Differs from Network-Based Protections
Cyber incidents and data breaches are constantly on the rise.
As the value of consumers’ personal data and organizations’ internal data rises, attackers are increasingly willing to break in and steal it.
Hacking has become professionalized, with organized crime, state-sponsored groups, and others making a business of breaking into people’s systems.
Part of what makes this possible is the growing reliance on the Internet as a core part of doing business and the complexity of the resulting systems.
All software has bugs, and most of the effort and spending in the cybersecurity field goes to finding and closing these holes before attackers find them, and to cleaning up the mess afterward when that fails.
RASP (runtime application self-protection) provides a more focused and specialized means of protecting potentially vulnerable applications from attack.
RASP is tightly integrated with the application that it protects, giving it greater visibility into the operation of the application.
As a result, RASP has the potential to provide more comprehensive and tailored protection to important applications than traditional, network-based defenses can.
Traditional Network Security Monitoring
The traditional approach to network security is perimeter-focused. The logic is that legitimate users are on the enterprise network, and attacks originate from outside the network. By building a wall between inside and outside and deploying monitoring and defensive technology designed to detect and prevent malicious content from crossing over the border, organizations can protect themselves from attack.
In general, this approach can be effective, since many attacks do originate from outside the network. However, a perimeter-focused approach assumes that the organization’s defenses can detect and block every attempt to infiltrate the network. If an attacker bypasses the perimeter (or the attack originates inside the network), the organization may have little left with which to stop it.
For this reason, many organizations have adopted a strategy of defense in depth. By placing multiple layers of defenses throughout the network, an organization can better protect its resources and sensitive data. However, the effectiveness of this strategy still depends on the effectiveness of each layer, and most of those layers still look at network traffic rather than at what an application does with it.
Introduction to RASP
Runtime Application Self Protection (RASP) takes a different approach to securing applications that are likely targets of attack. According to Gartner, RASP is “a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.” By building the protections into the application itself, developers can tailor them to that application and significantly decrease the probability of compromise.
RASP defenses sit between the application code and the runtime or server executing it. Each system call and data-access request (for example, a database query or a file open) is intercepted by the RASP component and analyzed, with knowledge of the application’s state and inputs, for indications of an attack. The action taken depends on the mode the RASP is running in.
In diagnostic mode, the RASP system may just raise an alert regarding a potential attack. However, RASP can also operate in protection mode and attempt to stop the attack before it executes. Potential actions that a RASP system can take include:
- Terminating a user session
- Ceasing execution of the application
- Alerting the security team
The protections provided by RASP are designed to ensure that a specific application is not exploited by an attacker. RASP protection can be built into the application from the start (allowing a great deal of granularity) or implemented as a wrapper or runtime agent that protects the application in its entirety. Either way, the effect is that the application carries something like its own web application firewall (WAF), but one that sees the application’s internal calls and their arguments rather than only the HTTP traffic arriving at the edge.
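As an added example (not code from the original article or from any RASP product), the sketch below shows the interception described above on a small scale. It hooks the data-access call of a deliberately vulnerable lookup function by wrapping sqlite3’s cursor, and flags a statement when a value the web layer marked as untrusted no longer fits inside a single SQL literal, i.e. when request input has changed the structure of the query. The same hook runs in diagnostic mode (record an alert, let the call proceed) or protection mode (abort the call before it executes). The explicit `begin_request` taint marking, the `Rasp`/`RaspCursor` names and the sample table are assumptions made for the example; commercial products propagate taint automatically and handle far more than SQL.

```python
"""Toy RASP hook for an application's database layer (added example, not a
product's code). Request data is legitimately allowed only inside SQL
literals, so a request value that spans several tokens, or lands in a
comment, has altered the statement's structure: no attack signature needed.
The begin_request() taint marking is a simplification of real taint tracking.
"""
import re
import sqlite3
from enum import Enum

# Lexer for the subset of SQL needed here; strings and numbers are the only
# token kinds in which request data legitimately belongs.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[<>=!]=|<>|[-+*/%=<>(),;.])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (kind, start, end) spans covering the whole statement."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                       # e.g. an unterminated quote
            tokens.append(("other", pos, pos + 1))
            pos += 1
        else:
            tokens.append((m.lastgroup, m.start(), m.end()))
            pos = m.end()
    return tokens


def injection_detected(sql, untrusted_values):
    """True if any untrusted value spans more than one token, or sits in a
    comment or unlexable text. A value entirely inside one literal has not
    changed the statement's structure and is accepted even if it contains
    SQL keywords: a user really can be called 'Drop'."""
    tokens = tokenize(sql)
    for value in untrusted_values:
        if not value:
            continue
        start = sql.find(value)
        while start != -1:
            end = start + len(value)
            hit = [t for t in tokens if t[1] < end and t[2] > start]
            if len(hit) != 1 or hit[0][0] in ("comment", "other"):
                return True
            start = sql.find(value, start + 1)
    return False


class Mode(Enum):
    MONITOR = "monitor"   # diagnostic mode: record an alert, let the call run
    PROTECT = "protect"   # protection mode: abort the call before it executes


class AttackBlocked(Exception):
    """Raised in PROTECT mode; a web layer would map it to a 403 and end the
    offending session (hypothetical handling, not shown here)."""


class RaspCursor(sqlite3.Cursor):
    """Drop-in cursor whose execute() is the interception point."""
    rasp = None                              # set by Rasp.cursor()

    def execute(self, sql, params=()):
        if injection_detected(sql, self.rasp.untrusted):
            self.rasp.alerts.append(sql)
            if self.rasp.mode is Mode.PROTECT:
                raise AttackBlocked("request input altered SQL structure: %r" % sql)
        return super().execute(sql, params)


class Rasp:
    """Per-application state: mode, the current request's untrusted values, alerts."""
    def __init__(self, mode=Mode.PROTECT):
        self.mode, self.untrusted, self.alerts = mode, [], []

    def begin_request(self, untrusted_values):   # called by the web layer (assumed)
        self.untrusted = list(untrusted_values)

    def cursor(self, conn):
        cur = conn.cursor(factory=RaspCursor)
        cur.rasp = self
        return cur


def lookup_user(conn, rasp, username):
    """The protected application: deliberately builds SQL by concatenation."""
    rasp.begin_request([username])
    cur = rasp.cursor(conn)
    cur.execute("SELECT name, role FROM users WHERE name = '" + username + "'")
    return cur.fetchall()


def demo(mode=Mode.PROTECT):
    """Send one benign and one malicious request through the hook."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("admin", "admin")])   # constructed data
    rasp = Rasp(mode)
    seen = {"benign": lookup_user(conn, rasp, "alice")}
    try:
        seen["attack"] = lookup_user(conn, rasp, "' OR '1'='1")
    except AttackBlocked:
        seen["attack"] = "blocked"
    seen["alerts"] = len(rasp.alerts)
    return seen


if __name__ == "__main__":
    print(demo(Mode.MONITOR))   # attack query runs and leaks both rows; 1 alert
    print(demo(Mode.PROTECT))   # attack query never reaches the database; 1 alert
```

Note what the hook does not need: a list of attack strings. A WAF at the edge sees only `' OR '1'='1` in a request parameter and must decide on appearance; the hook sees the finished statement and the fact that a request value straddles the closing quote, the `OR` keyword and a second literal. That in-application context is also why a legitimate user named `Drop Table` is not blocked.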
What Makes RASP Different?
Many organizations rely on network-based, perimeter-focused defenses because they are easy to deploy and generally effective. Most enterprise networks have a small number of connection points to the Internet, creating a choke point through which all traffic crossing the network boundary must flow. By placing network defenses at that choke point, businesses can inspect and block a large share of the attack traffic aimed at their systems, but only to the extent that the attack is recognizable from the traffic alone.
However, not all of an organization’s applications and systems are created equal. Network-based defenses take a “one size fits all” approach to securing an organization’s applications. With RASP, an organization can develop individual defenses for each application, designed to meet its specific needs. Because RASP judges what an input does once it reaches the application rather than what the input looks like on the wire, real-time monitoring of the application’s behavior can detect and block attacks that no signature yet describes.
Protecting Your Applications
An organization’s web applications make up a significant portion of its attack surface. These applications are designed to interact with untrusted users, which means they are often the first thing attackers try when targeting an organization. They are also what defenders must work hardest to protect.
A web application firewall (WAF) is an important first step in providing a high level of protection to an organization’s web applications.
However, some applications may benefit from more specialized and comprehensive protection. Runtime application self-protection (RASP) is designed to run inside or alongside an application and protect it against both known and previously unseen attack vectors.
Using RASP, an organization can either deploy defenses that alert the security team to a potential attack or actively prevent attacks by terminating the malicious user’s session or halting the vulnerable application’s execution.
In this way, an organization can protect vital applications against even novel attack vectors, shielding itself from a potentially damaging incident or data breach.