Enterprises must move quickly to address the needs of their customers and the demands of the market. That generally includes moving functionality to the digital channel at a fairly rapid pace. While this move gives customers what they want and allows the business to remain competitive, it does introduce some additional risks.
Among these risks is an increased attack surface for online applications. As more functionality is added to online applications to keep pace with the evolving demands of the market, more potential for fraud, abuse, and security breaches is also introduced. This may sound like sobering news, but there are steps that can be taken to limit the negative consequences of the digital move.
There are a number of different ways in which online applications can be compromised or abused. Rather than focus on the how (information abounds on that subject), I’d like to focus on the why. In other words, what are the attackers after, and what are the ramifications of breaches when they occur?
Common Motives
In general, attackers are usually driven by one or more different motives. While this is not an exhaustive list, here are a few of them:
- Damaging the brand or reputation of a business, including through inventory manipulation and causing downtime
- Profiting from misuse of the application and/or fraud
- Obtaining personally identifiable information (PII), often for the purpose of either selling it or using it for fraudulent purposes
- Moving laterally to other applications and/or resources
- Leveraging illicit access to legitimate business applications for onward social engineering purposes
Regardless of the attacker’s motive or motives, the risks that businesses and their online applications face are serious. It is just as important to protect online applications from attack as it is to deploy them to address customer and market needs. Sadly, however, protecting those applications sometimes takes a back seat to deploying them, even though there can be serious financial and regulatory consequences to not adequately protecting them.
How to Meet the Challenge
So, what can businesses do to protect themselves and their applications from these and other threats? First and foremost, they need to build security in from the get-go, but that does not always happen, and sometimes oversights even introduce vulnerabilities. That’s why adding protections in a layered approach around the application becomes just as important as building security in. Here are a few of those protections enterprises can consider.
Web application firewall. Web application firewalls have become an industry standard for protecting online applications. Like any part of a defense-in-depth strategy, they are not perfect protection for applications, but they are a highly effective part of an overall protection and risk mitigation strategy. They can defend against various types of attacks that might be launched against an online application.
DDoS protection. Bot networks abound, unfortunately. This makes it relatively easy for attackers to point a flood of requests at an online application in an attempt to bring it down. When a business ensures that it has adequate DDoS protection (at layers 3, 4, and 7), it can preemptively mitigate the risks of brand reputation damage, downtime, lost revenue, and other damages that result from these attacks.
Bot protection. In addition to the threat of DDoS, bots are often weaponized for various purposes, including inventory manipulation, fraud (such as account takeover), and data theft. That raises infrastructure costs, takes resources away from legitimate customers, and skews application metrics. Sophisticated attackers know their way around many defenses, so having sophisticated bot protection in place becomes necessary to protect online applications from these risks.
Fraud mitigation. Fraudsters know how to make money at the expense of legitimate users. Being able to reliably detect and mitigate fraud in near real time without a huge number of false positives and without introducing unnecessary friction for legitimate customers has become a must-have for businesses looking to protect their online applications.
API discovery. In complex, hybrid environments, maintaining a proper inventory of all infrastructure is a constant challenge. There will always be certain assets that will be forgotten or will otherwise fly under the radar. Having an API discovery solution in place to ensure that the business is aware of all assets and adequately protecting them is an important part of an online application protection strategy.
Telemetry. Collecting telemetry data at layer 7 and also the user layer (sometimes referred to as layer 8) is important as well. This gives businesses important insight into what is happening within the application, and also the way the user is behaving within the application. This telemetry data adds crucial context and insight that is necessary as part of continuous monitoring.
Continuous monitoring. No matter how good a business’s defenses are, continuous monitoring to detect and respond to breaches is a must. Protective controls and defenses can and will be circumvented at some point, and when they are, the business will need to fall back on detective controls and defenses to adequately protect the online application.
When it comes to data breaches, attackers have different motives that highly influence what they are after, how they attack, and what they target. Simply put, the “why” of a data breach matters, particularly when it comes to the ramifications of a breach. By understanding these different motives and how to protect against breaches, businesses can make educated decisions around the types of protections that can be installed around online applications to reduce and mitigate the risk of a breach.