
75% of Companies Spend as Much Time on False Positives as on Real Security Events

A new ESG report found that nearly half of all cybersecurity alerts are false positives, and 75% of companies spend an equal amount of time, or more, on them than on actual attacks.

In addition, the report found that 46% of all application downtime is caused by false positives. The report also asked organizations about their move to the cloud and their use of API-based applications, which have made security more complicated than it was in the era of on-premises computing. Organizations reported an average of 11 web app and API security tools, costing the typical business close to $3 million a year. The report found that those tools are ineffective and largely impede growth because of the false positives and the time spent trying to resolve them.

Current security tools have failed to work for many companies, leading to them either running in log and monitor mode (in 53% of cases), being disabled completely (12%) or both of the above (26%). An astounding 91% of businesses are either disabling or reducing the capabilities of their security software in response to too many false positives.

The high prevalence of false positives should be a clear indicator that security tools need to evolve and offer proof that an actual vulnerability is being exploited when an attack is reported. An attack that causes no damage, or that is actually blocked by a security tool, should be reported as informational rather than as a serious or critical security event.

Organizations need to take a fresh look at how applications that live in the cloud are secured, especially ones that have known vulnerabilities that remain unaddressed and are the subject of real, verifiable attacks. This is where RASP (Runtime Application Self-Protection) really shines as a security solution. A RASP solution like the one from K2 Cyber Security is based on a revolutionary approach. K2’s RASP solution, the K2 Security Platform, is the first to truly detect zero day exploits as well as attacks on known vulnerabilities, while at the same time providing proof that a vulnerability is exploitable. Rather than rely on technologies like signatures, heuristics, fuzzy logic, machine learning or Artificial Intelligence, the K2 Security Platform uses a deterministic approach to detect true zero-day attacks. Traditional security approaches are limited to detecting attacks based on prior attack knowledge (often causing false positives) or require weeks or months to learn behavior (also prone to false positives when one-off events happen). K2’s Security Platform can detect new zero day attacks within seconds of application startup and provide proof of vulnerability to reduce the concern around false positives.

K2’s Security Platform’s deterministic security is based on a unique, patent-pending technology called Optimized Control Flow Integrity (OCFI). OCFI uses application execution validation as the primary source of attack detection. K2 maps the application as it is running in memory and verifies that the function calls and API calls within the application are executing the way the code is written and intended. There is no use of any prior attack knowledge, and no use of signatures, patterns, or behavioral rulesets. Because it validates the execution of the code, K2’s approach has virtually zero false alerts, provides proof of exploitability, and can help dramatically reduce security costs.

K2’s Security Platform issues alerts based on the severity of the vulnerability and includes actionable alerts that provide complete visibility into the attacks and vulnerabilities. By providing the location of the vulnerability within the application, details like the file name and line of code where the vulnerability exists, and the proof of exploitability, security organizations can quickly address the vulnerability and remediate the problem.

K2’s Platform is easy to install and can be deployed in the cloud, on premises or in hybrid environments, making it ideal for today’s move to the cloud, including IaaS and PaaS environments.

Take a Page from NIST to Improve Application Security

Don’t just take our word for it: the National Institute of Standards and Technology (NIST) just finalized its Security and Privacy Framework, SP800-53, released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as added layers of security in the framework. It is the first time these two advancements in application security have been recognized by being required as part of the security framework.

In addition to using K2’s RASP to protect a production CI/CD environment, we’ve also previously written about adding a RASP agent to DAST testing to get IAST results from security testing. Our RASP solution sits on the same server as the application and provides continuous security for the application during runtime in CI/CD environments. Because it runs on the same server as the application, a RASP solution provides continuous security for the application even while it is under DAST testing. For example, as mentioned earlier, a RASP solution has complete visibility into the application, so it can analyze the application’s execution to validate the execution of the code and can understand the context of the application’s interactions, giving RASP the ability to provide details like line-of-code visibility, proof of exploitability, and a full payload to replicate an exploit.

IAST is the other new recommendation for application security coming from the NIST revised draft, and if you haven’t heard of IAST, there’s a good definition available from Optiv:

“IAST is an emerging application security testing approach which combines elements of both of its more established siblings in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).  IAST instruments the application binary which can enable both DAST-like confirmation of exploit success and SAST-like coverage of the application code. In some cases, IAST allows security testing as part of general application testing process which provides significant benefits to DevOps approaches. IAST holds the potential to drive tests with fewer false positives/negatives and higher speed than SAST and DAST.”

With these two new requirements (RASP and IAST) for application security being added to the NIST framework, it’s really time to rethink how your organization is doing application security and get security that works for a CI/CD environment.

We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero day attacks and how deterministic security fills the need for detecting zero day attacks. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.

The video also explains why deterministic security works against true zero day attacks and how K2 uses deterministic security.  Watch the video now.

Change how you protect your applications, include RASP and check out K2’s application workload security.

Find out more about K2 today by requesting a demo, or get your free trial.


*** This is a Security Bloggers Network syndicated blog from K2io authored by Pravin Madhani, CEO and Co-Founder. Read the original post at: https://www.k2io.com/75-of-companies-spend-as-much-time-on-false-positives-as-on-real-security-events/
