Cayuga Networks

Technology

Damage Control: Next-Generation Web Application Attack Detection Delivers 100% Actionable Intelligence

According to Whitehat Security, web applications are perpetually vulnerable “40-60% of the time, making them easy pickings for hackers.” The damage caused by a successful web application attack can range from mild to extremely severe—such as, for example, using a compromised server to penetrate the rest of the organization and steal business-critical information or install ransomware.

And, despite the use of web application firewalls (WAFs), and to a lesser degree runtime application self-protection (RASP), most organizations remain exposed to significant risk. This is because these first-generation technologies rely on signatures, and that moment-in-time posture causes them to miss many threats, including 0-days. Maintaining optimal effectiveness also requires a great deal of operational overhead for configuration and management. Plus, even if these defenses could catch every credible threat, they kick out too many false positives. Faced with the resulting cacophony of alert noise, even the largest organizations find it almost impossible to recruit enough application security specialists to investigate every potential attack.

Next-generation web app attack detection from Cayuga Networks solves these problems by providing 100% actionable intelligence. We only tell the customer there is something wrong when there is a vulnerability in their web application attack surface and bad actors on the Internet have discovered it, are probing it, and have demonstrated that they know it exists.

Diagram: Cayuga technology working together

This next-generation technology does not rely on a single approach. Instead, Cayuga Networks applies numerous algorithms that use an overall Bayesian statistical framework. One of the key things that this statistical analysis looks for is computer code lurking in places where computer code is not expected.

The result is the ability to eliminate the noise and false positives of previous approaches and deliver customers only actionable alerts of credible threats.

For example, Cayuga Networks Code Flow Analysis™ (CFA) uses a very high-speed code detection and grammar recognizer that is able to spot a variety of different languages in parallel. The detection engine then asks “what is this HTTP request?” Is it all HTML, or does it contain fragments of SQL, which would be indicative of SQL injection? Or does it contain JavaScript, which may indicate a cross-site scripting attack?
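The idea of asking “what language is this request written in?” can be illustrated with a small detector. The following is an added example written for this page; it is not Cayuga Networks’ Code Flow Analysis engine and uses a deliberately simple token and regex heuristic rather than a real grammar recognizer. It parses a constructed HTTP request (no captured traffic), URL-decodes every query and form parameter, and reports which parameters carry SQL or JavaScript fragments in a place where only plain data is expected. Parameter names, the sample request and the feature labels are all made up for the illustration.

```python
"""Toy multi-language fragment detector for HTTP request parameters.

Added illustration only: a simplified stand-in for grammar-based request
inspection, not a product's detection engine. Looks for SQL and JavaScript
grammar features inside values that should be ordinary form data.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request for the demo (not real traffic).
SAMPLE_REQUEST = (
    "POST /search?cat=books HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "q=red+shoes"
    "&id=7+UNION+SELECT+user%2Cpass+FROM+accounts--"
    "&note=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

# Crude SQL tokenizer: identifiers, numbers, comment openers, quotes, punctuation.
SQL_TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|--|/\*|'|\"|[=;(),*]")
SQL_KEYWORDS = {"select", "union", "from", "where", "insert", "update",
                "delete", "drop", "or", "and", "sleep", "benchmark"}


def sql_fragments(value: str) -> list[str]:
    """Return SQL grammar features found in `value` (empty list if none).

    Single keywords such as 'from' or 'or' are common English and ignored;
    only keyword structure (bigrams, tautologies, comment terminators,
    a quote immediately followed by a keyword) counts as a finding.
    """
    toks = [t.lower() for t in SQL_TOKEN.findall(value)]
    found: list[str] = []
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "union" and nxt == "select":
            found.append("union select")
        if tok == "select" and "from" in toks[i + 1:]:
            found.append("select ... from")
        if tok in ("or", "and") and i + 2 < len(toks) and toks[i + 2] == "=":
            found.append("boolean tautology")
        if tok in ("--", "/*"):
            found.append("comment terminator")
        if tok in ("'", '"') and nxt in SQL_KEYWORDS:
            found.append("quote followed by keyword")
    return found


# JavaScript / HTML-script features; each regex is labelled with a feature name.
JS_PATTERNS = {
    "<script> tag": re.compile(r"<\s*script\b", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "inline event handler": re.compile(r"<\w+[^>]*\bon\w+\s*=", re.I),
    "DOM/global call": re.compile(r"\b(?:alert|eval|document|window|location)\s*[.(]", re.I),
}


def js_fragments(value: str) -> list[str]:
    """Return JavaScript grammar features found in `value`."""
    return [name for name, pat in JS_PATTERNS.items() if pat.search(value)]


def inspect_request(raw: str) -> dict[str, dict[str, list[str]]]:
    """Parse a raw HTTP request and classify each parameter.

    Returns only parameters with findings, keyed as 'query.<name>' or
    'body.<name>', each mapped to {'sql': [...], 'javascript': [...]}.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}

    # parse_qsl performs the URL decoding, so the grammar checks see real text.
    params = [("query." + k, v)
              for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [("body." + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]

    findings = {}
    for name, value in params:
        hit = {"sql": sql_fragments(value), "javascript": js_fragments(value)}
        if hit["sql"] or hit["javascript"]:
            findings[name] = hit
    return findings


if __name__ == "__main__":
    for name, hit in inspect_request(SAMPLE_REQUEST).items():
        print(f"{name}: {hit}")
```

In the sample, `q` and `cat` come back clean while `id` and `note` are flagged, which is the distinction the paragraph describes: ordinary data versus code where no code belongs. A production recognizer would parse the candidate languages properly rather than pattern-match, and would feed these per-parameter findings into a scoring framework instead of alerting on any single hit.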

We can also sandbox suspicious requests, routing them into a detonation chamber—one that has the same versions of application stack components and even the same code as the customer’s environment but lacks the important data—and replay them to see what they do. We can then combine that information into a bigger picture to determine if this request is something that the customer should be worried about in terms of an imminent threat.

All of this technology combines with the forensic and investigative skills of world-class threat experts at Cayuga Networks threat labs. The result is the ability to eliminate the noise and false positives of previous approaches and deliver customers only actionable alerts of credible, critical threats.