SIGNAL SCIENCES WEB PROTECTION PLATFORM: BUILT FOR MODERN APPLICATIONS
Protecting Applications. Connecting Teams.
SIGNAL SCIENCES
PG. 1
SIGNAL SCIENCES WEB PROTECTION PLATFORM:
BUILT FOR MODERN APPLICATIONS
© 2017 SIGNAL SCIENCES
SIGNALSCIENCES.COM
Web Applications Have Changed
When it comes to web applications and the way they are architected, developed and deployed,
everything has changed dramatically over the last decade. This is apparent as businesses today are
adopting Agile and DevOps practices and shedding the previous era’s waterfall methods. These
changes have spread across the organization, reorienting the delivery cadence around the customer.
This means more frequent deploys and an increased ability to deliver customer value.
Along with the changes in development practices, there has been increased demand for more
performant web applications. This has spurred huge growth in frontend frameworks and a move to
make data access faster. Most companies are decomposing their monolithic stacks, opting for a
microservices approach that allows for decoupling and an API-centric design.
Today we have a completely different application landscape. This new world is much more dynamic
and more challenging to defend than before, yet not much has changed in application security
defense. That raises the question: if applications are designed, developed, and deployed in a way
that looks nothing like they did a decade ago, why are we using the same application security
playbook?
Application Security Has Stayed the Same
The legacy playbook for application security was written for a period when things were slower and
more static, and when silos were the accepted standard. Take secure SDLC programs, for example.
They used to require the security team to manually review every code change before it was shipped
to production. When release cycles were weeks or months long, security was able to do this without
causing a bottleneck. However, as the business prioritizes speed to market and release cycles become shorter, security teams will more than likely be routed around if they try this approach. While
there have been significant improvements in automated security testing to allow for better
integration into a DevOps approach, there has been a gap in protecting web applications.
According to the legacy playbook, security teams might rely on manually reviewing application logs
or perhaps on a point solution like a legacy web application firewall. Neither of these solutions is
able to keep up at modern speed and scale. Manually reviewing logs is time consuming, error prone,
and gives an incomplete picture. Point solutions like legacy web application firewalls are also
expensive to operate, inhibit agility, don’t provide broad threat coverage, and often end up doing
little more than ticking a compliance box. Finally, the legacy playbook doesn’t even begin to touch
the rapid feedback loops that help break down silos between development, security and engineering
teams.
A New Way Forward For Application Security
To succeed at security in the modern application era, teams must adapt their approach to align with
the realities of the modern application environment.
Old Way                                      New Way
• Security as a binary event                 • Continuous feedback loops
• Compliance & checklist driven defense      • Attack driven defense
• Security as an organizational blocker      • Security as an organizational enabler
• Single point solutions                     • Platforms
Security Is Not A Binary Event, Embrace Continuous Feedback Loops
For many organizations, understanding what’s going on in production is currently like piloting a
plane without any instruments. Sure, you can fly, but when there are bumps along the way you have
no idea whether you’ve just hit some turbulence or your engines are on fire. In other words, it’s
like living in a binary world where things are either fine or they’re not, when of course it’s
never really that black or white.
One of the hallmarks of the most forward-thinking organizations today is that they recognize that
security isn’t a black and white notion of “fully breached” or “not breached at all,” but a constant
state somewhere in the gray area in between. Toward that end, these forward-thinking organizations
are constantly refining their process of detecting and disrupting attacks earlier and earlier in the
attack chain.
As a result, they are more likely to find and resolve issues earlier, before they impact customers.
Additionally, they are able to better measure success using metrics such as mean time to detect
(MTTD) and mean time to resolve (MTTR) a security issue.
Attack Driven Defense Outshines Compliance Driven Defense
Progressive teams approach security not from a compliance or checklist mentality, but by asking,
“How do attackers actually target my business?” Defensive actions that made a lot of sense 15 years
ago and still exist in compliance checklists today may not make sense for a business operating in a
modern environment. As we’ve already outlined, the way applications are developed has changed
dramatically, while many compliance checklists haven’t changed at all.
For example, while the OWASP Top 10 provides a useful starting point, oftentimes the biggest areas
of risk for a modern application will be in other types of attacks, such as application layer denial of
service attacks, or brute force attacks on sensitive business logic.
To contrast compliance driven defense and attack driven defense, let’s consider the following
hypothetical conversation when visibility is poor and defensive decisions are dominated by
checklists:
CISO: “I want $2M in budget to help improve security.”
CFO: “What will that do?”
CISO: “Uh...”
However, in an organization that has the right security feedback loops and has embraced attack
driven defense, the conversation might go more like this:
CISO: “We had 12 security failures across 5 systems, and our mean time to detect has been 45
days. Resolution times have been approximately 6 hours. I want $2M to expand coverage across
systems and drop times in half.”
CFO: “What if I gave you $4M? What would happen then?”
The best security teams can measure how their applications are actually attacked, which allows
them to give more accurate guidance on risk and to make more effective and efficient defensive
decisions.
Don’t Block Your Business, Enable Your Teams
The most successful security teams have made a profound shift moving security from an organizational blocker to an organizational enabler. Historically, security has focused on delaying any
change until it could be reviewed. This created a bottleneck. In today’s environment of DevOps,
changes are happening at a faster pace than ever before. In this sort of new environment, if security
tries to remain a blocker to the business it will simply be bypassed.
Security has to focus on how it can enable the business to move quickly and securely, in some
sense moving from a culture of “no” to a team of “yes”. The most effective way to approach this shift
is to decentralize and provide methods for teams to do their jobs in a secure-by-default state, rather
than security acting as a centralized gatekeeper.
When it comes to defending modern applications in production, democratizing security data is key.
A cultural component of the modern application development paradigm is that developers own
their code throughout the whole lifecycle, including in production. However, most developers have
probably never seen an actual attack on their code. This is similar to the journey engineering and
operations went on during the transition to DevOps. There was a time when engineers had never
seen what it looked like when their code was performing slowly: they didn’t have the right tooling,
and it was an operations problem anyway. Fast forward to now, and that has completely changed.
The most successful security teams must find a way to replicate this pattern for application
security.
DevOps pioneer and author Gene Kim put it like this:
“Internal security controls are often ineffective in quickly detecting breaches because of blind
spots in monitoring or because no one is examining the relevant telemetry every day. To adapt,
integrate security telemetry into the same tools that Development, QA, and Operations use. This
gives everyone in the pipeline visibility into how applications and environments are performing in
a hostile threat environment where attackers are constantly attempting to exploit vulnerabilities,
gain unauthorized access, plant backdoors, and commit fraud (among other insidious things!).”
A New Way Forward For Application Security
Successful security teams avoid point solutions for several reasons. First, by definition, they aren’t
extensible and often fail to provide complete coverage in modern, heterogeneous environments.
They also don’t act as force multipliers, instead consuming scarce security time and expertise to
configure and operate. Finally, they tend to lack features like APIs and integrations with other tools
in use within the organization. Ultimately, the return ends up being too low and the cost to operate
too high.
In the web application protection space, point solutions like legacy Web Application Firewalls (and
even RASP) have significant limitations in terms of where they can be deployed, what they actually
protect against, and how well they integrate into the organization's broader toolset. Instead,
security teams must look for a platform they can deploy across multiple architectures with little
friction, that protects against modern and emerging attacks, and that integrates well with the
DevOps toolchain.
Meet The Industry’s First Web Protection Platform
SIGNAL SCIENCES WEB PROTECTION PLATFORM

Flexible Architecture
• Broad deployment
• Multiple deployment options
• Scalability

Threat Coverage & Visibility
• Business logic, OWASP, App Layer DoS, Anomaly detection
• Dashboard, analytics, search, alerts
• Better detection and blocking approach
• Custom signals

Team Enablement
• Usability
• Integrations
• Monitor view
• Reporting

Platform
• Central Management
• Extensibility
• Reliability
• Network Effect
Flexible Architecture
Many organizations have heterogeneous application environments, with a mix of different languages,
web servers, and hosting solutions. Engineering teams are increasingly empowered to make their own
technology choices, meaning the mix of technologies within an organization is likely to change over
time. By providing three deployment options, Signal Sciences can support all of your applications,
regardless of infrastructure, language, or cloud deployment choice.
• NGWAF: Many Signal Sciences customers deploy the web protection platform as a Next-Gen
WAF module directly into the web server instance. It’s easy to install into the most common and
frequently used web application servers (such as NGINX, Apache, and IIS) and uses a safe, fail-open
architecture to communicate with the Signal Sciences local agent. This allows for a fast, reliable,
and secure asynchronous connection to the Signal Sciences cloud decision engine, ensuring that
your customer traffic remains stable, no matter what.
• RASP: The Signal Sciences RASP module provides flexible, scalable, and accurate protection
for modern web applications by embedding directly into the application source code. It’s
extremely lightweight and doesn’t require any SDK-based application rewrites; it simply drops
into your application code as a library. And because we have the broadest language support in
the industry, installation really is that simple, allowing you to be secure in minutes.
• Reverse Proxy: Some organizations choose to defend their applications at the load balancer
or proxy layer. This makes the most sense when architectures necessitate this or third-party
applications are being used. Signal Sciences has the flexibility to be run in this manner and will
protect any web servers downstream.
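As an added illustration of the fail-open behaviour described for the NGWAF module above (constructed here, not the Signal Sciences module or agent code), the gate below hands each request to a simulated local agent with a timeout and lets traffic through when the agent is slow or down, while counting the inspections it skipped; `healthy_agent`, `stalled_agent` and `crashed_agent` are stand-ins for agent states, and the metric names are assumptions.

```python
# Constructed fail-open gate standing in for the module-to-agent hop described
# above. Not Signal Sciences code; the agent behaviours are simulated.
import time
from concurrent.futures import ThreadPoolExecutor

_POOL = ThreadPoolExecutor(max_workers=4)


def fail_open_gate(ask_agent, request, timeout_s=0.5, metrics=None):
    """Return (verdict, inspected). Any agent error or delay yields ("allow", False):
    customer traffic keeps flowing, and the skipped inspection is counted so that an
    agent outage shows up as a rising uninspected rate instead of as downtime."""
    metrics = metrics if metrics is not None else {}
    try:
        verdict = _POOL.submit(ask_agent, request).result(timeout=timeout_s)
        metrics["inspected"] = metrics.get("inspected", 0) + 1
        return verdict, True
    except Exception:  # timeout, refused connection, agent bug: all fail open
        metrics["uninspected"] = metrics.get("uninspected", 0) + 1
        return "allow", False


def uninspected_ratio(metrics):
    """Operational check: share of requests that bypassed inspection; alert on it."""
    total = metrics.get("inspected", 0) + metrics.get("uninspected", 0)
    return metrics.get("uninspected", 0) / total if total else 0.0


# Simulated agent behaviours (constructed for this example).
def healthy_agent(request):
    return "block" if "' OR 1=1" in request.get("query", "") else "allow"


def stalled_agent(request):
    time.sleep(1.0)  # slower than the gate's timeout
    return "block"


def crashed_agent(request):
    raise ConnectionRefusedError("agent socket not listening")
```

The trade-off to watch: while the agent is stalled or down, requests the healthy agent would have blocked are allowed, so the uninspected ratio needs an alert threshold of its own.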
Comprehensive Threat Coverage and Visibility
Signal Sciences identifies common web application attack vectors like XSS, SQLi and other OWASP
Top Ten attacks, but it doesn’t stop there. Customers get in-depth coverage of these common threats
as well as application level denial of service, account takeovers, sensitive business logic attacks,
and more. Signal Sciences takes a holistic approach, evaluating not only what the attacker is trying
to do, but also whether the attacker succeeded.
Advanced Detection Engine
Signal Sciences uses an advanced detection engine that grew out of our development of the open
source tool libinjection. Instead of doing pattern matching with regular expressions, the engine
evaluates attacks through a tokenization approach. Tokenization is much faster and has a much lower
false positive ratio than regular expression models. As the engine identifies attacks, it emits them
with tags to the back-end cloud service for graphing, alerting and further evaluation.
Classes of Attack Protection
• OWASP Top Ten (XSS, SQLi, ...)
• Injection Attacks
• Application DoS
• Business Logic Abuse
• Information Disclosure
• Brute forcing credentials
The back-end cloud service appends additional tags depending on the additional attack vectors it
finds. To guard against false positives, the back-end cloud service evaluates all of the tags using a
threshold approach to reach a decision.
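The following is an added illustration of the detection pipeline described above, not libinjection or Signal Sciences code: a toy tokenizer classifies the input, rules run over the token sequence and emit tags, and a back-end style step aggregates those tags per client, appends a tag of its own, and decides by threshold. The token classes, rules, tag names, threshold and sample traffic are all constructed for this example; `LEGACY_REGEX` is a stand-in for a substring rule of the kind the text contrasts with tokenization.

```python
# Toy tokenizing SQLi detector feeding a tag-threshold back-end. Token classes,
# rules, threshold and sample traffic are constructed; not libinjection code.
import re
from collections import defaultdict

TOKEN_RE = re.compile(
    r"'(?:[^'\\]|\\.)*'?|\"(?:[^\"\\]|\\.)*\"?"   # quoted strings, possibly unterminated
    r"|--[^\n]*|/\*.*?(?:\*/|$)"                  # SQL comments
    r"|\d+|[A-Za-z_]\w*"                          # number, word
    r"|<>|!=|<=|>=|[=<>()+*/,;-]|\S", re.DOTALL)  # operators and anything else
KEYWORDS = {"select", "union", "all", "or", "and", "from", "where"}
LEGACY_REGEX = re.compile(r"(?i)union\s+select")  # substring rule of the kind a legacy WAF uses


def tokenize(text):
    """Classify tokens: s=string, c=comment, 1=number, k=keyword, w=word, o=other."""
    out = []
    for tok in TOKEN_RE.findall(text):
        kind = ("s" if tok[0] in "'\"" else "c" if tok[:2] in ("--", "/*")
                else "1" if tok.isdigit() else "o" if not (tok[0].isalpha() or tok[0] == "_")
                else "k" if tok.lower() in KEYWORDS else "w")
        out.append((kind, tok.lower()))
    return out


def sqli_tags(tokens):
    """Rules over the token sequence rather than over raw characters."""
    tags, kinds, vals = set(), [k for k, _ in tokens], [v for _, v in tokens]
    for i, (kind, val) in enumerate(tokens):
        nxt = vals[i + 1:i + 4]
        # OR/AND followed by <literal> = <same literal>, e.g. "or 1=1".
        if (kind == "k" and val in ("or", "and") and len(nxt) == 3
                and kinds[i + 1] in "s1" and nxt[1] == "=" and nxt[0] == nxt[2]):
            tags.add("sqli:tautology")
        # UNION [ALL] SELECT as keyword tokens; the word "selected" does not qualify.
        if kind == "k" and val == "union" and (nxt[:1] == ["select"] or nxt[:2] == ["all", "select"]):
            tags.add("sqli:union-select")
        # A closed string literal directly followed by a comment cuts off the real query.
        if kind == "s" and len(val) > 1 and val[-1] == val[0] and kinds[i + 1:i + 2] == ["c"]:
            tags.add("sqli:comment-termination")
    return tags


def inspect(value):
    """Evaluate as-is and as if the value landed inside an open quoted literal."""
    return set().union(*(sqli_tags(tokenize(p + value)) for p in ("", "'", '"')))


def decide(events, threshold=3):
    """Aggregate tags per client, append a back-end tag, flag once hits reach the threshold."""
    clients = defaultdict(lambda: {"hits": 0, "tags": set()})
    for client, tags in events:
        if tags:
            clients[client]["hits"] += 1
            clients[client]["tags"] |= tags
    for rec in clients.values():
        if len(rec["tags"]) > 1:
            rec["tags"].add("sqli:multi-vector")  # the back-end's own appended tag
    return {c: "flagged" if r["hits"] >= threshold else "observed" for c, r in clients.items()}, dict(clients)


SAMPLE_REQUESTS = [  # (client, parameter value): constructed traffic for this example
    ("198.51.100.7", "' OR 1=1--"),
    ("198.51.100.7", "admin'--"),
    ("198.51.100.7", "1 UNION ALL SELECT username, password FROM users"),
    ("203.0.113.9", "The Union selected a new leader"),
    ("203.0.113.9", "O'Reilly's books"),
]
```

Note how the substring rule fires on the benign phrase "The Union selected a new leader" while the token rules do not, and how a client with no tagged requests never reaches the decision step at all.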
Extensibility of Protection
Signal Sciences detects attacks and anomalies that other solutions simply can’t. The web protection
platform comes with features that instrument application flows (e.g. user logins) with additional
security protection. Using the Signal Sciences custom signals features, users can detect business
logic flaws and user account takeovers, or monitor any application flow. Whatever you need to watch
more closely, you can easily do so with Signal Sciences, and it doesn’t require you to change your
code or use any one particular type of deployment model.
Visibility and Context
Legacy security tools are notorious for providing very little visibility. Signal Sciences gives access
to data and metrics that are pertinent to the daily lives of team members. In fact, the platform
provides monitor views suitable for displaying in a team room or operations center. Every attack
is graphed, but in addition to this visibility, Signal Sciences provides in-depth search and analysis
across all the attack and anomaly metrics.
Using the Signal Sciences custom rules features, visibility is expanded to measure and analyze
exactly what you care about the most. Users specify custom alerts and monitoring for any
application flow or attack type, bringing security visibility right where it is needed the most.
Team Enablement
Core to Signal Sciences is the desire to democratize security to other teams and groups. Signal
Sciences’ Web Protection Platform provides visibility and insight into security events to both
developers and operations engineers using the tools they already work with on a daily basis.
Signal Sciences integrates into the tools developers are using to track bugs and collaborate.
Operations engineers are provided with integrations in monitoring, alerting, and configuration
management. No matter what tooling you are using, we integrate with it.
When attacks come in, alerts are generated directly to the team responsible for the application being attacked as well as the security team. With Signal Sciences integration partners, bugs get filed
and alerts are triggered in response to real attacks happening on your web application decreasing
your mean time to security incident detection and remediation.
Cloud Decision Engine
Signal Sciences’ cloud decision engine is operated by our expert team that continues to refine the
platform to maximize speed and reliability across all of our customers. As Signal Sciences adds new
customers, we are constantly improving our detection capabilities and making the product smarter
and more effective. Unlike traditional web application firewalls, there is no “learning mode” in our
product. That’s because the Signal Sciences web protection platform is always learning and improving
our security visibility and protection for every one of our customers.
Customer Quotes & Success Stories
"Signal Sciences enables us to quickly identify when and how our applications are being attacked.
This saves our team a lot of time analyzing logs and generating the appropriate alerts."
- Bob Wood, Head of Security at Nuna
"It’s refreshing to work with a security product that not only provides exceptional security benefits,
but also prioritizes performance, reliability, and overall operational manageability. Signal Sciences is
easy for our DevOps team to support, which allows us to focus on the security capabilities it provides, rather than fighting with basic operational issues."
- Jenner Holden, VP of Information Security at TASER International
"Signal Sciences gives our whole engineering group instant visibility into where we're being attacked and how our apps are responding. This allows me to focus on enabling business growth
instead of worrying about whether we're going to detect things. We won't open any of our apps to
the internet unless we've got Signal Sciences deployed with it."
- Matt Johansen, Director of Security at Honest Dollar
"The Signal Sciences approach gives us situational awareness about where and how our applications are attacked so that we can best protect ourselves and our customers."
- Jon Oberheide, Co-Founder & CTO at DUO
TASER International
Signal Sciences started working with the TASER security team, with support from TASER’s
engineering leadership, and quickly came to understand their need for an effective application
defense solution. The goal was to help resolve the cumbersome security triaging that the TASER
security team experienced and to free up their time to focus on actual attack events and more
strategic security initiatives. As former security practitioners, the team at Signal Sciences has
immense customer empathy and wanted to provide TASER with a solution that worked “out of the
box,” improving visibility and securing their customers’ sensitive data more effectively without
compromising operational and business needs.
Ultimately, TASER replaced their homegrown WAF solution with the Signal Sciences NGWAF
solution. The combination of Signal Sciences’ ease of install that both product and security teams
could support, along with true security visibility into attack signals that didn’t require configuration
or tuning, allowed TASER to achieve its goals of application protection without compromise.
Read the full case study here.
Etsy
Etsy found that most traditional WAFs and application security modules broke production traffic
when placed in blocking mode due to extensive false positives. Etsy required a solution that would
enable its business to grow, not hinder it.
In June 2014, Etsy acquired A Little Market (a French online marketplace). At the time, Etsy had no
visibility into A Little Market’s web application stack, but needed to gain coverage immediately
post-acquisition. Their primary goals were gaining better visibility across all applications, while minimizing
any potential risks and unknowns by blocking attacks. Due to Etsy’s success in gaining coverage
over their main web application with Signal Sciences, Etsy chose to expand their Signal Sciences
deployment to A Little Market as well.
As Etsy’s marketplace expands organically and via acquisitions, Signal Sciences will continue to
provide a key piece of their overall strategy in keeping their members’ data secure.
Read the full case study here.
Yelp Eat24
Yelp and Eat24 faced a pivotal post-acquisition issue: both companies used completely different
web application stacks that needed to be securely integrated. Before they could integrate, Yelp
needed real-time visibility into the Eat24 technology stack to better understand what inbound
attacks were targeting the application.
The Yelp engineering team was focused on finding and fixing technical debt within the new
application, estimating it would take upwards of six months to fix all known flaws (based on an
initial risk assessment). With this in mind, Yelp looked to find a solution they could drop in place
quickly and with minimal engineering effort that would both protect the application and provide
visibility for their DevOps, Engineering, and Security teams into potential attacks targeting Eat24.
Read the full case study here.
Interested in speaking with Signal Sciences? Click here to contact us.