- Why Detecting Web Attacks Is Important
- Coverage of Attacks Against Known Vulnerabilities Through IDS
- Deep HTTP Inspection
- Machine Learning for Complex Web Attacks
- Additional Resources
With the rapid rise of web application attacks, which are now the number one source of data breaches, securing web applications is a challenge. Alert Logic® is invested in continuously improving our ability to detect these types of attacks with high confidence to help you address this challenge.
To provide effective detection of these complex attacks, Alert Logic invests in three main capabilities for Alert Logic Cloud Defender™.
- Detecting attacks against known vulnerabilities through our network intrusion detection system (IDS)
- Inspecting HTTP requests and responses to provide deep HTTP inspection with anomaly detection
- Detecting multi-stage SQL-injection (SQLi) attacks using machine learning
This article discusses why Alert Logic invests in coverage of web application attacks and provides an overview of the techniques we use to provide this coverage.
Based on third-party reports and indications within Alert Logic’s customer base, web application attacks are now the primary source of network attacks and have increased up to 300% since 2014. With web applications, a long tail of exposures is inherited from third-party components and libraries, in addition to potential vulnerabilities within your own code. As a result, a wide range of attacks is possible at every layer of your application stack, with the potential for lateral movement. Attacks spread out over long periods of time can be especially difficult to detect with traditional technologies.
Due to the complex and ubiquitous nature of web application attacks, Alert Logic provides multiple techniques to detect these attacks – from providing IDS coverage for attacks against known vulnerabilities to using machine learning to detect multi-stage SQLi attacks.
Alert Logic continuously improves our network IDS to cover attacks against known vulnerabilities in web application assets. New signatures and incidents are added on a continuous basis to provide coverage of these attacks and allow us to alert you when we detect attacks.
Our incident coverage targets known vulnerabilities in applications that we have identified, through scanning, that our customers are using. We cover threats against applications such as WordPress, Joomla, Drupal, and Magento; libraries and frameworks such as Apache Struts; development frameworks such as Java; and web/application servers such as JBoss.
Most of this coverage is available for customers with Alert Logic Threat Manager™, and we consistently roll out this coverage to our entire customer base on our appliances and in our centralized incident logic.
While continuously improving IDS coverage for known web application vulnerabilities is important, providing IDS coverage only is not a complete solution to detecting web attacks. Alert Logic layers IDS coverage with other advanced techniques to provide more complete detection of the general attacks on web applications that might not have been discovered yet, including attacks on your own custom-written applications.
To provide advanced detection for web application attacks, Cloud Defender includes deep HTTP inspection – an out-of-band HTTP inspection capability. With this detection capability, Alert Logic provides accurate, real-time detection of attacks on unique flaws in off-the-shelf and custom web applications, such as those outlined in the OWASP Top 10. To provide confidence in detected threats, both HTTP requests and responses are inspected, with support for HTTP response signatures and HTTP response anomaly detection.
Layering deep HTTP inspection as part of the Cloud Defender service provides minimal noise and actionable context in detecting layer-7 attacks.
For more information about how deep HTTP inspection works and what it provides, refer to our Deep HTTP Inspection for Cloud Defender article.
In addition to IDS coverage and HTTP inspection, Alert Logic Cloud Defender uses machine learning to achieve high accuracy in detecting multi-stage SQL-injection (SQLi) attacks on web applications.
A typical SQLi attack is performed through repeated trial and error by the attacker and can span a long period of time. From a detection perspective, these attacks create a lot of noise and make identifying successful attacks difficult with traditional methods. With the Cloud Defender machine learning capability, successful attacks are identified with 97% accuracy, providing you with confidence in incident creation.
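As an added illustration (not Alert Logic's code or model) of the two ideas above, inspecting responses alongside requests and correlating an attacker's repeated SQLi probes over time: this Python heuristic, run over constructed access-log lines, groups SQLi-looking requests per client and marks a probe as a likely success when it is answered with 200 and a body far larger than the path's benign baseline. The log format, indicator patterns and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import unquote
# Constructed sample access-log lines (not from the article): ts client url status bytes
SAMPLE_LOG = """\
100 10.0.0.5 /item?id=7 200 1450
101 10.0.0.9 /item?id=8 200 1460
102 10.0.0.5 /item?id=7' 500 320
103 10.0.0.5 /item?id=7'-- 500 320
105 10.0.0.5 /item?id=7'%20OR%201=1-- 200 9800
106 10.0.0.5 /item?id=7'%20UNION%20SELECT%20null-- 200 9900
"""
# Crude request-side SQLi indicators: quote, SQL comment, tautology, UNION.
SQLI_HINT = re.compile(r"'|--|\bor\b\s*\d+\s*=\s*\d+|\bunion\b", re.I)

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, client, url, status, size = line.split()
        url = unquote(url)  # decode %27, %20 etc. before pattern matching
        rows.append((int(ts), client, url.split("?", 1)[0], url, int(status), int(size)))
    return rows

def baseline_sizes(rows):
    # Median 200-OK response size per path, from benign-looking requests only.
    sizes = defaultdict(list)
    for _, _, path, url, status, size in rows:
        if status == 200 and not SQLI_HINT.search(url):
            sizes[path].append(size)
    return {p: median(s) for p, s in sizes.items()}

def detect(log_text, window=600, min_probes=3, size_factor=3.0):
    # Stage 1: SQLi-looking requests from one client inside `window` seconds (trial and error).
    # Stage 2: a probe answered 200 with a body far above the path's benign baseline = likely success.
    rows = parse(log_text)
    base = baseline_sizes(rows)
    probes = defaultdict(list)
    for ts, client, path, url, status, size in rows:
        if SQLI_HINT.search(url):
            probes[client].append((ts, path, status, size))
    incidents = {}
    for client, events in probes.items():
        events.sort()
        if len(events) < min_probes or events[-1][0] - events[0][0] > window:
            continue  # too few probes, or spread beyond this simple fixed window
        successes = [ts for ts, path, status, size in events
                     if status == 200 and size > size_factor * base.get(path, float("inf"))]
        incidents[client] = {"probes": len(events), "successes": successes}
    return incidents
```

The response-size check is what separates the noisy failed probes (status 500, tiny body) from the two requests that actually returned extra data; a real system would use a learned model and a sliding window instead of these fixed thresholds.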
For more information about why Alert Logic is focused on SQLi attacks, how our machine learning works, and how customers can view these incidents to get value, refer to our How Cloud Defender's Machine Learning Improves Web Detection article.
For an overview of Alert Logic’s detection techniques for web application attacks in a webinar format, watch our Improvements for Web Application Attacks webinar. This webinar covers the investments that Alert Logic has made to improve our ability to detect web application attacks with high confidence, including machine learning and deep HTTP inspection.