Research reveals need to block entry points to data theft

New research from Fastly uncovers a crucial need for a unified, modern and simplified approach to security. The study, based on insights from information security and IT professionals in Australia, reveals growing concerns around adequately securing the rapidly rising number of mission-critical cloud services and API-centric applications. These APIs are increasingly targeted by attackers as an entry point into the organization and a way to steal data.

Fastly, a global edge cloud platform provider, has released new research in partnership with Enterprise Strategy Group (ESG) that uncovers a crucial need for a unified, modern and simplified approach to security.

The study, based on insights from information security and IT professionals in Australia and globally, revealed growing concerns around adequately securing the rapidly rising number of mission-critical cloud services and API-centric applications introduced as part of ongoing digital transformation programmes.

Applications are being modernized, coded and deployed more quickly than ever before; 47% of Australian organizations surveyed expect to support more than 200 internally developed applications within two years, up from 33% of organizations today.

Most if not all internal applications rely on APIs to support the use of microservices, to share data or interconnect with other applications. Organizations are amassing large API footprints as a result.

These APIs are increasingly targeted by attackers as an entry point into the organization and a way to steal data. In response, organizations are layering multiple web application and API security tools in the hope of creating best-of-breed and defense-in-depth protection.

The result is a patchwork of incompatible tools that cause more problems than they solve. Data correlation is difficult, there are multiple ‘blind spots’, and the number of alerts generated – and the proportion of false positives among them – is leading organizations to disable automated threat blocking capabilities within the tools, or in some cases the tools themselves. The ESG study shows attackers are exploiting this to slip into many large Australian business environments undetected.

Nine out of ten Australian organizations experienced at least 10 attacks on their web applications and APIs in the past year that went undetected by security tools until they had a negative impact of some kind. For a quarter of Australian respondents, the negative impacts included legal problems, compliance issues, a loss of revenue or brand damage. For one in five respondents, the breaches led to downtime and customer experience impacts.

The types of attack varied but included exploitation of the OWASP Top Ten (experienced by 31% of respondents), zero-days (29%), malware infections (33%), account takeover (24%) and cloud service misconfiguration (21%). Outdated security offerings, alert fatigue and ineffective blocking are among the cracks in organizations’ security armour that allowed these incidents to slip through.

Australian organizations surveyed prefer security tools that can detect and block potential attacks automatically, but say their existing tools block too much legitimate business traffic when run in this mode. The overblocking impacted customer experience (for 40% of Australian respondents), wasted time (40%), led to system downtime or undetected attacks (37%), caused loss of revenue (30%) or led to a failure to meet service level agreements (21%). Many Australian organizations chose to disable blocking, or to limit its use to certain windows of time or application traffic types, in order to mitigate these potential impacts.

“One of the biggest security challenges we are seeing today is that technologies are rapidly evolving to better serve the growing demand for digital experiences, but the security offerings that protect those technologies are not experiencing that same level of transformation – and often erode the benefits of modern technology stacks,” said Kelly Shortridge, Senior Principal Technologist at Fastly.

“Security tools should fuel innovation, actively support service resilience and minimize disruption to software delivery workflows, rather than slowing build cycles and producing disjointed, unactionable or irrelevant data.”

More than three-quarters of Australian respondents recognized an appropriate long-term response would be an overhaul of their security tooling and approach, moving to an evolved and consolidated web application and API security solution from a single vendor.

Stephen Gillies, Manager – Sales Engineering APAC, Fastly, said: “The DevOps movement proved that rapid automation and testing and rapid iteration would translate into more innovation. But innovation filled with risk is not really the end game. The next crucial step is to implement security directly into the internal app and API workflow process so it is not a hurdle to work around, but a part of the process that can move as quickly as the rest if done right. Otherwise, it’s just more of the same, and security will remain elusive.”

Research from the study also concludes:

● On average, Australian organizations surveyed spend close to AU$580,000 annually on web application and API security tools. Security is becoming more complex and costly as organizations are required to protect traditional architectures in addition to new architectures and cloud environments.

● Traditional security tools are ineffective and impede business growth. Current security tools frequently block harmless business traffic, impacting the organization’s bottom line. As a result, 72% of Australian respondents configured their security tools to run in log or monitoring mode only, rather than in blocking mode; 12% shut the tools off entirely; and 16% did both. This is despite 53% preferring to run tools in blocking mode, since it would reduce manual intervention and effort – if it worked effectively.

● Nearly half of all security alerts are false positives. A majority of Australian respondents spend an equal amount or more time on false positives as they do on actual attacks, suggesting current security tools are causing more problems than they solve.

● 45% of Australian organizations surveyed believe most or all of their applications will use APIs in the next two years. Despite an anticipated increase in API implementation, organizations stated that web application and API security is more difficult than two years ago and indicated struggles to maintain adequate security across new application architectures. Driving these difficulties is the shift to public cloud and API-centric applications without a modern security solution to support those innovations.

● Distributed responsibility for security often adds complexity. Among Australian organizations surveyed, 63% have different teams responsible for securing web applications, but plan to merge and centralize these responsibilities in the future. Responsibilities may fall on developers, cloud engineers, IT ops or line-of-business owners; they rarely fall on dedicated security personnel. Cybersecurity typically only gets involved just before an app goes into production (35%) or when it starts to store sensitive data (28%).

“The responsibility for protecting enterprise assets, data and users from cyberthreats no longer falls solely on the security organization, even as the threat landscape becomes increasingly complex. Application security, in particular, is a team sport that requires input and cross-functional collaboration across many parts of an organization,” said John Grady, Senior Analyst at ESG.

“As a result, security professionals have become frustrated with the complex and siloed nature of traditional application security solutions that fail to address these issues. Modern businesses require uniform tools and approaches that can minimize vulnerabilities between their public cloud infrastructure, microservices-based architecture and legacy applications, while supporting a variety of personas.”

Intelligent CIO APAC