Why don’t your security tools work anymore?
As the internet landscape becomes more complex, more API driven, and more distributed, security and IT professionals are left wondering — why aren’t the security tools that were good enough a few years ago good enough now?
We’ve known for a while that this isn’t just hyperbole, but recent research proves it. A full half of the organizations polled in “Reaching the Tipping Point of Web Application and API Security,” a new report we released last week in partnership with Enterprise Strategy Group (ESG) Research, say web application and API security is more difficult now than it was just two years ago. Complicating matters:
82% of respondents said their organizations had suffered successful attacks against their web applications and APIs in the previous year.
64% expect most or all of their applications to use APIs but increasingly worry about vulnerabilities, malware, and data exfiltration targeting these endpoints.
45% of alerts turn out to be false positives, a problem for nine in ten respondents.
75% of organizations spend equal or more time on false positives as on actual attacks.
So what gives? Are tools not keeping up with the times? Are attackers outsmarting security teams? There are a few reasons security tools you invested in just a few years ago aren’t cutting it today.
Innovation moves fast
We’re moving faster than ever before, and part of that is due to the proliferation of APIs. Legacy security tools were built to secure web apps that talk directly to a database. Today, though, much of the application logic sits behind APIs, and apps talk to those APIs rather than to the database.
Security teams traditionally sit outside of software delivery workflows, so they might not be as exposed to the same new tech as the engineering teams that build and operate apps and services. For example, they might not be familiar with new tech for APIs, like GraphQL, nor understand how existing tools that are focused on REST will be deficient for GraphQL. And because teams are often siloed, knowledge sharing is limited. We need a more centralized approach that ensures workflows and processes are integrated.
You can’t secure what you can’t see
Shadow IT refers to the use of technology not approved by the IT department, and according to Statista, 42% of the people it surveyed say they engage in it. For example, in the interest of moving fast, developers may neglect to tell IT teams about every new API they create (and how it handles authorization, authentication, vulnerability protection, and so on) in order to skip the approval queue. A company can wind up with 20 different APIs, each protected in a different way (tools built for REST, for example, don’t work out of the box for GraphQL), and attackers simply try each one to find the weakest.
Plus, most legacy security tools were built for monolithic web apps, not APIs. So not only do you need more standardized processes in place, you also need tools built for new architectures and new types of APIs. All of this is compounded by a lack of standardization and, in many cases, a lack of heavily vetted authentication patterns used across teams.
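The two problems above (REST-focused tooling that cannot see inside GraphQL, and APIs that nobody registered) can both be surfaced from the traffic you already log. The following script is an added example, not code from the original post or from any product it mentions: it reads constructed access-log lines, normalizes REST paths, extracts the operation name from GraphQL request bodies, and reports anything not in a hypothetical approved inventory. The log format, the inventory and every endpoint name are assumptions for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic): "METHOD PATH BODY",
# where BODY is the request body for POST requests and "-" when there is none.
SAMPLE_LOG = [
    'GET /api/v1/users/42 -',
    'GET /api/v1/users/17 -',
    'POST /api/v1/orders -',
    'GET /internal/export/7 -',  # never registered with IT: a shadow endpoint
    'POST /graphql {"query":"query GetUser { user(id: 42) { email } }"}',
    'POST /graphql {"query":"mutation ResetPassword { resetPassword(id: 42) { ok } }"}',
    'POST /graphql {"query":"{ users { email } }"}',
]

# Hypothetical approved inventory as a security team might maintain it.
# GraphQL operations are tracked individually as "POST /graphql#<operation>".
APPROVED = {
    'GET /api/v1/users/{id}',
    'POST /api/v1/orders',
    'POST /graphql#GetUser',
}

_ID_SEGMENT = re.compile(r'/\d+(?=/|$)')
_OP_NAME = re.compile(r'^\s*(query|mutation|subscription)\s+([A-Za-z_][A-Za-z0-9_]*)')


def normalize_rest(method, path):
    """Collapse numeric path segments so /users/42 and /users/17 are one endpoint."""
    return f'{method} {_ID_SEGMENT.sub("/{id}", path)}'


def graphql_operation(body):
    """Return the named operation in a GraphQL request body, or 'anonymous'."""
    try:
        query = json.loads(body).get("query", "")
    except (ValueError, AttributeError):
        return "unparseable"
    match = _OP_NAME.match(query)
    return match.group(2) if match else "anonymous"


def _parse(line):
    method, path, body = line.split(" ", 2)
    return method, path, body


def path_only_view(lines):
    """What a REST-focused rule set sees: every GraphQL operation is 'POST /graphql'."""
    counts = Counter()
    for line in lines:
        method, path, _ = _parse(line)
        counts[normalize_rest(method, path)] += 1
    return counts


def discover(lines):
    """Inventory endpoints, splitting GraphQL traffic by operation name."""
    counts = Counter()
    for line in lines:
        method, path, body = _parse(line)
        key = normalize_rest(method, path)
        if path == "/graphql" and method == "POST":
            key = f'{key}#{graphql_operation(body)}'
        counts[key] += 1
    return counts


def unapproved(lines, approved=APPROVED):
    """Endpoints seen in traffic that nobody registered: the shadow API list."""
    return sorted(set(discover(lines)) - approved)


if __name__ == "__main__":
    print("REST-only view:", dict(path_only_view(SAMPLE_LOG)))
    print("Per-operation view:", dict(discover(SAMPLE_LOG)))
    print("Unapproved:", unapproved(SAMPLE_LOG))
```

The contrast between `path_only_view` and `discover` is the point of the example: a rule keyed on method and path counts three identical `POST /graphql` requests and cannot tell a read of a user's email from a password reset, while the per-operation view exposes the unregistered mutation and the anonymous query alongside the undocumented `/internal/export` endpoint.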
Tools don’t talk
We can spend loads of time rolling out technology and security tools, but at the end of the day those tools still need to talk to each other and give you an end-to-end picture of your traffic and your vulnerabilities.
Really, tools must fit into your workflow, not the other way around. For example, your WAF should trigger a Slack message, JIRA ticket, and PagerDuty notification. It should flow into a central data analysis tool where it can be correlated with other insights. Data sitting on its own in a dashboard you have to manually pull insights from isn’t particularly helpful in getting an end-to-end view of your traffic. By integrating with your other tools and workflows, you can get a comprehensive picture of your systemic attack surface and threats that arise in it. For example, two alerts from two different tools may mean nothing when examined at different times or under different contexts, but when correlated in a central system, they might be related — far more useful for detection.
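The last sentence above describes a correlation rule: alerts that are unremarkable on their own become interesting when a central system sees them together. The following is an added example, not code from the original post or from any product it names. It takes constructed alerts from two hypothetical tools (a WAF and an identity provider), groups them by source address, and raises an incident only when alerts from at least two distinct tools fall inside one time window. The alert fields, tool names and sample values are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed alerts as they might arrive in a central analysis system
# (sample data, not real events). Each tool emits these independently.
SAMPLE_ALERTS = [
    {"tool": "waf", "ts": "2024-05-01T10:00:00Z", "source_ip": "203.0.113.5",  "event": "sqli_pattern_blocked"},
    {"tool": "idp", "ts": "2024-05-01T10:03:00Z", "source_ip": "203.0.113.5",  "event": "repeated_failed_logins"},
    {"tool": "waf", "ts": "2024-05-01T10:05:00Z", "source_ip": "203.0.113.5",  "event": "path_traversal_blocked"},
    {"tool": "waf", "ts": "2024-05-01T08:00:00Z", "source_ip": "198.51.100.9", "event": "sqli_pattern_blocked"},
    {"tool": "idp", "ts": "2024-05-01T13:00:00Z", "source_ip": "198.51.100.9", "event": "repeated_failed_logins"},
    {"tool": "waf", "ts": "2024-05-01T11:00:00Z", "source_ip": "192.0.2.77",   "event": "rate_limit_exceeded"},
]


def parse_ts(value):
    """Parse an RFC 3339 timestamp; the 'Z' suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts by source IP into time clusters; an incident is a cluster
    that contains alerts from two or more different tools."""
    by_ip = {}
    for alert in alerts:
        by_ip.setdefault(alert["source_ip"], []).append(alert)

    incidents = []
    for ip, group in by_ip.items():
        group.sort(key=lambda a: parse_ts(a["ts"]))
        cluster = []
        # A trailing None sentinel flushes the last cluster without duplicating logic.
        for alert in group + [None]:
            if alert is not None and (
                not cluster or parse_ts(alert["ts"]) - parse_ts(cluster[0]["ts"]) <= window
            ):
                cluster.append(alert)
                continue
            tools = sorted({c["tool"] for c in cluster})
            if len(tools) >= 2:
                incidents.append({
                    "source_ip": ip,
                    "tools": tools,
                    "alert_count": len(cluster),
                    "start": cluster[0]["ts"],
                    "end": cluster[-1]["ts"],
                    "events": [c["event"] for c in cluster],
                })
            cluster = [alert] if alert is not None else []
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print(incident)
```

Run on the sample data, only 203.0.113.5 produces an incident: the WAF block and the failed-login burst are three minutes apart and so land in one cluster. The other address also tripped both tools, but five hours apart, which the window treats as unrelated; tighten the window to a minute and even the first case dissolves into isolated alerts, which is the "examined at different times or under different contexts" failure the text describes.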
The bottom line
There’s a common thread connecting these reasons security tools feel less effective today than they were two years ago — silos. The tools don’t talk to each other and the teams don’t talk to each other, and instead of leaning into each other’s strengths, organizations buy more tools, which only adds to the problem.
We need integrated, consolidated tooling that works across teams. The path to getting there, however, is more complicated. We need to understand each other’s workflows and ensure the tools we use fit into them. Organizations must make updating and consolidating their processes and security stacks a priority, or the complexity will continue to build and the likelihood of something going wrong will grow.
Download the full report to dig in deeper on this topic.