The Willy Wonka World of Application Security Defenses

One doesn’t have to be a magician to understand how to track the hundreds, if not thousands, of applications that are running on your network. To lighten the load and eliminate the need for having supernatural abilities, let’s go over some simple tasks a security defender can take to track, detect, and even block application threats.

Finding Your Applications

Finding applications typically depends on the architecture platform and the software tracking tools available.

Some examples would be:

• On-prem or cloud-based Windows and Linux operating systems: Use an EDR like Microsoft Defender for Endpoint
• Cloud-based applications: Use a CSPM like Defender for Cloud

Determining Your Application Detection Tools

The methods for tracking these applications vary by vendor. Ideally, a query tool will be available that allows you to manipulate the search results as needed to produce useful reports and dashboards.

Some suggestions on what to track are:

• Operating System Installed applications – Your EDR may support vulnerability scanning, which can identify unpatched/risky applications, as well as malicious software planted by intruders.
• Web-based applications – Don't forget that many 'applications' are web-based and not necessarily installed on a physical/virtual machine. For example, Gmail.com or SalesForce.com are web-based applications. Nonetheless, they are just as important to monitor as a locally installed app. An EDR that shares information with a CASB (e.g., Defender for Endpoint and Defender for Cloud Apps) can track these web apps.
• Cloud/Container-based applications – A modern DevOps teams might create cloud-based applications using cloud-specific resources such as Kubernetes and serverless resources like AWS Lambda and Azure Functions. A CSPM like Defender for Cloud can help monitor these applications.

Detecting and Blocking Malicious Activity in Applications

Once the location and type of applications are identified, a strategy on how to detect malicious activity can be created. Some suggestions on what malicious activity to track are:

• Operating system-based attacks: EDRs are good at detecting thousands of malicious activities at the operating system level.
• Web-based attacks: Many web-based apps should be placed behind a WAF, which can provide many threat detection capabilities.
• Container-based attacks: Container-based apps should have their container images scanned in an operational state, as well as scanning the repository in which the images are stored. This is often performed by a ‘cloud workload protection platform (CWPP)’ feature offered by a cloud service provider.

But Wait, There’s More...

There are also ways to ‘block list’ applications. Some examples are WDAC – Windows Defender Application Control and Microsoft Defender for Cloud Apps.

For more suggestions on protecting cloud-based applications, see the ‘Well Architected Framework’ documentation for your cloud provider. You can also use a Zero Trust Network Access architecture (or SASE – Secure Access Service Edge) for protecting applications, but that’s outside the scope of this article.

Summary

Detecting and eliminating risky applications is a critical responsibility for cyber defenders. No one tool will likely be able to perform this task so an understanding of the variety of applications and how to protect each is necessary.

References

• Azure Well Architected Framework Workloads
• Blocking Applications with WDAC
• WDAC Policies

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.