Gartner Blog Network

2012 Redux: What Is Application Security Monitoring?

by Anton Chuvakin  |  July 5, 2018  |  4 Comments

Now, when you hear the phrase “application security monitoring”, what picture comes to mind? For me, nothing does…

As I said in February 2012, “the industry has not yet figured out what application security monitoring (ASM) is.” Hey, guess what? We still haven’t! And half a decade has passed.

This discussion’s starting point is obvious: there is no specific technology or product type called “ASM.” Is ASM a practice? Is ASM merely a SIEM use case [many think so]? Is ASM another term for RASP, as implied here?

Frankly, I am not sure. And this makes me sad.

As we are working on our updated modern SOC paper, we are realizing that application security will again get the short stick, and be booted out into the cold, and then thrown out with the bath water….

But what can we do? Sure, we can get the application logs flowing into a SIEM and/or UEBA. And …ahem… some vendors ship some use case content, but not much. Unimpressive 🙁

We can focus on one type of application, like web applications (WAF –> SIEM), databases (DCAP/DAP –> SIEM) or ERP (some niche monitoring tech –> SIEM). But it would be narrowly focused on this type alone. Not great 🙁

We can go obsess about RASP, but seriously – have you even seen RASP (“Hey man, do you believe in the Bible?” – “Hell yeah! I’ve seen one!”… but RASP… not so much). Nope, not this one either 🙁

Perhaps you can help? How do you monitor applications for security issues? How do you detect application-level threats that bypassed your preventative controls? Does your SOC “do appsec?”

There you have it … this came out as a true #incompletethought …


Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on 2012 Redux: What Is Application Security Monitoring?

  1. Andrew Johnson says:

    For the most part, I just look for authentication logs and flow/volume (whether network flow or just raw low volume) data. I can at least do some basic user behavior with that. Application teams are usually able to provide me with that level of context with minimal-moderate effort.

    Analysts are also more likely to effectively respond to those sorts of alerts. Are there any SOCs that can effectively respond to DCAP/DAP alerts that aren’t just jockeying the alerts to database teams?

    • Thanks for the comment. Indeed, in the absence of better data, I will also fall to “auth logs” and “connectivity logs of some sort”

      However, we both probably realize that this does not really look deep into the app….

      Re: DCAP – apart from my mild disdain for DCAP [too fuzzy, by a mile], you are mostly correct. Just as with DLP [where the data owner often must help], much of database alert analysis may need a DBA to triage.

  2. Matthew Schofield says:

    Popquiz: Business fraud in or out as a use case for Application Security Monitoring?

    • This is a VERY painful question, indeed. Frankly, I am not sure. Perhaps fraud is part of ASM…or not. Seriously, cannot answer this one 🙂 This probably means it IS a very good question.
