Blog post

2012 Redux: What Is Application Security Monitoring?

By Anton Chuvakin | July 05, 2018 | 4 Comments

securitymonitoringapplication

Now, when you hear a phrase “application security monitoring”, what picture comes to mind? For me, nothing does…

As I said in February 2012, “the industry has not yet figured out what application security monitoring (ASM) is.” Hey, guess what? We still haven’t! And half a decade has passed.

This discussion starting point is obvious: there is no specific technology or a product type called “ASM.” Is ASM a practice? Is ASM merely a SIEM use case [many think so]? Is ASM another term for RASP, as implied here?

Frankly, I am not sure. And this makes me sad.

As we are working on our updated modern SOC paper, we are realizing that application security will again get the short stick, and be booted out into the cold, and then thrown out with the bath water….

But what can we do? Sure, we can get the application logs flowing into a SIEM and/or UEBA. And …ahem… some vendors ship some use case content, but not much. Unimpressive 🙁

We can focus on one type of application like web application (WAF –> SIEM), databases (DCAP/DAP –> SIEM) or ERP (some niche monitoring tech –> SIEM). But it would be narrowly focused on this type alone. Not great 🙁

We can go obsess about RASP, but seriously – have you even seen RASP (“Hey man, do you believe in Bible?” – Hell yeah! I’ve seen one!”… but RASP… not so much). Nope, not this one either 🙁

Perhaps you can help? How do you monitor applications for security issues? How do you detect application – level threats that bypassed your preventative controls? Does your SOC “do appsec?”

There you have it … this came out as a true #incompletethought …

Related blog posts (some half a decade old, but hey..):

Comments are closed

4 Comments

  • Andrew Johnson says:

    For the most part, I just look for authentication logs and flow/volume (whether network flow or just raw low volume) data. I can at least do some basic user behavior with that. Application teams are usually able to provide me with that level of context with minimal-moderate effort.

    Analysts are also more likely to effectively respond to those sorts of alerts. Are there any SOCs that can effectively respond to DCAP/DAP alerts that aren’t just jockeying the alerts to database teams?

    • Thanks for the comment. Indeed, in the absence of better data, I will also fall to “auth logs” and “connectivity logs of some sort”

      However, we both probably realize that this does not really look deep into the app….

      Re: DCAP – apart from my mild disdain for DCAP [too fuzzy, by a mile]. you are mostly correct. Just as with DLP [where the data owner often must help], much of database alert analysis may need a DBA to triage.

  • Matthew Schofield says:

    Popquiz: Business fraud in or out as a use case for Application Security Monitoring?

    • This is a VERY painful question, indeed. Frankly, I am not sure. Perhaps fraud Is part of ASM…or not. Seriously, cannot answer this one 🙂 This probably means it IS a very good question.