Now, when you hear the phrase “application security monitoring”, what picture comes to mind? For me, nothing does…
As I said in February 2012, “the industry has not yet figured out what application security monitoring (ASM) is.” Hey, guess what? We still haven’t! And half a decade has passed.
The starting point for this discussion is obvious: there is no specific technology or product type called “ASM.” Is ASM a practice? Is ASM merely a SIEM use case [many think so]? Is ASM another term for RASP, as implied here?
Frankly, I am not sure. And this makes me sad.
As we are working on our updated modern SOC paper, we are realizing that application security will again get the short stick, and be booted out into the cold, and then thrown out with the bath water…
But what can we do? Sure, we can get the application logs flowing into a SIEM and/or UEBA. And …ahem… some vendors ship some use case content, but not much. Unimpressive 🙁
We can focus on one type of application, like web applications (WAF –> SIEM), databases (DCAP/DAP –> SIEM) or ERP (some niche monitoring tech –> SIEM). But each of these is narrowly focused on that one application type alone. Not great 🙁
We can go obsess about RASP, but seriously – have you even seen RASP? (“Hey man, do you believe in the Bible?” – “Hell yeah! I’ve seen one!”… but RASP… not so much.) Nope, not this one either 🙁
Perhaps you can help? How do you monitor applications for security issues? How do you detect application-level threats that bypassed your preventative controls? Does your SOC “do appsec”?
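For what it is worth, here is the shape such a SIEM use case takes once application logs are actually flowing: detection logic that needs application semantics (who owns a record, who may change a role) that a WAF or network sensor never sees. This is an added example, not code from the original post; the log lines, field names and the `ADMINS` set are constructed for illustration and do not reflect any product’s schema.

```python
"""Added example: two application-level detections of the kind an ASM
use case in a SIEM would need. Log lines and field names are constructed
assumptions, not any product's schema."""
import json
from collections import defaultdict

# Constructed application audit events, one JSON object per line.
# "owner" is the record's owner; a WAF cannot know that relationship.
SAMPLE_LOG = """\
{"ts":"2017-06-01T10:00:01Z","user":"alice","action":"read","object":"invoice","owner":"alice","status":200}
{"ts":"2017-06-01T10:00:02Z","user":"alice","action":"read","object":"invoice","owner":"bob","status":200}
{"ts":"2017-06-01T10:00:03Z","user":"alice","action":"read","object":"invoice","owner":"carol","status":200}
{"ts":"2017-06-01T10:00:04Z","user":"alice","action":"read","object":"invoice","owner":"dave","status":200}
{"ts":"2017-06-01T10:00:05Z","user":"bob","action":"read","object":"invoice","owner":"bob","status":200}
{"ts":"2017-06-01T10:00:06Z","user":"bob","action":"set_role","object":"user","target":"bob","role":"admin","status":200}
"""

ADMINS = {"root"}  # constructed: the only accounts allowed to change roles


def parse(log):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def detect(events, cross_owner_threshold=3):
    """Return findings for two patterns the application itself accepted:
    1. one user successfully reading records owned by many other users
       (an authorization weakness being exercised, not blocked upstream);
    2. a non-admin account successfully changing a role (privilege change).
    Only status 200 counts: failures were already stopped by the app."""
    findings = []
    cross_owner = defaultdict(set)
    for e in events:
        if e.get("status") != 200:
            continue
        if e["action"] == "read" and e.get("owner") != e["user"]:
            cross_owner[e["user"]].add(e["owner"])
        if e["action"] == "set_role" and e["user"] not in ADMINS:
            findings.append(("privilege_change_by_non_admin", e["user"], e["ts"]))
    for user, owners in cross_owner.items():
        if len(owners) >= cross_owner_threshold:
            findings.append(("cross_owner_access", user, sorted(owners)))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

The point is not the two rules themselves but that neither can be written without the application telling the SIEM what “owner” and “role” mean, which is exactly the use case content that is missing.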
There you have it … this came out as a true #incompletethought …
Related blog posts (some half a decade old, but hey…):
- Why SIEMs [Didn’t Deliver] Application Log Analysis?
- More on Application Security Monitoring (2012!)
- Many Faces of Application Security Monitoring (2012 as well)
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.