CISOs Clamor for Better App Monitoring Tools

In the history of IT security, the sector’s traditional tools and solutions have rarely appeared as inadequate as they do now.

Over the past four years, the multitude of ransomware attacks resulted in scores of breaches and generated a long string of embarrassing headlines: Colonial Pipeline, JBS and Kaseya, among others. There are many causes of the current security crisis, but some of the trouble can be traced to relatively complex and interconnected cloud environments.

For all the ways the cloud has revolutionized digital business, the technology has also thrust IT security into a far more nebulous and complex environment in which detecting attacks and vulnerabilities is more challenging than ever. Additionally, at a time when companies are more dependent on applications, too few security teams are equipped to prevent the introduction of vulnerabilities into apps in production.

The many inadequacies in today’s security methods—and the plunging confidence in them—are reflected in a global survey of 1,300 chief information security officers (CISOs) conducted in April 2022 by Coleman Parkes Research. In one of the most telling revelations, the survey indicated that despite deploying multilayered security systems, 75% of CISOs said they still fear too many vulnerabilities seep into app production.

Another revealing element in the survey is the growing need for greater automation and observability in IT security. As they confront far more complexity amid the rise of multi-cloud and hybrid cloud environments and navigate multiple coding languages and open source software, CISOs say they need solutions that meld security with visibility—the kind that detects, in real-time, vulnerabilities and attacks.

IT Teams and Apps are Under Siege

Nearly 80% of the CISOs surveyed said continuous and automated runtime vulnerability management is paramount to closing the many gaps that current solutions can’t cover. Yet, at the same time, a mere 25% of security teams have access to accurate and continuously updated reports of every app and code library running in production, the survey showed. These teams operate in the dark.

Consider all the factors that obscure security teams’ ability to get an accurate and comprehensive picture of what’s occurring in their live apps today. As organizations strive to speed up innovation, many have embraced open source code, though harmful vulnerabilities lurk within many third-party libraries.

Meanwhile, demands to accelerate digital transformation at companies across the globe have generally led to less accountability during the application development process. Many developers simply lack the resources to accomplish this.

When asked to identify the factors that make it most difficult to pinpoint and resolve application vulnerabilities, 61% of the surveyed CISOs pointed a finger at third-party code. More than half of the CISOs said the speed of modern software delivery makes it easier for vulnerabilities to re-enter production after remediation.

App Vulnerabilities are Here to Stay 

While Log4Shell—a zero-day vulnerability discovered in late 2021 that affected millions of live applications using Java libraries—is a serious vulnerability, this kind of threat isn’t unique.

Vulnerabilities discovered years ago are still exploited today. Patches created for those vulnerabilities were likely at times applied incorrectly. Or, the patching may have been rolled back for varying reasons. Some vulnerabilities were resurrected through code that wasn’t merged correctly, and others were introduced via new code written on some outdated version of the branch. While the media has speculated about Log4Shell’s potential to become endemic, the reality is application vulnerabilities of this magnitude are always endemic.

Like vampires, vulnerabilities rarely stay dead. Maybe that’s why 95% of survey respondents said they faced risk exposure from Log4Shell and why 35% acknowledged their risk is “high” or “severe.”

Security Teams Require Modern Tools

Eliminating or mitigating vulnerabilities in the development stage is critical, but the available tools aren’t designed for the level of complexity presented by cloud environments. They’re also woefully inadequate at evaluating and prioritizing the risk levels of vulnerabilities.

You protect applications in one of two ways: while they’re being built or by constructing a protective perimeter around them. Web application firewalls attempt to sift traffic coming into an application from the internet and check for malicious code, but there’s no way to catch everything. Most lack the runtime context needed to understand the difference between minor risks and potentially catastrophic exposure. Because of their inability to make these distinctions, current tools inundate teams with countless and largely worthless alerts—a combination of false positives, duplicates, or low-priority items. They’re a digital “boy who cried wolf.”

When the surveyed CISOs were asked to name the biggest benefits associated with increased use of AI and automation in security practices, 63% cited the prioritization of vulnerabilities so teams can make the most effective use of time, and 44% said the reduction of alert storms and minimizing false positives so teams can focus on vulnerabilities that matter.

Zeroing in on Vulnerabilities and Attacks

In a security climate riddled with compromises and breaches, CISOs need tools that provide a topology that understands and reports on what’s running in an environment, delivers performance metrics and provides visibility into how different components relate to one another. It’s essential for CISOs to know exactly what’s occurring in app production, as well as pinpoint the locations of vulnerabilities and attacks.

Lastly, not all vulnerabilities pose the same level of risk. Not all are exploitable. Security teams need to determine the risk level involved with a vulnerability. Adding a layer of security that provides the convergence of security and observability is one of the most strategic moves they can make.


Amit Shah

Amit Shah is director of product marketing at Dynatrace.
