
Splunk AppDynamics with Cisco Secure Application

CaitlinHalla
Splunk Employee

Web applications unfortunately present a target-rich environment for security vulnerabilities and attacks. Adding in sometimes hundreds of third-party dependencies and multiple services coordinating across a variety of technologies exponentially increases the impact and likelihood of these threats. Thankfully, Splunk AppDynamics (AppD) reduces the risk of application security exposure and additionally provides many features and capabilities to optimize hybrid and on-prem application performance. To name a few, AppD offers:

  • Features to help identify application issues in real time, and tools to prioritize how to tackle those issues based on business metrics and impacts
  • Root cause analysis from anywhere in your stack with AI-driven anomaly detection
  • Business iQ business performance monitoring to understand how application performance directly influences critical business metrics
  • Digital Experience Monitoring (DEM), complete with Real User Monitoring (RUM) and Synthetic monitoring, for insight into how end users interact with applications and for observing the availability and performance of web apps and APIs
  • Network monitoring to quickly isolate network performance issues with complete visibility into owned and unowned network, ISP, API, SaaS, and third-party services
  • Application security from inside your runtime environment with the detection of vulnerabilities, blocking of attacks, and insight into potential business impacts 

In this post, we’re going to dig into the capabilities provided by Splunk AppDynamics with Cisco Secure Application and check out how they help enhance application security with real-time threat detection and prevention. 

Splunk AppDynamics with Cisco Application Security

With Cisco Secure Application, you can easily get complete security insight and protect your applications at runtime. Typically, security scans take place before an application is deployed to production, and scans continue to take place on a monthly or quarterly basis. But Cisco Secure Application continuously detects and blocks attacks. It also reveals the potential business impacts of these attacks and vulnerabilities so you can see and fix what matters to minimize business risk and easily prioritize issues. 

Cisco Secure Application features are built into Splunk AppDynamics APM Agents for: 

  • Java
  • .NET Core
  • Node.js

Note: To monitor application security, you must first enable security for the application using the Cisco Secure Application dashboard.

Overview

The Cisco Secure Application home page provides a comprehensive and quick view of attacks and vulnerabilities. 

Business transactions provide details about the vulnerability risk of each business transaction, and the overview of vulnerabilities, attacks, and applications helps you quickly identify and respond to security incidents.


Applications

The Applications page provides details on monitored nodes that are registered with Cisco Secure Application for the managed applications. Here, you’ll find a centralized view of all security-related details for your applications. This real-time data allows you to detect and respond to any applications that might not have security enabled for complete application coverage. 


Stats on the nodes of managed applications are also available in this view. Nodes are categorized as:

  • Active: the number of nodes that are actively communicating with the AppDynamics Controller
  • Supported: the number of nodes registered with Cisco Secure Application
  • Ready: the number of nodes that can be successfully registered
  • Enabled: the total number of nodes that have security enabled for the applications
  • Secured: the number of secured nodes
  • Trend: the number of supported, enabled, secured, active, and ready nodes against the day of the month

You can also quickly navigate to the flow map by clicking on the map icon to get a holistic view of the overall application performance. 

Libraries

The Libraries page breaks down details for existing libraries used within applications that require remediation. 


Applications that use the corresponding library along with Tier (the application tier that is vulnerable because of its relationship to the corresponding library) are also easily visible. You can again click the map icon next to an application to view the application flow map in the AppDynamics dashboard. 

This view also provides quick insight into: 

  • The Highest Cisco Security Risk Score – an estimate of exploitation based on real-time events of the vulnerability in the wild
  • The highest Common Vulnerability Scoring System (CVSS) score
  • Total vulnerabilities or the number of vulnerabilities based on severity 
  • Remediation – the recommended version of the library that can be used for remediation
  • Status of the vulnerable libraries

Libraries that are categorized as "Critical" are potentially exploitable by a bad actor, which could disrupt your services or, worse, give access to customer data. These items should be prioritized for immediate triage.

You can also click on a specific library to view vulnerabilities for that library: 


Having this information easily visible means teams can quickly identify and prioritize the most critical vulnerabilities and threats. Impacted applications, version tracking, and remediation candidates provide insight into the impact and the actionable steps to take in order to keep the application secure.

Vulnerabilities

The Vulnerabilities page provides a complete view of the security of your services, focusing on the types and instances of vulnerabilities instead of on each library. It includes a real-time trend graph that shows the number of both fixed and open vulnerabilities. 


Vulnerabilities are displayed by severity level, and the Severity Trend chart summarizes the trend of fixing open vulnerabilities. There’s also a Days Since First Detected chart showing the number of days each vulnerability has been open versus its severity.

All of this detailed vulnerability information provides fast impact analysis and in-depth information on each vulnerability along with suggested fixes through remediation candidates. 


Attacks

The Attacks page is critical to providing information about attacks against your services. With real-time threat detection, you can get a high-level overview of security threats and the applications that they impact. 


Attacks By Outcome represents the total number of attacks based on their states, and the Top Applications chart displays the top 10 applications based on attacks per application. 

Attacks are also categorized to give a clear breakdown of their nature. Attack types include SQL Injection, where an attacker attempts to use unsanitized input to execute custom SQL statements that expose or manipulate private data; Remote Code Execution (RCE), where an attacker attempts to gain access to a system and execute custom code; and others such as:

  • DESERIAL
  • LOG4J
  • SSRF
  • MALIP

You can dig into specific attack details to view things like stack traces, source details, and the impacted business transaction:


Note: If you have Configure permission for Cisco Secure Application, you can create or customize policies for vulnerabilities and attacks to specify which runtime behaviors to ignore, detect, or block.

Cisco Secure Application Architecture and Installation

How does this all work and how do you get started with Cisco Secure Application? According to the Secure Application Architecture documentation:

  1. Install the supported APM Agent and then add the Cisco Secure Application license.
  2. The APM-managed application runs and the APM Agent retrieves the data to send to the Controller.
  3. The Cisco Secure Application service retrieves the application, tiers, and nodes data from the Controller.
  4. The APM Agent communicates with the Cisco Secure Application service to check if the security is enabled for the application.
  5. If the security is enabled, then the agent downloads the configuration along with the policies from the Cisco Secure Application service. 
  6. Based on the configured policies, the agent sends the security events to the Cisco Secure Application service.
  7. The service collects all the data, analyzes the application behavior, and then provides the analyzed data to the Cisco Secure Application dashboard. 


Wrap Up

Splunk AppDynamics with Cisco Secure Application provides real-time insight into the security health of your applications. Instead of waiting for a deploy to get visibility into vulnerabilities, Cisco Secure Application provides visibility at runtime and continuously detects and blocks attacks. This helps you quickly see and fix what matters to minimize business risk and easily prioritize what to work on. 

If you’re ready to get started with Cisco Secure Application, you can first check out the requirements, install the agent that supports your environment, and then contact your Splunk AppDynamics sales representative or email salesops@appdynamics.com to have a Cisco Secure Application license provisioned. More info can be found in the Application Security Monitoring Getting Started docs.
