Chapter 4. How to Achieve the Integrated Approach
In this chapter, we cover the concept of cloud edge and cloud core and what technologies reside within each. Because you will hear these terms often when working with cloud environments, it makes sense to cover them first. The purpose of this discussion surrounding edge and core is to understand that you cannot effectively protect the core without adequately protecting the edge first. But how can organizations achieve integration with all the defensive lines previously discussed in Chapter 3? And what are the pros and cons of on-premises security operation centers (SOCs) versus outsourced SOCs? Let’s take a look at the terms “cloud edge” and “cloud core” first, before moving on to discussing how to achieve integration. Then, we end with a comparison of SOC approaches.
Cloud Edge and Cloud Core
When looking from the perspective of a visitor (or attacker) who wants to gain access to your public-facing web applications, the traffic first arrives at what we again call the cloud edge. Today, there are cloud providers that have built their cloud edge from the ground up, implementing all the security technologies listed here:
Edge routers
DDoS defenses
Managed DNS
Reverse proxies
Bot management
Web application firewalls
API defenses
Caching
Conversely, in cloud environments, you will often hear the term cloud core. The cloud core is where the web applications reside. Inside the core, you will often find compute, storage, connectivity, and, of course, databases containing private and highly valuable data. Also, you will often find other security-related technologies that perform encryption, access control, key management, and so forth that are more often thought of in the context of the core because that is where they most often reside.
Integrate Like a Modern Military
The modern military uses the concept of integration in all its defenses by way of capturing and communicating internal threat intelligence gained about the tactics, techniques, and procedures of their adversaries. This intelligence is shared across each of the preceding lines of defense as well as to the lines that follow. What is achieved here is that the lines of defense begin to work in unison, in an integrated fashion, providing synergy and cooperation between all lines of defense. The aim of integrating the lines of defense is to address the shortcomings of the original “definition,” which calls for “independent” lines of defense.
Cybersecurity lines of defense must be aware of each other, much like a modern military, in order to achieve a modern Defense in Depth (DiD) approach to web application security. All lines of defense must be fully capable of sharing internal threat intelligence bidirectionally between all other lines. In addition, where one line simply does not have the ability to block something malicious, another line must be engaged that can perform the required action. Next, let’s discuss how integration is achieved in cybersecurity today.
How Integration Is Achieved Today
I know of only two ways organizations can integrate the lines of defense outlined in Chapter 3: either through a single user interface or through human expertise. Let’s take a look at how these two solutions work, including the advantages and challenges of each so that you can figure out which is best for your organization.
Method One
The first method of integration between the lines is achieved by integrating the user interfaces (UIs) that provide access to all lines of defense. In most organizations, every technology in each line of defense comes with its own UI. This results in many different operating requirements, areas of expertise, and expenses. Most organizations today operate with dozens of UIs.
On the other hand, there are some promising steps being made in the cloud. For example, some cloud-based web application security vendors offer a fully integrated UI, from which all defensive lines can be accessed, monitored, controlled, configured, and supported—all from a single screen. An integrated UI is one of the first steps that should take place in a modern DiD approach to better web application security.
Although integrating the UIs of the deployed security technologies is an advantage to overall technology management, it can give you the impression that the lines of defense are actually fully integrated “under the hood.” Unfortunately, that’s not always the case. The following is an example of what I mean by this:
Organizations often receive tactical threat intelligence from external sources in the form of threat feeds, and an integrated UI can be used to help push those threat feeds to the various lines of defense. However, one major challenge organizations face is that this is nearly always a manual process, and it does not always address the collection and sharing of internally gained threat intelligence similar to the modern military. Also, it does not address automating configuration changes on one line of defense from the intelligence gained from another line. Let’s look at different approaches.
Method Two
The next level of integration being achieved today is by way of human expertise. This concept holds a great deal of promise and is beginning to be adopted by various organizations. For example, many of today’s cloud-based web application security providers who offer the highest levels of security-as-a-service (SECaaS) are integrating their security technologies through integrated UIs as well as by human expertise. They’re integrating the aforementioned lines of defense with multiple security operation centers, operating 24/7 and fully staffed with highly competent security and networking experts. These experts are tasked with operating like a Central Command in the military, integrating the lines of defense by way of proficiently utilizing automation, scripting, and API techniques.
An Approach Similar to the Modern Military
Figure 4-1 presents a comparison that highlights how similar an integrated DiD approach to better web application security is to an actual modern military, which operates under the same precepts, especially concerning integration.
The figure highlights the integration needed to gain better web application security. Reading from left to right, the lines of defense near the bottom are very apparent. At the top, the SOC, acting like a military Central Command, receives logging and alert information from the various technologies and then uses this information to disseminate the adjustments needed in an automated fashion to the appropriate lines of defense via automation, scripting, and APIs. This demonstrates the true power of integration, as all lines of defense begin to act as one cohesive defensive force, similar to a modern military approach.
The Importance of Synergy
The synergy of automation, scripting, and APIs is one of the most vital talents required for SOC teams today. When people hear the term “APIs,” they immediately think of application programmers because they are commonly involved with utilizing today’s APIs. However, in this case, APIs are an extremely powerful tool for security experts who have mastered scripting techniques. When organizations are searching for security experts to be added to their SOC teams, finding those who have extremely high levels of understanding in relation to automation, scripting, and APIs is highly recommended. Let’s take a look at how automation, scripting, and APIs operate within the context of a SOC.
When a log (an alert or event, among other things) is generated by one of the lines of defense, this log is received at a centralized logging system located somewhere in the SOC. At that point, there are two approaches that can be taken. One is to have humans acknowledge the log, figure out what the log means, and then determine whether the log can be acted upon with regard to the other lines of defense. However, a more modern approach would be to receive the log and then automate the calling of a preconfigured script that takes some sort of action on one or more lines of defense, by way of making automated changes through the technologies’ APIs.
Common Example
In the case of later lines of defense, if one of these lines generates a log or alert pertaining to a repeat offender, a script can be called to set up a blocking function at a preceding line of defense quite easily by making a simple change via an API. The concept of scripting is quite powerful due to the ability to write a script one time and then repeatedly call that script to convert a log or alert into an action with very little, if any, human interaction. To help explain this better, let’s observe the following scenario.
For instance, let’s say the Web Application Firewall (WAF) line of defense detects a steady stream of dissimilar web requests that all appear to be malicious, repeatedly coming from the same source IP address (source). The source is not violating any access control list (ACL) rules on the upstream routers, and the source is not participating in a DDoS attack. The source is not attacking the DNS, and it is performing the required TCP three-way handshake with the upstream reverse proxy. The source has a browser with JavaScript enabled and passes all bot challenges, yet the WAF confirms that the source (likely being controlled by an attacker) is trying its best to break into the web application downstream. Can you defeat this activity upstream? Absolutely.
The best way to block this activity is to automate the calling of a script based upon the attacker source IP address, port, protocol, and behavior and then make a change to all preceding lines of defense via their APIs to block the source for a short amount of time. If the offending source eventually stops the unwanted behavior, another script can be called to remove the block and allow that source through as long as it continues to exhibit good behavior. No one would want to block the source IP address indefinitely due to the potential for IP address spoofing, which is very common. In this case, a short-term block is all that is needed.
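The scenario above, from the log arriving at the centralized logging system to the short-lived block at the preceding lines and its later removal, as an added example that is not code from the book. The WAF log lines are constructed, the `UpstreamLine` class is a hypothetical stand-in for a real product’s API (a real script would call the router’s or reverse proxy’s REST API at that point), and the threshold, window, and block lifetime are assumed values:

```python
"""Added example: a small SOC automation loop that turns WAF "blocked" logs for a
repeat-offender source into a short-lived block on the preceding lines of defense,
then lifts that block once its lifetime has passed. Not from the book; the API
client below is a hypothetical stand-in for a product's real API."""
import json
from dataclasses import dataclass

# Constructed sample of a centralized-log stream, one JSON record per line, as a
# WAF might emit it. Timestamps are seconds; sources are documentation addresses.
SAMPLE_LOGS = """\
{"ts": 100, "line": "waf", "action": "blocked", "src": "203.0.113.7", "rule": "sqli"}
{"ts": 101, "line": "waf", "action": "blocked", "src": "203.0.113.7", "rule": "xss"}
{"ts": 102, "line": "waf", "action": "allowed", "src": "198.51.100.9", "rule": null}
{"ts": 103, "line": "waf", "action": "blocked", "src": "203.0.113.7", "rule": "lfi"}
{"ts": 104, "line": "waf", "action": "blocked", "src": "198.51.100.9", "rule": "sqli"}
"""


class UpstreamLine:
    """Hypothetical stand-in for a preceding line of defense (edge router,
    reverse proxy, ...). A real deployment would wrap that product's API here;
    this version only records state so the logic can be exercised offline."""

    def __init__(self, name):
        self.name = name
        self.blocked = set()
        self.calls = []  # audit trail of API calls made on this line

    def block(self, src):
        self.blocked.add(src)
        self.calls.append(("block", src))

    def unblock(self, src):
        self.blocked.discard(src)
        self.calls.append(("unblock", src))


@dataclass
class RepeatOffenderPolicy:
    threshold: int = 3   # WAF blocks within the window before acting (assumed)
    window: int = 60     # seconds (assumed)
    block_ttl: int = 300  # seconds; deliberately short, never indefinite (assumed)


class SocAutomation:
    def __init__(self, upstream, policy):
        self.upstream = upstream  # preceding lines of defense, in order
        self.policy = policy
        self.hits = {}    # src -> timestamps of recent WAF blocks
        self.blocks = {}  # src -> expiry timestamp of the upstream block

    def handle_log(self, record):
        """Called for each record received by the centralized logging system.
        Returns the action taken, or None if the record needs no action."""
        if record.get("line") != "waf" or record.get("action") != "blocked":
            return None
        src, ts = record["src"], record["ts"]
        # Keep only hits inside the sliding window, then add this one.
        recent = [t for t in self.hits.get(src, []) if t >= ts - self.policy.window]
        recent.append(ts)
        self.hits[src] = recent
        if len(recent) >= self.policy.threshold and src not in self.blocks:
            for line in self.upstream:
                line.block(src)  # the "simple change via an API" on each line
            self.blocks[src] = ts + self.policy.block_ttl
            return ("block", src)
        return None

    def expire(self, now):
        """Lift blocks whose lifetime has passed. Because the upstream block
        stops the WAF from seeing the source at all, the TTL is how we give the
        source a chance to show good behaviour again; if it resumes, the WAF
        logs trigger a fresh block. Returns the sources that were unblocked."""
        lifted = []
        for src, expiry in list(self.blocks.items()):
            if now >= expiry:
                for line in self.upstream:
                    line.unblock(src)
                del self.blocks[src]
                self.hits.pop(src, None)
                lifted.append(src)
        return lifted


def run_sample(log_text=SAMPLE_LOGS):
    """Feed the constructed log stream through the automation and return
    (automation, upstream lines, actions taken) for inspection."""
    upstream = [UpstreamLine("edge-router"), UpstreamLine("reverse-proxy")]
    soc = SocAutomation(upstream, RepeatOffenderPolicy())
    actions = []
    for raw in log_text.splitlines():
        action = soc.handle_log(json.loads(raw))
        if action:
            actions.append(action)
    return soc, upstream, actions


if __name__ == "__main__":
    soc, upstream, actions = run_sample()
    print("actions:", actions)
    print("blocked on edge-router:", sorted(upstream[0].blocked))
    print("lifted at t=403:", soc.expire(now=403))
```

Only 203.0.113.7 reaches the threshold; 198.51.100.9 produced a single WAF block and is left alone, which is the point of acting on repeat offenders rather than on every alert. The block is applied to every preceding line in order, and the expiry is what keeps the block short-term, matching the advice above not to block a source indefinitely.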
In the early stages of a SOC, much of this is performed via human intervention. As the SOC team and its support approaches mature, much of this activity can be fully automated. This is the true power being wielded in the hands of today’s advanced SOC personnel.
Value of Intelligence
Beyond the usage of scripts and automation performed by the SOC team, the value of tactical and strategic threat intelligence can be realized. The intelligence gained by “internal means” can be put into action automatically, making it “actionable” threat intelligence. This actionable concept also includes putting threat intelligence gained from external sources into combat, as well. What is achieved is sharing of intelligence across all lines of defense, from the entire edge to the core, and it can eliminate independent lines of defense once and for all.
Comparing On-Premises SOCs and Outsourced SOCs
Many enterprises today have invested heavily in their own on-premises SOCs, which is a great step in the right direction. These on-premises SOCs include a great deal of logging technology (security information and event management [SIEM]) most often staffed by expert security analysts. The advantages of the on-premises SOC equate to measurable improvements in detecting and mitigating attacks, which results in better security.
However, there are a number of challenges facing the on-premises SOC solution: there is a shortage of available analysts and security experts (which is affecting the cybersecurity industry overall), small organizations often cannot afford the salaries these experts are paid, and SOC expert retention rates are poor because their opportunities for career advancement abound. And there is one more drawback to this solution: because the on-premises SOC is working to defend a single organization, its view of the worldwide cyberthreat landscape is somewhat limited to the attacks targeting its own networks, users, and web applications, and so it can be difficult for it to obtain and quantify the broad picture.
In comparison, one of the benefits that an outsourced SOC offers is the value of the crowd-sourced knowledge gained from the many different customers they support daily. Today’s cloud-based providers gain and share information across their entire customer base concerning internet routing conditions, the current state of DNS worldwide, global DDoS-related outages, latest and greatest botnets and their infected hosts, new attacker tactics, techniques, and procedures, latest vulnerability information, and more.
Many agree that there is currently a skills gap in the cybersecurity industry overall. This gap can be improved through collective human oversight by way of outsourced SOC teams managing the security postures of multiple customers simultaneously. This is the whole point of SECaaS, whereby human-based resources are shared among the masses. When automation, scripting, and API usages are in force, the few can quickly and completely support the many.
However, there may be one important drawback when outsourcing your SOC, and it has to do with privacy. Most organizations do not want to share the fact that they are under attack with other organizations for a host of different reasons, which is understandable. Today, especially in the light of the EU’s General Data Protection Regulation (GDPR) and other like regulations, privacy is a major concern and can never be taken lightly. My advice if you are considering an outsourced SOC is to make sure the provider shares only the source of attacks with others and keeps the target identities private.
Conclusion
In this chapter, we covered two methods of integration to empower you to integrate your own lines of defense, similarly to the way a modern military operates. We discussed the importance of synergy and provided examples of how my recommendations can be implemented. Finally, we looked at the tremendous value of actionable intelligence and ended with a discussion about the benefits and challenges of different SOC approaches to help you decide what’s best for your organization moving forward.