2025-07-23

Can standard defensive technologies like web application firewalls (WAFs) and endpoint detection and response (EDR) fully protect today's on-prem and cloud-based applications?

No, according to experts from Contrast Security, which makes an application detection and response (ADR) tool designed to make up the shortfalls of WAFs and EDR.

ADR is a way to comprehensively monitor what's going on inside an application and to take initial steps toward stopping potentially malicious behavior — a crucial ability as attacks upon applications mount.

Many EDR tools try to achieve this with a technology called the extended Berkeley Packet Filter (eBPF), which monitors traffic to and from applications, but whereas eBPF runs from the Linux or Windows kernel, Contrast's ADR places agents inside the applications themselves.

The ADR agent is "actually part of the app," explains Contrast Security CISO Dave Lindner. "It instruments code, and it just starts listening and watches the traffic and looks at all the different functions and classes and everything that's going on in the application."

In that way, Lindner and Contrast Security Co-Founder and CTO Jeff Williams explain, an application-based ADR agent can detect anomalous behavior that's invisible to outside monitoring, such as attempted SQL injection, path traversal or malicious object deserialization.

Why WAFs and EDR can't properly protect applications

"You can see an attempt to modify the meaning of a SQL query," says Williams. "That's SQL injection, and you can observe it, and you can stop it before that query reaches the database."

According to Lindner and Williams, WAFs don't do a good job protecting applications because they're perimeter-based defenses and haven't changed in many years.

"I think the first WAF was, like, 2001," says Lindner. "Back then, we were all about firewalls, like stop things at the front and don't worry about context, block all the ports, do all the things. And so, the WAF was kind of born, and the reality is it hasn't come very far since then."

"By doing it at the perimeter, you don't have the context that you need," adds Williams. "You don't have understanding of what the application is going to do. You can't tell whether it's an attack or not."

While EDRs have evolved a lot and work well at their core functions, their focus lies elsewhere than the application.

"The EDR is focused primarily on the operating system," Lindner says. "It's outside of the app, it's looking at processes and maybe some anomalous things that are happening between processes. But it doesn't have that visibility into the context of what's actually happening in the app."

This lack of visibility has been partly addressed by eBPF, a powerful and widely used technology that runs directly in the Linux or Windows kernel to trace processes and monitor system and application traffic, behavior and performance.

"Most EDR agents are built on eBPF," says Lindner. "It's at kind of a different layer, so it's a little bit more difficult to really get that true application context."

"Things like SQL injection and deserialization and some of the very, very inherent flaws within applications are just impossible for eBPF to even detect," he adds.

While eBPF can only infer what's happening inside an application, and EDR in general does a very good job correlating what's going on in the endpoint OS, neither has the visibility to really know what's going on inside a running application.

How ADR goes where no protection program has gone before

"You can't really tell whether something's an attack just by looking at the traffic," says Williams. "It's like you can't tell exactly who's a robber by looking at people coming through the door of your bank. The attacks are hidden inside the payloads."

Like some other ADR tools, Contrast's ADR goes a step further by inserting its agent directly into applications, where the agent can "instrument" the code: lightly modify it to generate useful monitoring data without altering the application's behavior. (ADRs from other vendors may be "agentless.")

According to Williams, the Contrast ADR agent doesn't do things very differently from common application-performance monitoring (APM), tracing or debugging tools.

"The same way that an APM tool measures the time that it takes to run a SQL query, they put a sensor right in the method that executes that SQL query, and that's what we do for security," he explains. "You can both see vulnerabilities and attempts to exploit those vulnerabilities."

"We know how to watch code run," Williams adds. "But traditional security tools don't do that. They look at source code, or they look at the perimeter, or they bang on an application from the outside, but they don't know what's going on inside the app."

The ADR agent, an evolution of an older technology called runtime application self-protection (RASP), can tell if something untoward is happening within an application and can even take steps to shut down the bad behavior.
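As an added example (not Contrast's code nor the article's), the following Python sketches the kind of sensor Williams describes: a hook in the method that executes a SQL query, which checks whether untrusted request data stayed inside a single SQL token and blocks the query before it reaches the database if it did not. The taint registry, the `users` table and the sample inputs are constructed for the example; a real agent tracks taint from the incoming request rather than relying on a hand-filled list.

```python
import re
import sqlite3

# Constructed example sensor, not Contrast's agent. A real agent tracks taint from the HTTP
# request; here a per-request registry (SensorCursor.untrusted) stands in for that.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


class SqlInjectionBlocked(Exception):
    """Raised when untrusted input has changed the structure of a query."""


def tokens_spanned(sql, value):
    """Count the SQL tokens touched by the first occurrence of `value` in `sql` (0 if absent)."""
    start = sql.find(value) if value else -1
    if start < 0:
        return 0
    end = start + len(value)
    return sum(1 for m in TOKEN_RE.finditer(sql) if m.start() < end and m.end() > start)


def check_sql(sql, untrusted_values):
    """Untrusted data that stays inside one token (one literal, one number) cannot change what
    the query does; data spanning token boundaries has modified the query's meaning."""
    return [v for v in untrusted_values if tokens_spanned(sql, v) > 1]


class SensorCursor(sqlite3.Cursor):
    """The sensor sits in the method that executes the query, as APM tools do for timing."""
    untrusted = []  # hypothetical per-request taint registry filled by the request handler

    def execute(self, sql, parameters=()):
        hits = check_sql(sql, self.untrusted)
        if hits:
            # Block mode: the query never reaches the database.
            raise SqlInjectionBlocked(f"untrusted input spans several SQL tokens: {hits!r}")
        return super().execute(sql, parameters)


def lookup_user(name):
    """Deliberately concatenated query: the vulnerable pattern the sensor is protecting."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's1'), ('bob', 's2')")
    SensorCursor.untrusted = [name]  # the request handler marks the parameter as untrusted
    cur = conn.cursor(SensorCursor)
    try:
        cur.execute("SELECT name FROM users WHERE name = '" + name + "'")
        return [row[0] for row in cur.fetchall()]
    except SqlInjectionBlocked:
        return None  # a real agent would also report the blocked attack
```

The same token-boundary check applies whether the untrusted value lands in a string literal or a bare numeric position, which is why it needs no signature list of attack strings.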

"Anything that's happening in the app, anything that we think is important from the AppSec perspective, we can key in on whether it's business-logic flaws, whether it's path traversal, whether it's cross-site scripting, you know, all the different application-layer attacks," Lindner says. "An EDR would never have insight into it. Just can't. It's just not at that level."

Williams admits that inserting an agent that instruments code into running applications carries some performance cost. But he counters that because the agent can stop attacks before they do further work, the overall impact can be close to zero.

"If you've got a lot of attack traffic, and Contrast is stopping those attacks early before they cause extra database queries to happen, there's actually performance benefit to putting good security in place," he says.

Furthermore, while kernel-based security tools (whether eBPF programs or the CrowdStrike agent whose faulty update caused the July 2024 outages) carry high security risk, ADR agents like Contrast's are comparatively safe to deploy and use.

"It's actually a lot less privileged than you would need to run an eBPF agent or install something in the operating system," says Williams. "Contrast only runs with the application permission, so it can just do what the application does, and so it's very safe."

Why is ADR so new?

In hindsight, the development of in-application ADR agents, which have arisen only in the past year or two, seems almost obvious.

If non-security monitoring tools like debuggers and APM tools can keep an eye on applications without much performance impact, and kernel-level security tools like eBPF can monitor system behavior with little detriment, then why does agent-based ADR appear to be such a novelty?

It's largely a matter of technological improvement, Lindner says.

"Even 10 years ago, using agents and instrumenting code was not performant. It was slow," he says. "But things have gotten so much faster. Compute is cheap, and memory is cheap. It's to the point where it's not really noticeable."

The benefits of this approach are obvious. But agent-based, or even agentless, ADR is just another addition to the security practitioner's toolkit. It fills a need that wasn't being met, and Lindner cautions that it won't necessarily replace older tools and methods that are still useful — like WAFs and EDRs.

"It's not like we're saying to get rid of EDRs and WAFs," he says. "They play their roles."