Today, we announced that we entered into an agreement to acquire Prevoty, an innovator and leader in application security that blocks attacks and monitors interactions from inside the application stack, built for DevOps and agile development. I’m incredibly excited that the Prevoty team will join Imperva.
Our vision is to lead the world’s fight to keep applications and data safe from cyber criminals. The Prevoty product, Runtime Application Self-Protection (RASP, formerly Autonomous Application Protection), will extend our ability to protect application services end-to-end: from the network edge, to within the applications themselves, and ultimately back to the databases where the data are stored.
Application protection within the application is key, for a few reasons:
Executing within the application provides critical context.
For example, RASP not only identifies and blocks attacks, but also sees exactly which code the attack targets. This is useful for two reasons:
- First, it allows organizations to prioritize their vulnerability management programs based on actual attack telemetry coming from their production environment, which dramatically reduces the cost of managing the backlog.
- Second, knowing what code/function an attacker is targeting is highly valuable for understanding attacker objectives, and ultimately assessing risk.
Executing within the application aligns with DevOps, agile development and cloud deployment.
New application services are rolled out and updated at a dizzying rate. Large organizations will have hundreds to thousands of different services, running on thousands to tens of thousands of hosts, and deployed on-premises, in the cloud, and in hybrid environments. RASP was built from the ground up to be deployed as part of an agile and DevOps continuous integration/continuous deployment (CI/CD) pipeline. Once built into the stack, security is automatically deployed with the app and is agnostic to where (e.g., on-prem, in the cloud) the service is deployed and re-deployed.
Executing within the app provides actionable telemetry.
In the end, understanding, and then managing, the security risk to application services, from both external attackers and insider threats, requires understanding how users, applications, and data all interact. RASP can provide additional, valuable context to our existing analytics offerings (Attack Analytics and CounterBreach), furthering our ability to provide actionable security insights.
We released FlexProtect because there is no one-size-fits-all answer for application security. On a daily basis we see different technologies, different development processes, different organizational skill sets and different data center architectures. FlexProtect means that for each organization and architecture we can deliver security that encompasses on-prem, cloud “as-a-service,” and sometimes a hybrid mix of both.
We’ve found that many of our customers are at the point where they want — and their development processes support — building security directly into the apps. RASP allows us to combine the benefits of security built into the application with best-in-class application security applied at the edge. There are benefits to both.
DDoS mitigation is the obvious example of a benefit that belongs at the edge: it makes no sense to try to mitigate a volumetric DDoS attack at the application server level. A more instructive example is dealing with bots and automated attacks, many of which don’t exploit vulnerabilities but rather abuse the application logic itself. Identifying and blocking these attacks requires understanding things external to the application (e.g., request source reputation), that occur over time (e.g., overall request rate across all of a service’s application servers), and/or across multiple targets (the same activity happening across multiple sites).
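To make the rate-aggregation point concrete, here is a small added example (it is not Imperva or Prevoty code, and every host, address and threshold in it is a constructed assumption). A scraper spreads its traffic evenly over three application servers; each server, counting only what it sees, stays under a plausible per-host limit, while the edge, which sees the whole fleet and a reputation feed, flags it:

```python
from collections import Counter, defaultdict

PER_HOST_LIMIT = 50   # what one app server could enforce with only its own counters
FLEET_LIMIT = 100     # what only the edge, seeing every server, can enforce
# Assumed reputation feed: a plain set of known-bad client addresses.
BAD_REPUTATION = {"198.51.100.9"}


def constructed_sample():
    """Constructed request records for one minute: (server, client_ip, path)."""
    records = []
    for server in ("app-1", "app-2", "app-3"):
        # Scraper: 120 requests/minute spread evenly, 40 per server.
        records += [(server, "203.0.113.7", "/catalog")] * 40
    # Ordinary user: 5 requests in total.
    records += [("app-1", "192.0.2.20", "/catalog")] * 5
    # Low-volume source that happens to be on the reputation list.
    records += [("app-2", "198.51.100.9", "/login")] * 2
    return records


def per_host_view(records):
    """What each app server sees on its own: {server: Counter(ip -> requests)}."""
    view = defaultdict(Counter)
    for server, ip, _path in records:
        view[server][ip] += 1
    return view


def host_local_flags(records):
    """Client IPs that any single server would block using only its own view."""
    return {
        ip
        for counts in per_host_view(records).values()
        for ip, n in counts.items()
        if n > PER_HOST_LIMIT
    }


def edge_flags(records):
    """Client IPs the edge flags using fleet-wide rate plus external reputation.

    Returns {ip: reason}.
    """
    fleet = Counter(ip for _server, ip, _path in records)
    flags = {}
    for ip, n in fleet.items():
        if n > FLEET_LIMIT:
            flags[ip] = f"fleet rate {n}/min exceeds {FLEET_LIMIT}"
        elif ip in BAD_REPUTATION:
            flags[ip] = "source reputation"
    return flags


if __name__ == "__main__":
    sample = constructed_sample()
    print("host-local flags:", host_local_flags(sample))   # empty set
    print("edge flags:", edge_flags(sample))
```

The scraper never crosses the per-host limit on any one server (40 of 50), so host-local detection returns nothing; the edge flags it on the combined rate, and flags the two-request source purely on reputation, which no amount of in-app telemetry could have supplied.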
Data security is critical as well. Is the data a service accesses deemed sensitive? Does how, or how frequently, a particular service accesses certain data suddenly change? Is it actually the service accessing the data, or is someone “spoofing” the service by using its credentials (a.k.a. service account abuse)? Answering these questions requires information and context from outside the application itself.
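The three questions above can be turned into simple checks against a per-service baseline. The following is an added illustration, not code from Imperva, Prevoty or CounterBreach; the table names, service accounts, host allowlist, baseline figures and audit events are all constructed, and the 5x deviation ratio is an arbitrary assumption:

```python
from collections import Counter

# Assumed data classification: which tables hold sensitive data.
SENSITIVE_TABLES = {"customers_pii", "card_tokens"}

# Assumed deployment inventory: hosts allowed to present each service account.
SERVICE_HOSTS = {
    "billing-svc": {"10.0.1.10", "10.0.1.11"},
    "report-svc": {"10.0.2.5"},
}

# Constructed baseline: typical rows read per hour, keyed by (service, table).
BASELINE = {
    ("billing-svc", "card_tokens"): 200,
    ("billing-svc", "customers_pii"): 50,
    ("report-svc", "orders"): 5000,
}

# Constructed database audit events for the current hour:
# (service_account, source_host, table, rows_read)
CURRENT_HOUR = [
    ("billing-svc", "10.0.1.10", "card_tokens", 210),
    ("billing-svc", "10.0.1.11", "customers_pii", 2400),   # 48x its baseline
    ("report-svc", "10.0.2.5", "orders", 4800),
    ("report-svc", "10.0.9.77", "customers_pii", 120),     # new table, wrong host
]


def assess(events, baseline=BASELINE, ratio=5.0):
    """Return findings as (service, table, reason, is_sensitive) tuples.

    Three checks, matching the three questions in the text:
      - credentials used from a host the service does not run on (spoofing)
      - access to a table the service has no baseline for (new behaviour)
      - volume more than `ratio` times the hourly baseline (frequency change)
    """
    findings = []
    totals = Counter()
    for service, host, table, rows in events:
        totals[(service, table)] += rows
        if host not in SERVICE_HOSTS.get(service, set()):
            findings.append((service, table, f"used from unexpected host {host}"))
    for (service, table), rows in totals.items():
        base = baseline.get((service, table))
        if base is None:
            findings.append((service, table, "first observed access to table"))
        elif rows > ratio * base:
            findings.append((service, table, f"volume {rows} vs baseline {base}"))
    return [(s, t, reason, t in SENSITIVE_TABLES) for s, t, reason in findings]


def sensitive_findings(events):
    """Subset of findings that touch sensitive tables, for prioritisation."""
    return [f for f in assess(events) if f[3]]


if __name__ == "__main__":
    for finding in assess(CURRENT_HOUR):
        print(finding)
```

The card_tokens and orders reads sit within their baselines and produce nothing; the two customers_pii reads are flagged, one for a volume jump and one for both a never-before-seen table and an unexpected source host. None of these signals (data classification, host inventory, historical volume) exist inside the application process, which is the point of the paragraph above.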
Combining application security at the edge, application security built into the application, and data security, with the telemetry from all three aggregated across our community, is why I’m excited about the Prevoty team joining Imperva and adding RASP to the Imperva product suite. Each is valuable in and of itself. But combined, the whole is greater than the sum of its parts. Together, they can lead to better threat identification and prevention. And aggregating the telemetry can lead to insight into the true security risks facing an enterprise.
According to IDC, global enterprises will spend $1.7 trillion on digital transformation in 2019. A large part of this investment is development and deployment of the new application services that deliver a digital presence to customers, partners and employees. To a digital business, applications are the business processes. Data are the intellectual property. Together, Imperva and Prevoty will be able to protect the application and data from the network edge, into the application itself, and back to the databases.