For most folks focused on securing production applications this is an important question because it can be very difficult to distinguish an attack from an actual breach. Traditionally, most technologies that monitor and protect web apps in production (e.g., web app firewalls) have high false-positive rates due to lack of visibility within the application or out-of-date tuning. Which means when the alarms go off, ops teams have to research and discover if there was an actual attack, and more importantly, did they get in.

It’s that last part I want to focus on – is someone walking down the street trying doors to see what is open? If so, and my door is locked – then I don’t need to respond to it. If my door is unlocked and they are now inside, I need to get out of bed and go deal with them – right now.

Most technology focused on protecting web apps in production (again, WAFs and such, typically) can’t tell the difference. Let’s look at cross-site scripting (XSS): our experience with customers is that there might be 6,000 or 7,000 attempted attacks vs. a single success. Sure, the thousands of attempts are interesting, and if patterns emerge, they can be instrumental in improving defenses, but you don’t need to get out of bed to deal with anything – they are trying doorknobs. The one success? Get up and get moving, as somebody is in your app. Most WAFs or IDSs can’t tell you the difference because they alert on a server side, packet-based signature seeking to detect the attempt. Sure, you can de-dupe, analyze, and investigate – but then you are out of bed and lost that night of sleep. Or, more likely, you kept sleeping because it happens every night…and it’s probably fine, given the odds above. But do you really want to play the odds?

Attack vs. breach (attempted attacks vs. successful attacks) is an important distinction that we try to maintain fidelity to in our product. We find attacks interesting, but breaches actionable – and try to relay that distinction and prioritization to our users.

Attack_notification

We think, given the state of security and the ease of mounting attacks, this distinction will become an increasingly critical criterion for choosing technology to protect apps in production.

Thanks for reading!