Traceable Defense AI M6 and M7 Released

M6 and M7 bring GraphQL and gRPC, new agent support, OpenTelemetry compatibility, business risk visibility and API risk scoring, many new and configurable blocking rules, lots of new discovered data on your API endpoints, and improved enterprise readiness.

Dan Gordon


Traceable development is on a 6 week release cycle. We call those milestones and they roll up features and fixes that have been completed over that 6 week timeframe. This blog series will focus on describing the big and medium rocks that are included in each milestone release.


For this first in the series, we’ve got some catching up to do, so I’ll be covering the last two milestone releases, M6 and M7.


Together, M6 and M7 brought several large advances across the product: support for observing and detecting security events on two popular protocols (GraphQL and gRPC); additional agent support, widening where tracing data can be collected from; agents aligned with the new OpenTelemetry standard; better visibility and risk scoring so security analysts can manage business risk; stronger protection, such as immediate blocking based on IP address ranges and known bad patterns; richer API discovery data, such as whether each API endpoint handles sensitive PII data and whether it requires authentication; enterprise readiness improvements such as SAML authentication integration and usage monitoring; and more. Let’s take a closer look...


New Protocol support for GraphQL and gRPC


GraphQL is a popular protocol optimized for data, with queries which smoothly follow references between multiple resources, getting all the data your app needs in a single request. gRPC is a high-performance open-source RPC framework that can run anywhere. It is a CNCF project with wide usage by companies such as Google, Netflix, Docker, and other prominent organizations.


Traceable can now observe deep tracing details and detect and act on security events for both GraphQL and gRPC.

More and better agent coverage

Traceable agents are the lightweight worker bees of the system which sit inside, next to, and around your applications to capture the tracing details of your app transactions. This rich data enables the Traceable Defense AI system to continually discover, observe, and protect your applications, services, and APIs. The more places the agents can be, the better clarity into the inner workings, and protection, of your applications you’ll have.


In these last two milestones we enhanced agent support in multiple ways:

Agent compatibility


Agent functionality

Making Business Risk Management Easier

Overloaded security analysts, and the engineering teams they work with, all need the ability to focus their activities on the riskiest assets first. This means narrowing all the security insights down to the top priorities. The latest release of Traceable accomplishes that in a few ways.

Calculated API endpoint risk score (Beta)

Traceable Defense AI now takes several data points from API discovery and calculates a risk score for every endpoint in every API. The score is derived from two overall sets of data points: the likelihood of the endpoint being targeted by attackers, and the potential business impact if an attack succeeds. These data sets include information such as whether the endpoint is properly authenticated, whether it handles sensitive data, whether it is internal or external facing, whether it is tagged as a critical endpoint, whether it has parameters, and other checks.



Risk tags on services and API endpoints

Traceable now allows security analysts and engineering teams to directly tag their services and API endpoints as “Critical”, “Sensitive”, and/or “External”. These tags feed into the new risk score so that the more important endpoints stand out.
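The two sections above describe a score built from likelihood factors (reachability, authentication, parameters) and impact factors (sensitive data, criticality), with analyst tags feeding in. The following is an added illustration of that style of calculation, not Traceable’s own algorithm: the `Endpoint` fields, the factor weights, the integer 0-100 scale and the impact floor are all assumptions, chosen only to show how discovered data points and the “Critical”, “Sensitive” and “External” tags can be combined into a score that ranks endpoints for triage.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    """Facts discovered about one API endpoint (field names are assumptions)."""
    name: str
    authenticated: bool        # traffic to the endpoint carries credentials
    handles_sensitive: bool    # PII or other sensitive data observed in traffic
    external: bool             # reachable from outside the perimeter
    has_parameters: bool       # accepts request parameters (more attack surface)
    tags: frozenset = frozenset()  # analyst tags: "Critical", "Sensitive", "External"

# Likelihood: how reachable and attractive the endpoint is to an attacker.
# Integer percentage weights (assumed values) that sum to 100.
LIKELIHOOD_WEIGHTS = {"external": 40, "unauthenticated": 35, "has_parameters": 25}

# Impact: how bad a successful attack would be for the business.
IMPACT_WEIGHTS = {"sensitive_data": 50, "critical_tag": 50}
IMPACT_FLOOR = 10  # no endpoint is treated as entirely risk-free

def risk_factors(ep: Endpoint) -> list[str]:
    """Human-readable list of the factors that contributed to the score."""
    factors = []
    if ep.external or "External" in ep.tags:
        factors.append("external")
    if not ep.authenticated:
        factors.append("unauthenticated")
    if ep.has_parameters:
        factors.append("has_parameters")
    if ep.handles_sensitive or "Sensitive" in ep.tags:
        factors.append("sensitive_data")
    if "Critical" in ep.tags:
        factors.append("critical_tag")
    return factors

def likelihood(ep: Endpoint) -> int:
    """0-100: sum of the likelihood weights whose factor applies."""
    score = sum(LIKELIHOOD_WEIGHTS[f] for f in risk_factors(ep) if f in LIKELIHOOD_WEIGHTS)
    return min(score, 100)

def impact(ep: Endpoint) -> int:
    """0-100: sum of the impact weights whose factor applies, never below the floor."""
    score = sum(IMPACT_WEIGHTS[f] for f in risk_factors(ep) if f in IMPACT_WEIGHTS)
    return max(score, IMPACT_FLOOR)

def risk_score(ep: Endpoint) -> int:
    """0-100 risk score: likelihood combined with impact (integer arithmetic)."""
    return likelihood(ep) * impact(ep) // 100

def rank(endpoints) -> list[tuple[str, int]]:
    """Endpoints ordered highest risk first; ties broken by name for stable output."""
    scored = [(ep.name, risk_score(ep)) for ep in endpoints]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    # Constructed sample inventory, not real discovered data.
    inventory = [
        Endpoint("POST /v1/users/export", False, True, True, True, frozenset({"Critical"})),
        Endpoint("GET /v1/orders/{id}", True, True, True, True),
        Endpoint("GET /internal/debug", False, False, False, True),
        Endpoint("GET /internal/health", True, False, False, False),
    ]
    for name, score in rank(inventory):
        print(f"{score:3d}  {name}")
```

An unauthenticated, external, critical endpoint handling sensitive data lands at the top of the list, while an authenticated internal health check with no parameters falls to the bottom; the `risk_factors` list is what an analyst would want beside the number to understand why.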



Daily threat status change report

The large number of threats and underlying security events can be overwhelming for busy teams, and tasks frequently get preempted by emergencies. Because of this, certain threats or events can be overlooked, and high severity threats can get buried behind lower activity threats or lost in the shuffle.


In addition, it is helpful for management to have a periodic activity summary to understand trends in the overall aggressiveness level of the environment and how effectively the team is addressing the detected threats.


To help in both situations, Traceable can now be configured to send a daily threat status change report highlighting key summary information such as total active threats, new threats, recurring threats, and threats with the most recent activity.



Customized column lists and simplified search & filtering

The more efficiently you can narrow in on what you are looking for, the easier it is to stay on top of what’s going on. To help security analysts and application engineers further focus on the threats and risks they are managing, Traceable now has customizable column views and easier searching and filtering across the user interface.

Improved Protection

The latest two releases have focused on continuing to add to the different ways Traceable can protect your web applications and APIs, including adding the ability to enable/disable the OWASP ModSecurity CRS (Core Rule Set) rules, which are designed to protect web applications from common vulnerabilities and exploits with minimal false positives. Additionally, the latest Traceable releases enhance the way in which you can manage .


Immediate blocking rules (CRS and IP based)

Immediate blocking reduces attack response latency by enabling the blocking of attackers before full learning is complete. We’ve added the ability to immediately block application activity from IP address ranges and from known bad patterns in the OWASP ModSecurity Core Rule Set, which is designed to protect web applications from common vulnerabilities and exploits. We’ve also added the ability to define which of those rules are enabled and disabled.

Detect possible scanners

Detecting possible scanners helps eliminate noise and focus on important issues. The latest Traceable release now identifies possible scanners and makes it easy to filter for them or filter them out.



Manage Security Events More Efficiently

The M6 and M7 releases have also added more abilities around managing security events and threats: grouping similar security events for a cleaner view; excluding further tracking of similar events right from the event (for example, when you get a false positive); and including location information with traces and security events (or the IP address if a location cannot be derived).


Enhanced Information and Better Visibility of Discovered API Details

Traceable’s continuous observation and security event detection enables it to derive API specifications from stateless traffic, showing more details than what you typically see from OpenAPI or Swagger specs. In these releases we’ve added even richer information about each API and API endpoint, as well as made it easier to view that data, and to know when it has changed.


Deeper Insights Into Each API Endpoint

Traceable discovers and makes visible important information about each API endpoint, such as its usage characteristics, which service is the predominant caller, the typical status codes it returns, whether it is authenticated, and whether it handles sensitive data. To do this, Traceable also learns the entire endpoint definition, including details of all the parameters of each API endpoint, and makes them browseable in a simplified, tabulated API definition view.



Easy Access to API Endpoint Definitions from Everywhere

We’ve added a float out API definition sheet to make it easy to access the detailed definition of your API endpoints from anywhere that your endpoints are listed. This makes it more efficient to explore and analyze all the details which Traceable knows about your APIs and their endpoints.



API Change Management

This latest release adds the ability for Traceable to track and flag any new or updated parameters in the requests or responses of API endpoints. The flags show for a configurable 7 day window. API change management helps security and engineering teams focus on the potential risk associated with new or changed API endpoints.
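The change tracking described above amounts to diffing each newly observed request/response parameter set against the learned definition and keeping a flag alive for a window after the parameter first appears or changes. The following is an added example of that logic, not Traceable’s implementation: the `EndpointDefinition` structure, the `observe`/`flagged` methods, the timestamps and the parameter names are all assumed or constructed; only the 7-day default window comes from the post.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Flags remain visible this long after a parameter is first seen or changes.
# 7 days is the window the post mentions; making it a parameter is an assumption.
DEFAULT_FLAG_WINDOW = timedelta(days=7)

@dataclass
class ParamRecord:
    """What has been learned about one parameter of an endpoint."""
    type: str
    first_seen: datetime
    last_changed: datetime  # equals first_seen until the type changes

class EndpointDefinition:
    """Learned request and response parameter sets for one endpoint (assumed structure)."""

    def __init__(self, name: str):
        self.name = name
        self.sections: dict[str, dict[str, ParamRecord]] = {"request": {}, "response": {}}

    def observe(self, request: dict[str, str], response: dict[str, str],
                now: datetime) -> list[str]:
        """Merge one observed transaction into the definition.

        `request`/`response` map parameter name -> observed type. Returns a
        description of every new or changed parameter so it can be surfaced.
        """
        changes: list[str] = []
        for section, observed in (("request", request), ("response", response)):
            learned = self.sections[section]
            for pname, ptype in observed.items():
                rec = learned.get(pname)
                if rec is None:
                    learned[pname] = ParamRecord(ptype, now, now)
                    changes.append(f"{self.name}: new {section} parameter '{pname}' ({ptype})")
                elif rec.type != ptype:
                    changes.append(f"{self.name}: {section} parameter '{pname}' "
                                   f"type changed {rec.type} -> {ptype}")
                    rec.type = ptype
                    rec.last_changed = now
        return changes

    def flagged(self, now: datetime,
                window: timedelta = DEFAULT_FLAG_WINDOW) -> dict[str, list[str]]:
        """Parameters whose new/changed flag is still inside the window."""
        cutoff = now - window
        return {
            section: sorted(p for p, rec in learned.items() if rec.last_changed >= cutoff)
            for section, learned in self.sections.items()
        }

if __name__ == "__main__":
    # Constructed timeline for one endpoint; dates are not real observations.
    t0 = datetime(2021, 3, 1, tzinfo=timezone.utc)
    ep = EndpointDefinition("GET /v1/users/{id}")
    ep.observe({"id": "string"}, {"email": "string"}, t0)
    for line in ep.observe({"id": "string", "include_ssn": "boolean"},
                           {"email": "string", "ssn": "string"}, t0 + timedelta(days=3)):
        print(line)
    print("flagged on day 9:", ep.flagged(t0 + timedelta(days=9)))
```

A parameter such as `include_ssn` appearing on a previously learned endpoint is exactly the kind of change a reviewer wants surfaced while the flag is fresh; once the window passes, the parameter remains in the learned definition but is no longer highlighted.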



Enterprise Readiness

The M6 and M7 releases of Traceable Defense AI also included several enhancements for enterprise readiness, including improvements to authentication, usage monitoring, and plans and verifications to help meet customer compliance needs.


SAML integration

Security Assertion Markup Language (SAML) is an open industry standard which allows identity providers (such as Okta, ADFS, and other enterprise SSO tools) to pass authorization credentials to service providers, such as Traceable. With this integration now in place, enterprises can use their existing authentication systems to connect their employees to Traceable.


Usage monitoring

With the addition of usage monitoring, customers are able to view information on the number of system calls they have used to help them determine if their current usage is in line with their Traceable license.


Compliance Requirements

A business continuity plan has been developed and put in place to ensure that Traceable will be able to restore critical business functions in the event of unplanned disasters. Traceable has also conducted and passed a third party security assessment. Reports are available on request.



For details on caveats to some of these additions, please see the release notes, either in-product or online.

Interested to see more?

Watch our recorded demo and see Traceable Defense AI in action!
