Avoiding Security Risks with Application Performance Monitoring (APM)

This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories.

Business advantage is at the core of nearly every IT mission. Cloud-borne technologies add a seemingly endless number of capabilities to the organization, along with a focus on services, applications, architecture, consumption, compliance, and a host of additional requirements. Cloud environments and the systems built upon them create a landscape of digital diversity that challenges many enterprises.

IT organizations require visibility and security as their operations and architecture scale up and out throughout application lifecycles. Application performance monitoring (APM) is a set of tools that monitor the performance of applications in order to ensure the best possible user experience, tracking key metrics such as load time, response time, error rate, and CPU usage.

Cloud services make complex systems seem much simpler than the technology that lies underneath. Every organization does its best to run as efficiently as possible, which results in significant mission-critical infrastructure spread across data centers, public clouds, and remote WAN-connected sites. Before you know it, your organization could be characterized as multi-located and global in reach, hosting fresh applications as well as legacy ones, all designed to meet high uptime and security requirements. While all this seems well and fine, a narrow focus on APM could spell disaster when it comes to security. Security needs to be at the forefront of application monitoring and not an afterthought.

Fast Is Smooth

Business is the IT department’s customer. Whether that is an end-user or an internal user makes little difference when the expectations for an application are to deliver a highly responsive and easy-to-use digital experience and to be available anytime, anywhere. Every fraction of a second counts when it comes to delivering smooth digital experiences. APM steps in to monitor all aspects of application performance within complex environments, such as:

  • Throughput rates
  • Error statistics
  • Database response metrics
  • File I/O issues
  • Errors discovered in code
  • Application response time variations

By monitoring and reporting on such metrics, APM systems help provide critical insights into the relationship between application performance and business outcomes. APM allows organizations to deploy, scale, and operate as efficiently as possible. These complex, critical indicators of application experience are essential to continual analysis and to completing delivery. The challenge is that for APM to be truly useful, it must operate across every critical workload, across secured networks, and across a mix of cloud, legacy, hybrid, and service components within the target environment. This complexity can also be a vector for vulnerability.

Security in the App and the Stack

There is a tendency for standard commercial security solutions to focus solely on protecting application data across the cloud. This is unfortunate because application performance and availability are also early indicators that a security compromise may have occurred. Furthermore, APM tools have become common backdoor attack vectors, in a similar way to what we saw with SolarWinds, which recently became a vector for widespread attacks. One of the root considerations for the impact felt by this incident was the trusted footprint that the company established over decades. Dependence on a vendor and its technology can be another blind spot.

In many ways, the two disciplines are converging, because experience shows that anomalous spikes in usage, increased API calls, credential echoes across environments, and other issues can be directly linked to inadvertent or unknown code-borne security weaknesses, lapses in identity management, and unsecured data stores. Cyberthreat actors today make it a point to fly under the radar during a sustained attack, often referred to as the “advanced persistent threat.” An early opportunity to head off these attacks is in the application itself. Application-based indicators of compromise are a foundational component behind the discipline of DevSecOps, which focuses on automated security practices at the scale and speed required to work within cloud environments.
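As an added illustration of the point above (not code from the column or any APM vendor), the following detector treats the throughput, error and API-call metrics listed earlier as candidate security indicators: it builds a robust baseline from the first minutes of constructed APM samples and flags later samples whose values deviate sharply, so that operations alerts can be routed to the security team. The sample data, client name and thresholds are all assumptions.

```python
"""Flag anomalous APM metrics as candidate security indicators.

Added example, not from the column: throughput, error rate and per-client
API call volume are compared against a median/MAD baseline, so a spike in
any of them is surfaced as an early indicator worth a security review.
"""
from statistics import median

# Constructed APM samples (one per minute for a single client identity).
SAMPLES = [
    # minute, client, requests, errors, api_calls
    (0, "svc-a", 100, 1, 40), (1, "svc-a", 104, 2, 42), (2, "svc-a", 98, 1, 39),
    (3, "svc-a", 101, 1, 41), (4, "svc-a", 99, 2, 40), (5, "svc-a", 102, 1, 41),
    (6, "svc-a", 103, 1, 40), (7, "svc-a", 100, 1, 42),
    (8, "svc-a", 420, 60, 400),   # constructed spike in traffic, errors and API calls
    (9, "svc-a", 101, 1, 41),
]

def robust_z(value, history):
    """Z-score using median and MAD, so one outlier does not drag the baseline."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0
    return (value - med) / (1.4826 * mad)   # 1.4826 scales MAD to a std-dev estimate

def detect_anomalies(samples, baseline_minutes=8, threshold=5.0):
    """Return (minute, client, metric, z) for post-baseline samples whose
    requests, error_rate or api_calls deviate by more than `threshold`."""
    baseline = [s for s in samples if s[0] < baseline_minutes]
    history = {
        "requests":   [s[2] for s in baseline],
        "error_rate": [s[3] / s[2] for s in baseline],
        "api_calls":  [s[4] for s in baseline],
    }
    alerts = []
    for minute, client, req, err, api in samples:
        if minute < baseline_minutes:
            continue
        current = {"requests": req, "error_rate": err / req, "api_calls": api}
        for metric, value in current.items():
            z = robust_z(value, history[metric])
            if abs(z) > threshold:
                alerts.append((minute, client, metric, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLES):
        print("ALERT minute=%d client=%s metric=%s z=%.1f" % alert)
```

In practice the baseline window and threshold would be tuned per service, which is the continuous alert tuning the column calls for later.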

Your Environment is One World

One of the ways to mitigate security risks is to stop focusing on a single tool and gravitate toward a comprehensive and compliant security umbrella. APM systems present a significant frontline approach to detecting application issues and early indicators of security issues. This is important because the vast majority of security incidents are not as sophisticated as the one we witnessed in the SolarWinds incident.

In fact, the bulk of security incidents are caused by well-known security vulnerabilities or human factors such as employees who fall prey to phishing attacks. The only way to attain early detection is to keep eyes on issues such as:

  1. Poor authentication standards
  2. Insufficient policy and governance
  3. Poor password management
  4. Default software installations
  5. Missing patches
  6. Portable storage and mobile devices
  7. Insider threats
  8. Zero-day threats
  9. Infrequent file integrity monitoring
  10. Inadequate/poor configuration

Much of this information correlates with, or is directly discovered in, the data collected by APM systems as well as by advanced, analytics-based security systems.

Comfortably Numb Operations

If you find yourself asking, “Who is going to monitor these tools 24x7x365?” then you have reached a point of enterprise maturity. Continual around-the-clock monitoring is an absolute requirement, and you cannot simply task any operator with tracking and analyzing performance and potential security incidents. You can easily draw the conclusion that the bigger the load, the more work it is going to take to keep on top of things.

If you’re keeping track of everything, there are a lot of potential technical and experience-focused items to implement and characterize. The organization can easily become numb to alerts coming from various monitoring tools. The team needs to be able to tune the triggers and adjust the alerts on a continuous basis. In addition, the monitoring team needs to be highly skilled at using artificial intelligence and machine learning tools to address the vast majority of alerts in an automated and “self-healing” fashion.

Partner, Don’t Buy

As we saw with SolarWinds, application security tools can serve as an attack vector. There is no shortage of attack vectors, and the attack surface widens with every moving part that today’s environments feature. This is the cloud age, where everything carries real-time value. If you care enough about application experience to continuously monitor and improve the components of an APM ecosystem, you must also have overarching security and compliance concerns.

A full-service security solution that allows full, real-time remediation of negative changes holistically is a must nowadays. Bringing that capability internally is a very tall order, and probably an impossible feat for many IT departments. Such a program needs to incorporate holistic Application Security Monitoring, monitoring of ‘less sophisticated’ threats, and application performance.

By bringing compliance, policies, and best-of-class security technologies together, a trusted security partner can guide your security program, and you can approach vulnerabilities with the systematic ability to search out and eliminate zero-day risks. Through a partner, you also gain the valuable advantage of a single point of accountability.

These security threats are happening in real time, right now, to someone. The technology platforms are complex and diverse, and the threats are very real. Unless you already have a large staff of security experts, it is best to outsource this. This is not a capability that the vast majority of organizations can build up alone.

Digital Edge is Total

Businesses today are seeking a flawless digital experience. APM delivers the metrics, but it can also be a conduit for nefarious activity if it is not properly incorporated within a comprehensive security strategy. On-demand, real-time, and self-healing are key to gaining and maintaining that digital edge. The commitment to this experience is total, meaning visibility and awareness of every facet of an application is required, along with visibility of every workload across a variety of computing architectures. That commitment must extend to executing on the same mission of visibility, preemptive security, and efficient operations.