Listen to post:
Many security vendors offer automated detection of cloud applications and services, classifying them into categories and exposing attributes such as security risk, compliance, company status etc. Users can then apply different security measures, including setting firewall, CASB and DLP policies, based on the apps categories and attributes.
It makes sense to conclude that the more apps are classified, the merrier. However, such a conclusion must be taken with a grain of salt. In this article, we’ll question this preconception, discuss alternatives for app counts and offer a more comprehensive approach for optimizing cloud application security.
Stop counting apps by the numbers, start considering application coverage
Discussing the number of apps classified by a security vendor is irrelevant without considering actual traffic. A vendor offering a catalog of 100K apps would be just as good as a vendor offering a catalog of 2K apps for clients whose organization accesses 1K apps that are all covered by both vendors.
Generalizing this statement, we should consider a Venn diagram:
The left circle represents the applications that are signed and classified by a security vendor, the right one represents the actual application traffic on the customer’s network. Their intersection represents the app coverage: the part of the app catalog that is applicable to the customer’s traffic.
Instead of focusing on app count in our catalog, like some vendors do, Cato focuses on maximizing the app coverage. The data and visibility we have as a cloud vendor allows our research teams to optimize the app coverage for the entire customer base, or, upon demand, to a certain customer category (e.g. geographical, business vertical etc.).
Coverage as a function of app count
Focusing on app coverage still raises the question: “if we sign more apps will the coverage increase?”. To understand the relationship between app count and the app coverage, we collected a week of traffic on the entire Cato cloud to observe classified vs. unclassified traffic, sorted the app and category classification in descending order by flow count, and then measured the contribution of the applications count on the total coverage.
To focus on scenarios of cloud application protection, which are the main market concern in terms of application catalog, our analysis is based on traffic of HTTP outbound flows collected from Cato’s data lake.
Figure 1: Application coverage as a function of number of apps, based on the Cato Cloud data-lake
From the plot above, you can see that:
- 10 applications cover 45.42% of the traffic
- 100 applications cover 81.6% of the traffic
- 1000 applications cover 95.58% of the traffic
- 2000 applications cover 96.41% of the traffic
- 4000 applications cover 96.72% of the traffic
- 9000 applications cover 96.78% of the traffic
It turns out that the last 5K apps added to Cato’s app catalog have contributed no more than 0.06% to our total coverage. The app count increase yielded diminishing returns in terms of app coverage.
The high 96.78% app coverage on the Cato cloud is a result of our systematic approach to classify apps that were seen on real customer traffic, prioritized by their contribution to the application coverage.
Going further than total Cato-cloud coverage, we’ve also examined the per-account coverage using a similar methodology. Our findings:
- 91% of our accounts get a 90% (or higher) app coverage
- 82% of our accounts get a 95% (or higher) app coverage
- 77% of our accounts get a 96% (or higher) app coverage
Since app coverage is just a function of the Cato coverage (unrelated to customer configuration), the conclusion is that if you’re a new Cato customer, there’s a 91% chance that 90% of your traffic will be classified. Taking it back to the Venn diagrams discussed above, this would look like:
App count is an easy measure to market. App coverage is where the real value is. Ask your vendor to tell you what percent of the application traffic they classify after they show off their shiny app catalog.How to Best Optimize Global Access to Cloud Applications | Download the eBook
The holy grail of 100% coverage
Is 100% application coverage possible? We took a deeper look at a week of traffic on the Cato cloud, focusing on traffic that is currently not classified into a Cato app or category. To get a sense of what it would take to classify it into apps, we classified this traffic by second-level domain (as opposed to full subdomain).
We found that 0.88% of the traffic doesn’t show any domain name (probably caused by direct IP access). The remaining part, which makes up 2.34% of the coverage, was spread across 3.18 million distinct second-level domains out of which 3.12 million were found on either less than 5 distinct client IPs or just a single Cato account.
This explains that there will always be an inherent long tail of unclassified traffic. At the vendor level, this makes meeting the “100% app coverage” unachievable.
Dealing with the unclassified
Classifying more and more apps to gain negligible coverage is just like fighting against windmills.
For both vendors and customers, we suggest that rather than chasing unclassified traffic, the long tail of unsigned apps needs to be handled with proper security mitigations. For example:
- Malicious traffic: malicious traffic protection, such as communication with a CnC server, access to a phishing website, and drive-by malware delivery sites must not be affected by the lack of app classification. In Cato, Malware protection and IPS are independent from app classification, leaving customers protected even if the target site is not classified as a known app
- Shadow IT apps: unauthorized access to non-sanctioned applications requires:
- Full visibility: It’s good to keep visibility to all traffic, regardless of whether it’s classified or not. Cato users can choose to monitor any activity, whether the traffic is classified into an app / category or not
- Data Loss Prevention: The use of unauthorized cloud storage or file-sharing services can lead to sensitive data leaking outside the organization. Cato has recently introduced the ability to DLP-scan all HTTP traffic, regardless of its app classification. Generally, it would be recommended to use this feature for setting more restrictive policies on unknown cloud services
- Custom app detection: This feature introduces the ability to track traffic and classify it per customer, for improved tracking of applications that are unclassified by Cato
We have shown the futility of fixating on the number of apps in the app catalog as a measure of cloud app security strength. The diminishing return on growing app count challenges the prevailing notion that more is always better. Embracing a more meaningful measure, app coverage, emerges as a crucial pivot for assessing and optimizing cloud application security.
Effective security strategies must extend beyond app classification, acknowledging that full coverage is unfeasible. Risk must be mitigated using controls such as IPS and DLP to address the gap in covering g the app long tail and is a more feasible approach than the impossible hunt for 100% coverage.
In navigating the complex landscape of cloud application security, a nuanced approach that combines right metrics with the appropriate security controls becomes paramount for ensuring comprehensive and adaptive protection.