Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG TECHNICAL VALIDATION

Zero Trust Application Security With Truefort Fortress

Leveraging Behavioral Analytics to Secure On-premises On-premises and Cloud-native Applications

By Alex Arcilla, Senior Validation Analyst
MARCH 2022

Introduction

This ESG Technical Validation documents our evaluation of TrueFort Fortress. We reviewed how the platform can help organizations to implement a zero trust application security posture. We specifically observed how TrueFort can help to establish a baseline of allowed workload behavior, identify deviations from baseline, and automate response to identified threats and vulnerabilities.
Figure 1. Top Cited Reasons for Increasing IT Complexity

What do you believe are the biggest reasons your organization’s IT environment has become more complex? (Percent of respondents, N=329, five responses accepted)

Source: ESG, a division of TechTarget, Inc.

With applications deployed both on-premises and in the public cloud, relying on traditional and modern architectures, securing these complex IT environments is more difficult. Bad actors use more sophisticated cyber security attacks since they can leverage the increase in attack vectors. This is especially true with cloud-native applications that are no longer contained within a static IT network perimeter. Subsequently, policies and technologies for securing cloud-native applications differ from those used for on-premises applications.
The lack of consistency in current application deployments and security controls forces organizations to face increased operational complexity, efficiency and, most importantly, security risk. To reduce such risk, organizations are exploring how they can establish a zero trust posture to secure applications, regardless of how or where they are deployed. Rather than solely preventing bad actors from accessing applications, a zero trust security posture prevents cyber security attacks from moving laterally across all layers of an application’s architecture.

TrueFort Fortress

The trend towards decentralization continues to shape the IT strategy of many organizations. More than ever, applications and data are cloud-resident, and the users accessing those resources are likely to be somewhere other than in corporate offices.
Yet despite these foundational changes to network architectures, many organizations continue to rely on traditional perimeter security approaches. These are often predicated on back hauling traffic from remote users to the on-premises security stack for inspection. The issues with this approach are numerous:
Figure 2 highlights TrueFort Fortress’ capabilities. To gain full understanding and visibility into applications, the platform leverages micro segmentation and application behavior profiling. While micro segmentation enables end-users to identify and visualize application dependencies across code, the underlying infrastructure, and connections with other IT resources (e.g., data stores), TrueFort Fortress profiles runtime application behavior and monitors application processes.
TrueFort Fortress then uses machine learning and advanced behavior analytics to assess 160 unique application runtime parameters and build a complete view of applications and runtime behavior. The result is an Application Trust Profile, a baseline for secure application behavior. As TrueFort Fortress continuously monitors application behavior in real time, the platform uses Application Trust Profiles to either authorize allowed behavior or act against behaviors that deviate from the baseline, such as triggering an alert or blocking the action. Because cyber attacks and threats evolve over time, TrueFort updates Application Trust Profiles as it continuously monitors application behavior.
Recommended actions generated by TrueFort can be automatically deployed to enforce cyber security policies, which are updated in real time based on changes to application behaviors, vulnerabilities, or threat profiles. With more accurate and targeted policies, organizations can reduce time to value, minimize false positives, and lower ongoing operational costs. More importantly, the business faces fewer negative impacts due to cyber security incidents.
Figure 2. TrueFort Fortress

Source: ESG, a division of TechTarget, Inc.

To ease integration into existing security operations, TrueFort Fortress can work with third-party products working in an existing application environment. TrueFort partners with other vendors such as CrowdStrike, VMware, and Fortinet to support application observability and policy deployment.

ESG Technical Validation

ESG evaluated the TrueFort Fortress platform via testing sessions conducted at TrueFort offices in New Jersey. We observed how the TrueFort Fortress platform can help organizations to understand application behavior comprehensively, establish detailed application security controls, and decrease time to detection and response.

Understanding Application Behavior

Before an organization can secure its applications, it is critical to obtain a granular understanding of the entire application architecture, including interactions between software application modules and underlying processes. Using this knowledge helps the organization to understand how the application operates, or behaves, in production networks.

ESG Testing

ESG first navigated to an application map, created by TrueFort, of a hypothetical online retail ordering system (see top of Figure 3). The map illustrated individual applications that comprise the ordering systems and how those applications communicate with each other. Lines between applications represented connections, or how applications, such as the “ECOMMERCE” and “INVENTORY” applications communicated with each other.
Figure 3. How TrueFort Maps Applications and Related Granular Detail

Source: ESG, a division of TechTarget, Inc.

We then examined granular application detail by first right-clicking on the “INVENTORY” application and selecting “Application Details.” Another map appeared displaying INVENTORY application modules communicating with one another (see middle of Figure 3). We found that TrueFort could also depict application process details of individual modules by simply right-clicking on the application module “INVWEB1” and selecting “Go to Process.”
As we viewed application details, ESG noted how a security analyst can easily visualize the applications existing in the organization and how those applications interact with each other. This would help save time and money when manually documenting applications and the underlying architectures, especially when multiple applications exist.
ESG also viewed how TrueFort Fortress displays connections in tabular format (see Figure 4). Using this view, we could determine additional details about these connections at the process, identity, and network levels. Having these details added context to application behavior, such as the type of connection, network port accessed, and number of times encountered.
Figure 4. Displaying Connections in Tabular Format

Source: ESG, a division of TechTarget, Inc.

Why This Matters

Obtaining a detailed understanding of the makeup and runtime behavior of an application is key to ensuring application security. If they don’t understand application behavior, organizations cannot effectively monitor and control trusted versus untrusted application behavior.
ESG validated that TrueFort Fortress helps organizations to comprehensively visualize and understand application behavior by helping end-users to visualize applications, their individual modules and processes, and the manner in which these components interact with one another to fulfill specific business needs, such as online order fulfillment. Mapping this level of detail helps the organization to begin establishing a zero trust security posture.

Establishing Security Controls

To establish a baseline of trusted application behavior, an Application Trust Profile, TrueFort Fortress runs machine learning (ML) algorithms against applications. Once the profile is defined, it can guide organizations to define and implement fine-grained security controls to monitor and control deviations from the baseline.

ESG Testing

ESG proceeded to view how TrueFort Fortress leverages the Application Trust Profile to highlight suspect or untrusted application behavior. We navigated to the same map from Figure 3 and observed both green and orange lines connecting select modules. The green lines denoted trusted connections, as identified by TrueFort using the established Application Trust Profile. Orange lines denoted application behavior that deviated from the Application Trust Profile. TrueFort Fortress deemed those connections to be untrusted behavior (see Figure 5).
Role-based trusted and untrusted application behavior could be displayed in tabular format (see Figure 6). Green checkmarks denoted trusted or compliant connections between applications, application modules, or application processes (depending on the level of detail being viewed), while red Xs denoted the untrusted connections.
All Application Trust Profiles were combined to form an Application Trust Graph. The graph acted as the baseline of all application behavior within an organization.
Figure 5. Detecting Trusted and Untrusted Application Behavior

Source: ESG, a division of TechTarget, Inc.

ESG then proceeded to review how using the Application Trust Graph was used to implement targeted security controls for establishing a zero trust security posture. We first examined its Center for Internet Security (CIS) hardening capabilities. Using the CIS benchmarks included in TrueFort Fortress, ESG saw how organizations could compare application behavior against these benchmarks to detect drift, or behavior not complying with the benchmarks. To illustrate, we compared how applications operated on servers running Red Hat Enterprise against CIS benchmarks to determine non-compliant application behavior, denoted by the red Xs (see Figure 6).
Figure 6. Reviewing Application Behavior against CIS Benchmarks

Source: ESG, a division of TechTarget, Inc.

ESG also saw how TrueFort could generate alerts for non-compliant behavior against a specific network entity. The flagged behavior in the above figure is compiled into a list documenting all outstanding cybersecurity vulnerabilities uncovered, listed by Severity and Status. We could also double-click on any line item to obtain detailed information about the alert, including the recommended fix.
Another security control that ESG examined was file integrity management (FIM), which monitors configuration files, binaries, and directories associated with applications for changes in content, ownership, and permissions. Since TrueFort Fortress ran machine learning against the files and directories associated with the applications in our testing, the Application Trust Graph already noted allowable permissions, ownership, and content. TrueFort would again monitor drift against this baseline.
For example, ESG reviewed how TrueFort monitored files associated with Microsoft’s operating system (OS) out of the box. We saw all the files associated with the OS (see left-hand side of Figure 7). Using the trust graph, we observed how TrueFort generated alerts, sorting by Severity and Status, based on drift (see right-hand side of Figure 7). We could view Alert Details by simply double-clicking on a specific alert to reveal the recommended response.
Figure 7. Detecting Drift with TrueFort’s FIM Capability

Source: ESG, a division of TechTarget, Inc.

ESG also reviewed how TrueFort used microsegmentation or workload segmentation as a security control. Instead of using a rule-based approach that addresses known threats and vulnerabilities, TrueFort combines microsegmentation with the Application Trust Profile to ensure that legitimate behavior is not blocked. This is especially useful to prevent threats and attacks from moving laterally across application components. We noted the policies automatically generated from the anomalous behavior detected by the Application Trust Profile (see Figure 8).
Figure 8. Using Microsegmentation to Create Cybersecurity Policies

Source: ESG, a division of TechTarget, Inc.

These specific policies allowed incoming or outgoing traffic originating at specific IP addresses using specified ports, such as accepting incoming requests originating at IP address “MGWL” using the SSH port, regardless of protocol. Should a policy be deemed a best practice by the organization, ESG saw how that policy could be applied as a global policy to any connection with similar characteristics, such as “MGTEST” (see Figure 8).

Why This Matters

When deviations in normal runtime application behavior are identified, implementing the proper and targeted controls and policies becomes easier, helping to establish a zero trust security posture against known and evolving threats and attacks.
ESG validated that TrueFort Fortress helps in recording deviations, or drifts, from normal application behavior and leverages those drifts to implement security controls and policies. We observed how we could visually pinpoint drifts in application behavior via application maps and leverage TrueFort Fortress’ record of untrusted application behavior to ensure that bad actors could not initiate attacks or exploit vulnerabilities. We also saw how organizations can use TrueFort’s security controls to prevent threats and attacks from moving laterally across applications.

Decreasing Time to Detection and Response

Once it knows how applications behave under normal and secure conditions, TrueFort Fortress helps in reducing time to detect and respond to threats and attacks by identifying deviations from the Application Trust Graph.

ESG Testing

ESG first viewed the rulebooks that detect behavioral anomalies using the Application Trust Profile (see Figure 9). Specifically, the rulebooks monitored connections made at the application and network levels. A security analyst could also input how TrueFort should respond if such a connection was detected. ESG saw that the response “BlockIPtoIP” was assigned to the rule “IP To IP.” We could also view the anomalous behavior that the rule was designed to block.
Figure 9. Rulebooks for Detecting Anomalous Behavior

Source: ESG, a division of TechTarget, Inc.

ESG then reviewed how TrueFort facilitates detection and analysis of anomalous application behavior without the need to use multiple point solutions. We navigated the same application mentioned in Figure 1 to examine detected anomalous behavior and highlight any alerts to date (see Figure 10). The behavior detected was an attempt to exfiltrate data from an internal server.
Figure 10. Detecting and Analyzing Anomalous Application Behavior

Source: ESG, a division of TechTarget, Inc.

Focusing on an alert detected on the “APP SERVER,” we examined exactly what happened at the time the alert was generated. Using a DVR-like playback functionality, we used a slider to view application activity when the anomalous behavior was recorded, as shown in the lower right-hand corner of Figure 11.
To obtain further understanding of the anomaly, we revealed process details of the affected application module named “tfdem_ner01” (see Figure 11). At this level of detail, we could trace how a bad actor attempted to exfiltrate corporate data. To ensure that the alert was being addressed, we right-clicked on the host with IP address 10.179.155.108 and saw that a rule was already applied. Had a rule not been automatically applied, we had enough information to address the issue immediately.
Figure 11. Examining How Anomalous Behavior Occurred

Source: ESG, a division of TechTarget, Inc.

During our review, ESG noted that the time to obtain the data to detect, analyze, and resolve this incident was relatively short, especially when considering the alternative of using multiple disjointed tools to receive the alert, uncover the root cause, and then craft the required response to eliminate the potential security threat. TrueFort minimizes that time by integrating tools that permit sharing and accessing relevant data via a single interface. Time and effort to detect and respond to cybersecurity incidents decrease, lowering costs and, more importantly, overall risk to the organization.

Why This Matters

Establishing a zero trust security posture not only requires blocking untrusted application behavior, but also requires organizations to quickly detect and respond to threats and attacks. As more time is spent on these activities, overall risk to the business increases.
ESG validated that TrueFort Fortress can help organizations to decrease the overall time to detect and respond to cybersecurity incidents. We observed how TrueFort leverages its Application Trust Graph to automatically generate alerts and apply policies when required. More importantly, we saw how the time to detection and response can be minimized by enabling organizations to drill down into details behind alerts, without the need to switch between multiple point tools.

The Bigger Truth

Securing the many applications organizations have deployed on-premises and in the public cloud has become a major challenge. ESG research cites that 87% of survey respondents agree, or strongly agree, that securing cloud-native applications requires a different set of policies and technologies than those that are used for on-premises deployments. However, the lack of consistency in securing on-premises and cloud-native applications adds unnecessary complexity to the overall IT environment, as organizations resort to using multiple tools, interfaces, and manual processes to secure the application environment. Establishing a zero trust security posture becomes tedious and costly.
With TrueFort Fortress, organizations can use a consistent and integrated platform to secure their application environments, regardless of how or where applications are deployed. Unlike using multiple point tools and technologies that address security issues differently, TrueFort Fortress secures applications using an established baseline of application behavior to drive how organizations secure applications and the underlying architecture. All tools integrated into TrueFort Fortress use this behavioral baseline to detect, prevent, and respond to cybersecurity attacks.
Throughout our evaluation, ESG validated that TrueFort Fortress can help organizations:
  • Establish a baseline of normal runtime application behavior without resorting to offline investigations and manual documentation of applications and the underlying architecture.
  • Leverage the baseline to detect anomalous or untrusted application behavior via continuous monitoring.
  • Implement targeted security alerts, policies, and controls that leverage the behavioral baseline to detect, understand, and respond to potential threats and attacks from entering and moving laterally through the organization.
With TrueFort, organizations can decrease time to detect and respond to cybersecurity incidents, lower operational costs, and, most importantly, decrease overall security risk. TrueFort Fortress can help organizations to establish a zero trust application security posture.
Yet, if your organization seeks to establish a zero trust security posture using tools consistent across on-premises and cloud-native applications, regardless of the underlying architecture, it is worth taking a closer look at TrueFort Fortress.
Yet, if your organization seeks to establish a zero trust security posture using tools consistent across on-premises and cloud-native applications, regardless of the underlying architecture, it is worth taking a closer look at TrueFort Fortress.

This ESG Technical Validation was commissioned by TrueFort and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.