Observe your app security with Sqreen

Beyond protecting your applications, microservices, and APIs from malicious attacks, Sqreen offers real-time visibility into the behavior of the apps across your network infrastructure.

  • Observe the big picture: Sqreen leverages its placement inside your apps to catalog and make available information about apps and assets in the App Inventory. The App Inventory compiles and displays a table with details about each app -- environment, security risk, technology, frameworks, ORMs -- so you don’t have to pick each app apart to discern its behavior and stack. Then, you can search across apps in multiple environments for answers to security questions. For example, you can use Sqreen to search for all apps in production that are performing database requests but not using an ORM. Read more: Observe the big picture.
  • Observe and take action: From inside your apps, the Sqreen Microagents send security signals (metadata about app traffic) to the Sqreen Platform. The platform uses the information to monitor and protect your app, but you can also use it to get to know an app. Use the security signals to hold a magnifying glass up to an app: learn what it does with Personally Identifiable Information (PII), for example, or which third-party applications it calls, or the exceptions it threw while it was under attack. Then, you can use the built-in incident heuristics to review an anomaly, a timeline of its occurrence, and the actions Sqreen suggests taking to resolve or mitigate the threat or vulnerability. Further, you can create an In-App WAF custom rule to log or block specific kinds of requests. Read more: Observe and take action.
  • Observe and prevent: Use Sqreen’s built-in or integrated User Monitoring feature to observe suspicious user activity and take steps to prevent an attack before it happens. Sqreen uses a risk score to identify users that warrant monitoring, such as users who have accessed the Darknet, or users with unusual geographic locations or shared accounts. Drill into a user’s details to examine their activities over time, and use a Security Automation Playbook to block a malicious user from accessing, or further attacking, your app. Read more: Monitor users.
  • Integrate and streamline: Integrate Sqreen with third-party technologies to alert your team (email, Slack), or hook into other tools to build custom workflows. Use Security Automation Playbooks to streamline and automate your response to security events. For example, you can create a playbook that automatically blocks or redirects a malicious user, then sends a notification to a SecOps channel in Slack. Read more: Integrate and streamline.

Observe the big picture

Installed inside your app, the Sqreen Microagent dynamically instruments the functions and systems your app uses in order to monitor and protect it from attacks. You can leverage this insider information to gain visibility into the apps in your infrastructure. Without reading the code of each app or trying to discern what an app does from its behavior within a system, you can use the metadata the microagent collected to “un-black box” your apps.

With this un-black boxed information available to you in the App Inventory, you have the opportunity to observe the “big picture” of all the apps in your infrastructure.

The following table lists the information you can see, and search, about your apps.

App Inventory section    Application details
App information          name, environment
Security information     risk, incidents, security weaknesses, blocked actors, first connected at
Sqreen configuration     status, rasp, in-app waf, csp, security headers, is sqreen enabled
Stack information        technology, frameworks, packages, ORMs, templating engines

  • Use the App Inventory as a source-of-truth list of your infrastructure’s apps, assets, and dependencies.
  • Search across multiple environments for answers to security questions, such as "which Node.js apps are most vulnerable to attack?"
  • Create and save searches to facilitate frequent status assessments.
  • Use the Security Flowmap view to help you visualize your infrastructure and how the parts interact with each other.

Observe and take action

The main Monitoring feature in the Sqreen Dashboard is the primary source of real-time data about your app’s security status. Monitor the volume of malicious requests and blocked attacks over time, assess the app’s security risk (low, medium, high), and review recent security incidents, all in one place. Notably, Sqreen’s In-App WAF limits the volume of false-positive security incidents, which lets your team focus on signals (true threats) instead of noise (false positives).

From inside your application, a Sqreen Microagent sends security signals (metadata about the app’s behavior) to the Sqreen Platform. The platform aggregates and analyzes data across multiple instances of the application to detect security incidents. But beyond their primary use in monitoring and protecting your app, you can use the security signals to learn about your app. Use the Events Explorer to examine in detail what your app is doing, which third-party tools it is calling, the way it handles PII, or the way it behaves when it is under attack, which might reveal a bug or vulnerability.

From the Incidents feature in the Sqreen Dashboard, you can review security incidents, such as an attempted SQL injection or shell injection, and drill down into the details to examine the timeline, geolocation, and status of a vulnerability. Further, each incident offers suggested actions you can take to mitigate an issue. For example, if Sqreen detects a "Brute force attack targeting multiple users", it blocks the attack and the Incident details make a suggestion to further address the incident: "It may be relevant to contact the user(s) to notify them that their account may have been leaked on another service."

With the knowledge you gain from examining events and incidents, you may wish to create an In-App WAF custom rule to log or block specific requests. For example, you can track every request that returns a 4XX status code, or block requests that are missing a particular header. Read more about custom rules in the Log or block requests documentation.

Monitor users

Sqreen offers built-in and integrated User monitoring capabilities so that you can track suspicious behavior and mitigate negative impact on your app.

  • Automatic user monitoring: Several Sqreen Microagents give you the ability to automatically monitor user activity from the Sqreen Dashboard. If your app’s HTTP authenticator is compatible with the Sqreen microagent, you can start monitoring users’ behavior out of the box.

  • Advanced user monitoring: Where a microagent does not facilitate automatic user monitoring or when you want your app to track more advanced user behavior, you can install and use the Sqreen SDK for User monitoring. Then, you can create custom events to track and record user activity specific to your app.

In User monitoring, you can review the risk scores and flags that Sqreen assigns to users that warrant careful monitoring. You can use risk scores, flags, and filters to narrow the focus of your investigation to a particular user's activity, then drill further into that user's details.

Sqreen applies a risk score to a user identifier to indicate the potential threat the user represents. A risk score increases when:

  • an authenticated user performed an attack on your app
  • a non-shared set of credentials was used to log in from two disparate locations at nearly the same time
  • a set of shared credentials was used to log in from two locations at nearly the same time
  • a user connected to your app from the Darknet (TOR, open proxies)
  • a user's activity displays evidence of an attempted Account Takeover Attack (ATO) or other, non-human behavior

Sqreen applies a flag to a user identifier to indicate the type of suspicious activity associated with the user.

  • TOR user: The user accessed, or attempted to access, your app from a TOR IP address.
  • Lost password: The user tried and failed to connect to your app three or more times.
  • Shared account: The user credentials of a shared account were used to log in to your app from two different locations at nearly the same time. Because the credentials are known to be shared amongst legitimate users, this may not be malicious behavior, but it is worth logging and tracking.
  • Seen once: The user has only successfully logged into your application once.
  • Inactive user: The user has not successfully logged into your application in more than two weeks.
  • Disposable email: The user used a disposable email account to connect to your application.
  • Multiple geo: The user credentials of a non-shared account were used to log in to your app from two different locations at nearly the same time. This behavior could be a benign indicator of a traveling user, or it could indicate that a user's credentials have been stolen or illegitimately shared.
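To make the flag definitions above concrete, here is an added example (not Sqreen's own code) that derives the same flags from a constructed set of login records. The "nearly the same time" window (one hour), the TOR exit list, the shared-account list and the disposable-domain list are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records, not real data: (email, succeeded, ip, country, time)
T0 = datetime(2024, 5, 1, 12, 0)
LOGINS = [
    ("alice@corp.example", True,  "203.0.113.5",  "FR", T0),
    ("alice@corp.example", True,  "203.0.113.9",  "BR", T0 + timedelta(minutes=20)),
    ("ops@corp.example",   True,  "192.0.2.10",   "US", T0),
    ("ops@corp.example",   True,  "192.0.2.20",   "DE", T0 + timedelta(minutes=5)),
    ("bob@corp.example",   False, "198.51.100.7", "NL", T0),
    ("bob@corp.example",   False, "198.51.100.7", "NL", T0 + timedelta(minutes=1)),
    ("bob@corp.example",   False, "198.51.100.7", "NL", T0 + timedelta(minutes=2)),
    ("carol@corp.example", True,  "203.0.113.40", "US", T0 - timedelta(days=20)),
    ("dave@mailinator.example", True, "203.0.113.50", "US", T0),
]
SHARED_ACCOUNTS = {"ops@corp.example"}   # credentials known to be shared (assumed)
TOR_EXIT_IPS = {"198.51.100.7"}          # constructed stand-in for a TOR exit-node list
DISPOSABLE_DOMAINS = {"mailinator.example"}
NEAR = timedelta(hours=1)                # assumed meaning of "nearly the same time"
INACTIVE = timedelta(days=14)            # "more than two weeks"

def flag_users(logins, now, shared=SHARED_ACCOUNTS, tor=TOR_EXIT_IPS, disposable=DISPOSABLE_DOMAINS):
    """Return {email: sorted list of flag names} following the flag definitions above."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec[0]].append(rec)
    flags = {}
    for user, recs in by_user.items():
        f = set()
        # successful logins ordered by time, as (time, country)
        ok = sorted((t, country) for _, s, _, country, t in recs if s)
        if any(ip in tor for _, _, ip, _, _ in recs):
            f.add("TOR user")
        if sum(1 for _, s, *_ in recs if not s) >= 3:
            f.add("Lost password")
        # two successful logins from different countries within NEAR of each other;
        # checking adjacent pairs suffices because the list is time-ordered
        if any(b[1] != a[1] and b[0] - a[0] <= NEAR for a, b in zip(ok, ok[1:])):
            f.add("Shared account" if user in shared else "Multiple geo")
        if len(ok) == 1:
            f.add("Seen once")
        if ok and now - ok[-1][0] > INACTIVE:
            f.add("Inactive user")
        if user.rsplit("@", 1)[-1] in disposable:
            f.add("Disposable email")
        flags[user] = sorted(f)
    return flags
```

Running `flag_users(LOGINS, T0)` flags the shared account as "Shared account" and the non-shared one as "Multiple geo", which is the distinction the two definitions above draw.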

Drill into a user’s details to examine their activities over time such as login successes and attempts, attempted attacks, geographical location, and authenticated IP addresses. You can drill even further down into each incident to examine attack details, request details, and backtraces. For example, for an attempted SQL Injection, you can drill into the event to see the database the user was attempting to access, the query the user wrote, and the port and path of the request.

As you monitor users and begin to notice suspicious behavior and attacks that Sqreen has blocked, you may want to prevent specific users from accessing, and attacking, your app. Use a Security Automation Playbook to temporarily or permanently block a malicious user from accessing your app. Read more about blocking users in the Security Automation Playbook documentation.

Integrate and streamline security responses

Beyond observing your apps, examining security incidents, and monitoring user activity, you can use Sqreen’s built-in and integrated functionality to streamline your security responses.

  1. Turn on a Pre-defined Security Automation Playbook to instruct Sqreen to take action when it detects an anomaly or attack. For example, enable the “Reset password abuse” playbook to take action.
  2. Install the SDK for user monitoring so that you can define your own custom events to track in your app. Use your custom events to craft your own Security Automation Playbooks. Refer to the "SDK for user monitoring" and "Track custom events" documentation for your technology's Sqreen Microagent.
  3. Use Sqreen Webhooks to customize the way your playbook sends notifications. For example, define a webhook to send a `POST` request to a PagerDuty API.