Web Application Security Executed at the Endpoint

It’s no secret that users and endpoints are great targets for cyber attacks. One errant click, one opened file, one redirect to a malicious website where the user enters valid credentials, and the attacker has all the information he needs to execute an exploit. The primary interface for these attacks, web applications, earned the top spot for attack vectors in the 2019 Verizon Data Breach Investigations Report[i]. What’s more, a new report by Venafi[ii]—released just in time for holiday shopping season—revealed that fake retail websites outnumber legitimate sites by 4-1.

Online shopping is easier than ever, and using a mobile device to tackle holiday errands while on the go helps reduce the hassle and hustle of the holidays. That said, these factors combined highlight an important cybersecurity problem: Security teams need better ways to stop attacks at the browser before they reach web applications and propagate, affecting sensitive data or transactions in a substantive way.

With identity management platforms, web application firewalls, bot mitigation tools, dark web intelligence, geolocation data, and the countless cookies and agents heaped on users’ systems, security practitioners have no shortage of technology to help prevent web-based attacks or stop the spread of an attack if the user has accidentally triggered an exploit. But, according to Malcolm Harkins, Chief Security and Trust Officer at Cymatic, the problem with these technologies is that they’re siloed. And this is why web applications continue to be the top attack vector and why human actions are the initiation exploit in 90% of breaches.

Removing silos

The issue with security silos, Harkins told me during a call, is that “there are a bunch of disparate tools that work, but each has its own interface, reporting, configuration management, integration capabilities, licensing, and levels of complexity for use. There’s no in-line, real-time streaming between them, so it’s up to the security team to try and stich these together to hopefully create the right correlations. It does nothing to smooth the user experience. Siloed products, on top of the credential defenses, captchas, cookies, and forced MFA, amplify user friction and increase complexity, cost, and (ultimately) risk to IT teams and organizations.”

Friction has long been a sore spot with users based on the legacy security approaches. Yet, security teams still employ outmoded solutions. While users care about the privacy and security of their devices, actions, and data, they care more about ease of use and overall experience. This is why password reuse is rampant, MFA hasn’t gained traction inside enterprises as broadly as it could, and DevOps continues to fly past security teams without their input. Executives will almost always side with productivity and efficiency over kludgy security, thus security teams must look for solutions that are invisible to the user as much as possible.

Control at the beginning of the kill chain

Harkins told me he joined Cymatic after a long and impressive career because the founders, Jason A. Hollander and Paul B. Storm, demonstrated to him that their platform could deliver frictionless results, at the beginning of the kill chain, and answer the fundamental questions he and fellow chief security officers had been asking for two decades: Who are my users? Which ones pose a risk to my business? How can I ensure my web application (and thus my business) is secure?

Cymatic “does for WAFs what Apple did for smartphones—it reimagines and ultimately rearchitects the way we think of and use WAFs to deliver better overall security," said Harkins. “It offers web application security at the client and in the browser, without agents or cookies, and without proxy or network changes. It is one line of code that a web developer adds into a web page.”

Here’s the high-level overview of how it works: When a user hits a website, Cymatic’s SDK[iii] automatically deploys, regardless of device, OS, or browser is use. This architecture achieves a few things: First, an automatic scan of the device in use is executed. The scan determines the device’s “cyber hygiene” and answers questions such as: Is the device vulnerable? Are the credentials vulnerable? Is this a person or a bot? Have passwords been re-use across multiple domains? Were passwords part of previous credential breaches? What is the physical location of the user and device?

Next, depending on the results of the scan (which happens in microseconds), adaptive controls can take action by, say, blocking a device to avert a bot attack or account takeover, or invisibly issuing step-up multifactor authentication. If the data and activity fall within the risk parameters the organization has set, controls can simply allow the user to continue.

While the above is happening, the behavioral engine analyzes user keystrokes and mouse movements in real time to determine if the user is who they say they are. Cymatic uses behavioral biometrics with machine learning and heuristics to detect in-session hijacking and kill commandeered connections before they can reach into a company’s web application or internal data and transactions.

Privacy and next steps

All of this might sound a bit sketchy from a privacy perspective, so I asked Harkins how the company deals with privacy issues, given that part of their message is focused there. “From a privacy point of view,” he told me, “there is no persistence on the device and all data sent to our cloud is encrypted, then anonymized. The capability activates when a device lands on a web application but dissolves as soon as the device leaves. And without cookies and agents pushed to the device, privacy risks are reduced. “

The description of the product sounds promising, and though I’ve yet to see a demo to see how this all ties together technologically, Harkins tells me that new Cymatic employees are asked to test the product for themselves. He was shocked—in both a good and bad way—at how many vulnerabilities the platform’s cyber hygiene tool revealed about his personal devices. That’s a good first step! So I am excited to see and hear more from this promising new company.

If web-based attacks are a concern and you're looking for ways to block attacks at the endpoint, give the team at Cymatic and shout and schedule a demo for yourself.


[i] https://enterprise.verizon.com/resources/reports/dbir/

[ii] https://www.venafi.com/blog/holiday-shoppers-beware-look-alike-domains-are-targeting-your-wallet

[iii] Software development kit