DZone Research: Problems With Security (Part 2)
DZone Research: Problems With Security (Part 2)
Want to learn more about the modern problems with security? Check out this post on cyber attacks, insecure IoT devices, incorrect prioritization, and more!
Join the DZone community and get the full member experience.Join For Free
Protect your applications against today's increasingly sophisticated threat landscape.
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "What are the most common issues you see affecting security?" Here's what they told us:
Credential compromise is the most common use case. Companies are trying to stop attackers. A lot of security solutions in the organization — all doing detection only creates a lot of noise. Come to us because of noise, firewall to blunt, can’t do a manual analysis. Automate the potential threat in real time. Take tools with data for better context around what’s happening with every access transaction, more proactive and better threat prevention.
- Plenty of talent. How to bring the security team to the cloud? Every cloud is different. Not so much that there’s a talent gap, but it’s all different. The center for information security just has benchmarks for AWS and GCP. It is interesting to see the cloud’s maturing with their offerings w/r to security, trying to wrap our heads around consistency. It’s really difficult. We see slight convergence, but it will take a lot of time. The biggest challenge is truly understanding your side of the risk.
- Lack of encryption on the server. Admins getting hacked. Not keeping up with patches. Everything that goes along with passwords.
- Identity is huge. Everyone trying to ensure a legitimate customer can get through while a nefarious character cannot.
- Open Source Software and third-party SDKs introducing vulnerabilities and priority one exploits into customer applications without their knowledge.
- Insecure IoT devices.
- 1) Enterprise cloud proliferation of industry. 2) IoT devices. They have many camera systems with four-digit passwords that can be hacked in two hours. There is no mandate across IoT devices.
- Beyond compromise, phishing and targeted attacks are common now. With compromises comes security concerns. 100 million user profiles released per week through hackers, including Equifax and two banks in Canada. This is turning very problematic very quickly. Implementing these technologies makes it harder. Fraud has had to evolve.
- More sophisticated clients — know about issues. There's more about showing what the different pieces of the solutions are. If, from an embedded space, there is a lot more learning, take people on the journey. Here’s a platform you can trust. Don’t need to learn about certificates and passwords.
- Not knowing where it all is is a big part. We are trying to embrace automation. Once discovered, the right people in DevOps or SREs know what the policies are toward certain datasets, let alone they can codify it. You have to get executive sponsorship, and you need to endorse a cross-functional team to make it happen. CISO, DBAs, and developers agree to build a different kind of process to access data.
- The external perimeter that enterprises have right now is collapsing because of the adoption of new technologies — cloud, SaaS models, and IoT. Securing it all at the pace required by the adoption of the new technologies is one of the most challenging tasks for current security teams.
- Failure to integrate security early in the SDLC and adopting DevSecOps to accelerate speed to market with secure, high, quality code.
- Lack of a digital bill of materials. Don’t know what’s running where or what version. Car, aerospace has bills of materials to individual owner/VIN. The manufacturer can issue a recall. A famous example of struts – 40 different version of struts across the enterprise. You need an electronic bill of materials. You have to know where this stuff is running. Fannie Mae shut down over the weekend because of struts to learn where everything is running. Ran a pen test on all properties to see everywhere vulnerable struts library resided. Got to get better at the electronic bill of materials (i.e. Electric Flow).
- Two major challenges with protecting critical infrastructure are at polar opposites of the age spectrum – they’re too old, or too new. Much of the world’s critical infrastructure is decades old, developed in a time when technologies like control and safety systems were new, and there was no Internet. In many cases, it’s difficult to find and maintain engineers with skills in these outdated technologies. The original investments in time and money associated with their implementation were enormous, meaning it takes a long time for “payback periods” to be realized. Even when a critical infrastructure system is considered to have fulfilled its useful life, the cost, complexity, and risk associated with replacement of these systems are often prohibitive. The result is outdated (in some cases, literally antiquated) infrastructure systems so frail that even updating them creates enormous risk; in many cases, the infrastructure is so outdated that it’s not even possible to implement more modern security controls. On the other end of the spectrum, there are systems that are so new that their weaknesses have yet to be discovered. The newest of these technologies are often developed using cloud and agile technologies which enable extremely fast iteration and innovation but can make security a fast-moving target.
- CI/CD methodology. When done lifting and shifting things move fast, you have to bake security in. Secure the app as you’re developing it. If you’re going to scan, you need to scan production.
- Security of the APIs and ability to monitor traffic and separate bots from real people.
- Capturing the return on investment for security investments is often difficult. In a regular day, making your software or internal infrastructure safer will not make your balance sheet look better. Only when a major incident occurs does the lack of investment become obvious. It can be difficult to allocate engineering time to boost an application’s security posture and secure that critical middleware when another business feature may take precedence. Organizational structures can be an issue too. For companies working in silos, getting the right security skills at the right time is nearly impossible, leading to weak security. Breaking down those silos in order to form cross-functional engineering teams can help in boosting security by forging it in instead of just applying band-aids down the road.
- 1) Weak credentials or credential re-use — recent data breaches of websites, such as LinkedIn, exposed millions of credentials online. Many users use the same passwords for both external and internal domains, allowing the attacker to leverage those credentials dumps to breach organizations. 2) Not adhering to the best security practices for hardening your network. 3) Alert fatigue - Today’s security analysis requires the handling of hundreds of alerts a day across multiple products, making it extremely difficult to pinpoint the important issues that must get their attention.
- 1) Ever widening gap between business and security and security and development. We need to get all three aligned around the security mission; it’s hard to drive a security agenda. 2) The technical side of the house so many tools available that help do the same thing slightly differently. We need to figure out how to get the right set of capabilities embedded into the company and the processes. Integrating with the existing toolset and processes.
- True delegation and access at the individual level. Open source implementation of protocols is inconsistent. Different instances are very different delegation doesn’t work the same on all platforms and are really doing for the first time. Hard to get a Kerberos principal.
- Integration between different security solutions. Performance degradation with endpoint fatigue. Scenarios where the need to find a broader suite to solve more problems with integration and overlay tries to make everything work together without causing performance or budget concerns.
- The most common issue today is overwhelmed by security teams. They are overwhelmed because of a shortage of experienced practitioner labor, as well as by the sheer volume and velocity of what they are being asked to deal with.
- The most common issues we see affecting security are that cyber attacks are growing and ever-changing. According to OneTrust Alliance, cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, driven by ransomware and new attack methods. These attacks are also becoming increasingly sophisticated. Without the agility to dynamically adapt to new events as they happen and stay updated automatically, enterprises will find the preventative security barriers they put in place essentially useless.
- Security as an afterthought: This is one of the common and hard-to-hear truths in the industry. In some cases, it’s due to the lack of resources and expertise; in others, it is due to misguided thought processes and can be fixed at a later stage. We need to evangelize and incent secure coding. Building security champions: Another key factor is the lack of security expertise. We need to train people to become security champions who can proactively identify gaps in our security processes.
- Incorrect prioritization of flashy or intellectual interesting security work over more boring but more impactful work is probably the biggest problem. The second biggest problem is the lack of good computer security tracks in higher education, which leads to a shortage of security engineers. The third biggest problem is some of the negative aspects of the culture of security. Specifically: the lack of diversity and inclusion, the tendency of some security engineers to take on a condescending attitude when talking with people less knowledgeable about security (e.g. everyone else working at a company other than the security team), and the tendency to default to “no” without further elaboration. The right approach for #3 is, instead of saying “No, you can’t do that” and ending the discussion, instead of saying “Before I answer, what goal are you trying to achieve?” Then, you can begin working towards a secure solution, turning that conversation into a collaboration.
- In many cases, developers are using third-party open source components that are unvetted, often containing known vulnerabilities. Understanding where these are, and how to remediate them is time-consuming without automation. Furthermore, even images that were scanned when they were initially created, may be subject to new vulnerabilities discovered weeks or months later. Yet, many organizations fail to review existing images in their registries on a regular basis. Many applications require credentials to access other services, and managing the secrets necessary for access control is a challenge. As a result, many containers run with excess privileges (even as root), creating a potential threat. While various vault products can simplify the process of secrets management and authentication, without a means to update this information at runtime, containers must be restarted.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curmphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa
Opinions expressed by DZone contributors are their own.