DZone Research: Security Use Cases (Part 1)
DZone Research: Security Use Cases (Part 1)
Click here to read more about the tremendous breadth of use cases with 12 industries and 23 applications referenced.
Join the DZone community and get the full member experience.Join For Free
Do you know who is accessing your valuable data through your APIs? Discover how
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, the response to this topic was unlike any we have seen for previous security research guides.
We asked them, "What are some real-world problems you are helping your client solve by securing applications and data?" Here's what they told us:
- A CEO was hacked and called it in after the fact. One customer in insurance found an unusual activity with someone logging in as an executive, internally. This was someone in marketing managing social media. They identified an internal bad actor. This brought up the concern over internal security. The same holds true for privileged users. You only have access to critical service under the premise that they are not on VPN. There needs to be better access and control to enforce the policy. With MFA able to be added in front of any app without any development, there are going to be external breaches. While you cannot detect "lay in wait," you can prevent exfiltration or any other nefarious activity. Identify unusual activity and stop it. Prevent credential compromise.
- Segments like aerospace and defense, consulting, and biotech.
- Alipay processes 100,000 payments every second. China telecom processes 450 million people, as well as billions of calls through subscribers. All calls are added to the graph in real time and are encrypted at rest. Type of output new fields for attributes. 118 new filed for each 450 million subscribers. Feed this into the ML tool and have it encrypted as it is sent out for fraud detection.
- A Furniture retailer implemented the full spectrum DMarc records created properly, outlying systems over six months of full protection. There was a significant increase in the amount of mail sent, how fast it was received, the level of domain reputation increased, medium to high on Gmail, inbox placement up 10 to 15 percent, open rates up six to eight percent, click up five to six percent, and all-around revenue went up as well.
- A security company providing background checks needed to collect 100 points of ID, tax returns, passport, et al, we automatically begin to think about where to store, how long to keep, and an encryption strategy. It is important to not serve as a blob in an SQL server database. Use a secure encrypted store where you can store even on a public cloud and lock down the access credentials to the public cloud. However, there is fallback mitigation if there’s a problem with the cloud provider by helping developers avoid putting credentials in code. It is also becoming increasingly common for developers to hard code credentials to access a storage account. The set-up of the credentials is separated from the code itself — it becomes a DevOps task. Developers set up a pointer and do not get access to private data.
- Cardinal Health uses Veracode to integrate with their development process and provide eLearning for developers after developers would not use a static application security testing tool because it was too clunky. VMWare is building microservices and needs a solution that could scale, know what the threat surface looks like, provide an inventory of code, and check the security of open source code on the front-end without slowing down the development process.
- Financial fraud models with customer transaction data want to move fast we can provide nimbleness and auditing directly on the data. Fraud model to respond quickly and answer auditors.
- Development workflow – similar records, similar sizes. Security is woven into everything we do. Introduce a time dimension to large datasets, like healthcare and financial services, with time flow data. Data-related defects that need to be drilled into. Ability to get the database to see what was happening before something went wrong. This creates an increasing ability to rollback datasets in the event of problems with testing or development.
- A typical example would be a global engineering company. They spend billions of dollars on research to maintain a competitive advantage, and this intellectual property is the lifeblood of the business. But, it needs to be shared with collaborators, outsourced manufacturers, lawyers, and customers — each of whom has their own security rules and systems. By enabling e-mail to be made secure, allowing files of any size the encryption of metadata and ensuring all transactions meet data classification rules and can be tracked allows clients to operate in an ad hoc manner when needed. This saves a fortune on alternative solutions and protects their IP when it is at its greatest risk. There are many other examples in government, insurance, banking, finance, education, and so on.
- 1) Financial services – build fully automated key management use case for encrypted traffic. There needs to be an end-to-end encryption of data. Automate the key management aspect of it for keys and certificates. No humans knows the password to break the code. There is no guarantee that they did it the right way. There is a policy, and, then, there is enforcement. We’ve seen customers using the tools when we viewed their process, and we saw the engineer manually create the key. There’s no way for the security team to validate it. It had a detailed process of how to move the key to another server. This resulted in a good back door, but the front door is open. We provide verifiable auditable way to manage keys without human intervention. 2) Application security for credit cards — we support web application firewall where their security team defines the policy, and the application team has the decision of whether or not to follow the policy. It can be applied across the farm of servers and firewalls.
- We monitor log-in credentials for APIs. We're able to see if someone is using automated tools to attack your site. It corrupts your analytics data, therefore, skewing data and causing you to make incorrect decisions. We should be optimizing for bots rather than customers. What else? The flaws in the system tend to be human – using insecure passwords or reusing passwords. North Korea gave the media USB powered fans during the summit. Third-party companies manage data for hotel room availability to make sure inventory is up to date. This can be done by anyone with a mobile app. Healthcare providers have account data that is important to protect on mobile and web devices.
- A bunch of healthcare customers, providers, payers, hospitals, and financial systems need: 1) a lot of regulation 2) our customers want to be able to engage with their customers on a one-on-one basis, reulsting in real-time info to customers on their mobile phones. Customers had to open up previously back-end transactional systems via APIs — this was the right information at the right time and right context, wrapping the backend in APIs. This will test customer’s transactional systems. This will also help customers discover, create, and test APIs for security to implement B2B and B2C use cases. Taking an existing system and making it available over APIs is continuously assessed for security.
- Financial services – fraud analytics and credit card identify fraud are at an aggregated level and drill down to the fine grain, so you can get to the problem itself. Looking at transactions has resulted in case fraud. Use BI to find patterns at the high level and then look at individual transactions. This includes cloud security clients on both sides of the security issue with financial services companies. Complexity of the environments drives the need to think about security holistically. 82 percent are augmenting technology with Hadoop in the cloud. Companies are not replacing hardware and toolsets; they’re adding to what they already have.
That's all for Part 1, be sure to tune in tomorrow when we'll discuss the security use cases for applications.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curmphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa
Opinions expressed by DZone contributors are their own.