DZone Research: The Most Effective Security Techniques (Part 2)
DZone Research Analyst talks to executives and developers about security and the most effective security techniques. Read on to learn more.
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, the response to this topic was unlike any we have seen for previous security research guides.
We asked them, "What kind of security techniques and tools do you find most effective?" Here's what they told us:
Multilevel
- Defense in depth — No magic bullet. How to structure application on the edge. How to structure for communication back to the cloud. How to select the framework to make it secure.
- Encryption — Prepare to face a fine of $5 million if you lose the data. Mitigation strategy. Multiple layers. Implement access controls with firewalls and two-factor authentication. Encryption is the last line of defense. A company can spend hundreds of thousands securing all doors and windows, but there are doors and windows you did not know existed. For a smaller investment, you can encrypt the data. Only 4 percent of data is encrypted when stolen. Potentially the biggest room for improvement.
- Multilayer – This includes mainframe, DevSecOps, and open source scanning.
- To be prepared and not caught off guard, one has to have a defense in depth layer with multiple solutions and layers. Don’t click on phishing emails. Instead, train users. Also, be careful of compromised websites. Maintain regular backups and keep software up to date.
- Malware analysis and detection — However, there is no one silver bullet. We need a lot of technologies and tools to protect systems and networks. This will include a combination of skills and manpower and technology. There is a huge gap in malware analysis. It can take weeks to reverse engineer malware code, but this doesn’t scale. Provide information on malware automatically. This goes with automation. No one wants to do all of the work manually. There is a never-ending pile of alerts. We need better detection, alerts with automatic analysis, and remediation and vaccination.
- Build apps in layers — We do not trust anyone or any input. We are secure by default. Build the security system first. While it's counter-intuitive, it works.
- Firewalls, endpoint security, application security.
- The best approach for security is a combination of humans and machines. Highly skilled and trained developers, QA testers, and researchers are absolutely necessary in order to produce highly secured code. Automation allows Illusive to identify vulnerabilities in a hyper-efficient manner. For example, simulating attacks within networks enables Illusive to check the effectiveness of their deceptions continually, thus ensuring attackers are detected. Two-factor authentication is a brilliant tool to ensure company information remains secure if a laptop or a cell phone gets stolen.
- Security cannot be dependent on one tool or technique. Building security in layers will provide complete protection. The technical solutions need to be part of a holistic view, in which a well-documented process ensures activities within the organization are performed in a secure manner. The processes must be reviewed with regular controls and audits. The most effective technique is the awareness of every single thing we plan and implement, as a corporate business, as a system, and as application users.
- Security should consist of multiple layers — building some level of redundancy is appropriate so that if one solution (layer) is ineffective at stopping an evolving threat, the other solutions (layers) will be. AI/ML is useful in identifying changing threats, but a review by live security analysts should always be part of the equation. Machine learning is good at finding anomalies that a human might miss, but, at the end of the day, only a human security analyst can think like a hacker and apply the skills necessary to uncover the full story.
Engagement and Ownership
- Looking at how you can better protect your users. Provide frictionless but most breaches occur employees need to become part of the security culture. Working with customers to better train employees and show in real time, because we care about security. Provide real-time feedback. What you’re doing is being secure or insecure. Have employees engage with security. Is security training of employees effective? All think it’s important; few think it’s effective. Training in a vacuum doesn’t work; engage when something is happening.
- It comes down to people — Developers, engineers, and staff. They need to be educated that security is very important. Educate your staff on least privilege: access only the things you need to access. If elevated access is needed, provide it and get out. If there is a compromise, minimize the damage.
- The reality of the cybersecurity game is that one way or another, a modern organization will need to be dealing with some form of attack and will have to learn how to deal with a data breach. There are certain things you can do before it happens to prevent it from happening, and there are other things you can do after it happens to recover from it. On the defensive side of things, it is important to convey security as being everyone's responsibility; it should be embedded into the DNA of every employee. This is the first priority and will probably solve half of the security problem. The rest can be solved by implementing Identity and Access Management solutions, application security testing solutions, data encryption, and cloud security solutions. Once you get those things working together with some level of maturation, the next step would be to run attack simulations where worst-case scenarios occur. This will give real-time feedback about your security posture. It will not only help counter an actual breach during an invasion but will improve processes of communication with the customers and other affected stakeholders.
- Organizations are the most effective when people, processes, and technology are all integrated into a continuous cycle that can adapt rapidly to change. When an attacker is in your application stack, once detected, response teams need to move quickly to eject the attacker and re-adjust defenses across the organization to prevent additional attacks and adjust detection mechanisms to detect the attacker and methods. Additionally, there is a change in how security teams are positioned. Security teams aren’t acting as the gatekeepers to running the application in production; but, rather, security teams are acting more as coaches and consultants to the teams deploying code. As security personnel help developers organize and deploy more secure environments, the overall risk exposure of a company goes down.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R and D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa