DZone Research: The Most Effective Security Techniques (Part 1)
DZone Research: The Most Effective Security Techniques (Part 1)
DZone Researcher sat down with different executives to assess the most effective security techniques. Here is what they had to say!
Join the DZone community and get the full member experience.Join For Free
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "What kind of security techniques and tools do you find most effective?" Here's what they told us:
- Machine learning (ML), behavioral analytics, threat intelligence, and malware analysis.
- The security paradigm is upside down. 1) End-to-end encryption. 2) No passwords. All data on security is on a server and encrypted. We keep a private key stored on each device. 3) Administrators – no one administrator can bring the system down.
- Modern AppSec, DevSecOps, and security analytics tools.
- Dynamic analysis.
- Zero trust model security model — Secure the customer’s information. How do app developers protect themselves? Promulgated laws, enforcement, and setting have changed the game a lot. It's more important for the developers to do things right – it propagates through the CIO, CISO. Prevention, detection, remediation, and response. Must cover for any kind of security architecture. We undergo an SOC2 audit every year. Compliance and best practice are very important. Most companies in a SOC audit today will fail. An amazing process to go through for preparation. It changes the security mindset of the company. SOC dictates how you hire, security screen, signed disclosures executed, and kept on file. Security is a cultural facet of our business. The average cost of a data breach is now $3.5 million.
- 1) Sender policy framework helps recipient domains validate if the mail server sending is approved. 2) Domain keys for identified mail cryptographic solution public-private key pair that content of the message hasn’t changed since sent. 3) DMARC (domain-based message authentication, reporting, and conformance) allows the domain owner to set policy that requests the recipient domain, if something fails, can do nothing, put the message to spam, or don’t access the message at all.
- 1) Assisting in protecting data by using our platform with tools. 2) For those in enlightened organizations, a security data platform isn’t any different than a data platform. Get rid of silos. Data security should not be different than data management. Data loss prevention needs to get beyond data analyst with different jobs.
- 1) Discovery tools. Look at the data and see what and where it is. Capabilities to go through the data sets. Codify a policy to scrub records before they are shared. 80 to 90 percent are OK to share but need to hide the 10 to 20 percent. 2) Data masking with algorithms in a cryptographically secure way. 3) Auditing data movement and access for governance. Audit records.
- We believe in using tools readily available to anyone — tools that are ad hoc to send or share anything with anybody at any time. Obscure or ‘sign in’ technologies get in the way and are the root cause of shadow IT where consumer-grade tools are used for sensitive content.
- How do we make DevSecOps part of the normal cadence of the pipeline? You do this kind of testing for security to make sure this happens every time. Equifax and struts you can’t stop doing vulnerability testing after you ship. You must continue monitoring for things in your supply chain after you make it live. Open source library already in production with vulnerability. Test before and after your ship.
- Data security at rest database encryption. All data is encrypted. None of the data is in the clear. We suggest encrypting an entire database or NoSQL to encrypt only the confidential data for a leaner approach. Data in transit TLS ECDIT keys improves performance, compatibility challenge, and inter-device communication to adapt to new browsers.
- Visibility — scan everything and then triage. If you don’t scan, you’re not sure what’s not covered. Start with finding out what you don’t know and then decide what you are going to fix.
- Finding ways to automate and do in real-time. Manual intervention for patching and malware cleanup if you can’t respond automatically to block, patch, and fix. Multilayer is also important.
- Fingerprint a user. Identity is key but is easily spoofable. Malware is prevalent. Security threats can be using malware from real devices. Mobile traffic with malware. Use a third-party security platform to manage security.
- To be effective, first, a tool must provide differentiated capabilities, but more importantly, it must easily integrate into the continuous integration pipeline with strong API support. We have been successful in finding strong tooling both from the closed and open source community.
- In a fast-moving world, you need techniques that don’t require a lot of translation across teams. Attack trees, for example, are a great idea but they can be difficult to explain or create in a scalable way. A list-based approach (Top 10, frameworks, or standards) which address common security issues can help you get a base level of security much quicker. You also need to try and remove variability as much as possible. If any output is going to differ based on team composition or experience, look for ways to minimize the difference. This could be through injecting controls or training.
- Security by design from day one.
- Security platform and the framework. Help customers discover risk assessment and management. Everything has security built into it. Either hire the right kind of developers or train to look at security as a design problem.
- Key drivers for security solutions is about availability and making sure whatever the app is it will be available when a customer attempts to access. Infrastructure availability and performance. Directing end users to the website route to best-performing web applications. Digital protection make sure site is available through DDOS, web app firewalls, content caching, and acceleration.
- The most effective tool is one that allows you to be proactive in spotting potential weaknesses and threats without being too maintenance- or admin-intensive. Tools and services are becoming more and more advanced and use some of the latest technologies, machine learning (ML), for example, to their advantage. An example that I would like to highlight here is the Amazon Macie security service, which provides an automatic method of detecting, identifying, and classifying data stored in your AWS account. The service is backed by ML, allowing your data to be actively reviewed as different actions are taken within your AWS account. Using ML, Macie analyzes CloudTrail event data, which makes it possible to spot any unusual or irregular user behavior or access patterns. Any findings are presented in a dashboard, which can trigger alerts. Amazon Macie also uses natural language processing (NLP) methods to help classify and interpret different data types and content. The service can automatically assign business values to data that is assessed in the form of a risk score. This enables Amazon Macie to prioritize findings so that users can focus on the most critical alerts first. This enables Macie to identify critical and sensitive security data such as API keys, secret keys, personally identifiable information (PII), and protected health information (PHI). It can detect changes and alterations to existing security policies and access control lists that affect data within your S3 buckets.
- Our IT security solutions suite helps customers stay current with critical patches, identifies security misconfiguration in real time, and provides anomaly detection and threat mitigation.
- 1) There are a lot of security techniques and tools that are useful. Cloudflare's k-Anonymity (https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/) is an excellent tool for validating that user password have not been breached when paired with a service like Have I Been Pwned? (https://haveibeenpwned.com/). The practice of preventing users from using breached passwords is now an official NIST recommendation and using k-Anonymity is really the only "safe" way to implement NIST guidance and help protect casual web users from picking poor passwords. This is also what our tool, PassProtect (https://www.passprotect.io/), relies on under-the-hood. 2) End-to-end encryption is a design pattern that is now more important than ever which we hope more providers will adapt. Applications using end-to-end encryption guarantee that the service provider providing a service can't actually see or access any customer data. This is what protocols like Signal (https://signal.org/) use to make messaging secure and private. All other forms of private communication aren't exactly private as providers can still access user data. When you read online that Google stores emails encrypted, that means they're only encrypted at rest when Google stores them — but Google can still access these emails and process them. With end-to-end encryption, the provider has no possible way of ever "decrypting" the content they store, thereby giving the power over the content to the user directly. With more focus on privacy and security in the web world, I expect to see more services adopting end-to-end encryption. 3) In the realm of storing passwords, in the last several years, a lot has changed. The old recommendations to use the bcrypt hashing algorithm have been outed in favor of more modern hashing algorithms like scrypt (https://en.wikipedia.org/wiki/Scrypt) and argon2 (https://en.wikipedia.org/wiki/Argon2). Scrypt provides significantly more security than does bcrpyt when storing passwords, and Argon2 goes a step further and provides what is widely considered to be the best possible security for storing passwords. These algorithms are important to adopt and keep up with as time goes on as a lot of people don't realize that when a company stores your password, the format in which they store it is a ticking time bomb. As computers get faster, attackers are more and more likely to be able to "crack" password hashes. Continuously updating your hashes and storing them using the current best practices is incredibly important in providing user security. This is why tools like Okta's API platform (https://developer.okta.com/) are so useful — they handle these upgrades seamlessly and transparently.
- Basic security hygiene is one of the most overlooked but most important areas — this includes things like patching, device management for employee devices, and configuration management for the production server environment. It’s boring for IT and security teams to work on, but teams should be honest with themselves about prioritizing the process of fixing the things that are likely to get the company hacked before they spend time on the more intellectually interesting security projects.
- The customers we are speaking with have typically solved the more basic requirements for Identity and Access Management, encryption of sensitive data, and monitoring/logging of key activities for compliance reporting. However, as they develop their next generation of applications – and today we are seeing the majority of new applications being deployed in a cloud-native model – there is an opportunity to actually improve security, not simply ensure that we are as secure as we were in the past. One of the big reasons for this is that newer applications are often written using microservices architectures. By breaking an application into a set of smaller components, each of these pieces can be managed separately, making it easier to test, to update, and to scale – but also to secure. The base images supporting these apps can be reduced to include only the necessary features to run the service, thus minimizing the attack surface. And, since these services are only performing specific functions, policies can control access to the container only by authorized processes. In addition, by profiling the container at runtime, machine learning techniques can identify anomalous behavior and prevent attacks.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curmphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R and D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa
Opinions expressed by DZone contributors are their own.