Most Effective Security Techniques (Part 2)
In addition to culture, we found that automation, customization, consistency, DevSecOps, and other techniques are also effective.
To understand the current and future state of the cybersecurity landscape, we spoke to, and received written responses from, 50 security professionals. We asked them: "What are the most effective security techniques?"
In part one, we learned about the importance of culture, including training, hygiene, and processes. The following are other techniques that were deemed to be important:
- With automated security analytics and human analysts, someone has to look and say whether it’s good or bad traffic in order to learn. It's time to start recommending similar decisions for similar cases. This helps with managing the workload so you can react faster to events. As it gains credibility, you can switch to automated mode. If we see suspicious IP addresses, we can stop the bad things from happening. With the complexity of the new models, there’s a benefit as we’re trying to collect subtle cues that may not be 100 percent reliable; there may be some activity on the user's computer indicating there may be malware. Use the kill chain to connect separate events and map them to known attacks. Do risk calculations to bring high-risk advances to the top so you can react and prevent the final events of the attack, like exfiltration. This requires significant compute muscle and models that work with minimal false positives.
- The techniques that are most effective are to have an automated means to assess, identify, and remediate vulnerabilities with as little human intervention as possible so as to shorten the window. According to Gartner, the average time to discover and resolve a vulnerability is 38 days, while it takes only 7.72 days from when a vulnerability is identified to when it is exploited. Speed to resolution through automation is key.
- Segment, segment, segment to limit risk by containing each application in its own network and private cloud environment. Look at automating the orchestration of all the setup and configuration. Prevent breaches from simple mistakes. Make configuration management simpler at large scale. Delivery by the cloud and automation are keys to success. It gives large centralized brands control, visibility, and automation for security at the edge, across a mix of IoT, back-office, and retail applications.
"The most effective security techniques are those that leverage technology and address every phase of a potential attack."
- From a business perspective, it is logical to put the majority of your cybersecurity focus on preventing attacks from happening in the first place. However, it would be negligent not to address the possibility of a successful breach. It is critical that businesses design and implement an incident response plan and train their staff on execution. Automating as much of your incident response plan as possible will help to reduce implementation time.
- I think about security techniques in two buckets — prevention of vulnerabilities and in the mitigation of exploits. The most common automated security research techniques used to prevent vulnerabilities today include regression testing, unit testing, and fuzzing. There is also code analysis and dependency analysis. These techniques are valuable tools for helping to secure a codebase, but none of these methods are optimal for finding variants of known vulnerabilities. Beyond automation, you could manually review code for variants; however, on any reasonably-sized project (or collection of projects), manually combing through the entire codebase is completely infeasible, especially for anything that is more than just syntactic. Additionally, a manual process that only checks incoming code changes doesn't give you any insight into what existing vulnerabilities may exist, and, of course, is susceptible to human error. No matter what techniques are used to avoid the introduction of vulnerabilities, we have to be pragmatic: one can never eradicate all potential security problems in code. It is important, therefore, to also put technology in place limiting the impact that vulnerabilities can have. For example, systems should be monitored at runtime for the occurrence of attacks, so that they can be mitigated before they happen. Furthermore, you can apply techniques that make vulnerabilities extremely hard to exploit, such as ASLR (Address Space Layout Randomization), which mitigates the risk of common problems like buffer overruns. A generalization of ASLR is a “moving target defense” where every copy of an executable is different, again foiling attackers.
- Tailor your cybersecurity program to your key terrain. When organizations understand the critical assets and interdependencies affecting the business and develop a prioritized program to manage the cyber risk, they will be effective. Too many organizations address security uniformly across the enterprise and seek technology or policies that fit everything. That approach ends up with a dilution of funding and resources (to include people) that results in an overall weakened security posture. Establish (and practice) how you will handle a breach BEFORE it happens. In particular, contract investigative services (e.g. FireEye, TrendMicro, Crowdstrike) and settle on rates in advance. Same with legal services. Those two items can be the biggest cost drivers if you suffer a breach and you don’t want to handle it during a crisis. Establish (and practice) how PR will be handled. If you don’t do it correctly, not only can you have extra damage to your brand (e.g. Target, Equifax) but you increase your likelihood of being sued, which drives up the cost of the breach. Figure out who will release what information and review it as part of disaster preparedness! Get to know your local law enforcement (FBI/InfraGard) so you know what you need to do to protect evidence and who to notify. Again, before a breach not during one! Ensuring everyone in the organization is continuously learning best cyber hygiene practices is the most effective security technique. You can have all the tools and software in place to protect company assets but without knowledgeable and skilled staff to enforce their purpose, all is lost. Cyber is everyone’s responsibility and it starts with a company-wide cyber awareness.
- The most effective security techniques are those that are tailored to the specific environment and IT assets of an organization. For example, companies that allow BYOD need a different set of tools than those that use only managed devices. With cloud adoption and BYOD on the rise, more and more companies need a cloud access security broker (CASB), a policy enforcement point that provides visibility, identity management, and data and threat protection in the cloud. CASBs secure data wherever it goes – whether in transit or at rest – on any managed or unmanaged application or device.
- Instead of presenting security as an all-or-nothing ultimatum, the most effective security teams are working to evaluate and help each team in the organization. The bottom line is that security can only be effective when it is approached on an individualized basis. Each team has different needs and skill sets, and so the security plans for each should be constructed with those differences in mind. That way, the protection is right for the type of information that the team must safeguard.
- The most important element of security is embedded in the process and automated. Anything related to security and security policies is codified. Security techniques are focused on multiple security processes – static, dynamic, and new technologies like shift left. The most effective techniques are multi-perspective. We recommend embedding that into the process from different perspectives.
- As mentioned above, consistency is key. It’s important to have a program in place that provides regular and consistent scanning, alerting and patching as this is the most effective way to reduce your risk, not the latest “AI-machine learning product.”
- Security solutions must adapt to the new reality described above by supporting three key requirements: 1) Integration into the build process, or what some call "Shift Left," to identify issues early, and prevent the vulnerable code from being introduced in the first place. Shift Left is a well-understood concept in developer circles, and it needs to become just as familiar from a security perspective in order to identify and remedy potential security issues with applications before they move into production and throughout the development cycle. 2) Implementation of tight controls at the network level, for example by using whitelisting and baselining approaches to tightly limit the ability of services to behave in a way that is not consistent with their intent. 3) Enforcement of consistent rollout and enforcement policies, regardless of the organization's choice of cloud provider or technology "stack."
- Employ security early on and throughout the application deployment lifecycle. Integrate into developer and DevOps practices. Employ segmentation and give deep security controls within the cloud environment and cloud-native application stack – containers, K8s, and service mesh.
- 1) DevSecOps workflow. Assign ownership where it actually matters and has an impact. You want the product engineering team to be responsible for the security of the code they are deploying. You don’t want an engineering team and a security team with different objectives. Have a unified deployment and security team. The product team is ultimately responsible for the security of the product. Security is available to help if needed. 2) Incident simulation. We take an employee, pretend they are rogue, and send them to Starbucks to use a password and install fake malware. We then tell security about the simulated incident and have them determine what happened: who it was, where it happened, and what was compromised. Learn whether or not you have the logs necessary to track it. This helps expose holes. 3) Secure coding training. Each engineer spends half a day on documentation, training, types of attacks, and how to defend. You educate engineers so they don’t make really stupid mistakes like injection vulnerabilities.
- In today’s threat landscape, everyone agrees that we can’t rely on passwords as a single means of authentication. Enforcing strong authentication, requiring users to use a second authentication factor to validate their identity, has been proven as the best way to prevent unauthorized access and identity-based attacks. Therefore, corporations are looking to strengthen authentication across all their sensitive systems.
- Encryption is by far the most effective technique. It’s based on mathematics and does not lie. The keys must be secured and controlled. Once you have encrypted your data, you don’t need to worry where the data is stored. It can also travel geographically. When someone needs to access the data, you verify the user involved, the use case, and allow them to execute the keys. Encryption reduces the vulnerability surface by many orders of magnitude.
- Hardware and software updates. Adopt tech that makes it harder for outsiders to penetrate. Secure data on the wire and at rest.
- API security. Identify and monitor all APIs. Differentiate between legitimate and malicious activity to identify and remediate security vulnerabilities.
- Ensuring you have robust application security, endpoint security, and firewalls in place will go a long way to avoiding and/or mitigating threats.
- For web application security: 1) A tri-fold approach is needed to ID and block advanced threats. This includes an attacker-centric model that tracks behavior, combined with application profiling to understand how applications should be behaving under both normal circumstances and when attacked, and active deception to trick and slow down attacker interactions. 2) A hybrid model can support this tri-fold approach, whereby machine learning techniques are combined with other proven and tried technologies such as contextual signatures and behavioral analysis.
- Risk-centric and knowledge-centric approaches. Make sure you make the best use of all of the tools in your toolkit: all developer tools, static analysis, and pen testing programs built into the SDLC lifecycle. Risk scores based on the results from the testing tools are used as a gatekeeper for moving software along the SDLC process. Set up the threshold to go from development to testing. Another thing we’re seeing is closing the loop on application security vulnerabilities: trying to address where vulnerabilities are coming from and reduce the volume of vulnerabilities coming in, looking at insights from risk analysis and the subtopics that generate the most vulnerabilities, and targeting developer training based on those insights.
- One of the most effective security techniques is to enrich your organization’s security posture with full data visibility and robust threat hunting and intelligence. Understand that malicious adversaries are hiding in plain sight – such as in Windows PowerShell designed for sysadmins — so threat hunting must evolve to look for tactics, techniques, and procedures (TTP), instead of focusing purely on static indicators of compromise. But don’t leave old rules behind either: static information like hashes are still a relevant part of security.
- In the cloud, configuration and identity are your two big attack surfaces. That means your tools and methods need to be about establishing known-goodness of the configuration of your cloud resources and identity and access management, prior to and post-deployment. You need to analyze your cloud infrastructure configuration before deployment to know you’re within policy. Once deployed, you need to adopt self-healing infrastructure for your critical cloud resources to protect against data breaches due to misconfiguration and drift.
- A multi-faceted approach is the most successful. Protect the most sensitive data. Understand data and how to protect it so you can put better controls in place. Instead of more solutions, start to understand the strategy of how to do IT better. What do you need to protect (PII) versus not protect (public phone book)? Have a classification schema with a security strategy. Know what all of the data is and where it is. Know where the biggest risks are and prioritize minimization.
- High-performing teams focus on proactive security instead of reactive. By shifting to a proactive security posture, you can identify and mitigate potential risks throughout the software development lifecycle before an incident occurs. This leads to an overall safer environment and enables security teams to focus on forward-looking strategic shifts, rather than constantly firefighting urgent incidents.
- Although not a new idea, the Zero-Trust model is being considered by security-minded organizations now as a more effective defense-in-depth approach than the more traditional perimeter-based protection and detection mechanism. Defense-in-depth is a layered approach, and a good practitioner is able to understand what the limitations are in one layer and identify other layers to bridge the gaps.
- 1) One of the most effective security techniques is to get a better understanding of your assets without spending more money. With so much tech out there, the world has become a buyer’s paradise. But users don’t need Slack. People don’t need Dropbox. Developers don’t need JIRA. They need sharp and agile communication, accessible collaboration, and digital project management to build great things. When these true needs are satisfied, it is rare to see disaster befall your organization just because a certain logo is missing from your toolbar. Look at what’s really needed but hide the technology names. It’s not the technology itself, it is the fundamental capabilities they make possible. 2) To do so, start with a comprehensive inventory of what you have: hardware and software. It doesn’t have to be every last shard of tech in the organization, but high confidence that the list is relatively complete. See where there are license over-purchases, such as: “Hey! We have 15 percent more licenses than potential users.” Next, look at utilization: “Only 70 percent of our people are using this.” Put those two metrics together: 1) purchased-license-to-user base and 2) hardware/software utilization, and you’ll be sure to find low-hanging fruit bending all the way into your hand. 3) Solicit advice, take inputs, calibrate decision criteria, be transparent about the rationale, then make the decision to amputate or not. People need to believe their opinions matter, that they have a say in what goes into the decision process. They need to recognize the stepwise decision tree, but ultimately, you’ll need to make these decisions rooted in what’s best for the organization. We must never hesitate to be goal-directed. 4) I cannot count how many conversations I’ve had with IT managers and leaders who are salivating to pursue revenue-generating or market-making opportunities but can’t because budgets are exhausted by technologies that tied them down.
To be sure, it can be imprudent to just start whacking away at the current technology spend, but take a lesson from Michelangelo who, when asked how he created David, replied, “I simply removed all the pieces of stone that didn’t look like David”. Chisel down your IT spending by removing what doesn’t look like where you want to be.
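The first response above (automated analytics that connect separate events along the kill chain and score risk so that late-stage activity such as exfiltration rises to the top) and the later threat-hunting response (hunt for TTPs such as PowerShell abuse rather than only static indicators) describe the same correlation idea. The following is an added example by the editor, not code from any respondent or their company; the event lines, the detection rules, the stage weights and the scoring formula are all constructed for illustration.

```python
"""Correlate host events onto kill-chain stages and rank hosts by risk.

Added editorial example; not code from any respondent or vendor. The
event lines, rule table and stage weights are constructed. Assumption:
one event per line, tab-separated as "timestamp<TAB>host<TAB>source<TAB>detail".
"""
import re
from collections import defaultdict

# Kill-chain stages in attack order. Later stages weigh more because they
# sit closer to the objective (exfiltration), which is what we want to stop.
STAGES = ["recon", "delivery", "execution", "persistence", "c2", "exfiltration"]
STAGE_WEIGHT = {s: 10 * (i + 1) for i, s in enumerate(STAGES)}

# TTP-style rules: (event source, regex over detail, stage, confidence 0..1).
# Each one is a "subtle cue" that is not 100 percent reliable on its own.
RULES = [
    ("proxy", re.compile(r"linkedin\.com|hunter\.io"), "recon", 0.2),
    ("mail", re.compile(r"attachment=.*\.(docm|xlsm|iso)$"), "delivery", 0.5),
    ("edr", re.compile(r"powershell.*-(enc|encodedcommand)\b", re.I), "execution", 0.7),
    ("edr", re.compile(r"schtasks.*/create", re.I), "persistence", 0.6),
    ("dns", re.compile(r"[a-z0-9]{25,}\.(xyz|top|info)$"), "c2", 0.5),
    ("netflow", re.compile(r"bytes_out=(\d+)"), "exfiltration", 0.0),  # confidence set by volume
]
EXFIL_BYTES = 50_000_000  # outbound volume above which a single flow counts as exfil


def parse_event(line):
    ts, host, source, detail = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "host": host, "source": source, "detail": detail}


def classify(event):
    """Return (stage, confidence) for an event, or None if no rule matches."""
    for source, pattern, stage, conf in RULES:
        if event["source"] != source:
            continue
        m = pattern.search(event["detail"])
        if not m:
            continue
        if stage == "exfiltration":
            if int(m.group(1)) < EXFIL_BYTES:
                return None
            conf = 0.8
        return stage, conf
    return None


def score_hosts(lines):
    """Group classified events by host and compute a risk score per host.

    score = sum(stage weight * best confidence seen for that stage) * bonus,
    where the bonus grows with the number of distinct stages observed: a host
    showing several stages in kill-chain order is far more likely to be a real
    intrusion than a host with one noisy cue.
    """
    per_host = defaultdict(dict)
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit is None:
            continue
        stage, conf = hit
        per_host[ev["host"]][stage] = max(conf, per_host[ev["host"]].get(stage, 0.0))
    results = []
    for host, stages in per_host.items():
        base = sum(STAGE_WEIGHT[s] * c for s, c in stages.items())
        ordered = [s for s in STAGES if s in stages]
        bonus = 1.0 + 0.5 * (len(ordered) - 1)
        results.append({"host": host, "score": round(base * bonus, 1), "stages": ordered})
    return sorted(results, key=lambda r: r["score"], reverse=True)


SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    "2019-06-03T09:01:10\tws-17\tproxy\tGET https://www.linkedin.com/in/cfo-profile",
    "2019-06-03T09:14:22\tws-17\tmail\tfrom=invoices@supplier.test attachment=Q2_invoice.docm",
    "2019-06-03T09:15:03\tws-17\tedr\tpowershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAo...",
    "2019-06-03T09:15:40\tws-17\tedr\tschtasks.exe /Create /SC MINUTE /TN Updater /TR C:\\Users\\Public\\u.exe",
    "2019-06-03T09:16:05\tws-17\tdns\tq=x7k2m9p4q1w8e5r3t6y0u2i4o6p8a1s3d5f7.xyz",
    "2019-06-03T10:02:30\tws-17\tnetflow\tdst=203.0.113.9:443 bytes_out=81234567",
    "2019-06-03T09:30:00\tws-04\tedr\tschtasks.exe /Create /SC DAILY /TN Backup /TR C:\\Tools\\backup.exe",
    "2019-06-03T09:45:00\tws-04\tnetflow\tdst=192.0.2.20:445 bytes_out=1200000",
    "2019-06-03T09:50:00\tws-09\tproxy\tGET https://www.linkedin.com/feed/",
]

if __name__ == "__main__":
    for r in score_hosts(SAMPLE_EVENTS):
        print(f"{r['host']:<8}{r['score']:>8}  {' -> '.join(r['stages'])}")
```

Run as-is, ws-17 (all six stages) lands at the top with a score of 455.0, while the host that only created a scheduled task scores 24.0 and the one with a single LinkedIn visit scores 2.0; that gap is what lets an analyst work the queue from the top and, once the rules have earned credibility, let the top band trigger automated containment.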
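The response on prevention versus mitigation argues that textual review cannot keep up with variants of a known bug on any sizeable codebase. The example below, added here by the editor and not taken from any respondent or vendor, shows what an AST-level (semantic rather than textual) variant search looks like for one bug class in Python: a shell command assembled from data and handed to `os` or `subprocess`. The sample source, including the aliased imports that defeat a plain `grep subprocess`, is constructed for the example.

```python
"""Find variants of a known shell-injection pattern in Python source.

Added editorial example of AST-level variant search; not code from any
respondent or product. Assumption: the known bug is "a command string built
from data is passed to a sink that runs it through a shell". SAMPLE_SOURCE is
constructed and deliberately contains renamed/aliased variants.
"""
import ast

# Sinks that run a string through the shell (os.* always; subprocess.* only
# when called with shell=True).
SHELL_SINKS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "call"), ("subprocess", "check_output"),
               ("subprocess", "Popen")}


class VariantFinder(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}    # local name -> module name, or (module, attr)
        self.findings = []   # (line number, reason)

    # Track import aliases so that `import subprocess as sp` and
    # `from subprocess import check_output as run_cmd` are still recognised.
    # (Assumption: imports precede their use, as in the sample source.)
    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = (node.module, a.name)
        self.generic_visit(node)

    def resolve(self, func):
        """Map a call target to its canonical (module, attr) pair, or None."""
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            mod = self.aliases.get(func.value.id)
            if isinstance(mod, str):
                return (mod, func.attr)
        if isinstance(func, ast.Name):
            target = self.aliases.get(func.id)
            if isinstance(target, tuple):
                return target
        return None

    @staticmethod
    def is_dynamic(expr):
        """True if the command string may contain data rather than a literal."""
        if isinstance(expr, ast.Constant):
            return False
        if isinstance(expr, ast.JoinedStr):  # f-string
            return any(isinstance(v, ast.FormattedValue) for v in expr.values)
        if isinstance(expr, ast.BinOp):      # "cmd " + x  or  "cmd %s" % x
            return True
        if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute):
            return expr.func.attr == "format"  # "cmd {}".format(x)
        return True  # a bare variable or anything we cannot prove constant

    def visit_Call(self, node):
        sink = self.resolve(node.func)
        if sink in SHELL_SINKS and node.args:
            shell_kw = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                           and kw.value.value is True for kw in node.keywords)
            uses_shell = sink[0] == "os" or shell_kw
            if uses_shell and self.is_dynamic(node.args[0]):
                self.findings.append((node.lineno, f"{sink[0]}.{sink[1]} with dynamic command"))
        self.generic_visit(node)


def find_variants(source):
    finder = VariantFinder()
    finder.visit(ast.parse(source))
    return finder.findings


SAMPLE_SOURCE = '''
import os
import subprocess as sp
from subprocess import check_output as run_cmd

def known_bug(user):
    os.system("id " + user)                        # the originally reported bug

def variant_fstring(host):
    sp.run(f"ping -c 1 {host}", shell=True)        # aliased module, f-string

def variant_renamed(path):
    return run_cmd("ls -l {}".format(path), shell=True)  # renamed function

def safe_argv(host):
    sp.run(["ping", "-c", "1", host])              # argv list, no shell: fine

def safe_literal():
    os.system("uptime")                            # constant command: fine
'''

if __name__ == "__main__":
    for line, reason in find_variants(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

The two "safe" functions are reported clean and the three variants are flagged on lines 7, 10 and 13, even though only one of them mentions `subprocess` by name at the call site. A production-grade tool adds data-flow tracking (the variable may be constant, or the data may be validated before it reaches the sink); this simplified checker only distinguishes literal from non-literal commands, so expect false positives on bare variables.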
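For the response on strong authentication, here is an added example (the editor's, not any respondent's code) of the second factor most commonly deployed: an RFC 4226 / RFC 6238 one-time password generator with a verifier that tolerates one time step of clock skew and compares codes in constant time. The secret is the RFCs' published test secret, used only so the output can be checked against the RFC test vectors; a real deployment generates a random per-user secret and stores it encrypted.

```python
"""HOTP/TOTP second factor (RFC 4226 / RFC 6238) with a tolerant verifier.

Added editorial example, not code from any respondent. RFC_TEST_SECRET is
the test secret from RFC 4226 Appendix D, not a real key.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """Time-based variant: the counter is the number of steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time so response timing
    does not reveal how many digits matched. The window absorbs clock skew;
    keep it small, because every extra step widens an attacker's guessing
    window, and pair it with rate limiting on failed attempts.
    """
    if for_time is None:
        for_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    current = int(for_time) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))             # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("current code:", totp(RFC_TEST_SECRET))
```

Because a TOTP code is only ever six to eight digits, the verifier's constant-time comparison and a small window are not optional niceties: an online attacker who can try codes freely against a wide window will eventually land one, so the second factor protects against credential theft, not against unlimited guessing.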
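The response on cloud configuration and identity calls for checking configuration against policy before deployment and detecting drift afterwards, with self-healing for critical resources. The following added example (the editor's code, not a respondent's or any product's) does both over a constructed, provider-neutral resource model; the resource fields, the three policies and the sample desired/observed snapshots are assumptions made for illustration.

```python
"""Pre-deployment policy checks and post-deployment drift detection for
cloud resource configuration.

Added editorial example, not code from any respondent or product. The
resource model is constructed (assumption: each resource is a dict with
"id", "type" and type-specific fields) and the policies are illustrative.
"""
import ipaddress

SENSITIVE_PORTS = {22, 3389, 3306, 5432}


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. an ingress rule open to the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_policy(resources):
    """Evaluate every resource against policy; return [(resource id, reason)].

    Run this against the planned configuration (template or plan output)
    before deployment, so a bad change is stopped before it ever exists.
    """
    violations = []
    for r in resources:
        rid, rtype = r["id"], r["type"]
        if rtype == "bucket":
            if r.get("public_access", False):
                violations.append((rid, "object storage bucket allows public access"))
            if not r.get("encryption_at_rest", False):
                violations.append((rid, "bucket lacks encryption at rest"))
        elif rtype == "security_group":
            for rule in r.get("ingress", []):
                lo, hi = rule["port_range"]
                exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
                if _is_world(rule["cidr"]) and exposed:
                    violations.append((rid, f"ingress from anywhere to sensitive ports {exposed}"))
        elif rtype == "iam_policy":
            for stmt in r.get("statements", []):
                if (stmt.get("effect") == "Allow" and "*" in stmt.get("actions", [])
                        and "*" in stmt.get("resources", [])):
                    violations.append((rid, "IAM statement grants all actions on all resources"))
    return violations


def _flatten(prefix, value, out):
    """Flatten nested dicts/lists into dotted paths so drift is reported per field."""
    if isinstance(value, dict):
        for k, v in value.items():
            _flatten(f"{prefix}.{k}" if prefix else k, v, out)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _flatten(f"{prefix}[{i}]", v, out)
    else:
        out[prefix] = value
    return out


def detect_drift(desired, observed):
    """Compare declared configuration with what is actually deployed.

    Returns {resource id: [(field, desired value, observed value), ...]}.
    Resources present only in `observed` are reported as unmanaged. The
    caller can feed the result to self-healing (re-apply `desired`) rather
    than merely alerting on it.
    """
    want = {r["id"]: _flatten("", r, {}) for r in desired}
    have = {r["id"]: _flatten("", r, {}) for r in observed}
    drift = {}
    for rid, fields in want.items():
        actual = have.get(rid)
        if actual is None:
            drift[rid] = [("<resource>", "present", "missing")]
            continue
        diffs = [(f, v, actual.get(f)) for f, v in fields.items() if actual.get(f) != v]
        diffs += [(f, None, v) for f, v in actual.items() if f not in fields]
        if diffs:
            drift[rid] = diffs
    for rid in have.keys() - want.keys():
        drift[rid] = [("<resource>", "unmanaged", "present")]
    return drift


DESIRED = [  # constructed plan: what we intend to deploy
    {"id": "data-bucket", "type": "bucket", "public_access": False, "encryption_at_rest": True},
    {"id": "web-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port_range": (443, 443)},
                 {"cidr": "10.0.0.0/8", "port_range": (22, 22)}]},
    {"id": "ci-role", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["storage:GetObject"], "resources": ["bucket:data-bucket/*"]}]},
]
OBSERVED = [  # constructed snapshot of what is actually running, some time later
    {"id": "data-bucket", "type": "bucket", "public_access": True, "encryption_at_rest": True},
    {"id": "web-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port_range": (443, 443)},
                 {"cidr": "0.0.0.0/0", "port_range": (22, 22)}]},
    {"id": "ci-role", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["storage:GetObject"], "resources": ["bucket:data-bucket/*"]}]},
    {"id": "tmp-sg", "type": "security_group", "ingress": [{"cidr": "0.0.0.0/0", "port_range": (0, 65535)}]},
]

if __name__ == "__main__":
    print("plan violations:", check_policy(DESIRED))
    print("live violations:", check_policy(OBSERVED))
    for rid, diffs in detect_drift(DESIRED, OBSERVED).items():
        print("drift:", rid, diffs)
```

The planned configuration passes policy, so deployment proceeds; the live snapshot then shows the bucket made public, SSH opened to the world and an unmanaged security group, which is exactly the "misconfiguration and drift" the response warns about. Gating on `check_policy` catches the first class before deployment; running `detect_drift` on a schedule and re-applying `DESIRED` for any drifted critical resource is the self-healing half.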
Please see part one for more thoughts on the most effective security techniques.
Here’s who shared their insights:
- Josh Mayfield, Director of Security Strategy, Absolute
- Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
- Steven Aiello, security and compliance solutions principal, AHEAD
- Gadi Naor, CTO and Co-founder, Alcide
- Omer Benedict, Senior Director of Product Management, Aqua Security
- Tom Maher, CTO, Asavie
- Gaurav Banga, CEO and Founder, Balbix
- Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
- Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
- Anurag Kahol, CTO, Bitglass
- Syed Abdur, Director of Product Management and Design, Brinqa
- Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
- Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera
- Brian Kelly, Head of Conjur Engineering, CyberArk
- Doug Dooley, COO, Data Theorem
- Jason Mical, Cyber Security Evangelist, Devo Technology
- OJ Ngo, CTO, DH2i
- Tom DeSot, EVP CIO, Digital Defense, Inc.
- Chris DeRamus, Co-founder and CTO, DivvyCloud
- Alan Weintraub, Office of the CTO, DocAuthority
- Tom Conklin, CISO, Druva
- Anders Wallgren, CTO, Electric Cloud
- Satish Abburi, founder, Elysium Analytics
- Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
- Ambuj Kumar, Co-founder and CEO, Fortanix
- Josh Stella, co-founder and CTO, Fugue
- Kathy Wang, Senior Director of Security, GitLab
- Amith Nair, VP Product Marketing, HashiCorp
- Mike Puglia, Chief Customer Marketing Officer, Kaseya
- Nathan Turajski, Director of Product Marketing, Micro Focus
- Gary Duan, Chief Technology Officer, NeuVector
- Gary Watson, CTO and Founder, Nexsan
- Stephen Blum, CTO and Co-founder, PubNub
- Chuck Yoo, President, Resecurity
- Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
- Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
- Igor Baikalov, Chief Scientist, Securonix
- Oege de Moor, CEO and Co-founder, Semmle
- Dana Tamir, VP Market Strategy, Silverfort
- Logan Kipp, Technical Architect, SiteLock
- Albert Zenkoff, Security Architect, Software AG
- Tim Brown, V.P. Security Architecture, SolarWinds
- Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
- Tim Buntel, VP of Application Security Products, Threat Stack
- Andrew Useckas, Founder and CTO, ThreatX, Inc.
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenberg, Director of DevOps Strategy, XebiaLabs
- Robert Hawk, Operations Security Lead, xMatters
Opinions expressed by DZone contributors are their own.