Most Important Security Elements (Part 1)

To understand the current and future state of the cybersecurity landscape, we spoke to and received written responses from 50 security professionals. We asked them: "What are the most important elements of application and data security?" Here's what they told us about visibility, remediation, and prioritization. We'll cover the other things they shared with us in part two. 

Visibility

• If we are limiting the scope to applications that are built by your organization accessing your data, then focusing on modern approaches to continuously find and remedy vulnerabilities while giving you visibility into API-services, mobile and modern web applications.  
• Catalog all APIs, eliminate blind spots, assess risk, determine sensitive data exposure, and keep them protected as they change. Differentiate between legitimate behavior and attackers. Detect targeted attacks to help security teams focus on and eliminate the source of the attack. Leverage attackers as penetration testers and gain insight into how to remediate vulnerabilities. 
• Know your environment. The majority of customers don’t know enough about their environment. We are always dealing with the issue of rogue devices in the network with unknown access to the application, unknown access privileges for users, identity management problems. Visibility into the modern complex enterprise is hard to achieve. IT doesn’t have the tools. IT turns to security to help them find the missing pieces, servers accessing the database, who are the owners, who is patching, why do these users have access? Visibility into the modern complex enterprise is more critical than security. 
• Know where the data and the crown jewels are whether they are in-flight or at rest to mitigate the risk with controls, detection, and monitoring from a security standpoint. 
• 1) Comprehensive coverage: As enterprises build and connect more applications and migrate them to the cloud, they must focus on securing a larger attack surface from ever-evolving threats with very limited resources. (i.e. all of your applications should be protected, not just the crown jewels). 2) Visibility into security data (attack vectors, responses) to inform security decisions: The last thing you want your talented security team doing is pouring over security event data just to try to ID attackers and vulnerabilities AFTER they happen - that data should ideally be continually driving optimizations to your security strategies and tools. The security team should be enabled to operate more efficiently and make more informed decisions. 
• The most important elements for application and data security include full data visibility (beyond just security data) and robust threat hunting and incident response. A strong and modern SOC should have access to all data, live; a complete logging system; as well as regular penetration test and code review of all applications and systems. 
• Visibility and contextual information are foundational pieces of security. Teams need insight into what’s happening in an application and with its data. And they need to get that insight at the right time and with the right contextual information to be able to act on it. This applies both to proactively reducing risk at development/build time and to respond to real-time threats at runtime.

Mitigation

• The most important element of application security is hardening the application against security attacks.  This can be achieved using industry accepted and best practices, such as the Web Application Security Consortium (WASC) version 2 framework [http://projects.webappsec.org/f/WASC-TC-v2_0.pdf]. For data security, the most important elements are the protection of the data using cryptographic controls for Data at Rest and Data in Transit, effective Access Control system, and effective monitoring and logging of data access. 
• To me, the most important elements are detecting and preventing vulnerabilities from getting into production environments and having real-time and runtime security that can detect zero-day application exploits. 
• There are application and data security hacks and breaches every day. With the increase of IoT devices, this risk increases, and there are more ways for them to access the network to take control of user’s applications and have access to private data. Every application can have security vulnerabilities and it is important to be able to react to them as quickly as possible. 
• Focus on speed to resolution once you identify vulnerabilities or where you are out of compliance. We have large, highly-distributed clients with highly distributed infrastructure that need to resolve boundary issues. They need tools that provide visibility, automation, and remediation to resolve things without having an IT and security person located in every facility. 
• One of the most important elements of application and data security is the ability to identify security risks in real time and take appropriate measures to address them before they're exploited. Companies need unified visibility of their infrastructure footprint, using tools that continuously monitor for security gaps and vulnerabilities such as misconfigurations, malicious insiders, account hijacking, weak authentication, insecure interfaces and APIs, abuse of cloud services, etc. These types of tools, which focus on automatic, user-defined remediation workflows to fix identified issues, are best because they mitigate the risk of human error. 
• 1) One is the need to embed security throughout the application lifecycle as applications continue to be built and deployed faster than ever. Embedding security checks and controls from development all the way to production is critical to assessing and reducing risk as early as possible. 2) The second is the need to monitor for threats in your running applications or workloads and gaining the ability to respond quickly to mitigate those threats. New, zero days are becoming more common in container and orchestration stacks and waiting for vendor updates that address these vulnerabilities, and new versions of the applications to be deployed creates a potential window of risk.

Prioritization

• We are staunch supporters of the NIST cybersecurity framework. We believe they got it right about overall cybersecurity, including application and data security. The NIST CSF advocates that organizations begin by identifying and prioritizing their key cyber terrain, which highlights the data and applications most important to the business. This leads organizations to quantify cyber risk and provides insight into how to protect the most important applications and underlying data. It is difficult to apply cybersecurity recommendations in a blanket form to an enterprise, but if you prioritize the key terrain, then encrypting data at rest and in transit, along with stress testing applications for vulnerabilities is quite possible. 
• 1) Ensure no information is lost and there's no data leakage. 2) Enterprise application suites need to capture all activity from the network and contextualize/transform complex data into security knowledge with actionable insights. 3) An open data model enables high-value use by onboarding any data — structured/unstructured/semi-structured. All data flowing through an open data model is contextualized and labeled for real-time scoring, machine learning, and analytics. 
• Understand what you need to protect. Don’t throw security at the wrong data. Understand what’s in the environment. Think about legacy data. There’s no excuse for not protecting data from 50 years ago. Data is a liability rather than an asset – it’s waiting to be stolen. 
• The most important elements involve a few steps — and it’s not a silver bullet. 1) Security teams should ask themselves: What are the types of events or things that could happen that would cause a significant impact to the business? What is the data that the business cares about—and how do we identify that from the CEO and CFO level? How do we identify those things and ensure our security program is built around protecting those pieces of data? 2) Once you understand what’s important to the business, then you need to understand the threats that are coming at those systems — and the threats will be different for every company. 3) The third step is “the where” aspect of cybersecurity. Now, we know what’s important and we know what threats are coming at them, but where does that data live? Is it in the public cloud, the S3 bucket, blob storage, a file share, or a database? 4) The fourth step involves visibility and mitigation. What does the team need to do to mitigate the threats to those data assets that the board believes are important — and how do they do that? Do they need visibility into network traffic? Do they need visibility into who’s accessing their S3 buckets? It’s that process that’s the most important element in data security. The most important thing is that a security program needs to have a standardized process like this.
• The most important task in securing code, and the data manipulated by that code, is an activity called “threat modeling.” We need to carefully examine not only the software itself, but the context in which it is being used. That means, for example, identifying precisely what data is sensitive and must be protected, as well as specifying what inputs into the software system potentially come from an untrusted source. Sadly “threat modeling” is frequently done on an ad hoc basis -- instead, what we need is a way to share the burden of modeling threats in all the different software components, so every user of a modeled component can benefit.

Encryption

• We believe storage company strategy can play an important part in eliminating data destruction and corruption. We provide a hardened archive for storing data completely and accurately. It's an on-prem hardware archive designed for compliance with HIPPA, FINRA, medical record-keeping, and data preservation. We create a globally unique serial number in the meta-data that's stored in a cryptographically protected system. We take an inventory of files to ensure they are all there and this is all immutable. This allows us to superimpose a layer of integrity and authenticity on top of the system. Clients can encrypt files with a different encryption key for each file without human intervention.

Please see part two for a lot more thoughts on the most important elements of security.

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera 
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue 
• Amith Nair, VP Product Marketing, HashiCorp 
• Kathy Wang, Senior Director of Security, GitLab
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and co-founder, PubNub
• Chuck Yoo, President, Resecurity
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters