Security Application Use Cases

To understand the current and future state of the cybersecurity landscape we spoke to, and received written responses from, 50 security professionals. We asked them, "What are some use cases you’d like to highlight?"

Here's what they told us about application use cases. We'll cover industry use cases in another article.

Data

• Sensitive data systems that aren’t properly protected today include: 1) Homegrown and proprietary systems, 2) Production Servers, 3) Critical IT infrastructure: Hypervisors, DCs, IaaS, network devices, 4) Financial systems: SWIFT, PCI-DSS CDE environments, 5) Healthcare systems: EMR/HER, PACS, Medical equipment, 6) Databases and file shares, 7) SCADA, IIoT and IoT devices, 8) And many more.
• The norm for most enterprises is using a VPN and a direct link. This has been around for 20 years but implementing it effectively can cost a bundle. We create highly available solutions to protect the data. We move the VPN stack and make it cheaper. It’s a more cost-effective and secure solution. Moving the stack closer reduces the cost. VPN routers can be expensive. We do not require hardware devices; we make it a software stack. Scale up or out in software stack. Turn your commodity server in your own router, closer to your environment and data.
• 1) Secrets Management: Customers are using our Vault product to centrally store, access, and distribute dynamic secrets such as tokens, passwords, certificates, and encryption keys. 2) Data Encryption and Protection: Customers are keeping their application data secure with centralized key management and simple APIs for data encryption across clouds and data centers using Vault. 3) Identity and Access Management and Privilege Access Management: Customers are authenticating, protecting, and granting access to different clouds, systems, and endpoints with Vault. They use our product to leverage trusted sources of identities across clouds and data centers.

GDPR

• In Europe, around GDPR, we’ve helped our client with a data catalog to delete 70 percent of their documents because they’re obsolete. This reduces risk exposure tremendously. We’re a society of information hoarders. Most companies have been storing information for years. We collect information and never clean it up. To clean up hoarding you need to throw things out, store things securely, and identify high-value and high-risk data and documents to create order out of chaos.
• The largest use case is, of course, the impact of the European Commission (EC) Directive 2016/679 General Data Protection Regulation (GDPR), which has forced a detailed look at the state of security for data.
• With GDPR, there is the right to be forgotten as well as privacy rights. Most companies are overwhelmed when requested to be forgotten by a customer. By knowing where the data resides, companies can query, purge, and adapt. We are seeing more blending of multinational companies carrying out requests regardless of location.
• Clients need to meet privacy compliance mandates. The end game is data protection. We’ve taken aspects of the portfolio and combined it into an integrated solution. We look at the security needs from end-to-end. We combine the best of data discovery and classification to provide a single pane of glass. We are able to discover threats and integrate with other resources to explore risk. We deliver value so identities, applications, and data come together.

Insider Threats

• We did catch both malicious and unwilling insiders. People are not always malicious. Just careless or ignorant of the policies. In many cases, we were able to detect a breach that was undetected for a while and prove the origin of the breach and identify the damage that was done. A significant number of people don’t mean bad but do not practice good security hygiene. Technology helps to keep the enterprise healthy by identifying problems and the user. Detect violations and correct as soon as possible. You cannot detect an abnormality if you do not have policies in place. One customer asked to detect exfiltration cases in their network. We asked, “what is allowed, what can employees do with data?” There were zero restrictions with regards to email, downloads, and cloud usage. You need basic security policies and procedures for users to monitor and prevent malicious activities.
• In terms of website security, a competent web application firewall (WAF) is often the first security technology deployed by businesses. This is an important step in securing your web applications, but it's important to also make sure that there are eyes looking not just outward, but inward as well. Should anything ever find its way onto your systems, you're going to want to know about it. Monitoring for file changes and using file-based malware scans are some of the most effective ways for introspective auditing.

DevOps

• Some of the most important use cases that CISO/CSOs are focused on are multi-cloud security, API-security, DevSecOps, SecOps automation, and EDR.
• Classic and most common is using adaptable pipeline functionality to drop new scanning technology into the DevOps pipeline. This used to take a year. However, processes have been modified to accommodate new tools. When a client has a software pipeline it shouldn’t take more than a few hours to add a stage to scan containers. You need to know what you have in production. Software pipeline automaton should give you insight into this. Dealing with hundreds or thousands of dependencies, you need to know what you have and what you are running. You have to know your bill of materials so you can tell if you are vulnerable.
• Security in development infrastructure - build servers, for example - is something that is commonly overlooked by security teams but is a critical piece to comprehensive application security. In a highly automated CI/CD pipeline, the build server is a critical transit hub with access to lots of sensitive information — Source Code, Code Signing Keys, Infrastructure Keys, etc. If an attacker is able to access the build environment and compromise the integrity of an application before it even reaches a production environment, it is extremely difficult for security teams to effectively secure the application.

APIs

• We’re seeing organizations rapidly deploying (or hoping to deploy) new applications that give their customers better features within customer-facing applications, portals, and API-based services. These need to be secured for any business-critical, financial, or compliance-driven use case, and that’s where we help.

Other

• We help clients across the board. We try to get them to implement vulnerability management programs. It’s the only way for them to protect themselves. The security landscape is evolving quickly. We work with them to run scans weekly or monthly and have the ability to scan during regular business hours (Daylight Scanning Time) so it doesn’t slow down business and you can identify and remediate issues quickly. In a perfect world, you will run scans on a weekly basis.
• We are a product company for cyber threat platform. Use cases are derived for what we do. We drive intelligence to trust and verify to pivot against emerging threats. Do you understand your brand? Are you having the right level of monitoring to prevent the threats? How quickly can you extract the information and make it actionable to defend against imminent attacks?
• We constantly hear “the perimeter is dead.” But this DOES NOT MEAN that companies should contemplate deploying systems which were designed to be INSIDE a perimeter WITHOUT a perimeter. Modern, secure systems that are designed to be secure in a perimeter-less environment, for example, Apple’s iOS, are deployed as a service, with automated updates and massive investment in security-by-design, vulnerability discovery, disclosure and remediation. If a system’s vendor doesn’t provide a service to maintain an always-up-to-date system, then don’t put it on the internet; place it inside a perimeter. While awareness is growing, we continue to see businesses ignore the security associated with embedded/headless/IoT devices and systems.
• 1) IoT cameras have been compromised (e.g. Nest baby monitor kidnapping threat, other Nest hacks). The malware moves laterally through the network and compromises the home computer. We prevent that from happening. 2) We also enable parental controls — to be able to keep kids safe from security vulnerabilities from Internet access and inappropriate content. As well as connected home management, allowing users to manage their connected home devices and optimize Wi-Fi performance.
• Some customers have a fragmented application security testing program. Internally developed applications are managed in different repositories than business applications managed in other asset inventories. Consistent risk management practices are needed to bring all of the applications together and identifying SLAs making sure they are all enforced across the application stack. We’ve helped customers implement holistic, comprehensive application measure across the software stack from risk analysis to remediation. We set up rule-based ticket creation mechanisms to create tickets consistently based on rules and policies and pushing out them out to external ITSM systems like ServiceNow or JIRA to do the lifecycle management. Comprehensive risk-management from end-to-end – identification, prioritization, remediation, and reporting.
• Developer training on security best practices is incredibly useful to improve application security. Security teams can’t watch everything that happens, so by enabling the development team to ask the right questions, the security team can ensure it’s a consideration throughout the process. Our teams can offer tools to run security tests on company products and share this data back to the developer. This sort of process provides valuable data to the developer, and also gives the security team insight into product development and risk posture. I’d also remind everyone to consider rewarding employees that demonstrate positive security behavior. If an employee falls victim to phishing and we make that individual complete a training, it promotes the idea that security is there to punish employees instead of helping them. Positive reinforcement, such as when someone follows the incident response process and reported the incident, is just as important to recognize.
• A broad range of applications: 1) Behavior Analytics; 2) Insider Threat Detection; 3) Threat Detection and Hunting; 4) Exfiltration of Data; 5) APTs; 6) Compliance — NIST, PCI, HIPAA.
• AppSec teams face a constant struggle to keep pace with security testing and are often unable (or unwilling) to allow development teams to operate in the rapid DevOps environment. As a result, it takes 4-7 months to fix detected security vulnerabilities (if security tests have been conducted at all). Pressure mounts, and the clock ticks. At that point, it becomes too easy for developers to skip critical security risk assessment procedures.
• 1) Since its beginning, ransomware has mainly been focused on financial gain. In the past few months, there has been an interesting shift that many companies may not be aware of: In addition to the ransom request, varying from 0.5 to 5 Bitcoins per device, the attackers also exfiltrate sensitive data from the network and sell it on the Darknet for the highest bid. In most cases, the data leakage is only detected as part of the ransomware investigation. The combination of the two (ransomware and data breach) can cause a much more devastating impact on the brand’s reputation. 2) Also, every year between March and April, companies fall victim to fraudulent tax filings with the US Internal Revenue Service (IRS). Attackers use targeted phishing emails to gain access to employee W2 data and submit their tax returns on their behalf. The incident is usually detected when employees submit their returns, only to learn they have already been submitted. In most cases, the wages and the withholding information in the fraudulent filings were accurate and aligned with their W2 information.
• The previous answer was more focused on network security models, but application security needs to be part of a security team’s focus. For example, many organizations likely have backlogs of security vulnerabilities that have yet to be reported, or has been reported, but not yet mitigated. It is worth focusing on developing a process to triage security vulnerabilities that have been reported with appropriate severity levels, based on user impact. When vulnerabilities are triaged with severity (impact) and priority (SLA) designations, then prioritization is achievable. With prioritization, metrics can be gathered to show mitigations over time based on severity, etc.
• Our customers turn to us when they have a business initiative — project and/or strategy — that require our unique capabilities. These include adopting cybersecurity frameworks, compliance audits, reducing the attack surface, building zero trust, endpoint cleanup, and lifecycle modernization, and, of course, reducing the cost of security. Many customers shrink their security budgets because they leverage us to restore any broken, disabled or ineffective controls—reducing the need for more tools and specialized personnel to run them. We help reduce costs by tracking hardware and software utilization, pinpointing areas of opportunity during vendor negotiations.
• In software development, we often see the same coding mistakes being made repeatedly over the course of a project's lifetime. These same mistakes can even show up across multiple projects. Sometimes, there are a number of simultaneously active instances of these mistakes, and sometimes there’s only ever one active instance at a time, but they keep reappearing. When such mistakes lead to security vulnerabilities, the consequences can be quite severe. There have been several high profile cases in which the same bugs have reappeared over and over again. Take for instance this vulnerability found by Tavis Ormandy of Google’s Project Zero. His comments demonstrate that this is not the first bug he’s found in Ghostscript. He was reviewing the fix for a bug that he had reported previously and discovered that they hadn’t fixed it properly. Following that trail to issue 1690, we see a comment referring to a previous bug. And if you continue to follow the links, you can see the bug reappearing in time. The same bug is repeatedly being discovered month after month in different parts of the codebase. Each time one instance is fixed, another variant of the issue is discovered. This demonstrates how bugs are rarely unique. They crop up in different locations as a project evolves over time, often in slightly modified forms or variants. In 2017, we announced a remote code execution vulnerability in Apache Struts: CVE-2017-9805. Within days of that announcement, Equifax disclosed that records containing personal details of 147 million consumers were breached because they had failed to patch a similar Apache Struts vulnerability that was published earlier that year (CVE-2017-5638). Equifax estimated that the total cost of the breach amounted to “well over $600 million” at the time. A year later, we identified yet another vulnerability in Struts (CVE-2018-11776), very similar to the one that affected Equifax, which had escaped all previous methods of detection. These two instances demonstrate just why the same mistake in the code should never be made twice. The need for variant analysis across a code base, a portfolio, and the entire ecosystem is blindingly obvious.

Please see the follow-up article for industry-specific use cases.

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera 
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue
• Kathy Wang, Senior Director of Security, GitLab
• Amith Nair, VP Product Marketing, HashiCorp  
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and Co-founder, PubNub
• Chuck Yoo, President, Resecurity
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenberg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters