Most Effective Security Techniques (Part 1)

We're excited to announce Trend Reports by DZone beginning with Application Security! Everyone involved in building applications — from developers to CTOs — should think about security ramifications. This Trend Report will explore what developers feel are the most prominent threats, where corporate priorities lie, and how secure coding practices are being implemented. Keep an eye on your inbox and our homepage on July 22nd to learn more.

To understand the current and future state of the cybersecurity landscape, we spoke to, and received written responses from, 50 security professionals. We asked them, "What are the most effective security techniques?"

Here's what they told us about culture and the elements therein. We'll cover the other things they shared with us in part two. 

Culture

• This is a broad question that’s difficult to answer but if we narrow our scope to business organizations, then I would say it starts with culture and leadership. Companies with the most effective security capabilities tend to have strong executive-level support in security, a board of directors who wants to see security metrics improving over time, and a culture of security is a shared responsibility across the business, engineering, and IT functions.
• Rather than iterate a list of well-known techniques, which invariably compete for cyber budgets, attitude and mindset are key. Very few companies can afford to maintain in-house expertise or even self-managed systems, which requires they leverage industry expertise through tools and services. There is a great danger that outsourcing leads to an arms-length attitude to cyber resilience and potentially abdicating rather than delegating corporate responsibility. Remain engaged, curious, vigilant and paranoid. If your attitude to security is right, then how you spend your budget on the security techniques are far more likely to be best suited to your circumstance.
• Openness and transparency are a big deal. Everyone needs to worry about the security of data, at rest and in transit. Ports that are open serve as backdoors into containers. When you circle the wagons, worry about the inside as well as the outside. Make sure all of the doors are locked, and if attackers break in, they are unable to find anything of interest. Organizationally, the head of security needs to report to the CIO, not the CEO. It’s everybody’s problem and responsibility.
• Successful security strategies focus on promoting a culture of security. The entire leadership team needs to value security and incorporate it into the way their function operates. In fact, our CEO, Jaspreet Singh, recently wrote a piece for DarkReading talking about lessons he learned from a rather rigorous prospective customer security review. The take away from the piece is that a company that does not approach security holistically as part of its corporate culture will continue to put itself, its technology, its customers, and its partners at risk. An important piece of this is to consider that successful techniques include partnering with the business to help teams understand the risks related to their actions and ways to better align teams. Security tools or policies that block the business will be circumvented by employees with incentives to hit targets or objectives, but by working hand-in-hand with the larger business, you can help address these early and build a strong security posture. 
• What we’ve seen in our client base is that the customers that have the best security programs focus on internal alignment. A weekly status meeting with the project management office to review every single project that’s being introduced in the company is the one commonality we’ve noticed across customers that do have good security programs. The exact same principle holds true in product management, so security teams should be involved in the product lifecycle to determine the risk register for both the product and the company.

Training

• Training for staff. Staff is the weakest link in the security chain. Implement a vulnerability management program ongoing and perpetual to maintain the security of the network. Use active threat sweep looks for malware and ransomware. Enterprise-grade clients with 10,000+ computers are finding it very challenging to stay on top of everything. 
• Employee training can have an outsized impact on the effectiveness of security systems, and solutions for implementing that training are more available than many organizations realize. Another powerful technique is to ensure data backups are in place and highly secure so sensitive data isn’t truly lost when incidents occur. This is a highly effective technique for thwarting ransomware in particular. In a typical scenario, attackers will lock an endpoint and ask for a ransom to decrypt its data. If that data is safely backed up, there’s no need to pay the ransom. Because of this, data backup solutions and attackers are now playing a long game of cat and mouse, where attackers actually go after data backup systems as part of their attacks. 
• 1) Continuous Asset Management for entities, users, and vendors. 2) Implement all security controls defined in CSF, NIST 800-53, 800-171. 3) Security awareness training for all employees in the enterprise. 4) Good security monitoring tools which can capture all the data in the network and provide actionable insights.

Hygiene

• Getting your general security hygiene with complete coverage and plumbing in the right places is just a baseline. When looking at DevSecOps, you need the external data to understand what’s happening.
• Focus on the foundation with good cyber hygiene. Change default passwords have a patching program in place. The time between vulnerability and exploit is shrinking from 22 days. MFA, good password policy, access, and authorization. Layer on additional security afterward. Understand the risk profile of the company.

Processes

• The most effective security technique is more of an overarching rule: always address security from the get-go using a risk-based approach.  This means building safer processes and defined safety nets into the very fabric of the organization’s IT.  Shifting the security focus to the left of secondary measures — such as firewalls and antivirus — will enable organizations to stay ahead of threats and vulnerabilities before they inflict actual damage to the business. From a tooling perspective, security information and event management (SIEM) systems have been growing in sophistication to go beyond simple intrusion detection and act as a nerve center for monitoring.  Modern SIEMs are helping organizations correlate invaluable threat intelligence and operations monitoring data across all functions to detect, correlate, and anticipate issues before they happen.
• You need to create a data catalog of unstructured information. Understand normal properties behind the documents. Who the owner is, what are the access right, when was it created? Then, when you understand the data, put in the business context and tag for sensitivity and retention then you can make key business decisions around obsolescence and rot. What do I need to get rid of? Am I retaining the right information? Am I classifying correctly?  
• The most effective security technique always was and still is “security by design.” That’s where the security of the product is taken as the main consideration from the very beginning and failure in security remains a showstopper just like a failure in functionality would. Unfortunately, this is still rare. We can talk about the reasons at length, but the truth remains — “security by design” is the most effective thing and almost no one is doing it. 
• There is no singularly effective security technique. In fact, this type of thinking often leads organizations to conclude that they are secure or have adequately addressed cyber risk, which is far from reality. The most effective security technique is to partner with the business in managing complexity through operational discipline and process excellence. Maintaining a thorough understanding of your business processes, systems, network, and data can position you to apply security controls effectively. 
• Privileged access security is widely considered by analyst firms like Gartner as a critical priority for CISOs and security teams. It has also emerged as a business priority for customers in the face of trends like GDPR, persistent attacker innovation and escalating cyber threats, the execution of digital transformation strategies, the complexities of cloud migration and protecting hybrid environments. For these reasons, businesses increasingly recognize how privileged access security offers significant business impact and risk reduction while delivering more ROI than other solutions. To begin incorporating privileged access security into your broader security program, start by prioritizing the implementation of controls for protecting privileged credentials to drive tangible results quickly. After demonstrating the value of protecting privilege across high-risk areas to key stakeholders, take a phased approach to expand coverage to new areas, evolving these projects into long-term, business-critical cybersecurity programs. Remember that securing privileged access is not, unfortunately, a “once and done” activity. To have the strongest defense against attackers, organizations need to ensure their privileged access security program is up-to-date and continues to protect their most critical infrastructure, applications, customer data, intellectual property, and other vital assets. To proactively reduce the risk posed to privileged access by attackers, organizations need to: 1) Leverage their understanding of the most common types of attacks that exploit privileged access: how does an attacker think and behave in each case to exploit the organization’s vulnerabilities? 2) Prioritize the most important privileged accounts, credentials, and secrets, and identify the potential weaknesses and vulnerabilities in their existing privileged access security program, especially those that could jeopardize critical infrastructure or the organization’s “crown jewels” 3) Determine the most effective actions to “clean up” these weaknesses and potential vulnerabilities. Which actions are the highest priority? What can be achieved quickly vs. requiring a longer-term plan? 4) Ensure continuous, reassessment and improvement in privileged access hygiene to address a changing threat environment.

Please see part two for a lot more thoughts on the most effective security techniques.

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera 
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue
• Kathy Wang, Senior Director of Security, GitLab
• Amith Nair, VP Product Marketing, HashiCorp  
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and Co-founder, PubNub
• Chuck Yoo, President, Resecurity
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters