What Are the Most Important Elements of Security?
Experts and executives from across IT told us that fundamentals, a security-first mindset, protecting data, visibility, APIs, and automation are the keys.
We asked this question of 25 IT executives involved in application, environmental, and data security. Here's what we learned:
Security Fundamentals
Worry about the fundamentals. Ensure only desired parties have access to secure, encrypted data where the integrity and structure are maintained.
Ongoing monitoring ensures everyone is following best practices and a continuous integration process from early-stage design through implementation and deployment.
Think security by design. Today firewalls do not auto-patch and are exploitable at the root level. Network gear is vulnerable. You need to be performing security audits of source code.
Software bugs become critical vulnerabilities. MITRE has the top 25 code violations. Be aware of them and ensure your code doesn't have them.
Almost all hacks involve compromised credentials of some sort. Make sure applications are written with security in mind first. Enact security as a tenet in the applications being built. We still believe in a security program where all endpoints are protected and you have rapid surveillance and response. Most companies have at least a dozen security solutions on board. Layering in security – in network, intrusion detection, security event management, antivirus, more holistic security tools, and endpoint detection and response (EDR). It’s not unusual for our clients to have 10,000 security events per day. There’s an order of magnitude of events based on the industry. Government, infrastructure, and financial services may have 100,000 per day while retail and gaming may have 10,000. It’s all crime, and the cost of conducting crime has come way down while the potential returns have increased as the amount of data has increased.
Areas which are not controlled, like shared environments on Android and iOS – the flashlight app, for example, is watching along with the emoji keyboard downloaded from China. Assume you are owned or pwned. Launch an encrypted keyboard. Don’t trust, then verify. There are 50 billion polymorphic malwares.
Start to code securely. There are too many insecure coding practices. We will have a significant reduction in attack vectors if we follow secure coding best practices. Trendnet was part of a class-action lawsuit for hackable cameras. They now must submit all code for security review for the next 20 years. This may give them an advantage over other remote camera manufacturers. You’ll know their cameras are more secure than their competitors.
Employ common security controls on a consistent basis. Practice good hygiene. Implement and act in a secure manner. HTTP apps are like network apps but are written in their own way without good hygiene practices. Users are inherently flawed. Think about who you authenticate, empower, and provide access to.
Risk management. There are so many different issues and threats that companies must prioritize what’s most important to secure based on company or industry.
We see common patterns across 1000+ enterprise customers. IT leaders must increase the clock speed of their business with a limited number of resources, and with the demands of the business for technology solutions growing ever more quickly, have to figure out how to make IT scale to match. Security professionals need to prevent against bad actors gaining control of systems, but are hampered by poor visibility, shadow IT, and the reputation as the blocker to innovation. IT teams and security teams must partner to develop security and agility together, but often their goals seem misaligned. Any IT and security framework, therefore, needs to have elements of agility (enabled by self-service and reuse) as well as control (enabled by visibility and governance).
Applications, whether web or mobile, are the main business driver for many or maybe even most organizations in the world today. These applications allow users to interact with the organization’s backend servers and data. Making sure that these applications are developed without exposing vulnerabilities that can expose users to data they aren’t supposed to see is a critical aspect of securing data. Application security is based on the idea of reducing the risk of a breach even before the application has gone to market. The earlier the issues are addressed the easier it is to solve them and the more profitable it is in the long term.
Security-First Mindset
- Developers and companies need to think about security as a tier one feature. You cannot treat security as an afterthought – something to be squeezed in at the end of the SDLC for every release. Are you encrypting data at rest properly? Hashing passwords?
- Inspect code for vulnerabilities during development. The earlier in the process, the easier it is to see, and fix, vulnerabilities. Integrate static code analysis into the SDLC. Shift as far right as possible – cheaper remediation and a lower likelihood the fix will negatively impact the schedule. Companies in highly regulated industries must fix vulnerabilities or risk delaying the release.
- Take a holistic approach to security – have a full-blown process. Use an external company or an internal team. Security is not a plugin; it must be maintained and established, and finding security bugs in the development stage is much cheaper than finding them in the production stage. Do red team exercises attempting to penetrate and see how far we can get into your organization in three months using social engineering, targeted attacks, open systems, GitHub code.
- Have critical security controls in place and ensure they are being used and the results are understood. Application security needs to start working with security considering the DevOps pipeline. Examine security code before the apps get into production.
- Awareness and collaboration among people developing and securing code and applications. Anyone involved in the application must be educated about best practices of security. We need to overcome people working in silos. Strategies for security based on the criticality of the data.
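The "hashing passwords?" question above is easy to answer badly. The following is an added example written for this article, not code from any of the vendors quoted; it uses only the Python standard library, and the record format and the iteration count are this example's own choices. It shows what "hash passwords" should mean (a per-user salt, a deliberately slow key-derivation function, constant-time verification, and a way to raise the work factor later) next to the bare-digest anti-pattern it is often confused with.

```python
"""Added example: password storage with a salted, slow key-derivation function.

Illustrative code for this article; not from any company quoted here.
Standard library only. PBKDF2_ITERATIONS and the record layout
"pbkdf2_sha256$iterations$salt_hex$digest_hex" are this example's own choices.
"""
import hashlib
import hmac
import secrets

# Work factor. Tune so one verification costs tens of milliseconds on your
# hardware, and raise it over time; needs_rehash() lets you migrate old records.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record; return None if it is malformed or uses another scheme."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)  # no early exit on first mismatch


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record is malformed or weaker than current policy.
    Call this after a successful login and re-store the password if it returns True."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def naive_hash(password: str) -> str:
    """The anti-pattern: unsalted and fast. Equal passwords give equal values and
    the digest is cheap to brute-force. Kept here only as the contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))  # False
    print(naive_hash("password") == naive_hash("password"))  # True: the problem
```

The same shape applies if you swap PBKDF2 for scrypt, bcrypt or Argon2: the record carries its own parameters, verification never branches on a partial match, and the work factor is a policy you can raise without resetting every user.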
Where's My Data?
Companies must know where their information is. Regardless of how much they spend on applications and infrastructure, if they don’t know where their data is, they’re wasting money.
- Secure access to data.
- Secure data in transition and at rest with encryption.
- Identify the jewels that are most valuable to the company that's managing many different assets in many places. Monitor these assets inside and outside the network.
- Be aware of the storage, transmission, and leakage of data. Apps which have functions that take PII and query third parties are leaking PII to the third party. As a developer, be careful where you are leaking customer data. The Cloudflare bug was a function of leaking customer requests to the internet. Storage of PII encryption, planning, and testing data.
- Move toward data security. You need to be able to track, monitor, audit, and control all of your data. This drives a lot of noise. Deploy detection and prevention. Ultimately this goes back to an individual writing secure code.
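The point above about functions that take PII and query third parties deserves a concrete shape. This is an added example written for this article, not code from any vendor quoted here; the record fields, the allowlist, the "fraud score" partner and the `send` callable are constructed assumptions. The technique it demonstrates is real and general: project the outbound payload onto an explicit allowlist, replace the direct identifier with a keyed pseudonym so the partner can correlate repeat customers without learning who they are, fail closed if a direct identifier is still present, and write an audit record of what was sent and what was dropped.

```python
"""Added example: minimize and pseudonymize PII before it leaves for a third party.

Illustrative code for this article; not from any company quoted here.
ALLOWED_FIELDS, DIRECT_IDENTIFIERS, the sample record and the partner API
are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Tuple

# Fields the partner service genuinely needs for its decision (constructed allowlist).
ALLOWED_FIELDS = frozenset({"order_total", "country", "device_type"})
# Direct identifiers that must never leave as plaintext (constructed list).
DIRECT_IDENTIFIERS = frozenset({"email", "phone", "full_name", "ssn"})


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash of a normalized identifier.

    Stable per value, so the partner can recognise a returning customer, but not
    reversible or guessable without our key (a plain SHA-256 of an e-mail address
    can be reversed by hashing a list of known addresses)."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_for_third_party(record: Dict, key: bytes) -> Tuple[Dict, List[str]]:
    """Return (outbound_payload, dropped_fields).

    Allowlist projection: anything not explicitly permitted is dropped, so a new
    column added upstream (a phone number, say) does not silently start leaking."""
    outbound = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "email" in record:
        outbound["customer_token"] = pseudonymize(record["email"], key)
    dropped = sorted(k for k in record if k not in ALLOWED_FIELDS)
    return outbound, dropped


def assert_no_direct_identifiers(payload: Dict) -> None:
    """Fail closed: a last check at the boundary, independent of the allowlist."""
    leaked = DIRECT_IDENTIFIERS & set(payload)
    if leaked:
        raise ValueError(f"refusing to send direct identifiers: {sorted(leaked)}")


def query_fraud_score(record: Dict, key: bytes,
                      send: Callable[[str], Dict]) -> Tuple[Dict, Dict]:
    """Send only the minimized payload; return (partner_response, audit_event).

    `send` is the transport to the hypothetical partner API (an HTTP POST in
    practice); it is injected so the example runs offline."""
    payload, dropped = minimize_for_third_party(record, key)
    assert_no_direct_identifiers(payload)
    audit_event = {
        "event": "third_party_query",
        "partner": "fraud-score-example",
        "sent_fields": sorted(payload),
        "dropped_fields": dropped,
    }
    return send(json.dumps(payload, sort_keys=True)), audit_event


# Constructed sample: what a checkout record might look like before minimization.
SAMPLE_RECORD = {
    "email": "Alice@Example.com",
    "full_name": "Alice Example",
    "phone": "+1-555-0100",
    "order_total": 42.50,
    "country": "US",
    "device_type": "ios",
}


def fake_partner(body: str) -> Dict:
    """Stand-in for the partner API: echoes which fields it received."""
    return {"received": sorted(json.loads(body)), "score": 0.1}


if __name__ == "__main__":
    key = b"constructed-example-key-rotate-me"
    response, audit = query_fraud_score(SAMPLE_RECORD, key, fake_partner)
    print(json.dumps(response, indent=2))
    print(json.dumps(audit, indent=2))
```

The audit event is what answers "where is my data?" later: it records which fields crossed the boundary and which were withheld, without itself containing the PII it describes.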
Visibility
- Have the ability to see and control every level. Adopt a defense in depth approach. We take a tiered approach to security with authentication, authorization, auditing, and encryption.
- Look at patterns and trends. Be more distributed and scalable driven by microservices. We need to align security with threats. Build in a transparent environment in which security is integrated throughout the process.
- Provide visibility and transparency for teams managing on-premise and in the cloud. A divergent security team. Bring visibility together in a unified way, ability to pivot, hunt and go back in time.
- Have a 360-degree view of how the attacker may attack. Timely incident response when an attack takes place. A bank was attacked and lost $2 to $3 million in a couple of hours. More timely response can mitigate losses.
- Better visibility to threats lurking within the network. Automate incident detection and security with analytics monitoring and alerts. Automation is important for timely response both in the network and at endpoints.
- Have visibility into how different security flaws apply to the risk model.
APIs
- We’re going through a trend where people want to expose data and break down silos. This opens data to the rest of the world. You need to do this through APIs – a key ingredient in data transfer.
- There are gaping holes with companies failing to address security issues around the cloud and APIs accessing the cloud. Email is the number one attack vector for breaches and they have poor audit and control beyond the network. We focus on securing cloud applications through APIs. APIs are compromised because public developer APIs are not secured. Companies that use SaaS-based applications need to ensure APIs are secure.
Automation
- Adopt the principles driving change in areas distributed across the environment and be able to scale with the application. Be automated and manage the way apps are managed.
- Automation is the only way to keep up with the scale of development and atone for the lack of security professionals.
What else can you think of that's important to consider with regards to application, environmental, and data security?
Following are the executives that shared their perspectives on this question:
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing and Cyber Security Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO, Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Miliefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Product, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2
Opinions expressed by DZone contributors are their own.