What Security Techniques and Tools Are Most Effective?
Security experts and IT executives told us that continuous threat management tools with real-time visibility and response are the most effective.
Continuous Threat Management
- Adaptive defense, predictive defense, prevention technology to be ready for timely incident response. We call this continuous threat management. Visibility into how the hacker got in, how they moved, and attack replay so you can build a predictive defense. Even then hackers will get through. How can we use automation and information sharing to prevent future attacks? Engagement-based solutions do not miss what the attacker is doing.
- The most effective product we use is an open source product that reverse-engineers and unpacks firmware images so you can see the vulnerabilities. Some commercial tools that audit source code give a false sense of security because nothing is being checked after compilation.
- There are techniques for sanitizing malicious inputs. Use known libraries to create a secure environment. Use tools that provide virtual patching while the developer is fixing the problem. The least effective technique is blacklisting since there are too many hacks to list and keep track of.
- Data-driven approach with centralized data collection with monitoring and triggered alerts. Unified threat management, firewalls, and real-time data analysis. We get a vast amount of data from our own enterprise in a central repository. Run advanced analytics before the incident becomes problematic. Process and analyze data in real time. According to Cybersecurity Ventures, the cost of cybercrime will be $6 trillion by 2021.
- Multi-layer, rapid detection and response for prevention. Some people think firewall or network security for prevention is equivalent to a flu shot; however, you can still get the flu. You must be equally prepared for when the attack is successful to prevent breaches from having a material impact on the business. Some breaches will spend 100 to 150 days accessing different areas of your network. We’re able to reduce this by 85%-95% by identifying and tracking the intruder and stopping them before they can have a material impact. It takes the attacker time to move laterally to imprint and find the ideal time for the exfiltration of data. Most attacks don’t exfiltrate for 30 to 60 days. We’re able to see the behavior and address it.
- We focus on expedited detection and response.
- Real-time ingestion and visualization to track the intruder as they move in and around the network.
- Leverage the same building blocks or microservices and containers to enable more scalable, automated, and secure apps. Detection moves from signature to scalable analytics. Move from rule-based and adapt to changes in the environment. More flexible adapting to a variety of workloads without concerns with threat vectors up front.
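Several of the responses above (centralized collection with triggered alerts, tracking the intruder as they move laterally before exfiltration, real-time ingestion) describe the same detection idea without showing it. The following is an added example, not code from the page or from any of the companies quoted: a small detector that learns which internal hosts each source normally logs on to and alerts when a source starts reaching several never-seen hosts in a short window. The log lines are constructed for this page, and the `<timestamp> <source> -> <destination> <user> <result>` layout, the window and the threshold are assumptions of the example, not any product's format or defaults.

```python
"""Detecting lateral movement in centrally collected logon events.

Added example (not code from the page or any vendor quoted above).  The log
lines are constructed, and the line layout
"<timestamp> <source_host> -> <destination_host> <user> <result>" is an
assumption of this example, not a real log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three quiet days, then one workstation fanning out to
# hosts it never touched before, at 02:00 in the morning.
SAMPLE_LOG = """\
2019-03-01T08:00:00 ws-17 -> fileserver-1 alice success
2019-03-01T08:05:00 ws-17 -> mail-1 alice success
2019-03-02T08:01:00 ws-17 -> fileserver-1 alice success
2019-03-02T09:30:00 ws-17 -> mail-1 alice success
2019-03-03T08:02:00 ws-17 -> fileserver-1 alice success
2019-03-04T02:13:00 ws-17 -> ws-22 alice success
2019-03-04T02:14:00 ws-17 -> ws-23 alice failure
2019-03-04T02:15:00 ws-17 -> ws-24 alice success
2019-03-04T02:16:00 ws-17 -> dc-1 alice success
2019-03-04T02:17:00 ws-17 -> backup-1 alice success
2019-03-04T02:18:00 ws-22 -> ws-23 svc-backup success
"""

# Everything before this point is treated as the learning period (assumption).
BASELINE_UNTIL = datetime(2019, 3, 4)


def parse(log_text):
    """Turn the constructed log text into (timestamp, src, dst, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, user, result))
    return events


def build_baseline(events, until):
    """Map each source host to the destinations it successfully logged on to before `until`."""
    seen = defaultdict(set)
    for ts, src, dst, _user, result in events:
        if ts < until and result == "success":
            seen[src].add(dst)
    return seen


def detect_lateral_movement(events, baseline_until=BASELINE_UNTIL,
                            window=timedelta(minutes=10), threshold=3):
    """Alert when a source reaches `threshold` never-before-seen hosts within `window`.

    Failed logons are not counted toward the threshold here; a production
    detector would normally track them as an additional signal."""
    baseline = build_baseline(events, baseline_until)
    recent = defaultdict(list)   # src -> [(timestamp, new destination)]
    alerts = {}                  # src -> alert record, updated as more hosts appear
    for ts, src, dst, user, result in sorted(events):
        if ts < baseline_until or result != "success" or dst in baseline[src]:
            continue
        bucket = recent[src]
        bucket.append((ts, dst))
        # Slide the window: forget new-host logons older than `window`.
        while ts - bucket[0][0] > window:
            bucket.pop(0)
        new_hosts = sorted({d for _, d in bucket})
        if len(new_hosts) >= threshold:
            record = alerts.setdefault(src, {
                "source": src,
                "user": user,
                "first_seen": bucket[0][0].isoformat(),
                "new_destinations": [],
            })
            record["new_destinations"] = new_hosts
    return [alerts[src] for src in sorted(alerts)]


def run_demo():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_lateral_movement(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data the detector raises one alert for `ws-17` at 02:13 and keeps extending the destination list as the fan-out continues, which is the "track the intruder as they move" behaviour the responses describe; the baseline and threshold are the two knobs that decide how noisy it is in a real environment.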
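The response above that calls blacklisting the least effective technique is worth making concrete. The following is an added example, not code from the page or from any company quoted: a blocklist validator beside an allowlist validator for the same field, plus three constructed inputs that contain none of the blocked fragments and still pass the blocklist. The blocked fragments, the username grammar and the sample inputs are all constructed for this illustration.

```python
"""Blocklist versus allowlist validation of a user-supplied username.

Added example, not code from the page or from any company quoted above.  The
blocklist, the username rule and the sample inputs are all constructed for
this illustration."""
import html
import re

# Blocklist: reject inputs containing fragments seen in past attacks.
# Every entry is a pattern somebody once used; nothing says the list is complete.
BLOCKED_FRAGMENTS = ["<script", "javascript:", "onerror=", "';", "--"]


def blocklist_check(value):
    """True if none of the known-bad fragments appear (case-insensitively)."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


# Allowlist: accept only the exact shape a username is supposed to have.
# Constructed rule: lowercase letters, digits and underscore, 3 to 32 characters,
# starting with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_check(value):
    """True only if the whole string matches the username grammar."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(username):
    """Validate on input and encode on output: two independent controls."""
    if not allowlist_check(username):
        raise ValueError("invalid username")
    return "<p>Hello, %s</p>" % html.escape(username)


# Constructed attack inputs that contain none of the blocked fragments.
BYPASSES = [
    "<img src=x onload=alert(1)>",   # a different event handler than onerror=
    '"><svg/onload=alert(1)>',       # breaks out of an attribute, no <script
    "' OR 1=1 #",                    # SQL injection ending with # instead of --
]


def compare(inputs):
    """For each input return (blocklist verdict, allowlist verdict)."""
    return {value: (blocklist_check(value), allowlist_check(value)) for value in inputs}


if __name__ == "__main__":
    for value, (blocked_ok, allowed_ok) in compare(BYPASSES).items():
        print("%-32r blocklist passes=%s allowlist passes=%s" % (value, blocked_ok, allowed_ok))
```

Every entry in `BYPASSES` is accepted by the blocklist and rejected by the allowlist; extending the blocklist to catch them only invites the next variant, whereas the allowlist never had to know about any of them.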
Best Practices
- Encryption. A password manager that controls access. People within companies cause the most problems. Provide training on how to avoid malware and phishing attacks. The Yahoo breach was due to an employee clicking on a malicious link.
- Go back to the basics with standard components. Non-glamorous system handling, account management, continuous monitoring, and patching. Automation platform allows IT to get more done with less.
- Use well-known techniques, libraries, and algorithms. Make sure you are encrypting and salting correctly. Test everything. Unit test for OpenSSL. When a vulnerability is discovered, push through patches quickly for your own code and third-party libraries. Deploy, build, and test. Be ready to react when a problem arises and respond quickly to fix it.
- Look for vulnerabilities as early as possible. This is not always doable with applications built in the past or containing third-party code that’s already in the field. For those, you need to be performing dynamic code analysis security testing. Get an understanding of the risk to the applications already in production. Discover what’s out there. Dynamically test and prioritize for code scanning and software composition analysis. We find vulnerabilities in open source code in most applications since 80% of apps may be open source code off the shelf. Don’t incorporate libraries with known vulnerabilities. You have to manage applications in the field because the threat space is changing and hackers can discover vulnerabilities in the packages your applications are already using. You have to manage known vulnerabilities into the future. Subscribe to a threat intelligence service, track all open source code used, and refresh those with known vulnerabilities.
- Proper hygiene is important and effective at the application level whether internet facing or corporate facing infrastructure. Encryption, DLP, IDS but also prepare for the when. Security posture is only as strong as the number of blind spots you have. Need to see what’s in AWS and Office 365. You'll need a comprehensive view of the entire infrastructure. Data is the ability to get access to an organization. Understand where the users reach. Is where they are going safe?
- Show customers what they can do now to provide the best ROI for their security investment. Customers need awareness of what they post outside of their network and how to monitor it. Need established security processes, policies, and authentication. If you have a proper understanding of security policies and procedures you have what you need to counter most attacks.
- Standardization and visibility have emerged as important traits of any kind of security structure. There simply isn't enough time or resources to have one person or team create security for the entire business. Instead, organizations need to adopt an API-led connectivity approach, which defines methods for connecting and exposing assets with APIs. These APIs provide well-defined entry points and exit points to organizational data and assets and ensure that standards for authorizing, authenticating, securing, and sharing data, etc. are documented and shared broadly across teams. The APIs themselves also contain reusable fragments (e.g., security schemas) that, once verified by security teams, can be shared and reused across the organization.
- API security for any device in the cloud.
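The response above on tracking every open source component and refreshing those with known vulnerabilities is what software composition analysis does. The following is an added example, not code from the page or from any company quoted: a miniature checker that parses a pinned dependency manifest and matches it against an advisory feed with introduced/fixed version ranges. The manifest, the package names, the advisory identifiers and the range semantics (affected when introduced <= version < fixed) are all constructed for this illustration and do not refer to real packages or advisories.

```python
"""Software composition analysis in miniature: match a dependency manifest
against a vulnerability feed.

Added example, not code from the page.  The manifest and advisories are
constructed (fictional package names and advisory IDs), and the range rule
"affected when introduced <= version < fixed" is an assumption of this example."""
import re

# Constructed manifest in requirements.txt style.
MANIFEST = """\
# constructed sample, not a real project
webframework==2.3.1
imagelib==1.0.4
jsonparse==0.9.0
cryptohelper==3.1.0
"""

# Constructed advisory feed: (advisory_id, package, introduced, fixed).
ADVISORIES = [
    ("ADV-0001", "imagelib", "1.0.0", "1.0.5"),
    ("ADV-0002", "jsonparse", "0.0.0", "1.0.0"),
    ("ADV-0003", "webframework", "2.0.0", "2.3.0"),   # fixed before our pin
    ("ADV-0004", "cryptohelper", "3.1.0", "3.1.1"),
]


def parse_version(text):
    """Dotted numeric version to a tuple so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package: pinned_version} from `name==x.y.z` lines; reject anything else,
    because an unpinned dependency cannot be audited reproducibly."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not match:
            raise ValueError("unsupported manifest line: %r" % line)
        pins[match.group(1).lower()] = match.group(2)
    return pins


def is_affected(version, introduced, fixed):
    """Half-open range check: the fixed version itself is not affected."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(manifest_text, advisories):
    """List every advisory whose range covers a pinned version in the manifest."""
    pins = parse_manifest(manifest_text)
    findings = []
    for adv_id, package, introduced, fixed in advisories:
        pinned = pins.get(package.lower())
        if pinned is not None and is_affected(pinned, introduced, fixed):
            findings.append({"advisory": adv_id, "package": package,
                             "pinned": pinned, "fixed_in": fixed})
    return sorted(findings, key=lambda f: f["advisory"])


if __name__ == "__main__":
    for finding in audit(MANIFEST, ADVISORIES):
        print("%(advisory)s: %(package)s %(pinned)s is affected, upgrade to %(fixed_in)s" % finding)
```

Run against the constructed data this reports three findings and correctly leaves `webframework` alone, since 2.3.1 is past the fix. The point of the response above is that `audit` has to be rerun whenever the feed changes, not only when the manifest does: the manifest can be untouched for a year and still gain new findings.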
Hybrid Solutions
- A hybrid or ensemble method of detection is necessary. It’s always better to have a talented analyst to perform the last 15% of all work; however, talented analysts are few and far between. While I’m a fan of AI and detection to provide high-quality intelligence to understand and prioritize vulnerabilities, there are no “silver bullets.” We need multiple solutions. We do not have all the answers. An ensemble of solutions and best practices allow you to see what’s happening in real-time so you can do something about it. We’re focused on detecting and reacting down to machine time activities. While this generates loads of data, it’s not particularly useful for stopping attacks. You must identify a source of truth that will provide full clarity to validate or invalidate your assertions.
- We believe in a holistic approach to security. No tool or technique will be effective unless it is used properly. Most tools require upfront configuration and we rarely see companies who have configured the tool properly, let alone kept up with the updates. Companies tend to ignore the results of their tools because they are too noisy. Static and dynamic analysis tools can be effective if configured and used correctly. We spend time helping clients configure their tools and teach them what to do to benefit from the tools they’ve invested in.
- Security based on layers. While no single security layer can provide 100% protection, it is a known fact that the earlier you implement security, the better the ROI. While application security can be addressed in multiple ways (SAST, DAST, pen tests, and others), initiating security at the beginning of the development process using static application security testing solutions can significantly reduce the cost of your pen tests and DAST iterations by reducing the number of cycles required and enabling developers to immediately address issues in their code.
Strategy
- A strategy is more important than tools and techniques. Every tool has its own limitations and you’ll need multiple tools. Design, check model, code analysis, dynamic testing, compliance testing. We automate with Jenkins and send issues to JIRA. Auditing is key.
- Security by design. Companies are worried about how much money they can raise from VCs, building the best game, collecting and selling consumer analytics. The C-level needs to be thinking about security first and understand that the lack of consumer privacy will backfire. Google acquired AdMob which geolocates consumers without their permission. There will be a backlash regarding creepware. Facebook was calling the GPS function every second. Apple asked them to stop because it was wearing down iPhone batteries.
- Provide security professionals with continuous integration tools like Jenkins to automate security tasks. Use DevOps tools to allow security professionals to get more done in less time. The pitfall is when looking to solve problems you don’t look at how it fits with your overall strategy. Look at how the tool fits into your entire practice. If the tool requires a person to run it, it cannot be automated. You need the tool to be a process enabler rather than the other way around.
What else can you think of that's a particularly effective security technique or tool?
Following are the executives that shared their perspectives on this question:
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing & Cyber Security Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO, Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Millefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Product, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2
Opinions expressed by DZone contributors are their own.