Imperva’s Directors of Technology in the Office of the CTO, Brian Anderson and Craig Burlingame, recently conducted an informal education session titled Creating a Security Super Bowl Dynasty. In this presentation, they used examples of how teams create consistent, sustainable success in American football to help teams of security professionals gain some insight into how they can create a consistent, sustainable application and data security posture.
Overall, the successful execution of application and data security, like a championship football team, doesn’t depend on excellence in any single area. Rather, an organization must achieve success in all phases – offense, defense, special teams and coaching. In this post, we’ll focus on the role of defense.
Stopping next-generation offenses
As the DevOps lifecycle continues to be influenced to an ever greater degree by cloud-native technology, security cannot be an afterthought when deploying applications in the cloud. If everyone involved, from application owners to everybody in the technology stack supporting the infrastructure to the security group, doesn’t work together, you’re never going to be able to execute championship-level security as a team.
For traditional organizations using only on-premise database assets in their own data warehouses and data centers, the transition to cloud-based solutions has rendered their tactical defensive game plan obsolete. However, to be successful, the strategies behind those plans need to follow these organizations into the cloud. In addition, the tactics they develop for managing cloud-based data will need to be “audible ready”, meaning they’ll need to be agile enough to defend against as-yet unknown vulnerabilities and attacks.
Defense win championships
In application and data security, success is not always about stopping the big plays. You have to do the “blocking and tackling” and follow all the base defensive principles. For example, “stopping the run” is insights and anomaly detection in the security world. If the hackers get onto something, you have to make sure they’re not going to get very far before they’re stopped. Being able to detect an anomaly in an increasingly complex environment, gaining insights, and being able to use your data appropriately is critical. Many security teams suffer from alert fatigue – they have so much data coming in, because it’s cheap to store now – and it’s a significant challenge to make relevant use of that data.
Defense in depth
In football, your last line of defense is your safeties. In security, our safeties are database activity monitoring (DAM). You’re relying on your DAM to notify you to prevent the big play – the breach – from happening, even when there’s a great deal of data to manage.
When defending against the pass, the application security equivalent is your web application firewall (WAF). Outsider threats are the “long passes” of the security world and you need an effective WAF in place as hackers attempt to go after your data and your applications.
These strategies are part of a defense-in-depth strategy that protects against the hackers’ short and long attempts to compromise your application and data. Defense-in-depth includes protecting at the edge – whatever your perimeter is, over the network, possibly within the application itself and all the way in to your sensitive data, which is really the object from the attacker’s perspective.
Frustrating the offense (hackers)
An important part of your defensive game is to frustrate the offense, in this case the hackers. The hackers will use a lot of automation such as botnets and scanning tools to find holes in your defense. If you can obfuscate your responses or redirect hackers to honeypots that look real but aren’t, or change the behavior so they run the same attack over and over and get different responses back, that can really help to frustrate or discourage the people trying to target your infrastructure and your assets.
After you’ve stopped the drive
In football, when a defensive stand is made, you often see the defensive unit huddled around, media-reviewing what worked and what didn’t. On the WAF side, attack analytics is the security equivalent to that review. Using these analytics, you can not only see what you did right, you can also see what needs to be done differently next time – things that maybe weren’t apparent in real time. Understand the trends and identify what you need to be doing differently. If you give up some yards, it doesn’t mean the game is over. Just keep monitoring and optimizing for the changing environments. Also, bear in mind that the number and variety of endpoints is changing, you can’t protect every one of them. Keeping the defenses close to the assets and protecting them from the inside is a much more effective strategy.
Stopping the big play
Detect, mitigate, and isolate threats early. Know where your sensitive assets are. In many cases, there is a constant state of influx in organizations, through mergers and acquisitions, migrations to cloud, and other circumstances. You need to be constantly discovering and classifying what is sensitive in your environment. Once you know where those things are, you can focus and prioritize your resources. It makes it much easier to identify issues and anomalies and mitigate and isolate any issues immediately with pre-planned strategies.
User-to-data tracking doesn’t just look at the data itself with direct access, you need to be able to track users coming in through applications and APIs. Without that level of telemetry, big hacks caused by things like misconfigurations and inconsistencies in security posture don’t get noticed until far too late.
You also need multi-tiered protection. You don’t want to get obliterated by a DDoS attack which, while you spend all of your time looking at it, hackers slip in with a very targeted attack on a specific resource that might be vulnerable. Watch for the big play, but don’t do it at the expense of a small play that could turn into a big gain for the hackers.
Next time, Part 2: The Offense
Try Imperva for Free
Protect your business for 30 days on Imperva.