Anatomy of a Security Super Bowl Dynasty, Part 2: The Offense

Imperva’s Directors of Technology in the Office of the CTO, Brian Anderson and Craig Burlingame, recently conducted an informal education session titled Creating a Security Super Bowl Dynasty. In this presentation, they used examples of how teams create consistent, sustainable success in American football to help teams of security professionals gain some insight into how they can create a consistent, sustainable application and data security posture.

Overall, the successful execution of application and data security, like championship-caliber football, doesn’t depend on excellence in any single area. Rather, an organization must achieve success in all phases – defense, offense, special teams and coaching. Last time, we discussed defense. In this post, we’ll focus on how security teams can and should work effectively on the “offensive side of the ball”.

Just as with the defense, building a good application and data security offense starts with a solid foundation for your security team. Fundamental blocking and tackling is every bit as important as any complicated, exotic scheme you may put in place.

Your ability to make sense of your data keeps hackers on the defensive

When you are on offense in application and data security, your security team is “controlling the clock” and dictating the game. The key factor in getting and staying on the offense against the hackers is being able to make sense of your data. If you can’t, this directly impacts your ability to respond and makes the clock your enemy. The longer it takes to detect something is wrong, the longer it takes to do something about it, and the more damage that can be done.

The best way to shave time off your response is through automation. Look at your logs and your attack analytics to make sure you pick up on activity you were not expecting, so you can respond quickly. Using AI to see trends in your data helps you gain the insights you need to automate responses when you detect anomalies. Make the integration of automated responses to policy-violating behavior into your application deployment and rollout processes a part of your software development lifecycle. This gives you the ability to operate at scale.
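As an added illustration of the point above (this is example code, not code from Imperva or from the presentation), the detector below reads web-server access-log lines, flags clients whose behavior is not what the application expects, and renders the resulting decisions as block rules that a rollout pipeline could push to the edge. The log lines, the route list, the thresholds and the nginx `deny` output format are all assumptions chosen for the example.

```python
"""Added example: flag unexpected activity in access-log lines and turn it
into an automated block decision. All sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical IPs from documentation ranges), in a
# Common-Log-Format-like layout. One deliberately malformed line is included.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 128
this line is not a valid access-log record
192.0.2.10 - - [10/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 2048
192.0.2.10 - - [10/Jan/2024:10:00:07 +0000] "GET /api/orders?page=2 HTTP/1.1" 200 900
198.51.100.9 - - [10/Jan/2024:10:00:08 +0000] "GET /.env HTTP/1.1" 404 64
198.51.100.9 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 404 64
198.51.100.9 - - [10/Jan/2024:10:00:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed positive model of the application's routes: anything else is "unexpected".
KNOWN_PATHS = {"/", "/login", "/logout", "/api/orders", "/static/app.js"}

# Assumed thresholds; tune them to the application's normal traffic.
FAILED_LOGIN_LIMIT = 5   # 401s on POST /login from one client within WINDOW
UNKNOWN_PATH_LIMIT = 3   # distinct unexpected paths from one client within WINDOW
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one access-log line; malformed lines return None and are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def analyse(lines):
    """Return a list of (ip, reason, action) decisions, one per offending client."""
    failed = defaultdict(list)    # ip -> timestamps of recent failed logins
    unknown = defaultdict(list)   # ip -> (timestamp, path) of recent unexpected requests
    decisions = {}                # ip -> decision (first trigger wins)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        # Rule 1: burst of failed logins (credential stuffing / brute force).
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == 401:
            failed[ip] = [t for t in failed[ip] if ts - t <= WINDOW] + [ts]
            if len(failed[ip]) >= FAILED_LOGIN_LIMIT:
                decisions.setdefault(
                    ip, (ip, f"{len(failed[ip])} failed logins within {WINDOW.seconds}s", "block"))
        # Rule 2: probing for paths the application does not serve.
        if rec["path"] not in KNOWN_PATHS:
            unknown[ip] = [(t, p) for t, p in unknown[ip] if ts - t <= WINDOW] + [(ts, rec["path"])]
            distinct = {p for _, p in unknown[ip]}
            if len(distinct) >= UNKNOWN_PATH_LIMIT:
                decisions.setdefault(
                    ip, (ip, f"probing {len(distinct)} unexpected paths within {WINDOW.seconds}s", "block"))
    return list(decisions.values())


def deny_rules(decisions):
    """Render block decisions as nginx 'deny' directives (assumed target; any
    edge or WAF API that the rollout pipeline already drives would do)."""
    return [f"deny {ip};" for ip, _reason, action in decisions if action == "block"]


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG.splitlines())
    for ip, reason, action in found:
        print(f"{action}\t{ip}\t{reason}")
    print("\n".join(deny_rules(found)))
```

The time window matters: both rules prune their history before counting, so a client that trips five failures over a whole day is not treated like one that trips them in five seconds, and the first rule to fire for a client fixes its decision so one IP yields one rule.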

Understand your environment and identify your gaps

Situational awareness is critical to going on the offensive against cyberattackers. Classify your sensitive assets to understand what you have in your environment. This is a difficult undertaking, but proficiency in understanding where the most sensitive data is, what is being done to it, and by whom is a hallmark of a “Super Bowl caliber” data security strategy. You should also be running vulnerability scans against your applications and looking at vulnerability assessments on your database servers so you have what you need in place to address vulnerabilities effectively.

It is also important to remember that in cloud and hybrid environments you still have the same requirements from a compliance perspective. In most instances, your security team is managing on-premises, public cloud, private cloud and hybrid environments all at once. These environments are in a constant state of flux, and you need to make sure your approach to securing these architectures is actually effective, because what you do to secure your on-premises environment is probably not going to work in the cloud. To stay on the offensive, you need to take a holistic approach. Your security strategy and the technology that supports it must be effective across all these environments.

Working with peers in the industry is an effective way to build situational awareness. For example, in financial services some CISOs will periodically get together to debrief on what they are seeing from attackers, discuss breaches and learn from them. The lessons learned in these encounters can be directly applied to your security strategy in real time.

Your offensive effort against hackers cannot be static. Things change every day that will have an impact on your capacity to secure your applications and data. Even after you’ve gone through an audit, the findings and directives for improvement are quickly “yesterday’s headlines”. To stay on the offensive, you must ensure that detecting and responding to new challenges are part of an ongoing process.

Offense in depth

In addition to the defense in depth security posture to which we referred in Part 1, offense in depth is critical to keeping attackers on their heels. From perimeter edge security all the way to data security, it’s important to deal with the corresponding risks at the appropriate tier of the environment and put the right resources in place to block them. If there is an attack risk targeted at the application code itself, you must have the ability to mitigate it there. Some examples of “offense in depth” strategies: if the risk is OS command injection, put a control inside the application itself that stops the injected command from ever reaching the operating system; for APIs, enforce a positive security model built from your API schema definition, so that only requests matching the defined schema are accepted.
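The two strategies named above, as an added example that is not code from Imperva or from the presentation: an assumed diagnostics endpoint takes a JSON body and runs `ping` against the requested host. The body is checked against a positive model of the request (every field listed with its validator, anything unlisted rejected), and the command is built as an argument list executed without a shell, so injected metacharacters never touch the OS. The endpoint, field names and limits are assumptions for the example; the vulnerable form is included only to show what the hardened form prevents.

```python
"""Added example: positive security model for an API body plus an in-application
block for OS command injection. Endpoint and schema are assumed, not real."""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_host(value):
    """Accept an IP address literal or a syntactically valid hostname, nothing else."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def is_count(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 5


# Positive model of the assumed POST /api/diagnostics/ping body:
# field -> (required, validator). Fields not listed here are rejected outright.
PING_SCHEMA = {
    "host": (True, is_host),
    "count": (False, is_count),
}


class SchemaViolation(ValueError):
    """Raised when a request body does not match the positive model."""


def validate(body, schema):
    """Allowlist validation: unknown fields, missing required fields and
    values that fail their validator all reject the request."""
    if not isinstance(body, dict):
        raise SchemaViolation("body must be a JSON object")
    unexpected = set(body) - set(schema)
    if unexpected:
        raise SchemaViolation(f"unexpected fields: {sorted(unexpected)}")
    for field, (required, check) in schema.items():
        if field not in body:
            if required:
                raise SchemaViolation(f"missing required field: {field}")
            continue
        if not check(body[field]):
            raise SchemaViolation(f"invalid value for field: {field}")
    return body


def build_ping_vulnerable(body):
    """Vulnerable form (do not use): user input is spliced into a shell command
    line, so a host of '127.0.0.1; rm -rf /' becomes two commands."""
    return f"ping -c {body.get('count', 1)} {body['host']}"


def build_ping_hardened(body):
    """Hardened form: validate against the positive model, then build an argv
    list. Executed with shell=False, no shell ever parses the host value."""
    body = validate(body, PING_SCHEMA)
    return ["ping", "-c", str(body.get("count", 1)), body["host"]]


def run_ping(argv):
    """Run the validated argv without a shell; output is returned, not echoed."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    hostile = {"host": "127.0.0.1; rm -rf /"}
    print("vulnerable builds:", build_ping_vulnerable(hostile))
    try:
        build_ping_hardened(hostile)
    except SchemaViolation as exc:
        print("hardened rejects:", exc)
    print("hardened builds:", build_ping_hardened({"host": "example.com", "count": 2}))
```

Note that the argv list alone is not the whole control: an attacker who cannot inject a second command can still try to inject an option (a host value beginning with `-`), which is why the schema validator, not just `shell=False`, is what keeps the value out of the operating system's hands.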

Protect your quarterback (application)

For a security Super Bowl dynasty team, the quarterback is your application. Here again, use the concept of depth. You can deploy a RASP product that protects your applications from the inside out. Web application firewalls (WAF) and DDoS protection provide the next layer of security, stopping the attack before it gets to your application. In all cases, for this strategy to be effective, you need to make sure your security team has the ability to execute the appropriate plays. That can mean funding, authority, the right tool sets and collaboration between the business units: whatever is necessary to make security a reality.

Perfect practice makes perfect offense in security

Periodically make sure your failover process actually works should you need it. Understand what the execution of the process needs to look like so you don’t run out of time. Don’t make your offensive game plan easy to stop. Ensure that you can use the information you have to “call audibles” and change in-game strategies so you can control the clock and keep the attackers on the defensive.

Make compliance easy and avoid time and resource penalties

Ensure you have the right tools in place to prepare for an audit without it becoming a major time and resources sink. Don’t get penalized for things that should be part of your day-to-day operations.

Next time, Part 3: Special teams and coaching