Rajiv Gupta, CEO at Skyhigh Networks, points out that IT teams have little patience for security products operating in a silo, nor should they. "Nearly a third of IT security professionals ignore alerts because they are overwhelmed by too many tools and too many false alarms," he says. Security teams don't want to log into multiple dashboards, and they opt for platform rather than patchwork solutions whenever possible, he explains.
A new trend in the industry, he says, calls for persona-based security tools, which provide workflows for different roles in the security organization to detect, enforce control and remediate incidents.
Cloud, and specifically API security, also has never been in a better position to transform business, Gupta adds. "We are starting to see organizations use security to empower IT to provide visibility, compliance and data protection without disrupting the breakneck speed of modern commerce. This new security stack is integrated and frictionless, with minimal footprint for the customer, enabling collaboration between security tools across billions of user activities."
In this case, convenience and efficacy go together, he says. "By correlating information from as many sources as possible, it cuts down on false alerts, making security tools more meaningful and accurate when they work together, and by extension are having far-reaching implications for how applications are built, how data is architected and managed, and how entire industries are using the cloud to build and re-build core business processes and operations."
Still, simplifying security tools and services is more complicated than it sounds, and it will take time to sort out how newer technologies work with the legacy systems in place, says Joram Borenstein, VP marketing/partners and alliances at NICE Actimize.
Moreover, he says, most organizations don't do a sufficient job of keeping their tools up to date. "That being said, the best way for simplification to occur is for organizations to help drive standardization in user experience expectations, workflow requirements and general business needs."
Unfortunately, Borenstein says, many organizations like to pursue things on their own and this desire often hinders the ability to encourage vendors to build things in a consistent manner, even within individual industries.
Vendors can keep their security implementations strong by adopting – and then continuing to maintain – their own secure software development lifecycle, Borenstein says, and that includes threat modelling, static analysis, testing and more.
Phil Neray, VP of industrial cybersecurity at Cyber-X Labs, points to three key ways to simplify security. The first is interoperability and integration. "One of the biggest enemies of better security is complexity," he says. To effectively address defense-in-depth, most organizations have by necessity implemented multiple security products, at different layers of the IT stack, from multiple vendors. "The trick is to have all of these products easily share data and insights in order to simplify the workflow for security analysts, such as by correlating anomalies and IOCs across endpoint, network monitoring and threat intelligence solutions."
Second on the list, Neray says, is behavioral analytics and machine learning. In the past few years, he explains, huge strides have been made in evolving our monitoring and detection capabilities beyond simply looking for signatures. "Behavioral analytics and machine learning technologies are essential for detecting anomalies faster, with fewer false positives."
And, third, Neray points to continuous versus what he terms "snapshot" security. Driven by compliance requirements (such as PCI), some organizations have focused primarily on quarterly scans and quarterly audits to ensure security, he points out. "But cyberattackers are continuously probing our defenses for weaknesses – so relying on 'snapshot' security means attackers can slip in between scans, establish beachheads in your infrastructure, then move laterally and hide their tracks so you can't even see them by the time you perform your next quarterly scan."
Modern security, Neray says, requires continuous, real-time monitoring and detection to quickly spot targeted threats and malware.
"From an identity verification and access management standpoint, we feel that the way to strengthen security is by giving users as much control over the verification process as possible," says Chris Luttrell (left), SVP product management at IDology. "The problem with fraud is that criminals are constantly adapting their attack vectors, so a system needs to be flexible and able to adapt to those shifting patterns," she says. "Creating a system that doesn't require multiple implementations is going to save everyone time and make them more efficient at fighting fraud. Some feel, from a revenue perspective, that creating solutions that are more of an inflexible black box can add up to more implementation fees down the road, but it really doesn't help your customer solve their problems."
How API are designed is key too, she says, using a simple REST interface that has a flexible xml response allows customers more options if needed, when their needs change. "And, by giving your customers a way to configure the behavior of your API in real time, without requiring you to make custom changes, gives them a way to optimize your API and quickly respond to the evolving threat landscape."
Any added security measures should be as simple as possible for customers to integrate, says David Busby, information security architect at Percona. Vendors should remember that simple integration methods mean a higher adoption rate, and a subsequent higher ROI for security investments, he says.
"Internet of Things (IoT) vendors should consider a simple firewall for their firmware," Busby says. "It can be the easiest method to protect products (regardless of zero-day exploits) from becoming the subject of a scathing news article. No one cares if the firmware is highly exploitable if no one can easily get to it."
The point is that businesses should seek to provide several options, says Busby. "Two-factor authentication, for example, could be provided by Google Authenticator, DUO Security, Authy, etc. The latter two providers are a simple API hook away. Though there are some minimal cost considerations, implementing simple logic in an application can allow for many possibilities."
IT admins should also think about the methods used for the second authentication factor, he adds. "Don't just assume a smartphone is enough. DUO, for example, can support a multitude of options – like Universal Two Factor, a standard published by the FIDO Alliance. And don't underestimate the humble hardware token! More often than not, these are considered a far easier solution, and there are many options available."