Gad Elkin, security director, EMEA, F5 Networks

A strong performance lives long in the memory. It is the ticket that ensures audiences return wanting more. In business, every company survives on delivering complete customer satisfaction. Yet one bad experience can undermine confidence, and trade can quickly head for the nearest exit. Threat actors committed some of the largest data breaches on record in the last year, and analysts report that more than one billion customer records were exposed globally. The trend is upward and shows no sign of slowing. With cyber-crime challenging traditional operational practices, now is the time for application security to take centre stage to protect vital data and safeguard business performance. 

Time to act 

Credentials are the big prize for threat actors. Once stolen, they are monetised, either used directly to take over accounts or sold on underground markets. Hacktivist groups such as Anonymous use the same tools as financially motivated cyber-criminals to find website vulnerabilities, gain unauthorised access or carry out distributed denial-of-service (DDoS) attacks. The problem for many firms is that the digital economy moves at a pace at which managing security and risk presents numerous challenges. 

Analyst firm Gartner recently stated that by 2020, 60 percent of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk. Gartner also predicts that corporate data traffic will increasingly flow directly from mobile devices to the cloud, bypassing enterprise security controls entirely. Significant shifts in culture, behaviour and technology are required throughout the organisation. 

The stage is set for security executives to operate more like intelligence officers and trusted advisors. A comprehensive overview of the threat landscape delivers valuable insights. Understanding who the players are and how they operate is crucial to ensuring that the right skills and systems work together when a major breach hits. The key is to keep your audience happy. With a robust ecosystem of application security and cloud solutions in place, firms are far better placed to keep their customers' data safe and properly managed. 

Interestingly, 90 percent of today's security budgets are still spent on protecting everything except user identities and vital applications. Now is the time to take a different approach and shift cyber-security investment towards detection and response. Rather than trying to protect every corner of IT equally, it is more effective to focus on what matters and to tackle malicious behaviour and incidents as they occur. Working from that knowledge, organisations can concentrate on the threats to which their operation is most vulnerable. 

Top tips to keeping the show performing to schedule: 

  • Gain full visibility into critical data. Keep business-critical applications up and running by protecting against both network-level and application-level DDoS attacks, minimising the business impact of volumetric and encrypted attacks alike. Cheap-to-rent botnets with plug-and-play attack tools, and now IoT botnets, make it easy for attackers to launch attacks measured in terabits per second. Visibility brings value. 
  • Comprehensive protection. Use an ecosystem of security solutions that cover mitigation from layer 4 upwards, including business-logic flaws that bots can exploit (anti-fraud) and the full range of DDoS vectors. Respond to new DDoS techniques quickly with custom mitigation rules that can match on any part of the request content, and do not rely on signatures alone: positive security models and anomaly detection give some chance of blocking exploitation of flaws that are not yet publicly known (zero-days). 
  • Implement and monitor strong access management controls. Rein in the sprawl of user identities by enabling single sign-on, which reduces the number of passwords stored insecurely across multiple critical systems. Validating and authenticating users is vital to ensure that bad actors and unknown parties cannot reach applications. 
  • Implement multifactor authentication (MFA) for access to the network and to applications, because identities will be compromised. Sooner or later one or more users will be phished, and without a second factor a single stolen password is enough to breach the network, applications and data. Bear in mind that one-time codes can themselves be relayed by a real-time phishing proxy; hardware-backed factors resist this better. 
  • Implement fraud protection. Encrypt sensitive form fields in the browser as the user types, so that real-time field encryption hides the actual input from browser-based keyloggers and form-grabbing malware. This protects the field values, not the session: it does not replace TLS, and malware that fully controls the browser can still tamper with the page that performs the encryption. 
  • Do not use weak or default username and password combinations (admin:password). Limit brute-force attacks by locking an account, or at least throttling further attempts, after six failed logins, remembering that a hard, permanent lockout also lets an attacker lock legitimate users out on purpose, so the lock should be time-limited. "Hashed" on its own says little: unsalted, fast hashes such as MD5 or SHA-1 provide virtually no protection once a database is stolen, so store passwords with a salted, deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2. 
  • Automate web application vulnerability management. There is always a gap between the discovery of a vulnerability and the deployment of a code fix; a web application firewall (WAF) can virtually patch the flaw in the meantime by blocking the requests that exploit it, and scanner findings can be turned into WAF rules automatically. A WAF still requires routine attention from an experienced engineer, which is why many organisations opt for managed WAF services rather than hiring in-house expertise to cover 24x7x365 operations. 
  • Implement a culture of security. Attitudes to risk and a firm's culture of care around security are often as important as having robust technology in place. A data breach is not always the work of an external threat actor: under most breach-notification regimes, any unencrypted personal information acquired by an unauthorised person, whether through an attack, a lost device or a misdirected email, counts as a breach. 
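The access-control tips above (single sign-on, MFA, lockout after failed logins, and how passwords are stored) can be made concrete. The following is an added example written for this page; it is not F5 code or code from the original article. It shows a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from the Python standard library) with constant-time verification, a dictionary attack that demonstrates why an unsalted fast hash gives no real protection, an RFC 6238 TOTP second factor, and a login guard that applies the six-attempt lockout but makes the lock time-limited. The fifteen-minute lockout window, the account name, the password and the wordlist are constructed assumptions; the TOTP seed is the RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import struct
import time

# PBKDF2-HMAC-SHA256 work factor. hashlib.scrypt, bcrypt and Argon2 are
# equally good choices; the point is a salted, deliberately slow hash.
PBKDF2_ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 6      # lockout threshold from the article
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window; not from the article


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2 hash, stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def crack_unsalted_md5(digest_hex: str, wordlist):
    """Why 'hashed' alone is not protection: an unsalted fast hash falls to a
    dictionary attack at one cheap hash per guess, and the same digest
    identifies every user who chose that password."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == digest_hex:
            return guess
    return None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    for delta in range(-window, window + 1):
        expected = totp(secret, at_time + delta * 30)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return True
    return False


class LoginGuard:
    """Password + TOTP check with a time-limited lockout after repeated failures.
    A permanent lock would let an attacker deny service to any user by failing
    logins on purpose, so the lock expires after `lockout_seconds`."""

    def __init__(self, max_failures=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> unix time at which the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user, 0)
        if now < until:
            return True
        if until:                  # lock has expired: start counting afresh
            self._locked_until.pop(user, None)
            self._failures.pop(user, None)
        return False

    def login(self, user, password, stored_hash, otp=None, otp_secret=None, now=None):
        """Return 'ok', 'denied' or 'locked'. A wrong OTP counts as a failure too."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        ok = verify_password(password, stored_hash)
        if ok and otp_secret is not None:
            ok = otp is not None and verify_totp(otp_secret, otp, now)
        if ok:
            self._failures.pop(user, None)
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if failures >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "denied"
```

Typical use: store `hash_password(pw)` at enrolment, then call `LoginGuard().login(user, pw, stored, otp=code, otp_secret=seed)` on each attempt. Six wrong passwords return `"denied"` five times and then `"locked"`; the correct password is refused while the lock holds and accepted once it has expired. The `crack_unsalted_md5` helper exists only to show the contrast: with no salt and a fast hash, a short wordlist recovers the plaintext in microseconds.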

Finale 

Cyber-security is a continuous process of identifying, assessing and remediating threats and weaknesses, as well as analysing, modelling and simulating their potential impact. Securing applications is central to safeguarding data and protecting business performance. The true measure of an organisation is how it responds to threat actors and cyber-crime. With an effective ecosystem of security solutions and services, we can all bring the curtain down on cyber-crime more quickly, enjoy a much better performance from our daily operations and keep our audience safely protected. Now that's worth a round of applause.

Contributed by Gad Elkin, security director, EMEA, F5 Networks

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.