Over the next three years, software as a service (SaaS) is expected to grow by around 23%, according to reports by Cognizance. That growth rests on the adoption of public, private and hybrid cloud.

Without the cloud, applications can’t truly pervade an organization, nor can the operational or customer benefits be realised. But there’s no point in adopting the cloud if it isn’t secure: the proliferation of SaaS demands security, never more so than in a GDPR world.

Large cloud environment

But modern applications are difficult to secure. Whether SaaS-based, web, mobile or custom-built, they run on different platforms and frameworks, and managing all the APIs needed to automate and synchronise tools is a headache. That introduces risk: the more applications there are, the broader the attack surface and the greater the chance of blind spots.


There are added hazards too. Applications are always changing. Keeping up with updates and new security policies is never easy, and it is especially hard in a large cloud environment. Failing to adopt those changes puts the organization and its customers at further risk. But the biggest obstacle is keeping applications and APIs out of harm’s way, a near-impossible task when attack methods and sources are constantly changing.

More advanced threats

To be specific, there are four emerging challenges when it comes to protecting apps: first, managing good and bad bots and telling which is which; second, securing APIs as IoT adoption intensifies; third, the relationship between application security and DevOps, and making sure someone owns security; and finally, denial of service attacks that use newer tactics such as brute force.

Basic security hygiene dictates that security teams refer to the OWASP Top 10. It’s considered the ‘ten commandments’ in security circles, a starting point for ensuring the most common threats and vulnerabilities are managed, detected and mitigated. Web Application Firewalls also come into the fray, enforcing rules that cover the ways attackers exploit those vulnerabilities. However, although the basics are good to have in place, there are always more advanced threats to take care of. Bots are a big one.

Bot management

Astonishingly, about half of internet traffic is bot generated, and roughly half of that comes from bad bots. Telling the good from the bad isn’t easy, which explains why around 80% of organizations can’t make a clear distinction between the two.

Bad bots can do a lot of damage: taking over user accounts and payment information, scraping confidential data, holding up inventory or skewing marketing metrics. The more sophisticated bots go as far as mimicking human behavior, bypassing tools like CAPTCHA and rendering even device-fingerprinting based protection ineffective.

Securing APIs

Then there are the complications that come from machine-to-machine and internet of things (IoT) communications. The more ‘things’ are integrated, the more data there is, the more events there are to report on, and the more activity relies on APIs to make those ‘things’ useful and agile.

That’s what makes APIs a target. The threats to them include injection, protocol attacks, parameter manipulation, unvalidated redirects and bot attacks. The risk is that a business grants access to sensitive data through its APIs without inspecting or protecting them, and so never detects the attack.

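Two of the API weaknesses listed above, unvalidated redirects and parameter manipulation, are easy to show side by side. The following is an added example written for this page, not Radware’s code; the redirect host allow-list, the profile schema and the field names are assumptions made for illustration. Each weakness appears first in its vulnerable form and then in a hardened form that rejects the hostile input.

```python
"""Constructed example (not Radware code): the vulnerable pattern beside the hardened
one for two API weaknesses, unvalidated redirects and parameter manipulation (mass
assignment). The host allow-list and profile schema are assumptions for illustration."""
from urllib.parse import urlsplit, urlunsplit

# Assumed: the only hosts this service may send a user on to after login.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "accounts.example.com"}


def redirect_target_unsafe(next_url: str) -> str:
    """Vulnerable: whatever arrived in ?next= is used verbatim, so a trusted login
    page becomes a hop to https://evil.example/ in a phishing link."""
    return next_url


def redirect_target_safe(next_url: str, fallback: str = "/") -> str:
    """Hardened: accept only a same-site path or an allow-listed absolute URL.
    Rejects scheme tricks (javascript:), protocol-relative //host URLs, userinfo
    tricks (https://app.example.com@evil.example) and backslashes, which some
    browsers treat as slashes."""
    if not next_url or "\\" in next_url:
        return fallback
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        # Relative path: a single leading "/" only; "//" would be protocol-relative.
        return next_url if next_url.startswith("/") and not next_url.startswith("//") else fallback
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        # Rebuild from parsed parts so userinfo, port and fragment are dropped.
        return urlunsplit((parts.scheme, parts.hostname, parts.path or "/", parts.query, ""))
    return fallback


# Assumed schema for a profile-update endpoint: field -> (type, validity check).
PROFILE_SCHEMA = {
    "display_name": (str, lambda v: 1 <= len(v) <= 64),
    "email": (str, lambda v: "@" in v and len(v) <= 254),
    "newsletter": (bool, lambda v: True),
}


def bind_profile_unsafe(user: dict, payload: dict) -> dict:
    """Vulnerable: every client-supplied key is written to the record, so
    {"is_admin": true} or {"credit": 1e9} is a one-request privilege escalation."""
    user.update(payload)
    return user


def bind_profile_safe(user: dict, payload: dict) -> dict:
    """Hardened: unknown keys are rejected and known keys are type- and range-checked.
    Raises ValueError so the API can answer 400 rather than guess."""
    unknown = set(payload) - set(PROFILE_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected parameters: {sorted(unknown)}")
    updated = dict(user)
    for key, value in payload.items():
        expected_type, check = PROFILE_SCHEMA[key]
        # bool is a subclass of int, so use an exact type match rather than isinstance.
        if type(value) is not expected_type or not check(value):
            raise ValueError(f"invalid value for {key!r}")
        updated[key] = value
    return updated


if __name__ == "__main__":
    for candidate in ("/dashboard", "//evil.example/", "https://app.example.com@evil.example/"):
        print(f"{candidate!r:45} -> {redirect_target_safe(candidate)!r}")
    account = {"id": 7, "is_admin": False, "display_name": "alice"}
    print(bind_profile_unsafe(dict(account), {"is_admin": True}))
    try:
        bind_profile_safe(account, {"is_admin": True})
    except ValueError as err:
        print("rejected:", err)
```

The point of the hardened redirect is that the decision is made on the parsed URL and the response is rebuilt from those parts, so anything that parsed differently from how it looked (userinfo, a port, a fragment) cannot survive into the Location header. The point of the schema binding is that an API should reject fields it did not expect rather than store them, which is the cheapest defence against parameter tampering a WAF would otherwise have to guess at.
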
 


Denial of service (DoS)

You might think there’s little to add to the swathes of denial of service warnings. Yet while businesses are still being targeted and feeling the ill effects, it’s worth repeating that the various forms of application-layer DoS attack are still very effective at bringing application services down.


This includes HTTP/S floods, low and slow attacks (Slowloris and Torshammer being well-known examples) and flood tools such as LOIC, dynamic IP attacks, buffer overflows, brute force attacks and more. IoT botnets are the main culprits, and they have made application-layer attacks so easy to mount that these have become the preferred DDoS attack vector. Even the greatest application protection is worthless if the service itself can be knocked down.

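The bot management and denial of service sections above both come down to the same operational question: can you tell, from the traffic you already log, which source is a human, which is a scraper wearing a browser user agent, which is brute forcing logins and which is flooding? The block below is an added example written for this page, not Radware’s product logic. It runs simple per-source checks over a constructed access log in combined log format: a sliding-window request rate for HTTP floods, a sliding-window count of failed logins for brute force, and a behavioural asset-to-page ratio that catches scrapers even when they spoof a browser user agent. Every threshold, path and IP address is an assumption for illustration.

```python
"""Constructed example (not Radware code): flagging scraper-style bots,
credential brute force and HTTP floods from web access logs.
All thresholds are assumptions for illustration and need tuning per application."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)    # assumed sliding window
FLOOD_REQS = 150                  # requests per source within WINDOW -> HTTP flood
BRUTE_FAILS = 20                  # failed logins per source within WINDOW -> brute force
SCRAPER_MIN_REQS = 50             # enough volume to judge behaviour at all
SCRAPER_MAX_ASSET_RATIO = 0.02    # humans fetch css/js/images; scrapers rarely do
AUTOMATION_UA = re.compile(r"python-requests|curl/|go-http-client|scrapy", re.I)


def parse(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def classify(lines):
    """Return {ip: sorted verdicts}. Rate checks use a per-IP sliding window so the
    logic is streamable; the behavioural asset-ratio check runs once at the end."""
    recent = defaultdict(deque)       # ip -> request timestamps inside WINDOW
    fails = defaultdict(deque)        # ip -> failed-login timestamps inside WINDOW
    totals = defaultdict(lambda: {"reqs": 0, "assets": 0, "automation_ua": False})
    verdicts = defaultdict(set)
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        ip, ts = e["ip"], e["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:          # q always holds ts itself, so this terminates
            q.popleft()
        if len(q) >= FLOOD_REQS:
            verdicts[ip].add("http_flood")
        if e["method"] == "POST" and e["path"].startswith("/login") and e["status"] == 401:
            f = fails[ip]
            f.append(ts)
            while ts - f[0] > WINDOW:
                f.popleft()
            if len(f) >= BRUTE_FAILS:
                verdicts[ip].add("brute_force")
        t = totals[ip]
        t["reqs"] += 1
        if e["path"].startswith("/static/"):
            t["assets"] += 1
        if AUTOMATION_UA.search(e["ua"]):
            t["automation_ua"] = True
    for ip, t in totals.items():
        if t["reqs"] >= SCRAPER_MIN_REQS and t["assets"] / t["reqs"] <= SCRAPER_MAX_ASSET_RATIO:
            verdicts[ip].add("bot_like")   # catches bots that spoof a browser user agent
        if t["automation_ua"]:
            verdicts[ip].add("automation_ua")
    return {ip: sorted(v) for ip, v in verdicts.items()}


def sample_log():
    """Constructed traffic: a human, a credential stuffer, a scraper and a curl probe."""
    base = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/83.0 Safari/537.36"

    def line(ip, offset_s, method, path, status, ua):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = []
    for i in range(6):                       # human: paced browsing, loads page assets
        lines.append(line("203.0.113.10", i * 9, "GET", f"/products/{i}", 200, browser))
        lines.append(line("203.0.113.10", i * 9 + 1, "GET", "/static/app.css", 200, browser))
    for i in range(25):                      # brute force: 25 failed logins in about 8 s
        lines.append(line("198.51.100.7", i * 0.3, "POST", "/login", 401, browser))
    for i in range(200):                     # scraper: 200 pages in 10 s, browser UA, no assets
        lines.append(line("192.0.2.33", i * 0.05, "GET", f"/products/{i}", 200, browser))
    lines.append(line("198.51.100.200", 3, "GET", "/api/v1/users", 200, "curl/7.68.0"))
    return lines


if __name__ == "__main__":
    for ip, verdict in classify(sample_log()).items():
        print(ip, verdict)
```

Note what the constructed sample deliberately does: the scraper carries a legitimate Chrome user agent, so the only signal that separates it from the human is behaviour (volume with no asset requests), which is exactly the gap the text describes between simple user-agent or CAPTCHA checks and bots that mimic people. Low and slow attacks such as Slowloris do not show up in an access log at all, because the request never completes; detecting them needs connection-state data from the server or load balancer rather than request logs.
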
Continuous security

It may seem an easy thing to say, but in modern DevOps agility is valued at the expense of security. We see time and again how development and roll-out methodologies such as continuous delivery mean applications are exposed to new threats each time they are modified.

There’s no doubt it is extremely difficult to maintain a valid security policy and protect sensitive data in dynamic conditions without generating a high number of false positives. We now find that this task has gone beyond what humans alone can manage. Organizations need machine-learning based solutions that map application resources, analyse possible threats, and create and optimise security policies in real time. Reaching this point in security planning should be a wake-up call that security automation is essential, not a nice-to-have.

Running security plans


It’s critical that the security solution your company adopts protects applications on all platforms, against all attacks, through all channels and at all times. The board needs to know that this investment is critical to protecting their profits. As such, there are six things they need to know:

  • Application security solutions must encompass web and mobile apps, as well as APIs.
  • Bot management solutions need to overcome the most sophisticated bot attacks.
  • DDoS mitigation must be an essential and integrated part of application security solutions.
  • A future-proof solution must protect containerized applications and serverless functions, and integrate with automation, provisioning and orchestration tools.
  • To keep up with continuous application delivery, security protections must adapt in real time.
  • A fully managed service should be considered to remove complexity and minimise resources. No amount of human power will beat the bots.

That last point is the most critical. Skill is essential in designing and running security plans and policies that work, but the plans can’t be executed without automated tools: there are just too many decisions to make in a split second. Combining the two is the path to an effective app protection strategy, and a stronger brand to boot.


Author profile

Jeff Curley, Sales Manager, Online Digital, Radware
