RSA: Building an Application Security Ecosystem

At F5, we talk a lot about concepts like the changing threat landscape and the dissolving perimeter – that applications and user identities are increasingly the primary targets of malicious attacks because these are the new gateways to valuable corporate data. This is why we are focused on what we call application-centric security. We believe that security solutions need to be an integrated, intrinsic, dedicated part of application protection, access and identity management.

We recognize this is a huge shift for customers. To adapt in this new world, they need to first understand the nature of the new threats they face, then conduct a full assessment of where they are vulnerable and prioritize the highest risk areas. And finally, find the right people, obtain the right tools and establish the right processes to ensure they are protected. It’s a monumental task undertaken by security teams performing in high pressure environments, and as vendors we need to work together to help them address these challenges.

That’s because every company has unique challenges that require unique solutions. Put another way, there no such thing as a one-size-fits-all approach to security. There is no way for F5 – or any other vendor – to solve every challenge for every customer. This is why our solutions are platform agnostic, why we use open APIs and why we are so committed to building a strong ecosystem of security partners.

Our mission is to help these security teams protect their applications – wherever they are – and ensure users can access them securely from any device. All of our partners are equally committed to this mission and together help us deliver what we consider the three essential elements of application security:

• Visibility. A fundamental principle of security is that you can’t protect what you don’t know. To “know,” you first have to be able to “see.” That means you need visibility into all your application traffic.
   
• Context. Visibility is essentially meaningless without context—an understanding of all the characteristics of the applications you’re protecting and the “outside forces” that can affect your ability to protect them. Context is what enables insight.
   
• Control. Once you have context, it’s essential you have the ability to apply the right security controls. Without control, it doesn’t matter how much visibility or context you have.

We view our partnerships as true extensions of our work – as parts of a whole that delivers these critical elements to our mutual customers. Take visibility. Our recently launched Herculon SSL Orchestrator, a product purpose-built to eliminate SSL blind spots and integrate with a vast number of popular standalone network security and advanced threat management solutions to enhance enforcement capabilities, heighten detection capabilities, and improve network operations and orchestration. This is just one example of how work hand-in-hand with a broad range of partners. Partners like FireEye, to enhance visibility into encrypted traffic to better mitigate persistent threats; Webroot, to provide broader context and insight into those threats, and Oktato deliver even greater levels of control over access to applications and data.

As I look forward to RSA next week, this is what I’m most excited about. It’s a chance for us and our partners to connect with customers, talk about how they are tackling this shift and the challenges they face. Our F5 Labs team will be on the ground and our booth will feature compelling threat intelligence presentations from people across F5 and a number of our partners. It’s going to be a great week. You can find us in booth #S1515 or @F5Security on Twitter.