When it comes to availability, organizations strive for infinite nines—99.9999…%. SecOps is the latest attempt to overcome the often dysfunctional relationships between different teams inside the same organization. Initially inspired by the more mature world of DevOps, SecOps has been learning from the cloud. Just as cloud migration has torn down the traditional network perimeter, SecOps should work to dismantle the boundaries between teams and tools that hinder their effectiveness.
In their most effective incarnations, DevOps and SecOps encompass an automated and rationalized application of cultural change and professional practice, together with the tools designed to make them effective. The goal? To deliver higher-quality outcomes in rapidly changing environments. The key difference between the two is that DevOps was effectively born in the cloud, whereas SecOps bears with it a whole slew of challenges to overcome just to be able to catch sight of the cloud.
The Ideal Role of SecOps
SecOps teams hunt, detect, prevent, and mitigate threats to an organization’s assets. But when teams and tools operate in different silos, this can severely diminish the timeliness, agility, and effectiveness of any response to risk (let alone to an attack).
IT operations teams prioritize innovation, speed of deployment, and the infinite nines of uptime. It wouldn’t be accurate to say that IT teams don’t care about security, but it would be fair to say that it’s not a priority for them. These competing priorities between ITOps and SecOps are a major issue, but there is a greater one: the entirely disconnected tool sets and workflows across the teams. This separation means that information, recommendations, and configurations must be translated, validated, and negotiated between teams before any action can be taken.
But, as ever, the greatest challenge often represents the greatest area of opportunity.
In a DevSecOps or CloudSecOps environment, the DevOps and security teams have forged a much closer partnership than security and IT operations have managed to date. This isn’t by accident. The extensible and highly automated DevOps lifecycle provides opportunities for security practitioners to define and integrate security policy as code. Integrations such as these enable teams to automate and orchestrate real-time policy enforcement in response to asset deployment or risk detection.
While CloudSecOps remains an evolving field, it is arguably already more mature than enterprise SecOps because of its cloud-native nature. Similarly, DevSecOps tends to have a native, automated capability for security to directly enact change on affected workloads (for example, by committing code updates from dev to test environments to fix software vulnerabilities).
This is the type of closed-loop process that SecOps must strive to achieve. Silos within silos, like cloud security within enterprise security, are not the path to success.
The Path Forward
Attackers couldn’t care less about your silos. It makes very little difference to them whether they are moving laterally within your organization or vertically from your network to your cloud and back again. In fact, these silos typically create gaps in coverage for these attackers to leverage.
You cannot secure what you cannot see. From the defender’s perspective, any time an adversary steps outside of your field of vision or interdiction, reconstructing, analyzing, and responding to a security event becomes somewhere between complicated and impossible. Visibility is fundamental to effective security.
Whether in a traditional enterprise, remote, cloud, or mobile network environment, you’ll need to know what is connecting to your network. But visibility is not synonymous with periodic snapshots of compliance. Organizations must audit assets, access, and privileges on an ongoing basis; risk should be continuously assessed.
Even then, visibility is not everything. Timely and accurate security decisions also rely on rich context. In an enterprise scenario, this means both the aggregation of data and the standardization of data to a single system of record. An event considered in isolation might appear benign—but it can take on an entirely different cast when considered in the context of all other related data.
Putting the R in XDR
Visibility and context, however, remain nothing without policy and action. And a security policy without an enforcement capability is little more than a wish list. The enforcement of policies, mitigations, and responses must be:
- Policy-based
- Dynamic
- Real-time
- Continuous
When the risk level of an asset falls outside of an acceptable range, automated responses and mitigations should take effect.
Traditional responses to security events often fall short of enacting real environmental or operational change. SecOps teams need the ability to take coordinated action—from immediate quarantining of compromised assets through remediation and closed-loop, sanitized reporting. Remediation means more than simply wiping and restoring affected systems; it means doing effective root-cause analysis, determining the blast radius, and then cleaning and restoring systems—and doing it all at speed, with minimal interruption.
This requires processes and tools that enable security teams to identify issues and implement fixes. At the same time, integrated processes must still give operations teams the ability to test and monitor proposed fixes—and their potential impact on the infinite nines.
Without the tools to empower these processes, any effort to move to a SecOps model is set up to fail. If the silos separating security from operations can be broken down, however, then this new model can thrive—meeting security policy and operational goals alike.