SecOps (Security + Operations) is a movement created to facilitate collaboration between IT security and operations teams and integrate the technology and processes they use to keep systems and data secure — all in an effort to reduce risk and improve business agility. In this post, I outline the security challenges facing businesses today, explore how SecOps uses culture and technology to address them and identify SecOps best practices every organization can use to improve their security posture.
If you’d prefer to listen instead of read, I define the new interplay between IT security and operations teams on this webinar as well.
The benefits of a well-developed SecOps environment
- Fewer configuration errors are made.
- Changes in application code are tied together with rules for deployment.
- Known vulnerabilities can be proactively managed.
- Policies for compliance with appropriate standards are automatically checked and enforced.
- Key security procedures are automated.
The origin of SecOps
To understand the origin of SecOps, it’s useful to look at the movement that gave it its name: DevOps. Much like DevOps, SecOps was born in response to the challenges and risks perpetuated by dysfunctional relationships between two teams. In the case of DevOps, development and IT operations teams needed to align priorities and communication and use integrated automation to push software out faster and more reliably. In the ten years since its invention, DevOps has been widely adopted and its impact is hard to overstate. Suffice to say the vast majority of software advances in the last ten years were made possible because of it.
Similar to the relationship between development and IT operations before DevOps, the majority of security and IT operations teams often operate in a state of dysfunction that leads to ineffective and inadequate IT security measures. Despite the similarities, SecOps offers unique challenges that can’t be solved with DevOps solutions. In fact, and somewhat ironically, the proliferation of DevOps-driven application deployment tech has been known to contribute to and exacerbate security issues, not reduce them.
DevSecOps has gained significant popularity and attention in the last year. Indeed, several thought leaders have declared 2020 the year of DevSecOps. As the term comes into popularity it is sometimes used interchangeably with SecOps and, while there can certainly be overlap, there are important fundamental differences.
As illustrated in the diagram below, DevSecOps was invented primarily to integrate security practices into software development instead of tacking them on as an afterthought. Some DevSecOps proponents will include provisioning secure infrastructure (day 0) into the definition. However, the crucial difference is how DevSecOps typically omits ongoing (day 2) IT system security and optimization.
DevSecOps integrates security into the application development cycle whereas SecOps maintains security and compliance for the IT systems on which those applications and their data reside.
The need for SecOps is probably best illustrated by the fact that, according to Gartner research, 99% of the security vulnerabilities exploited in 2019 will continue to be those known to the organization at the time of exploit. In another recent survey by Voke, 79% of the companies that experienced a security breach indicated it could have been avoided with a patch or configuration change.
79% of the companies that experienced a security breach indicated that it could have been avoided with a patch or configuration change.— Market Snapshot / Secure Operations Automation, Voke
An outside observer would be forgiven for looking at those statistics and wondering why companies don’t just fix the known issues. Here are a few reasons:
There aren’t enough humans (and there never will be)
It’s true that security and IT engineering professions are both experiencing massive talent shortages. Even an unlimited supply of talented humans, however, could not solve today’s security challenges. Systems are too complex and criminals are only getting faster.
Speeds and tool adoption are prioritized over security
Operations teams absolutely care about security but they live in a world ruled by innovation, growth and five-nines uptime. They are responsible for not only maintaining rapidly growing and increasingly unwieldy environments — often made up of tens of thousands of individual systems — but also using them to deliver more and more value to the business and its customers.
Beyond prioritization, security and operations teams work with completely separate tools and workflows that require information to be translated each time it’s passed back and forth between teams. This makes closed-loop verification and reporting nearly impossible.
Innovation has outpaced security
While business innovations push forward at breakneck speed, security lags painfully behind. This isn’t to say there haven’t been any security innovations, but most of them have been in reaction to the vulnerabilities and gaps created by the changing IT landscape, rather than proactive efforts to help shape it in a secure way.
The average time to exploit a known vulnerability has decreased four-fold in recent years: from 45 days down to 3.
The average time to exploit a known vulnerability has decreased four-fold in recent years: from 45 days down to 3.— Gartner, IBM, Sonatype
SecOps Is The Path Forward
The mantra of SecOps is deceptively simple: get security and operations teams to work better together and actually fix the things they already know are broken. This article has already identified just a few of the challenges that make this easier said than done, but getting there is not impossible — it just requires security and operations teams to change the way they interact and implement new technologies and processes that give IT security a fighting chance.
Technology Enables Cultural Shift
Early proponents of DevOps were quick to emphasize it was a movement about people, not technology. While people are important, the truth is that culture changes don’t happen (in DevOps or otherwise) without technology to enable them. For DevOps, this was automation, infrastructure-as-code (IaaC) and the availability of cloud resources that gave both teams access to the speed and precision they needed to “do DevOps.”
In the same way, once security and operations teams have decided they want to “do SecOps,” they must find or build tools that enable them to do so.
SecOps Tool Requirements
SecOps teams should seek technology solutions that allow them to define “security policies as code” that can be automatically and globally applied to each new IT resource provisioned.
These policies should be rigid enough to protect the business against threats and ensure proper compliance but dynamic enough to allow business innovation to continue.
SecOps teams must also standardize security incident tracking in a format that is actionable. In an ideal world, this means that scanning, prioritization and remediation occur on a single platform. At a minimum, data from security and operations tools must funnel into a system of record. This will allow teams to shorten the time to resolution and ensure that, first, an identified threat is legitimate and, second, it has actually been resolved to the security team’s standard.
Automate, Automate, Automate
While security automation solutions such as SOAR (security orchestration, automation and response) have improved the security team’s ability to streamline workflows and identify threats faster, they stop short of crossing the chasm to actually enact change on IT systems.
SecOps teams must use existing tools and new solutions to coordinate automated action all the way through to remediation and closed-loop reporting. This requires both teams to coordinate closely and enact fine-tuned role-based access controls that allow security to identify issues and apply approved fixes quickly, while still giving operations the oversight and control to test and ensure proposed security fixes don’t hinder critical business operations.
At SaltStack, we work closely with some of the largest, most complex IT organizations in the world to help make SecOps a reality. While SecOps is still in its early days, companies employing it are reporting these promising gains:
- Integration: between operations management and security controls
- Automation: of key security tasks
- Better Cloud Security: SecOps is less tied to specific, hardware-based solutions. Rather, it focuses on well-defined security practices that can be automated in cloud environment(s)
- Better communication across teams: cross-team collaboration means fewer instances of key security information going astray
- Better security auditing: automated processes easily generate trustworthy records
- Return on Investment: security expenditures yield better results faster than conventional approaches
Ready to Learn more about SecOps?
- SaltStack Protect and SaltStack Comply products automate the work of SecOps and harness event-driven automation technology to deliver full-service, closed-loop vulnerability remediation and continuous compliance.
- To help digital business achieve continuous compliance, a SecOps solution should deliver intelligent and scalable automation and orchestration.
- See a demonstration of SaltStack SecOps.