SecOps and IT Operations: When and How to Use Automation
SaltStack sponsored this post.
The enormous scale of the COVID-19 pandemic has businesses of every size and in every industry scrambling. Not surprisingly, cyberattacks have increased exponentially to take advantage of the situation. New digital business initiatives are putting a strain on infrastructure and there’s been a general lack of cyber hygiene too. The pressure has never been greater for businesses to do more with less and that pressure is acute for IT and security operations teams.
We can simply deploy applications a lot faster than we used to, which means the size and scope of our infrastructure gets bigger, more diverse and spread over multiple environments. But we’re well beyond traditional firewalls being sufficient; now there’s a growing gap between our ability to deliver security to infrastructure and our ability to deploy applications.
Understanding the Dynamics Between Security and IT People
Who are these people and what drives them? The short answer is that security and operations teams (IT operators, server administrators, SREs, security analysts, etc.) have fundamentally different priorities, motivations and objectives. Security teams are all about visibility and understanding what’s in the deployment and infrastructure. The bulk of everything they do revolves around scans. Their expertise is centered around being able to identify explicit problems.
As a result, they end up with these incredible views of the infrastructure. Security teams start by gathering a significant amount of data and information. This data helps them understand whether files have changed in ways they shouldn’t have, shows whether we’re in compliance with our hardening policies, and surfaces new software vulnerabilities. All of this information gets spun into a bonanza of security alerts, and ultimately they file a bug report and ask operations to take care of it. It’s no different from taking a problem and throwing it over a fence for someone else to fix.
There are few things in my life that I find more annoying and unhelpful than when someone walks into my office and says: “Tom, there’s a problem over there” and walks out. If I have a highly effective employee, they’ll walk into my office and say: “We have a problem, here’s what we’re going to do about it.”
Operations people are the ones on the ground and in the trenches. They’re the people who are doing the maintenance of the systems. They’re also the people who are maintaining the cloud infrastructure and deploying the applications.
In short, security people find and identify issues. Operations people ensure applications are running and that new applications are deployed. Both teams ensure that developers’ lives are easy, that their code flows smoothly into production, and that a site is reliable.
Do operations people care about security? Is security one of the most important things on their list? Absolutely, but are they going to be hurt more today by the infrastructure going down and an app not being deployed, or by a security breach?
Integrated SecOps Is the Key
This is where the concept of SecOps comes in. But while SecOps as a phrase has been tossed around a lot, we’ve had trouble in the industry getting SecOps to gain traction.
One of the main impediments to SecOps’ adoption is that we’re still following that “scan and over the wall” approach. SecOps stems from the philosophies of DevOps. When we go back to the roots of that movement, it originally had less to do with configuration-management systems and CI/CD pipelines (which is what DevOps has evolved into) and more to do with opening up inter-team communication. The question then becomes: How do we open up better communication between operations and security teams? How do we make sure that our operations teams can enable security to make changes in a safe, governed way?
We need to take a better approach that helps us change how these two teams communicate and work together. In many ways, it does need to be different from the DevOps movement.
It’s All About Automation
At SaltStack, we’ve begun to see effective SecOps workflows where security teams and operations teams are tied together.
Security is gathering information, which is fed into a new SecOps management tool that we’ve created called SaltStack SecOps. The goal is one platform that scans and remediates in a single cycle. We need to be able to take the scanning, compliance and vulnerability data and make sure the scan itself is accessible to the operations teams, because they need to have that automation presented to them. Sure, there are always going to be cases with nuances that are difficult — that’s life — but teams should have tools that can automate security fixes 80% of the time. In this way, the execution of those automation routines is delivered to the operations team and they won’t have to build them every time.
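To make the “scan and remediate in a single cycle” idea concrete, here is an added example in Python. It is not SaltStack’s code and does not show how SaltStack SecOps is implemented; the hardening policy values and the sample sshd_config-style text are constructed for illustration, and the policy is not taken from any specific CIS or STIG benchmark. The same routine scans a configuration against the policy, applies the fixes the findings imply, and rescans so that the evidence of compliance comes out of the same run that made the change.

```python
"""Scan-and-remediate in one cycle over a key/value hardening policy.

Constructed example: the policy and the sample sshd_config-style text below are
made up for illustration; the functions are generic and not SaltStack's own code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hardening policy (assumption: values modelled on common SSH hardening advice,
# not copied from a specific CIS or STIG benchmark).
POLICY: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample config: one compliant directive, one with the wrong value,
# one commented out (so the daemon default applies) and one missing entirely.
SAMPLE_CONFIG = """\
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""

# "Directive value" at the start of a line; '#' is not \w, so comments never match.
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None: directive absent (or only present as a comment)


def scan(config_text: str, policy: Dict[str, str]) -> List[Finding]:
    """Return one Finding per policy directive that is missing or misconfigured."""
    seen: Dict[str, str] = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive configures nothing
        m = DIRECTIVE_RE.match(line)
        if m:
            # sshd honours the first occurrence of a directive, so keep the first.
            seen.setdefault(m.group(1), m.group(2))
    return [Finding(key, expected, seen.get(key))
            for key, expected in policy.items()
            if seen.get(key) != expected]


def remediate(config_text: str, findings: List[Finding]) -> str:
    """Apply the fixes the findings imply: rewrite wrong values in place and
    append directives that are absent. Unrelated lines are left untouched."""
    to_fix = {f.key: f.expected for f in findings}
    out = []
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1) in to_fix:
            key = m.group(1)
            out.append(f"{key} {to_fix.pop(key)}")  # fix the effective (first) line
        else:
            out.append(line)
    for key, value in to_fix.items():  # still-missing directives are appended
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def scan_and_remediate(config_text: str,
                       policy: Dict[str, str]) -> Tuple[List[Finding], str, List[Finding]]:
    """One cycle: scan, remediate, rescan. The rescan proves the fix converged
    and hands operations the compliance evidence in the same run."""
    before = scan(config_text, policy)
    fixed = remediate(config_text, before)
    after = scan(fixed, policy)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = scan_and_remediate(SAMPLE_CONFIG, POLICY)
    for f in before:
        print(f"FINDING {f.key}: expected {f.expected!r}, found {f.actual!r}")
    print("--- remediated config ---")
    print(fixed, end="")
    print("findings after remediation:", len(after))
```

Running the module as a script prints the three findings for the constructed config, the remediated text and a post-remediation finding count of zero. Running `remediate` on an already compliant file returns it unchanged, which is the idempotence property that lets the same routine be scheduled repeatedly without churn.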
We also need to consolidate scanning tools. For people working in security, that may sound ridiculous and unattainable because there are so many different agents to do these scans.
However, when it comes to compliance scans, many of the vendors ship completely different agents: one may do a CIS compliance scan and another will do a STIG scan. They can’t even make one agent do both. Organizations need to insist that their security vendors offer more powerful agents, or viable agentless alternatives, that can run combined scans and do it very quickly. Waiting anywhere from 24 hours to a week to execute a scan is no longer acceptable. Teams need to be able to kick off a scan and get something back in minutes or seconds. The security industry needs to look like an industry that focuses on the complete picture and how teams deliver secure infrastructure, as opposed to focusing on the thing it seems to talk about the most: threat intelligence.
In that second case there’s a discussion, some refinement, a little buy-in and then we go. How helpful is it really if a neighbor knocks on your door, tells you there’s a killer virus on the loose and then leaves? Yet that’s exactly what many security tools do. We have enough talk. It’s time to look for security that acts.