Fixing Security Operations with Collaboration and Automation

September 20, 2019 - Thomas Hatch

It is not too bold a statement to say the current security operations software industry is not delivering real security. Cybersecurity breaches happen so often that consumers have every right to assume nothing is safe.

What is going wrong with enterprise security operations, and what can we do to fix this problem? The integrity of the fabric of trust is at stake.

First, we must understand the components of the problem. I’ll start with the people and the tasks assigned to cybersecurity, as well as the mindsets of these people and how we must rethink cybersecurity.

A Pile of Threat Intelligence

The cybersecurity industry is focused on a specific model which is all about threat intelligence. The tools available today help determine what systems and infrastructure are vulnerable and then convert these vulnerabilities into security alerts. Once a mountain of security alerts has been discovered, AI and advanced analytics are deployed to filter through the list and determine which are most critical.

At this point anywhere from five to 40 security tools have been deployed: a collection of scanners, agents, and dashboards, each looking for its own set of issues. On top of these scanners sit prioritization systems, SIEM (security information and event management) and SOAR (security orchestration, automation, and response). SIEM and SOAR tools collect security data and events from the scanners and try to separate the priorities from the noise.

This effort represents a substantial capital investment of approximately $130 billion globally in 2019 on cybersecurity software. Unfortunately, this investment is simply creating an impossible mountain of cybersecurity data and recommendations that don’t actually secure IT infrastructure.

What’s your carrier pigeon budget?

So what is done with this massive mountain of data? We invest billions of dollars and dedicate the talents of our best and brightest technologists to collect, analyze, and prioritize cybersecurity data to…wait for it…this is going to be amazing…are you sitting down…?

…to open a helpdesk ticket.

Taking a ticket in the Beetlejuice waiting room.

That’s right: tens of billions of dollars result in the opening of a helpdesk ticket, the functional equivalent of sending a carrier pigeon to deliver your most mission-critical information. When I discuss this scenario with security executives I can see it in their eyes. They want to make a difference and do the job they were hired to do, but because of a broken process, team silos, and tools that weren’t built for the job, their job isn’t easy.

How did the security operations function get here?

To determine a solution to the problem we need to understand the people first.

Let’s look at security analysts and how they are measured and motivated. Security analysts are paid to discover security threats. They follow the path set by the industry before them and find as many vulnerabilities and issues as possible and then create tickets out of the most critical. These tickets then become somebody else’s problem. Tickets and vulnerability reports are tossed over the wall to the IT operations team to address.

The operations team is often curiously ignored by the cybersecurity industry. The assumption is that if operations teams are simply made aware of security issues, those issues will be magically fixed. This was certainly the view at Equifax a couple of years ago. They knew about the vulnerability in Apache Struts. A patch existed to fix the vulnerability. The security team even opened a ticket for IT operations to fix the vulnerability! But the operations team “did not get to it.”

Why did this operations team not apply the patch? Let’s consider an operator’s motivations.

Operations teams are tasked with keeping sites running and applications optimized; their work is structured around keeping a site reliable. A look at the IT operations management (ITOM) product industry or at ITOM-focused conferences quickly reveals that their focus is not security. They are focused on application deployment, cloud, infrastructure, containers, and uptime.

We have teams that do not have aligned motivations. Good luck trying to forcibly align those motivations. Motivations of teams and organizational culture are not easily altered. Aligning motivations requires a collaborative platform, teamwork, and common motivations and objectives.

Align and blend SecOps

SecOps should enter the scene at this point, but SecOps has been slow to materialize. Many believed automation tools associated with the DevOps movement could easily be leveraged by SecOps, but it is more complicated than this.

To truly solve a problem essentially caused by misalignment we need to look at how we can adjust team workflows to leverage shared security automation.

Security and IT operations teams need to align and blend. This shift in mindset requires more than just introducing new tools; it requires a change in motivators and team structure.

The way teams interact and respect each other, and the way teams are measured, needs to change. Success should be defined as a reduction in production infrastructure vulnerabilities, not just by the discovery of vulnerabilities. Both teams need to have KPIs and incentives around this goal, the goal of delivering real security.

SaltStack is tackling this issue with more than a shared workspace for these security and IT teams. We are working to open eyes and minds to what can be accomplished as a true team.

SaltStack SecOps is all about giving security teams the ability to define security compliance scans through a policy-driven approach. But we don’t stop there. The policy is integrated with automated action in SaltStack. This is a big shift from the current security products in the industry and allows the security and IT teams to get on the same page and speak the same language.

“How can we update the configuration to be secure?”

“What software packages can be fixed to address these vulnerabilities?”

This approach changes the dialog and delivers a foundation of collaboration and automation that creates a new reality centered on delivering results and the attainment of actual IT security.
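To make the "policy integrated with automated action" idea concrete, here is an added example (not SaltStack's code or API, and not from the original post) of a hypothetical mini policy engine. The point it demonstrates is the one the post argues for: a single rule definition serves as both the compliance scan and the remediation, so the finding never has to be re-expressed as a ticket for another team. `audit()` is the scan mode (conceptually like running a Salt state with `test=True`, which reports what would change without changing it) and `remediate()` enforces the same rules. The sshd_config contents, rule identifiers and severities are constructed sample data; the rule semantics follow sshd's real behaviour that the first occurrence of a directive wins, which is why duplicates are collapsed when a file is fixed.

```python
import re
from dataclasses import dataclass

# Hypothetical mini policy engine (not SaltStack's API). Each Rule is at once
# the compliance check and the remediation for one configuration directive.


@dataclass(frozen=True)
class Rule:
    rule_id: str   # constructed identifier, e.g. "SSH-01"
    path: str      # config file the rule governs
    pattern: str   # regex matching the directive with any value (commented or not)
    required: str  # the single compliant line
    severity: str


POLICY = [
    Rule("SSH-01", "/etc/ssh/sshd_config", r"^#?\s*PermitRootLogin\b.*$",
         "PermitRootLogin no", "high"),
    Rule("SSH-02", "/etc/ssh/sshd_config", r"^#?\s*PasswordAuthentication\b.*$",
         "PasswordAuthentication no", "medium"),
    Rule("SSH-03", "/etc/ssh/sshd_config", r"^#?\s*PermitEmptyPasswords\b.*$",
         "PermitEmptyPasswords no", "high"),
]

# Constructed sample: an in-memory stand-in for the files on a host, so the
# example runs offline and never touches the real filesystem.
HOST_FILES = {
    "/etc/ssh/sshd_config": (
        "# OpenSSH daemon configuration (constructed sample)\n"
        "Port 22\n"
        "PermitRootLogin yes\n"
        "#PasswordAuthentication yes\n"
        "X11Forwarding no\n"
    ),
}


def _check_line(text, rule):
    """Return (compliant, matched_line_or_None) for the first matching line.
    sshd uses the first occurrence of a directive, so only that one matters."""
    for line in text.splitlines():
        if re.match(rule.pattern, line):
            return line.strip() == rule.required, line
    return False, None  # directive absent: default is not trusted as compliant


def audit(files, policy):
    """Scan mode: report every non-compliant rule, change nothing."""
    findings = []
    for rule in policy:
        ok, found = _check_line(files.get(rule.path, ""), rule)
        if not ok:
            findings.append({"id": rule.rule_id, "path": rule.path,
                             "severity": rule.severity,
                             "found": found, "required": rule.required})
    return findings


def _fix_text(text, rule):
    """Replace the first matching line with the compliant one, drop later
    duplicates so the effective value is unambiguous, append if absent."""
    fixed, replaced = [], False
    for line in text.splitlines():
        if re.match(rule.pattern, line):
            if not replaced:
                fixed.append(rule.required)
                replaced = True
            continue
        fixed.append(line)
    if not replaced:
        fixed.append(rule.required)
    return "\n".join(fixed) + "\n"


def remediate(files, policy):
    """Enforce mode: apply the same rules the scan used.
    Returns (new file map, list of rule ids that were changed); input is not mutated."""
    new_files = dict(files)
    changed = []
    for rule in policy:
        text = new_files.get(rule.path, "")
        ok, _ = _check_line(text, rule)
        if not ok:
            new_files[rule.path] = _fix_text(text, rule)
            changed.append(rule.rule_id)
    return new_files, changed


def vulnerability_reduction(before, after):
    """The KPI the post argues for: fraction of open findings actually closed,
    rather than the number of findings discovered."""
    if not before:
        return 1.0
    closed = {f["id"] for f in before} - {f["id"] for f in after}
    return len(closed) / len(before)


if __name__ == "__main__":
    before = audit(HOST_FILES, POLICY)
    for f in before:
        print(f"[{f['severity']}] {f['id']} {f['path']}: found {f['found']!r}, required {f['required']!r}")
    fixed_files, changed = remediate(HOST_FILES, POLICY)
    after = audit(fixed_files, POLICY)
    print("remediated:", changed, "open findings now:", len(after))
    print("vulnerability reduction:", vulnerability_reduction(before, after))
```

Because the scan and the fix are derived from the same `Rule`, the security team's question "how can we update the configuration to be secure?" is answered by the policy itself, and the metric both teams are measured on is computed from the before/after audit rather than from a ticket count.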

Join us at SaltConf19 in Salt Lake City, Nov. 18-19, 2019 or attend this SaltStack webinar if you’d like to see for yourself what SaltStack SecOps automation and collaboration means for security and IT operations professionals.