SIEM Security Explainers:
5 SecOps Functions and Best Practices for SecOps Success
What Is SecOps (Security Operations)?
Security Operations (SecOps) is a synergy between security teams and IT operations. It involves integrating tools, processes, and technologies to improve the practice of information security.
In the traditional security operations center (SOC), there was often a gap between security and operations teams. Each has different priorities, procedures, and tools, leading to competing efforts, inefficiencies, and in the end, less effective security efforts.
For example, in some cases security tools like firewalls or intrusion prevention systems (IPS), operated by the SOC, would shut down business-critical applications, creating damage to the organization. A holistic approach to security recognizes that cyberattacks and downtime are two risks to the organization and neither can be ignored.
As security and IT operations teams work more closely together, they share responsibility for priorities related to maintaining the productivity and security of the IT environment. This provides greater visibility into security risks and also a shared understanding of IT goals and priorities, and how to support them with security processes. Another benefit introduced by SecOps is integrating tooling and automation across security and IT operations teams, improving agility and efficiency.
This is part of our series of articles about security information and event management (SIEM).
SecOps benefits and goals
SecOps aims beyond merely enforcing security measures while supporting smooth development cycles. An effective SecOps policy should set clear goals such as fostering security collaboration across all teams, establishing milestones to mark the progress of the SecOps implementation, and ensuring that everyone follows security best practices.
Security best practices should be part of daily operations rather than a last-minute or emergency consideration. A well-planned SecOps strategy should provide several benefits:
- More hands on deck — distributing security responsibilities across teams ensures that more people can address growing and evolving threats.
- Prioritizing security — DevOps teams often focus on speed while neglecting security. By prioritizing security from the start, SecOps helps increase both overall security and speed.
- Applications are less buggy — implementing security more thoroughly means fewer bugs reach production.
- Security keeps up with innovation — if innovation outpaces security, it can become a liability.
- Faster response — attackers are increasingly finding ways to exploit vulnerabilities faster, requiring immediate action.
5 critical SecOps functions
Many IT organizations have dedicated security operations centers (SOCs) where SecOps team members work together to perform security activities. The SOC is the central nervous system of an organization’s information security efforts, and SecOps is making it more efficient, more automated, and better integrated with other parts of the organization.
1. Security monitoring
The SecOps team is typically responsible for monitoring activity across the organization. This includes networks, endpoints, and applications deployed across private, public, and hybrid cloud environments. This monitoring includes not only security events, but also the operational health and performance of applications and infrastructure.
2. Threat intelligence
It is widely recognized that security teams and tools can be more effective when they know which threat actors they are facing, their background and motives, and their tactics, techniques, and procedures (TTPs).
SOC teams are responsible for gathering threat intelligence, acquiring it from third-party providers, and integrating it with security processes. Threat intelligence is data in a standardized form that sheds light on the cybersecurity threats an organization is facing.
Threat intelligence can be used directly by human analysts, and is also integrated with other security tools. For example, threat intelligence can add context to alerts sent by a SIEM, or provide a list of known bad IP addresses, which can immediately be blocked on the firewall.
Threat intelligence is packaged as “feeds.” Some of these feeds are free, and others are commercial offerings by security vendors or security research organizations. Threat intelligence platforms can help SecOps teams acquire all the relevant feeds, organize them, and integrate them with the relevant security tools.
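The two uses of threat intelligence described above, adding context to SIEM alerts and deriving a block list for the firewall, as an added example that is not part of the original article. The feed, the alerts and the confidence threshold are all constructed for illustration; real feeds carry their own indicator formats and scoring.

```python
import ipaddress
from typing import List, Optional

# Constructed threat-intel feed (not a real feed): indicator -> context.
# Indicators may be single IPs or CIDR ranges, as many feeds allow.
FEED = {
    "203.0.113.7": {"actor": "example-actor-A", "confidence": 90, "ttp": "credential stuffing"},
    "198.51.100.0/24": {"actor": "example-actor-B", "confidence": 60, "ttp": "scanning"},
}

# Constructed SIEM alerts, shaped the way a SIEM might emit them.
ALERTS = [
    {"id": 1, "src_ip": "203.0.113.7", "rule": "Multiple failed logins"},
    {"id": 2, "src_ip": "198.51.100.42", "rule": "Port sweep"},
    {"id": 3, "src_ip": "192.0.2.10", "rule": "New admin account created"},
]

def _parse_feed(feed):
    """Normalise feed keys into ip_network objects once, so lookups are cheap."""
    return [(ipaddress.ip_network(k, strict=False), ctx) for k, ctx in feed.items()]

def lookup(ip: str, parsed) -> Optional[dict]:
    """Return the feed context for ip, or None if it matches no indicator."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed address: skip enrichment rather than crash the pipeline
    for net, ctx in parsed:
        if addr in net:  # handles both single hosts and CIDR ranges
            return ctx
    return None

def enrich_alerts(alerts, feed=FEED) -> List[dict]:
    """Attach threat-intel context to each alert; unmatched alerts get intel=None."""
    parsed = _parse_feed(feed)
    enriched = []
    for alert in alerts:
        row = dict(alert)
        row["intel"] = lookup(alert["src_ip"], parsed)
        enriched.append(row)
    return enriched

def block_candidates(enriched, min_confidence=80) -> List[str]:
    """Source IPs worth a firewall block: matched AND high-confidence only,
    so a noisy low-confidence feed does not block legitimate traffic."""
    return sorted({a["src_ip"] for a in enriched
                   if a["intel"] and a["intel"]["confidence"] >= min_confidence})
```

Alert 2 matches the CIDR indicator and is enriched with the scanning context, but only alert 1's source is proposed for blocking because the feed's confidence for the range falls below the threshold.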
3. Triage and investigation
SecOps teams have increasingly sophisticated tools that allow them to analyze and investigate security-related events. However, in many organizations, threat detection, investigation, and response (TDIR) processes are not well defined. As a result, different analysts have different ways of analyzing and detecting threats, which wastes time and causes gaps in detection (because some methods might be better than others).
Another challenge is that traditional SIEMs do not provide insights security teams can immediately use. They support complex customization, and teams invest major efforts in customizing the SIEM to their particular business needs. This delays time to value in security initiatives, and even after the investment, many projects show limited increases in coverage against important threats.
Modern SIEMs provide end-to-end workflows and prepackaged analysis packages that make it possible to automate and standardize the TDIR process. This allows teams to derive value from the solution from day one without complex implementation, and become more effective at detecting and triaging the most critical threats.
4. Incident response
The SecOps team is responsible for implementing an incident response plan, which defines how the organization detects a cyberattack and reacts to it. Incident response teams within the SecOps organization are responsible for the following process:
- Preparing for incidents by setting out a clear incident response plan.
- Detecting incidents and analyzing them to confirm a cyberattack and understand its severity.
- Containing the threat, eradicating it, and recovering affected systems.
- Conducting post-incident activity to learn from the incident and improve security processes.
5. Forensics and root cause analysis
Forensic analysis is the SecOps team’s ability to collect and analyze information that can help determine the root cause of security incidents, performance issues, or other unexpected events. The SecOps team uses specialized software tools to identify what happened on affected systems, perform root cause analysis, and respond to the threat or malfunction before it does additional damage.
Best practices for SecOps implementation
Define the SecOps scope
The first step when establishing a SecOps strategy is to determine its scope based on company-specific requirements and use cases. Some tasks might benefit from outsourcing rather than relying on the internal security team. For instance, security testing can and should be done in development as part of the CI/CD workflows — but this is not enough to guarantee the applications being built cannot be cracked or tampered with by malicious actors.
Additionally, when new vulnerabilities and exploits are made public, there needs to be a clean, direct path of communication between SecOps and DevOps for questions, information sharing, and automatic escalations. To use a recent example, the SecOps team can help answer the question, “Do we use Log4j within our environment?” and automatically assign incidents and tickets back to the DevOps team for patching or updating, while searching for indicators of compromise and malicious activity taking advantage of vulnerable instances.
Build repeatable workflows
The SecOps team must face various dynamic challenges across the company’s infrastructure. Ops teams typically use a process-driven approach, applying comprehensive pipelines to all applications, servers, and environments. SecOps extends this approach to security, implementing security processes through automated pipelines and infrastructure-as-code (IaC) tools.
The wide variety and complexity of security threats mean that each security process can only address part of the organization’s needs. Effective SecOps processes must be broad, encompassing the entire IT infrastructure and addressing most threats. The SecOps team might need to reconfigure tools regularly for different threats, but SecOps should be a unified process overall.
Conduct red-blue team exercises
The SecOps team can improve its threat intelligence expertise by conducting red-blue team training exercises. The red team attempts to attack the system while the blue team defends it. This approach helps security practitioners improve their skills and anticipate various attack techniques. It also helps the team identify shortcomings in the organization’s security policies and controls.
While the red team uses port scanning, phishing, and pentesting techniques to infiltrate the system, the blue team performs the established SecOps responsibilities and assesses their effectiveness. Both teams generate reports detailing their activities and findings. Sometimes, a third “purple” team acts as an intermediary and reviews both reports.
Automate the right processes
Automation is the key to successfully implementing SecOps, especially across large, distributed environments. It enables real-time security processes like vulnerability scanning and activity monitoring to ensure fast responses and smooth development cycles. Automation suites can remediate some threats without human intervention based on incident response policies.
However, some processes require a human touch — especially if they involve more complex or unusual tasks. The SecOps team can use incident response playbooks to automate most tasks, especially for simple, repeatable processes. However, human security experts still need to investigate and respond to more sophisticated threats. The SecOps team must understand what it can or cannot automate — many processes will likely involve a hybrid approach.
Incorporate security throughout the delivery pipeline
The SecOps team must address security threats at every stage of the delivery pipeline. Traditional security teams typically focus on deployed applications in production rather than working alongside developers and Ops teams to ensure the code is safe before deployment. This approach often results in a higher security burden, requiring later revisions and impacting application performance.
A modern SecOps team looks for vulnerabilities early on, conducting scans as soon as a developer writes new code. It performs various security tests throughout the software delivery lifecycle and continuously monitors applications for bugs and vulnerabilities.
Define the SOC’s responsibilities
Establish an incident response plan defining the SOC team’s role in protecting the organization. SOC responsibilities should include:
- Communication — knowing how to engage with DevOps to ask questions about software composition analysis and other potential vulnerabilities, and establishing an SLA in both directions to facilitate information sharing.
- Incident investigation — filtering alerts and investigating events to identify real security incidents and false positives.
- Prioritization — triaging the detected threats and identifying which incidents pose more significant risks.
- Coordinating the incident response process — engaging with various stakeholders and utilizing tools to orchestrate and supervise incident response, particularly when assigning tickets to DevOps to patch critical vulnerabilities or remediate incidents.
SecOps with Exabeam
Exabeam Fusion helps standardize the inputs and outputs across disparate security systems and escalation or integration tools, enabling two-way, machine-to-machine communication and control. Tightly coupled with automation, orchestration helps analysts pivot across indicators of compromise and escalate through IT Service Management (ITSM) integrations to get the right information into the right hands without human delay.
The Security Operations platform integrates with over 250 vendors and 500 security tools to discover anomalies in human, entity, and service account behavior, with turnkey playbooks and escalation that automate the entire investigation procedure — finding security events from the various inputs across your ecosystem and escalating them in a consistent, repeatable fashion.