SecOps: Taking DevOps One Step Further

The DevOps cycle provides organizations with the opportunity to incorporate security into the heart of their software development process. Rather than complying with a ‘final check’ prior to a product release, organizations apply security best practices and compliance requirements throughout the application lifecycle. This process is typically called “SecOps” or “Security Operations”.

---

What is SecOps?

SecOps involves the cooperation of security and IT operations teams. Security and operations staff collaborate and take joint responsibility for security issues. SecOps involves information security operations center (SOC) practices, processes, and tools. These approaches are used to attain goals, and to secure the software and application environment.

SecOps is a practice that strives to automate important security tasks. It ensures that organizations do not compromise on security when achieving uptime and performance goals. It involves the introduction of security measures early on or at each stage of the software development life cycle (SDLC).

---

How Did Operations and Security Teams Work Together Before SecOps?

SOC processes were once isolated from other areas of the organization. Developers would create systems, IT operations would operate them, and security teams were in charge of securing them. In this mode of work, security analysts and operations work in a separate organizational unit, with minimal communication between them.

In a traditional development cycle—requirements, design, development, testing, deployment, and maintenance—security is typically performed between testing and deployment, or even further on down the track. IT operations teams and security teams have different priorities, which can cause their efforts to conflict. This can reduce security, cause inefficiencies, and make the organization vulnerable to risk.

---

How Does SecOps Combine Operations and Security Teams into One Organization?

SecOps requires joining together security and operations teams. When IT operations and security teams collaborate in a SecOps strategy, they are both accountable for maintaining the efficiency and security of the technology environment. This combined effort allows for greater insight into an organization’s security vulnerabilities and provides essential shared information that can assist with the speedy resolution of security issues.

In SecOps a process is needed to unite all parties (the ops and the security personnel) and their tools. For instance, when a developer deems code is ready, an organization should know:

• What tool is being used to scan for vulnerabilities
• Who is responsible for reviewing alerts from the vulnerability scan
• How the developer will receive the feedback they need to fix it

---

Benefits of SecOps: What Happens When IT and Security Teams Work Together?

• Information and communication are integrated – offers better visibility and awareness of vulnerabilities in an organization, which can help decision making.
• Priorities unite – security takes center stage. It may be built into IT and software development environments from the onset, enhancing security and defenses.
• Tools and technology amalgamate – forming one security portfolio that provides enhanced IT hygiene and optimal endpoint protection. IT and security teams can work together to effectively use real-time remediation and query tools to understand the state of endpoints. Thus, they conduct a proactive vulnerability assessment.
• IT operations can be streamlined – improved operational efficiency, fewer compliance failures, minimal downtime, and more successful patch deployment.
• Security is proactive – continuous security policies that apply to the entire organization help to resolve issues more precisely and quickly.

---

SecOps Functional Areas

SecOps is a support function to the day-to-day operations of an organization. Let’s take a look at functional areas that describe how SecOps provides this support:

• The steering committee – a group created to assist with the development of the organization’s strategic vision, aimed to help the SOC protect the organization’s information assets. Through the steering committee, the SOC relays to the organization what it has achieved to defend the business and what it plans to do in the future.
• The command center – the instructive and interactive division of the SOC. Via this center, the organization can ask for help from SecOps. The center provides a means to announce information to the organization to create awareness of the organization’s situation during training and incidents.
• Network security monitoring (NSM) – the process of analyzing network data for abnormal activity. It involves alert-based identification and long-tail analysis (threat hunting for the least common events or weak signals that may suggest unusual threat events). NSM is not an intrusion-detection system (IDS) however, it uses IDS-like processes. NSM requires gathering all the data types (session, event, full content and statistical) needed to detect and analyze intrusions.
• Threat intelligence – the examination of malicious behavior. Knowing the techniques used by attackers enables targeted steps to isolate, disrupt and mislead the attacker. It provides information about new and evolving security threats, exploits, threat attackers, malware, compromise indicators, and vulnerabilities. The more insight an organization has into potential threats and the more information it has about an attacker’s operations, infrastructure, capabilities, and motives, and the better it can protect itself.
• Incident response – the ability of an organization to deal with and react to security incidents. The NSM team typically detects the event, while the incident response team identifies a real incident, contains damages and eradicates the attack. An incident response plan assists IT staff with their isolation, response, and recovery from attacks. The aim of an incident response plan is to stop damages like data loss or theft, service outage, and unauthorized access.
• Digital forensics – the capability to assess information assets for incident investigation and response. It is the science of preserving, identifying, recovering, presenting and analyzing information about digital evidence stored on computers or digital media devices. Organizations use digital forensics to isolate evidence that supports or disproves a given assumption.
• Self-assessment – the continual assessment of an organization’s security posture. An organization should detect, manage, and assess vulnerabilities, conduct regular penetration testing and create a red team. Red teams are used by an organization to test the success of a program. They mimic the techniques and behaviors of attackers. There is an opposing group, the blue team, that defends against the simulated attack. Self-assessment involves typical tasks, however, incorporating these tasks in the SecOps organization promotes threat detection and can inform the operational team of the organization’s security environment.

---

3 Best Practices for Implementing SecOps in Your Organization

The following best practices will help you implement SecOps more smoothly:

1. Perform formal SecOps training – training is essential to implementing SecOps. Organizations may use ready-made training resources, accepted frameworks or third-party courses, while others may choose to create their own SecOps training and processes.
2. Avoid potential pitfalls – an advantage of SecOps is the enhanced teamwork between all software teams. In the past, security and developer teams could have different opinions on how to produce code. Cross-team cooperation and communication help alleviate this issue.
3. Offer effective SecOps tools – there are five main SecOps tool categories:
   • Configuration management, security monitoring, and incident management. Developers should use configuration management tools to develop test systems, repeatable processes, and update key systems when a vulnerability is detected. A few examples are Puppet, Chef, Ansible, SaltStack, and Chef InSpec.
   • Automated incident response tools make it easy for your organization to respond to more incidents, faster and more effectively. For an example, see Exabeam’s Incident Responder.
   • Security monitoring tools provide your organization with visibility into its data and IT systems.
   • Security automation tools are used to automate manual tasks, streamline processes and achieve visibility into cloud environments. Examples include Slack, PagerDuty, OSQuery, OSSEC, and AWS CloudTrail.
   • Container technologies like Docker and security tools like Twistlock and Aqua are used to simplify software delivery, automate developer tasks, and deploy bug fixes and new features.

---

Towards a True DevSecOps Environment

DevOps is more than the sum of the development and operations team. An organization seeking to benefit from the reactivity and agility of a DevOps practice should involve IT security in the entire development life cycle.

DevSecOps also demands the automation of security gates to maintain the DevOps workflow. It relies on tools to automate security processes and integrate them into ongoing development processes. However, beyond tools, a successful DevOps security program requires a culture change.

DevSecOps takes DevOps one step further. It has long been understood that developers should not build something and “throw it over the wall” to operations. But now both developers and operations staff should understand that security is not an external concern, it is their responsibility and they are often the best suited to solve security issues, given enough knowledge, context, and assistance from security teams.

Want to learn more about Security Operations Centers?

• Security Operations Center: Ultimate SOC Quick Start Guide
• How to Build a Security Operations Center for Small Companies
• Security Operations Center Roles and Responsibilities