How DevSecOps is transforming the security operations center (SOC)

It can be costly, in many ways, to lose data through a cyber attack. However, if you have a healthy Security Operations Center, you can take action to detect and defend against incidents. DevSecOps is transforming the space. So, what is DevSecOps and how is DevSecOps impacting security operations centers? Let’s take a look.

The Evolution of DevOps

Today, to keep up with the speed of the on-demand world, DevOps is well and truly in the mainstream. DevOps helps organizations deliver services and products quicker and at higher quality to their users. This is done by integrating software development and software operations teams: a complex endeavour which is well worth the effort.

Some feel that security should have been included in DevOps from the very beginning, as keeping security as a separate silo defeats the purpose of DevOps as a whole. Others say that including security now isn't necessary, as it's implied that common sense security measures are taken into consideration. In any case, continuous delivery procedures need to support good security practices, as there’s no point in delivering applications quickly if personal customer data remains exposed.

To benefit from DevOps, organizations must make security a central part of the DevOps process, from the start. Consequently, part of the industry is welcoming security into the fold: enter DevSecOps.

But what about SecOps?

Let’s shed light on another key term: SecOps. In essence, SecOps and DevSecOps are interchangeable, with SecOps as a term placing more emphasis on the automatization of traditional security departments instead of the entire end-to-end process. SecOps, like DevSecOps, represents the implementation of security throughout infrastructure deployment and the software development phase. With SecOps, security becomes a central part of the process rather than a last minute addition prior to deployment.

Back to DevSecOps

DevSecOps, much like DevOps, revolves around developing a culture that fosters continual, flexible cooperation between departments: in this case, security teams and release engineers.

DevSecOps brings together two apparently conflicting aims, delivery speed and secure code, and unites these aims in one process.

Six key components of a DevSecOps approach

1. Analysis of code – deliver code in small pieces so the team can quickly identify vulnerabilities.
2. Submitting changes – permit anyone to submit changes, this can increase efficiency and speed. Afterward, see if the change is successful or not.
3. Monitor compliance – be prepared for an audit at all times, which means always being in a state of compliance.
4. Investigate threats – identify possible threats each time the team updates code so they can respond quickly.
5. Assess vulnerability – identify vulnerabilities with code analysis and ensure the team quickly attends to them.
6. Train security – train software and IT engineers and provide them with instructions for set procedures.

The benefits of DevSecOps, SecOps, whatever you want to call it!

The joining up and mixing together of development, production, and security operations teams is beneficial to all parties. Production employees enjoy fewer data breaches and more secure applications. Developers can conduct their work without worrying to death that a final security review will reveal serious problems and inhibit the release of an application. The security team is aware of DevOps best practices and can conduct quicker security reviews.

The DevOps model gives special importance to continuous feedback and testing, automation, early bug detection, a predictable schedule of code release, and collaboration between all parties. The benefits of highlighting security to the DevOps process are more secure applications, more thorough documentation, and improved regulatory compliance.

How does DevSecOps affect security operations centers?

DevSecOps can be administered via a security operations center (SOC) of some form. Here are some methods by which a SOC can modernize its processes (even though a SOC in and of itself is a form of silo).

• Develop a distributed SOC with DevOps members – members of a department familiar with DevOps can assist with incident response as they have an in-depth understanding of IT systems and can gain knowledge of vulnerabilities and threats from security staff.
• Partner threat hunters with DevOps team – threat hunters can communicate directly with dev or ops teams to address security gaps at their core, rather than isolating a threat and reporting it to management.
• Creating superior security centers – the SOC can work with specific dev and operation groups to put in place security best practices. They can convey these positive results to the entire organization to encourage DevSecOps practices.
• Make the SOC available for advice and guidance – everyone working with security should be able to easily contact the SOC and liaise with the top security experts of the organization.

Looking to the future of security operations centers

The security operation center of 2020 offers us the best chance of surviving imminent cyber battles. Our next generation SOC must be founded on practices familiar to DevOps, such as automation, behavior analytics, machine learning, and security isolation. Automation provides organizations with the capacity to achieve more with fewer resources: that much is obvious. With the global shortage of security professionals, estimated to reach a total of two million by 2020, automation is our only chance of keeping up with cyber attacks.

That being said, automation isn’t the silver bullet of security, either. There are already a number of tools on the market, such as QRadar and other security information and event management (SIEM) products, but automation still needs to be triggered from the other end of the pipeline. Amazon Macie is an example of an AI looking through anomalies and sensitive data in the here and now, but these developments are nascent.

Still, the SOC of the future will benefit from the collaboration and integration of developers and security professionals. Behavior analytics should be incorporated in all aspects of an organization so all team members know who can access what, what they can do with that access, and if they should retain access.

Breaches of the future will, for the most part, continue along the same line as those of today: too much access. Putting malicious intent aside, many breaches are the result of people accidentally leaking sensitive data to those who wish to benefit from this. Phishing will likely become outdated as SOC will use security isolation to get rid of malicious packages inside a platform that is isolated from endpoints.

Security operation centers of 2020 will likely self-evaluate and acquire resources via machine learning. Picture an automated SOC preventing breaches before they take hold by scanning customer-facing websites, identifying a serious vulnerability, and patching the web server. The future can’t come fast enough!