What Is SecOps?
SecOps is the collaboration of security and operations teams to improve the security of an organization. This collaborative approach is also intended to increase the effectiveness of an organization’s workforce, but it requires buy-in from both teams and upfront communication of the needs and goals of each team. By providing greater transparency of security requirements and their impact on businesses, SecOps allows organizations to create and deliver more secure products from the start.
Best Practices
Although it can be difficult to move to a SecOps model, the benefits are numerous and can include a higher return on investment, improved productivity, easier adoption of technologies like cloud services, and fewer compliance issues. In order to maximize the benefits a SecOps team can provide, you need to transition purposefully and adapt accordingly. Some best practices to help you achieve these goals are:
#1. Research and planning
Without research and planning, it is almost impossible to create a meaningful or lasting change in an organization. To utilize a SecOps method effectively you must understand each group’s priorities as well as their understanding of the system as a whole. Working from an informed baseline allows you to efficiently fill gaps in knowledge and leverage employees’ motivations to achieve collaboration.
SecOps may require a redefinition of job roles and priorities, and a reevaluation of how security incidents relate to core business functions. You won’t know this until you develop a clear picture of your organization, and you won’t be able to implement these changes effectively without a plan.
To help understand where you are and where you are headed, you should research the current functioning, resources, and goals of your organization. You can then use this research to craft a plan addressing weak spots or gaps in team integration, assigning responsibilities to key players, and moving forward with actionable steps.
#2. Effective training
When teams function as independent actors, they often do so with minimal or no knowledge of the workflows, tools or strategies of outside departments, which can mean a steep learning curve when they’re required to collaborate. Having a robust training strategy in place can help eliminate these gaps in knowledge and help teams communicate more easily.
When developing this strategy, it is important to include a clear outline of each team’s processes, needs and goals and to explain how these aspects affect the organization as a whole. The more represented each department feels and the deeper their understanding of impacts, the better your buy-in. Your strategy should include ongoing training or briefings as practices or technology change and new members join.
#3. Create and maintain protocols
Individuals should have clear and functional protocols to work from, whether that means knowing who to go to for feedback or which tools they should be using and in what way. Having clear and up-to-date materials, such as whitepapers or video tutorials, can simplify this process.
Runbooks can be used to ensure a uniform response to security issues or operations practices, and to automate tedious or technical steps. Make your resource access permissions reflect the priority of information security as well as ease of use, and review them regularly.
Use of Single Sign-On (SSO) can simplify access management for the security team and compliance for the operations team. By standardizing and automating patch or software update processes, you minimize the window in which known vulnerabilities remain unpatched and reduce the impact of downtime, making sure that product release deadlines are met without sacrificing security.
#4. Set challenging but achievable goals
It is important to clearly identify what your goals for a SecOps implementation are and make them quantifiable through Key Performance Indicators (KPIs). For example, by March 30 there will be an automated process in place for the release of patches for X product, including approval steps.
The use of KPIs informed by and accessible to all team members will help you stay on track and provide you with an accurate progress measure. Including both short and long term measures allows you to adjust your SecOps collaboration early on and discourage complacency later on. KPIs should be agreed upon and reviewed by all participants to ensure buy-in and maximize collaboration.
Complementary Tools
Best practices can be complemented by effective tools, but the tools security and operations teams use are often specific to one team and don’t integrate seamlessly with each other, which makes collaboration harder. Security tools, in particular, can be difficult for operations teams to understand or use correctly. The following solutions can help reduce this barrier and provide value beyond security.
SIEM
Security Information and Event Management (SIEM) is a solution that collects, aggregates, categorizes and analyzes security data through machine learning and dedicated sensors. It does this by correlating event information between devices based on rules set by security teams. SIEM solutions can issue alerts when security events are identified and are useful for compliance reporting and case management. SIEM solutions are a near-universal tool for security teams, but when used alone they are rarely time-efficient.
UEBA
User and Entity Behavior Analytics (UEBA) is a tool that can be added to SIEM solutions to improve event identification, categorization and alerts through the use of behavior baselines. These baselines are developed for both users and devices by compiling usage data, such as log-in location or resource access, and are then used as a guide for identifying and analyzing inconsistencies.
This process is done with the help of machine learning, reducing the amount of time that analysts need to spend on filtering through data and increasing their ability to focus on response and prevention. Data from UEBA solutions can be used to inform resource management and permissions protocols, evaluate productivity and assist organizations in meeting disclosure guidelines instituted by compliance legislation such as HIPAA or GDPR.
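To make the two preceding ideas concrete, here is an added example (not from the original article) showing a SIEM-style correlation rule across devices and a UEBA-style login-location baseline, both run over a small constructed event set. The event format, device names, users and locations are all made up for illustration.

```python
# Added example, not part of the original article. Events are constructed:
# (ISO timestamp, source device, user, event type, login location).
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    ("2024-03-01T09:00:00", "vpn-gw", "alice", "login_ok", "Berlin"),
    ("2024-03-01T09:05:00", "fileserver", "alice", "access", "Berlin"),
    ("2024-03-02T09:10:00", "vpn-gw", "alice", "login_ok", "Berlin"),
    ("2024-03-03T02:00:00", "vpn-gw", "bob", "login_fail", "Oslo"),
    ("2024-03-03T02:00:30", "vpn-gw", "bob", "login_fail", "Oslo"),
    ("2024-03-03T02:01:00", "vpn-gw", "bob", "login_fail", "Oslo"),
    ("2024-03-03T02:02:00", "fileserver", "bob", "login_ok", "Oslo"),
    ("2024-03-04T09:00:00", "vpn-gw", "alice", "login_ok", "Lagos"),
]

def parse(events):
    """Parse timestamps and sort chronologically (shared by both rules)."""
    parsed = [(datetime.fromisoformat(ts), dev, user, kind, loc)
              for ts, dev, user, kind, loc in events]
    return sorted(parsed, key=lambda e: e[0])

def correlate_bruteforce(events, window=timedelta(minutes=5), threshold=3):
    """SIEM-style rule set by the security team: at least `threshold` failed
    logins for a user on one device, followed within `window` by a successful
    login for the same user on a different device. Correlating across devices
    is what a single device's log could not show on its own."""
    alerts = []
    parsed = parse(events)
    for i, (ts, dev, user, kind, _loc) in enumerate(parsed):
        if kind != "login_ok":
            continue
        fails = [e for e in parsed[:i]
                 if e[2] == user and e[3] == "login_fail"
                 and e[1] != dev and ts - e[0] <= window]
        if len(fails) >= threshold:
            alerts.append((user, fails[0][1], dev, ts.isoformat()))
    return alerts

def ueba_location_anomalies(events, min_history=2):
    """UEBA-style baseline: remember each user's prior login locations and
    flag a successful login from an unseen location once the user has at
    least `min_history` earlier logins (avoids alerting on brand-new users)."""
    seen, logins, anomalies = defaultdict(set), defaultdict(int), []
    for ts, _dev, user, kind, loc in parse(events):
        if kind != "login_ok":
            continue
        if logins[user] >= min_history and loc not in seen[user]:
            anomalies.append((user, loc, ts.isoformat()))
        seen[user].add(loc)
        logins[user] += 1
    return anomalies
```

Running both over the sample data yields one correlation alert for bob (failures on vpn-gw, then success on fileserver) and one baseline anomaly for alice's login from Lagos.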
SOAR
Security Operations, Analytics and Reporting (SOAR) solutions can further augment SIEM solutions by aggregating alerts and event information from integrated services and facilitating event response from a single platform. Response procedures are predefined in playbooks and automated from within the platform, standardizing how events are handled and increasing the ability of all members of a SecOps team to respond to threats.
Automation reduces time wasted on tedious tasks, such as entering tickets into tracking systems, assigning analysts to cases, or manually tracking investigation status and allows team members to focus on their primary skillsets. Most importantly, by allowing cases to be managed and responded to from a single platform, SOAR increases transparency and reduces the chance that events fall through the cracks or are handled inappropriately.
Conclusion
SecOps can benefit both organizations and their customers, provided it is implemented and managed correctly. The collaboration of teams with sometimes opposing goals and motivations isn’t easy and requires dedication and adaptability. By using best practices and appropriate tools, you can ensure that your teams are able to work productively and efficiently to deliver secure software.