After working in the security industry for 15 years, one of the consistent themes I’ve observed is how teams struggle with balancing the increasing amount of work they have to do, without an increase in resources to accomplish their goals. But there’s another, less obvious problem that I like to refer to as a different kind of SaaS: “security as a silo.”
It should be no surprise that large organizations frequently struggle with silos that create friction and miscommunication—barriers that get in the way of accomplishing important goals. In many respects, security is no different from other business functions in this regard. But a few security organizations have figured out how to use specific technologies to increase productivity, efficiency, and effectiveness across their people and processes. A mouthful, I know, but let me explain.
The DevOps Revolution
It seems like forever ago when software development and IT operations were siloed themselves. Each function was responsible for specific things: developers coded and built software, and IT operations deployed and delivered it.
Oftentimes, this process involved developers throwing their code over the wall to operations, with no thought of how it would deploy efficiently. Tools weren’t connected, communication between teams was sparse, and operations was left with a set of repetitive, manual tasks to deliver the product consistently. Forget scale or automatic deploys. Backlogs grew, software didn’t get delivered fast enough, and a fire slowly spread.
This method of software development and delivery wasn’t time-effective or cost-effective, especially in light of the changing tech landscape. Teams were expected to build fast, and deliver even faster. Over time, both dev and ops could barely keep up.
This heavy stream of fire fights—coupled with the advent of emerging technology (cloud, SaaS, etc.)—paved the way for a revolution. Teams needed to work together, workflows needed to be put in place, and tools had to be connected for smoother delivery. Orchestration and automation were introduced to make this entire process seamless and more effective.
This is how DevOps was born. And DevOps had a simple purpose: a single unit building, deploying, and delivering software.
Infosec Is on the Precipice of Change
It’s no secret that security teams are distressed. They suffer many of the same plights that developers and operations folks did before the birth of DevOps.
For example: Teams are inundated with a plethora of alerts, and they don’t have enough time or people to actively investigate them all.
To make matters worse, most alerts are likely false positives that still need to be investigated, causing teams to chase down logs and other intel only to find there’s no actual threat. Meanwhile, alerts that do pose a real danger may not get investigated fast enough or at all.
On top of these false positives, many investigatory tasks are manual, repetitive, and time-consuming.
Coupled with that, tools are unconnected, so teams have to jump from system to system, copying and pasting information from one to the next. This is extremely daunting and error-prone.
And coupled with that, good security talent is scarce these days, so simply hiring more people isn’t an easy solution (and isn’t always more efficient, either).
Finally, the threat landscape is growing by leaps and bounds, and sadly bad actors are becoming more creative than ever (Mirai, botnets, malware, etc.). It’s increasingly difficult for defenders to keep up, let alone get ahead of these threats.
Sound familiar? Security is reaching an inflection point. Just as orchestration and automation brought change to software development and IT operations, they will bring change to security operations (SecOps).
Security Orchestration and Automation: The Great Uniter
It’s time we as an industry invested in technologies and methodologies that enhance our tools, processes, and people. We know that orchestration and automation were crucial technologies for DevOps to succeed. Why not bring these same concepts to SecOps?
Security orchestration unites disparate systems and tools, and lights the way for machine-to-machine security automation. Machines are great at handling a series of repetitive tasks, while humans are great at deriving context from data. Why not offload these repetitive tasks to machines, and allow humans to focus on correlation of data? In certain scenarios, a human may not even need to be involved if the process is well-defined enough.
That’s the beauty of automation. And coupled with orchestration, it can be extremely flexible.
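The machine/human split described above, as an added example that is not from the original post and is not Komand’s own code: a minimal triage playbook that pulls context for each alert from two stand-in systems (an asset inventory and a threat-intel feed, both constructed here), auto-closes a sanctioned source, and escalates only what needs an analyst. Every data value in it is constructed, and the queue names are assumptions.

```python
# Added example (not from the original post): a small alert-triage "playbook"
# that does the repetitive enrichment and routing work so an analyst only sees
# alerts that need human judgement. All systems and data are constructed stand-ins.
from dataclasses import dataclass, field

# Constructed stand-ins for the "disparate systems" an orchestrator would query.
ASSET_INVENTORY = {"10.0.1.25": {"owner": "finance", "tier": "critical"},
                   "10.0.2.7": {"owner": "lab", "tier": "low"}}
THREAT_INTEL = {"198.51.100.23": "known-c2", "203.0.113.5": "scanner"}
KNOWN_BENIGN = {("vuln-scanner", "203.0.113.5")}  # sanctioned internal scanner


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    dst_ip: str
    signature: str
    enrichment: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # trail of what the machine did


def enrich(alert):
    """Step 1 (machine work): gather context from each system into the alert."""
    alert.enrichment["asset"] = ASSET_INVENTORY.get(alert.dst_ip, {"tier": "unknown"})
    alert.enrichment["intel"] = THREAT_INTEL.get(alert.src_ip, "none")
    alert.audit.append("enriched")
    return alert


def route(alert):
    """Step 2: decide which alerts a human must see; return the queue name (assumed)."""
    if (alert.signature, alert.src_ip) in KNOWN_BENIGN:
        alert.audit.append("auto-closed: sanctioned source")
        return "closed"
    tier = alert.enrichment["asset"].get("tier")
    if alert.enrichment["intel"] == "known-c2" or tier == "critical":
        alert.audit.append("escalated")
        return "analyst-p1"
    alert.audit.append("queued for review")
    return "analyst-p3"


def run_playbook(alerts):
    """Run every alert through the playbook; return {alert_id: queue}."""
    return {a.alert_id: route(enrich(a)) for a in alerts}


SAMPLE_ALERTS = [  # constructed alerts, one per routing outcome
    Alert("A1", "203.0.113.5", "10.0.2.7", "vuln-scanner"),
    Alert("A2", "198.51.100.23", "10.0.1.25", "outbound-beacon"),
    Alert("A3", "192.0.2.9", "10.0.2.7", "failed-login"),
]

if __name__ == "__main__":
    for aid, queue in run_playbook(SAMPLE_ALERTS).items():
        print(aid, "->", queue)
```

The audit list on each alert is what lets a human see, after the fact, why the machine closed or escalated it.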
Related Blog: Security Orchestration and Security Automation: What is the Difference?
So what does this mean for security as a whole? Well, this:
- Defenders can get ahead, and aren’t constantly fighting fires
- The security function is streamlined and more productive
- The industry is stronger, more connected, and more effective
- And it paves the way for unity among the greater IT team
Which leads me to my final thought: I’ve seen the challenges security teams face. I experienced them myself as a security analyst years ago, so I know first-hand how difficult it is for defenders right now. I also know how hard it is to add orchestration and automation without a team of developers at your fingertips. And given the well-known cybersecurity skills shortage and budget constraints, adding automation to security operations is a pipe dream for many organizations. But it doesn’t have to be.
The goal is simple: provide security teams the fastest way to add automation to security processes, no code required.
Learn more about Komand by Rapid7 and security automation and orchestration.