Security Operations is Not Dead
I remember when an admin ran security operations (SecOps) by logging into a console and doing something. Ah, the good ol’ days. Now, we have a multitude of ways to handle SecOps – programming with automation and APIs or inviting managed service providers into your business to (presumably) fix things.
With the advent of Infrastructure as Code (IaC) and code used to describe virtually everything else, it’s no wonder many security professionals express their frustration to us, questioning if they wasted their time on firewall and IPS certifications. We hear it a lot. This idea that security operations is dead has proliferated through the industry, and now everything will supposedly be done in a template.
On some level, this makes sense. Why spend a bunch of time making operational changes on running systems when in X minutes/hours/days the entire stack will be rehydrated and any changes you make are gone? G. O. N. E.
Nothing aggravates me more than repeating the same thing over and over. I suspect I’m not alone in that. So why wouldn’t we instead focus on decreasing the time it takes to update the template(s), tighten the triggers to redeploy the infrastructure after a change, and make the change once? Wouldn’t that make more sense?
In fact, it would. And that’s why the folks that have bought into this “code is everything” mantra are reluctant to look at security operations tools. But here’s the thing: these folks *will* be right. Eventually. But for now, they’re wrong. SecOps is not dead – it’s actually more important now as things move faster – including the adversaries.
Communication Between DevOps and SecOps
First let’s talk about communication. How does the DevOps team learn about a security issue? Do you call them? Do you send them an email? For a template to be updated, someone needs to tell them about it and what they need to do. Without security ops capabilities, you’re relying on what? Telepathy?
Also, don’t forget about context around the security issue. If the developer gets an email or random ticket in Jira, how do they know how critical the issue is? How can and should they prioritize it within the rest of their responsibilities for the current sprint? Even mind reading would net a precarious game of telephone, and that’s a good way to inadvertently focus on the wrong things.
Now let’s consider speed. How long does it take your team to make a change to a template and redeploy? An hour? A couple of hours? Time and time again, the evidence demonstrates that no matter how fast you can make a change, it’s not fast enough. Once a device is compromised, the clock is ticking. So sure, you absolutely should make the appropriate change in the template, but you should also make the fix **right now** in run time and contain the damage of the compromise.
It’s not like there isn’t a precedent for making short term changes until a more permanent fix can be applied. That’s how virtual patching works. You look for the vulnerability on your IPS (or another perimeter box) and block the attack until you can fix the underlying device or system. No one claims that it’s an answer. Nor do they think they should stop virtual patching because they should have the fix applied in a couple of hours. Treating the symptom without addressing the root cause is no path to success.
Long Live SecOps! (Or at Least, Run Time SecOps)
Alternatively, you could rely on a cloud security operations system to bridge the gap while your template magicians are doing their thing. Once the security team identifies an issue, they can notify the responsible party via their operations tool (Slack, Microsoft Teams, Jira, etc.) with a contextual alert describing the issue and its severity, along with some options to fix it. This happens in seconds.
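The workflow described above (contain at run time now, notify the owner with context and severity, and still land the permanent fix in the template) can be modelled as a small tracker. The following is an added example, not code from the original post or from any particular product; the finding fields, the SLA values, the template keys and the sample findings are all constructed for illustration. It encodes the point made about virtual patching: a finding is only closed when the template itself no longer produces the problem, and a finding that has been contained at run time but whose template fix has overrun its severity-based SLA is flagged as overdue rather than silently forgotten.

```python
"""Runtime-plus-template remediation tracker (added example, hypothetical names)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Any, Dict, List, Optional


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Constructed SLA: how long a finding may sit in "contained at run time only"
# before the missing template fix is escalated. Values are illustrative.
TEMPLATE_FIX_SLA = {
    Severity.CRITICAL: timedelta(hours=4),
    Severity.HIGH: timedelta(hours=24),
    Severity.MEDIUM: timedelta(days=7),
    Severity.LOW: timedelta(days=30),
}


@dataclass
class Finding:
    finding_id: str
    resource_id: str
    issue: str                  # human-readable description for the alert
    severity: Severity
    owner_channel: str          # where the responsible team listens (constructed)
    template_path: str          # IaC file that produces the resource (constructed)
    template_key: str           # setting in that file that must change
    expected_value: Any         # value the template must hold once fixed
    detected_at: datetime
    runtime_contained_at: Optional[datetime] = None  # when the run-time fix was applied


def build_alert(f: Finding, fix_options: List[str]) -> Dict[str, Any]:
    """Contextual alert payload for the team's ops tool (Slack, Teams, Jira, ...)."""
    return {
        "channel": f.owner_channel,
        "severity": f.severity.name,
        "resource": f.resource_id,
        "issue": f.issue,
        "root_cause": f"{f.template_path}:{f.template_key}",
        "runtime_contained": f.runtime_contained_at is not None,
        "fix_options": fix_options,
    }


def template_fixed(f: Finding, template: Dict[str, Any]) -> bool:
    """The root cause is gone only when the (parsed) template holds the expected value."""
    return template.get(f.template_key) == f.expected_value


def status(f: Finding, template: Dict[str, Any], now: datetime) -> str:
    """closed / exposed / contained / contained-overdue for one finding."""
    if template_fixed(f, template):
        return "closed"
    if f.runtime_contained_at is None:
        return "exposed"          # neither symptom nor root cause addressed
    overdue = now - f.runtime_contained_at > TEMPLATE_FIX_SLA[f.severity]
    return "contained-overdue" if overdue else "contained"


def triage_order(findings: List[Finding]) -> List[Finding]:
    """Highest severity first; within a severity, the oldest finding first."""
    return sorted(findings, key=lambda f: (-int(f.severity), f.detected_at))


# Constructed sample data: three findings and the current state of their templates.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=6)

SAMPLE_FINDINGS = [
    Finding("F-1", "sg-open-ssh", "security group allows 0.0.0.0/0 on tcp/22",
            Severity.CRITICAL, "#team-payments", "network/sg.tf", "ssh_ingress_cidr",
            "10.0.0.0/8", T0, runtime_contained_at=T0 + timedelta(minutes=1)),
    Finding("F-2", "bucket-logs", "log bucket has versioning disabled",
            Severity.LOW, "#team-data", "storage/buckets.tf", "versioning",
            True, T0 - timedelta(days=1)),
    Finding("F-3", "i-web-1", "web instance exposes its management port publicly",
            Severity.HIGH, "#team-web", "compute/web.tf", "mgmt_port_public",
            False, T0, runtime_contained_at=T0),
]

SAMPLE_TEMPLATES = {
    "network/sg.tf": {"ssh_ingress_cidr": "0.0.0.0/0"},   # still broken in code
    "storage/buckets.tf": {"versioning": False},           # still broken, not contained
    "compute/web.tf": {"mgmt_port_public": False},         # template fix has landed
}


def report(now: datetime = NOW) -> Dict[str, str]:
    """Status of every sample finding, in triage order."""
    return {f.finding_id: status(f, SAMPLE_TEMPLATES[f.template_path], now)
            for f in triage_order(SAMPLE_FINDINGS)}


if __name__ == "__main__":
    for fid, st in report().items():
        print(fid, st)
    print(build_alert(SAMPLE_FINDINGS[0], ["restrict ssh_ingress_cidr to the bastion range",
                                           "remove the ssh rule and use SSM/session manager"]))
```

Running it shows F-1 as `contained-overdue` (the run-time containment is six hours old, past the four-hour critical SLA, and `network/sg.tf` still says `0.0.0.0/0`), F-2 as `exposed`, and F-3 as `closed` because its template now holds the expected value. The alert payload carries the owner channel, severity and the exact template key to change, which is the context the post says a bare email or Jira ticket lacks.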
It’s tough enough to stay ahead of the attackers. To tie both arms behind your back by not making changes to running systems because of some misguided notion that it will happen fast enough through the DevOps process isn’t a great idea, especially considering the high profile nature of what’s running in your cloud.
The next time someone tells you that they are making all of their security changes in their templates, you can bust out your Mark Twain, and let them know that the report of the death of Security Operations has been greatly exaggerated.