One advantage of a well-embedded DevOps mindset is the ability to pursue efficiencies by driving automation and orchestration in key security processes.
Modern security teams employ a diverse collection of tool stacks for offerings such as security operations, IAM, application security, vulnerability management and more. Manual review processes are rapidly becoming a thing of the past, and even incident response processes are starting to evolve from the ground up.
Let’s look at the application of DevOps principles to the Security Operations Center (SOC) and Security Information and Event Management (SIEM) tool suites.
SecOps has faced several challenges over the past few months, with SOC teams having to manage both a heightened threat landscape and unfamiliar employee working patterns that invalidate formerly reliable insider threat alerts. In this new reality, tooling used for SecOps must be agile, adaptive and responsive to new signals from hybrid on-premise and remote working models, as well as to new models of identity and access.
While the SOC has relied on SIEM solutions for years, today’s environment might serve to accelerate the already exploding use of Security Orchestration, Automation and Response (SOAR) tools. SOAR tools serve as an extension of traditional SIEM functionality by integrating monitoring capabilities with various other internal and external tools available to an analyst. For example, an analyst can gather relevant threat intelligence information for an event indicator (such as an IP address) by executing a command via a graphical interface. This command streamlines the traditional analyst approach of navigating to the threat intelligence source, manually searching for the indicator identifier, and recording the information back into a central platform for further reference.
A SOAR platform is the epitome of integration with the enterprise, and it exemplifies the DevOps philosophical tenets. SOAR extends SOC capabilities by using existing tools managed by other teams in a streamlined fashion. This increases the holistic unity of the enterprise and its ability to work towards a common goal.
In addition, SOAR focuses on speed. Automation and orchestration are at the core of the product, and these let analysts quickly work through formerly labor-intensive tasks. Finally, SOAR empowers individuals to develop solutions for themselves.
Just as development teams are given the keys to operations architecture, industry-leading SOAR platforms let analysts build and iterate their own automated workflows. This functionality minimizes menial tasks and ultimately enhances the quality and efficiency of SOC output.
With many industry leaders already using SOAR platforms, adoption continues to accelerate. We have seen companies implement basic SOAR capabilities to overwhelmingly positive feedback. Rather than buying off-the-shelf tools, many companies have employed their software engineering teams within their security organizations to begin building dedicated SOAR platforms.
SOAR functionality is not always complicated: one initial feature developed was a Slack bot that sent messages to developers to confirm the legitimate use of root accounts. This relatively simple concept was still regarded as a monumental win by the security analysts, who are accustomed to dealing with a barrage of false positives that are not quickly resolved. Now those wasted hours have been automated away, and the junior security team members are excited that they can turn their attention to more useful tasks and strategic improvements.
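The two SOAR patterns described above, indicator enrichment against a threat intelligence source and a bot that asks the named user to confirm root-account use, can be shown together in one small playbook. The following is an added illustration written for this page, not code from KPMG or from any SOAR product. The log lines, the threat-intelligence table and the `ask_user` callback (which stands in for a Slack prompt) are all constructed here; a real deployment would replace them with the SIEM's event feed, the organisation's intelligence source and the chat integration.

```python
"""
Constructed SOAR-style playbook: parse root-account use out of syslog-style
lines, enrich any source IP against a threat-intelligence table, then either
ask the named user to confirm the action or escalate to an analyst.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample log lines (sudo and sshd style); not from any real host.
SAMPLE_LOG = """\
Apr 10 09:12:01 build01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Apr 10 09:13:44 build01 sshd[2201]: Accepted publickey for root from 203.0.113.7 port 51422 ssh2
Apr 10 09:14:02 build01 sshd[2210]: Accepted password for bob from 198.51.100.23 port 40011 ssh2
"""

# Constructed threat-intelligence table standing in for an external feed lookup.
THREAT_INTEL: Dict[str, dict] = {
    "203.0.113.7": {"verdict": "malicious", "tags": ["scanner"]},
}

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*USER=root\b.*COMMAND=(?P<cmd>.+)$")
SSH_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")


@dataclass
class RootEvent:
    host: str
    user: str            # the human who acted (sudo) or "root" for a direct login
    source: str          # "sudo" or "ssh"
    ip: Optional[str] = None
    detail: str = ""     # command run, or the ssh auth method
    intel: dict = field(default_factory=dict)


def parse_root_events(log_text: str) -> List[RootEvent]:
    """Return only the events that involve the root account."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)          # month day time host rest
        if len(parts) < 5:
            continue
        host = parts[3]
        m = SUDO_RE.search(line)
        if m:
            events.append(RootEvent(host, m["user"], "sudo", detail=m["cmd"].strip()))
            continue
        m = SSH_RE.search(line)
        if m and m["user"] == "root":
            events.append(RootEvent(host, "root", "ssh", ip=m["ip"], detail=m["method"]))
    return events


def enrich(event: RootEvent, intel: Dict[str, dict] = THREAT_INTEL) -> RootEvent:
    """Attach the intelligence verdict for the event's source IP, if any."""
    if event.ip:
        event.intel = intel.get(event.ip, {"verdict": "unknown", "tags": []})
    return event


def triage(events: List[RootEvent],
           ask_user: Callable[[str, str], Optional[bool]],
           intel: Dict[str, dict] = THREAT_INTEL) -> List[Tuple[RootEvent, str]]:
    """
    Decide "close" or "escalate" for each event.
    ask_user(user, question) returns True (confirmed), False (denied) or
    None (no answer before timeout); it stands in for the Slack bot.
    """
    decisions = []
    for ev in events:
        enrich(ev, intel)
        if ev.intel.get("verdict") == "malicious":
            decisions.append((ev, "escalate"))      # never ask; go straight to an analyst
            continue
        if ev.source == "ssh":
            decisions.append((ev, "escalate"))      # direct root login: no named human to ask
            continue
        answer = ask_user(ev.user, f"Did you run '{ev.detail}' as root on {ev.host}?")
        # Only an explicit "yes" closes the alert; "no" and silence both escalate.
        decisions.append((ev, "close" if answer is True else "escalate"))
    return decisions


if __name__ == "__main__":
    def demo_ask(user, question):      # stand-in for the chat prompt
        print(f"[to @{user}] {question}")
        return True
    for ev, outcome in triage(parse_root_events(SAMPLE_LOG), demo_ask):
        print(f"{ev.host} {ev.source} {ev.user} ip={ev.ip} intel={ev.intel} -> {outcome}")
```

The design point is that the bot is an input to a decision, not the decision itself: an indicator with a malicious verdict or a direct root login bypasses the confirmation step, and an unanswered prompt is treated like a denial rather than being allowed to silently close the alert.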
After initial successes like these, organizations quickly prioritize the buildout of SOAR capabilities and push resources into their security engineering teams. These teams work with the SOC, and other security functions, to identify pain points that can be alleviated using technology solutions.
These experiences with partnered companies demonstrate the movement to SOAR technologies as a fitting embodiment of DevOps philosophies in security operations. But it’s only the first step of integrating DevOps philosophies into SecOps. The movement towards DevSecOps-enabling technology solutions was already underway: the post-pandemic reality will bring efficiency and cost reduction to the forefront, key elements in gaining the approval of Chief Financial Officers.
More broadly, security leaders have an opportunity to revamp their operations in preparation for this new reality. Freed from the need to perform repetitive, manual security tasks, leaders can now turn to program enhancements and address the strategic challenges exposed by the pandemic, such as digital business transformation and community threat collaboration for this novel landscape.
Unless otherwise indicated, throughout this website, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.