Cyber Security is easy, right? – What is SecOps?

Introduction

Security Operations (SecOps) is a well-established term. Its definition varies slightly depending on where you look, but it is generally consistent. When we talk about Security Operations here we are referring to “IT” Security Operations.

SecOps is the combination of IT Operations and Security Operations (Cyber) to prevent silos, improve collaboration, and reduce risks and gaps. This approach improves outcomes and contributes to a more secure work environment by reducing the attack surface and minimising the impact of incidents.

Previously you would see IT Operations and Security Teams “fighting” each other as both would see their area of responsibility as the priority over all else. Operations wants to keep the lights on so the business can function, and the Security team wants to keep the business secure to prevent a large incident which could potentially turn off the lights.

The problem? Both are right, and both are right at the same time. Why? Because when you look at it, they are both doing the same thing without realising it. If we remove the “IT” and the “Cyber” or “Security”, they are both, essentially, Operations. Their missions are the same; they are two halves of the same puzzle.

When IT and Security are not combined, you tend to get conversations like the ones below.

  • Security – We need to apply this patch urgently.
  • IT – We need to test first, and roll it out slowly.
  • Security – It’s critical.
  • IT – So is keeping users working.

Or

  • IT – We have had to make this change.
  • Security – But that affects the security baseline.
  • IT – The app is critical to the business, this was urgent.
  • Security – But now our attack surface has increased, and we’re more likely to be victim of a cyber attack. This is critically important.
  • IT – So is keeping users working.

Of course these are oversimplifications of complicated IT environments, where each IT change has thousands of knock-on effects. Think of IT, or Digital (as it is more commonly becoming known), as a delicate ecosystem where the smallest change can have complex repercussions further downstream.

This often happens when functions are siloed and each team has no context for the other team’s business-as-usual (BAU) work. When the teams are more integrated, a mutual understanding is reached, with each having an appreciation for the work of the other.

Instead of creating resistance for each other, they are united in their mission, which is basically to keep the business or organisation “Operational”. Let’s take a look at what a SecOps team does.

NOTE: Before we fully dive into this, we should mention that we can also have what is known as a CSOC or SOC, a Cyber Security Operations Centre. CSOCs or SOCs are generally more focused on “detect and respond” and active threat hunting. Think of the SOC or CSOC as the emergency response team: responding to incidents, proactively hunting for threats, and creating new custom detections based on the latest threat intelligence.

Forming a SecOps Team.

There are no hard and fast rules about what you must have in a SecOps team. With many organisations struggling to recruit (for reasons ranging from a lack of suitable applicants to being unable to meet wage demands), it is very likely that there will often be vacant roles across all IT teams, which will affect the composition of the team.

We also need to have a strategy in place, and to understand how to deliver that strategy, before heading off in a random direction. We need a clear purpose and an agreed, achievable mission. What do we mean by this?

If you’ve been following us for a while you’ll know we are strong proponents of “secure by design”. With this philosophy we would assign more resource to IT technical work. We need engineers and technicians who understand how to implement secure configurations, create security baselines aligned to best practice, and ensure new implementations are secure by default, to reduce the level of inherent risk being introduced into our infrastructure. This in turn reduces the number of incidents that require remediation, reducing the number of analysts required.

If we were unable to find sufficient resource to implement our secure by design strategy effectively, we would need to assign more resource to incident response and remediation, as we would expect to see an increase in alerts due to a weaker security baseline.

Tailoring our approach so that expectations are realistic is vitally important. If we arbitrarily set an unachievable ideal, the SecOps team is doomed to fail, we lose any perceived improvements, and morale suffers.

What does SecOps do?

There are no laws that state a SecOps team MUST do all of these tasks, and it obviously depends on the internal resource available, but these represent a good outline of what a SecOps team is generally expected to deliver.

  • Vulnerability management – Apply security updates and remediation activities. Actively identify weaknesses or gaps and validate controls.
  • Prevent threats – Configuration, hardening and secure by default.
  • Detect threats – Monitoring and logging of networks, applications and endpoints, and creating custom alerts.
  • Remediate threats – Device isolation, account suspension, alert/incident response and investigation. Configure and apply automation.
  • Threat hunting – Active investigation and custom queries.
  • Threat intelligence – Gathering actionable and relevant information, IOCs and TTPs.
  • Inventory – Asset management, which includes network hardware, devices, endpoints, systems and, in some cases, data.
  • Identity and Access Management – Especially important in a Zero Trust architecture. Securing identities, implementing Single Sign-On and MFA. User and Entity Behaviour Analytics (UEBA).

These activities can be split into two sub-groups, which naturally align to the IT Operations and Security Operations functions discussed previously. One focuses on secure by design, configuration and applying updates; the other on threat intel, alert response and remediation.

Most organisations are already undertaking “Security Operations”, but it is disjointed because the teams are not combined and actively collaborating.

Combining the teams also drives another benefit: centralising systems, logging and monitoring. Ideally we want both IT and Security reviewing the same logs in the same place, each applying their own filters to display the information relevant to them. When our information is isolated and siloed, it is much more difficult to join the dots effectively during investigations or incidents.
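The following is an added example, not code from the original post, of the shared-logging idea above: raw log lines are normalised once into a single store, IT Operations and Security each apply their own filter to that same store, and a custom detection (repeated failed logins from one source, as an example of the “custom alerts” mentioned under Detect threats) runs over the same data. All log lines, hostnames, addresses and the five-in-a-minute threshold are constructed for illustration.

```python
"""Added example (not part of the original post): one shared event store that both
IT Operations and Security query with their own filters, plus one custom detection.
Every log line below is constructed sample data."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed syslog-style lines mixing operational and security events.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T09:00:03Z web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-05-01T09:00:05Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-01T09:00:07Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-01T09:00:09Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T09:00:20Z web01 sshd[812]: Accepted publickey for deploy from 192.0.2.10 port 40110 ssh2
2024-05-01T09:01:00Z db01 systemd[1]: postgresql.service: Main process exited, code=killed, status=9/KILL
2024-05-01T09:01:02Z db01 systemd[1]: postgresql.service: Scheduled restart job, restart counter is at 1.
2024-05-01T09:02:00Z web01 kernel: Out of memory: Killed process 2211 (nginx)
2024-05-01T09:03:00Z web01 sshd[812]: Failed password for root from 198.51.100.5 port 33001 ssh2
"""

# "<timestamp> <host> <process>: <message>"; the process field stops at the first colon.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str
    msg: str


def parse(raw: str) -> list:
    """Normalise raw lines once into the shared store that both teams query."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["host"], m["proc"], m["msg"]))
    return events


def it_ops_view(events):
    """IT Operations filter over the shared store: service availability problems."""
    keys = ("Main process exited", "Scheduled restart", "Out of memory")
    return [e for e in events if any(k in e.msg for k in keys)]


def security_view(events):
    """Security filter over the same store: authentication activity from sshd."""
    return [e for e in events if e.proc.startswith("sshd")]


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Custom detection over the same store: at least `threshold` failed logins
    from one source address within `window`. Returns {source: peak count}."""
    failures = []
    for e in events:
        m = FAILED_RE.search(e.msg)
        if m:
            failures.append((e.ts, m["src"]))
    alerts = {}
    for ts, src in failures:
        recent = [t for t, s in failures if s == src and ts - window <= t <= ts]
        if len(recent) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(recent))
    return alerts


if __name__ == "__main__":
    store = parse(SAMPLE_LOGS)
    print("IT Ops view:", len(it_ops_view(store)), "events")
    print("Security view:", len(security_view(store)), "events")
    print("Brute-force alerts:", brute_force_alerts(store))
```

Both views and the detection read from the one `store` produced by `parse`, so an investigator from either team sees the same timeline and can correlate the OOM kill on web01 with the authentication activity around it without asking the other team for an export.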

Having analysts and technicians in the same team allows better collaboration during investigations and the pooling of internal knowledge when it is most needed. It can also be surprising how much duplication goes on between IT and Security teams, and any efficiency savings are normally very welcome for over-stretched internal teams.

We’re looking to achieve unified operations, and for this to result in as much consistency as possible across our IT and security functions. It should also reduce the number of reports and questions that go back and forth between the teams, as knowledge is shared through BAU activities rather than ad hoc whenever there is an issue or an audit.

SecOps Challenges.

SecOps needs to be incredibly agile, as technical innovations continue to push business processes forward, more often than not at the expense of security. SecOps teams must have in-depth knowledge of their IT environment and of the critical business functions to fully understand both the security and the business impact of any new innovation.

It’s only by understanding the impact that we can decide how best to secure any new system or process appropriately. “Appropriately securing” also includes the ongoing maintenance and vulnerability management of those systems and processes.

SecOps needs to be plugged into every aspect of the business so that the team becomes aware of any new system or process that has not come through the official governance channels. This can be very challenging if there are visibility gaps or the organisation has a largely remote workforce.

The number of systems in use, both officially and unofficially (see “Shadow IT”), is increasing exponentially within most organisations, which makes resource one of the biggest challenges for SecOps. One thing organisations still don’t grasp is that every new system they implement requires monitoring, configuring, maintaining, securing, remediating and incident response, and so the more systems they add, the more resource internal operational teams require.

System churn is also a problem. Many businesses and organisations do not have a coherent digital strategy, which results in a never-ending merry-go-round of new systems that are neither well considered nor well integrated. This makes the job of SecOps much more difficult.

SecOps Benefits

We’ve discussed a lot of the benefits throughout this post, and we’ve listed some of them below.

  • Identify threats earlier in the kill chain.
  • Stronger collaborative working.
  • Cross-team knowledge sharing.
  • Coherent IT and Security strategy.
  • Unified Operations.
  • Reduced duplication of effort.
  • Centralised and shared documentation.
  • Clearer reporting and accountability.
  • More efficient alert and incident management.
  • Enhances Secure by Default.
  • More effective audit and compliance efforts.

As the list above shows, implementing SecOps can resolve many of the well-known and documented issues currently affecting IT teams.