We need SysSecOps. IT operations teams and corporate security professionals each have increasingly vital jobs. Most of the time, they work independently. However, when incidents happen – or when there’s the potential for a breach – their silos mean that responses are slow, and possibly ineffective. It’s time to bring IT operations and security together, in a way that doesn’t interfere with their day-to-day functioning, but which allows them to share data, and communicate more effectively, when necessary. We call this approach SysSecOps: Systems & Security Operations.
For many organizations, the thrust of SysSecOps will begin at the endpoint. Endpoint security integration and organizational coordination are key to building a SysSecOps approach to enterprise security; indeed, many of the major hacks of the past five years could have been prevented with better organizational response and integration of security tools.
More than half (53%) of the respondents to the 2017 Futuriom security survey believe security technology integration is a major challenge in securing endpoints. That’s why integrating security tools is a major goal of SysSecOps, which can have beneficial effects in securing the enterprise.
Malware and phishing remain major threats to enterprise security, requiring integrated system monitoring and endpoint protection. Yet conflicting security goals within the same organization can be a barrier to securing endpoints and systems. And when it comes to SysSecOps, most current endpoint security tools are inadequate, lacking integration with other security components.
SysSecOps on the Endpoint
Monitoring the huge number of connected systems, servers and devices means dealing with more complexity than ever. Virtualization, cloud services, extensive remote workers, and ever-increasing endpoints – including those connected to customers, partners, and employees – mean that systems are no longer contained within corporate boundaries.
At large businesses, employees and network endpoints are accessing data all over the world, from a variety of cloud services. At the same time, the threats to IT resources are scaling on a global level, with prominent cybersecurity attacks occurring daily, often resulting in stolen data, corporate financial losses, and violations of privacy. That’s why security needs to keep endpoint protection front-and-center of any effective policy. Who owns the endpoints? IT operations. Who owns protection? Security. That’s why both teams need to work together.
Many security organizations recognize that preventative endpoint protection platforms can only do so much. Thus, endpoint detection and response (EDR) platforms have become a focus of the security industry, and rightfully so. EDR solves real problems.
Unfortunately, most EDR products are themselves silos; they don’t integrate well (or at all) with the broader risk management and security tools around them, or with IT operations platforms. To secure and protect connected assets, security specialists and IT managers need higher quality insights and visibility from these endpoints, not more stand-alone solutions. And they need to share that data to establish a single source of truth enabling quicker and more effective security and risk mitigations.
IT Operations and Security Want a Coordinated Approach
A recent survey, conducted by Futuriom, found that systems management and security professionals want increased integration of IT systems and security operations, encompassing both tools and processes – as well as coordination of the associated budgets allocated to these organizations. They said that integrated security visibility is a top challenge: Most said that “challenge in integration of many security tools” is a major issue when securing their endpoint environments. Plus, when asked, “What would be the most helpful in improving IT security in your organization?”, end users selected “Better integration between systems management and security operations tools,” as one of the most helpful approaches.
Those findings were consistent among IT system managers, security specialists, and network managers – they all want to see improved, more highly coordinated system monitoring and security operations. The need for better integration of system monitoring and security tools and operations is an approach we are defining as SysSecOps.
The goal of SysSecOps is to give IT and security teams an improved, more holistic view for managing the overall risk and security of their endpoint environments. This report outlines the trends in coordinating systems management tools with security tools, specifically EDR, to yield a SysSecOps platform with improved visibility and control over the wide array of managed IT systems and endpoints.
To pick one example of a hack where a SysSecOps approach could have helped mitigate the damage, consider an attack on eBay. Hackers gained access to records for as many as 145 million users, including unauthorized access to a database containing names, addresses, phone numbers, dates of birth, email addresses and encrypted passwords.
In response, eBay said, “Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network. We are working with law enforcement and leading security experts to aggressively investigate the matter. At this point, we are not disclosing further information.” eBay had taken standard precautionary measures, such as separating and encrypting customer data, but more advanced techniques could have been used. For example, it could have used behavioral analytics to score transactions and decline ones that seem fraudulent, according to Liron Damri, chief operations officer of security specialist Forter.
What could have gone better: Feeding detailed endpoint behavioral data into an analytics engine should have identified the attack early and prevented further damage. Who owns the endpoint data, including activity logs? IT operations. Who would control the behavior analytics on those logs? Security. Too bad they weren’t working together.
Developing a SysSecOps Strategy
Our investigation into the needs for SysSecOps has revealed many interesting trends, among them the requirement to integrate existing systems management and security tools, coordinate budgeting and planning across organizational boundaries, and focus on using endpoint visibility data to drive analytics improvements for building predictive detection of security and system risks.
But how does one do that? It’s clear from a look at the major security and systems failures of the past few years that such an approach requires strong leadership across the organization, driven from the executive and board level of the organization. If the leadership of the organization does not realize these critical goals, a SysSecOps approach cannot emerge and thrive.
Some key elements of a SysSecOps strategy include:
- IT and security professionals are asking for better integration of tools, which requires coordination of organizational budgets and planning
- To achieve SysSecOps integration, systems management and security budgets need to be coordinated across organizational boundaries to plan for the required technology components.
- The emphasis on technology should be toward building coordinated data-collection and analytics engines.
- SysSecOps for endpoints is built on a foundation of endpoint visibility, control and integration within a broader security ecosystem.
- Finally, an integrated SysSecOps strategy needs to be developed and coordinated within the organization – across divisional boundaries including systems management, and security – and driven from the highest levels of the organization.
Coordinated SysSecOps visibility has already proven its worth in helping organizations assess, analyze, and prevent significant risks to the IT systems and endpoints. If these goals are pursued, the security and management risks to an IT system can be greatly diminished.
Scott Raynovich, Principal Analyst, Futuriom
Image Credit: Pavel Ignatov / Shutterstock