SecOps is more than a job title; it is a workflow and a methodology. Its goal is to align security and operations teams so that the company can deliver software efficiently while reducing the organization's risk over time, which is simply the reality of running a business. Even the simplest form of security monitoring usually has to be coordinated with operations: getting visibility into who is doing what, where, and when in the environment typically requires an agent on each host, and deploying that agent requires ops to approve and install it. You will know you have reached a working balance between DevOps and security (and created a SecOps ecosystem) when you see that you are effectively managing the security trifecta of people, process and tools. But let's go back to the beginning.
The migration toward SecOps thinking is nothing new, but it is picking up steam. According to a recent survey by DigiCert, 49% of companies are just now starting to integrate their security and DevOps teams. The same survey found that organizations that implemented SecOps improved their security posture: respondents reported that their information security, their adherence to application delivery deadlines, and their ability to lower application security risk each improved by approximately 22%, a better result than those organizations originally anticipated. Personally, I'm a firm believer in SecOps, and to help more people make the migration I thought it would be helpful to share some advice on tooling considerations (many of the tools are free and open source).
Your goal is to create a security roadmap that both your security and your operations teams will follow. It has therefore never been more important (or more economical) to invest in tools that both teams can use, with bonus points if members of your team are already familiar with them, since that makes adoption much easier. The good news is that many of the DevOps tools on the market today can also be used for security purposes; the workflow principles are similar, so their functionality translates well.
There are three SecOps tool categories: configuration management, incident management, and security monitoring.
1. Configuration management. Your developers can use configuration management tools to build repeatable systems, test those systems, and update critical systems when a vulnerability is disclosed.
2. Incident management. Incident management tools dramatically simplify the way your organization responds to incidents by making it possible to notify the on-call security staff quickly when something goes wrong.
3. Security monitoring. Lastly, you'll want a security monitoring tool to give you complete visibility into your systems and data, so that you know when vulnerabilities or security threats appear and can address them as quickly as possible.
The beauty is in being able to integrate them all. For example, security alerting should be wired directly into existing DevOps workflows, so that teams can respond quickly and with relevant context about what happened. By bringing security teams into ChatOps workflows through apps like Slack, security alerts can be fed automatically into the channels where the Developer, Ops and Engineering teams already talk. Ops and engineering are looped in automatically and can start investigating straight away, saving time and effort.
APIs and webhooks let these tools connect to agile operational tooling. This can drastically improve a DevOps team's ability to work security into debugging, file integrity monitoring, installation monitoring, and other core tasks, and with it the organization's ability to answer the key question that is the cornerstone of a SecOps culture: "Who did what with which code, from where, and when?"
There are a host of tools that I've found very useful, and I'd like to think they could be handy for you as well. Here is a list of common tools I've used for streamlining security processes, automating tasks, gaining visibility into cloud environments, and for general SecOps support:
- Puppet / Chef / Ansible / SaltStack can be used to define and enforce the desired state of systems. They help you apply best practices such as setting firewall rules, locking down users and groups, or applying custom security policies, and because the desired state is expressed as code, they also help you demonstrate compliance.
- Chef InSpec can be used to test continuously that systems still comply with the agreed-upon configuration.
- Slack can be used for quick response to security alerts and incidents, allowing for easy communication among stakeholders.
- Trello is built for visual collaboration, but it can also be used for bug tracking and for assigning tasks to your team to ensure they get done.
- PagerDuty can be used for incident response and real-time alerting of the appropriate people in the event of a security issue.
- OSQuery can be used to query your infrastructure with SQL and gives you insight into the services and applications running in your environment.
- OSSEC is a host intrusion detection system (HIDS) that gives you monitoring and alerting for anomalous activity on your hosts (log analysis, file integrity checks, rootkit detection).
- GoAudit is Slack's open source alternative to the auditd daemon; it consumes audit events, including system call records, from the kernel's audit subsystem and emits them as JSON for your log pipeline.
- AWS CloudTrail provides a continuous record of API calls made across your AWS infrastructure (who called which API, from which IP address, and when), which simplifies security analysis, resource change tracking, and troubleshooting.
- Container platforms like Docker, together with container security tools like Twistlock, can be used to automate developer tasks, streamline software delivery, and develop and deploy bug fixes and new features with far less friction.
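To show what the ChatOps integration described above looks like in practice, here is an added example (not from the original article, and not Threat Stack's code) that runs a few detection rules over CloudTrail records and formats each hit as a Slack incoming-webhook payload carrying the who/what/where/when context. The records are constructed samples in the CloudTrail JSON schema; the three rules, the severity labels and the `#secops` channel name are assumptions made for illustration.

```python
"""Route CloudTrail events into a ChatOps channel with who/what/where/when context.

Added example, not Threat Stack's code. Records are constructed samples in the
CloudTrail JSON schema; rules, severities and the "#secops" channel are assumptions.
"""
import json

# Constructed sample records, abridged to the fields the rules use.
SAMPLE_RECORDS = [
    {"eventTime": "2018-03-01T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2018-03-01T14:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2018-03-01T14:06:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2018-03-01T14:07:15Z", "eventSource": "ec2.amazonaws.com",  # benign read
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

def parse_cloudtrail(text):
    """CloudTrail log files wrap events in {"Records": [...]}; a bare list is accepted too."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data

def actor(rec):
    """Best available 'who': IAM user name, else principal ARN, else identity type."""
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

# Detection rules: each returns a detail string on a hit, otherwise None.
def world_open_ingress(rec):
    """Security group rule admitting traffic from anywhere (0.0.0.0/0 or ::/0)."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        ranges = (perm.get("ipRanges") or {}).get("items", []) + (perm.get("ipv6Ranges") or {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in ("0.0.0.0/0", "::/0"):
                return "%s/%s-%s open to %s on %s" % (perm.get("ipProtocol"), perm.get("fromPort"),
                                                      perm.get("toPort"), cidr, params.get("groupId"))
    return None

def root_console_login(rec):
    """Console sign-in as the root account, which should never happen day to day."""
    if rec.get("eventName") == "ConsoleLogin" and (rec.get("userIdentity") or {}).get("type") == "Root":
        return "root console login: %s" % (rec.get("responseElements") or {}).get("ConsoleLogin", "unknown")
    return None

def trail_tampering(rec):
    """Someone switching off or altering the audit trail itself."""
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and \
            rec.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        return "%s on trail %s" % (rec["eventName"], (rec.get("requestParameters") or {}).get("name", "?"))
    return None

RULES = [("high", world_open_ingress), ("critical", root_console_login), ("critical", trail_tampering)]

def evaluate(records):
    """Run every rule over every record; each hit carries who/what/where/when plus detail."""
    alerts = []
    for rec in records:
        for severity, rule in RULES:
            detail = rule(rec)
            if detail:
                alerts.append({"severity": severity, "rule": rule.__name__, "who": actor(rec),
                               "what": rec["eventName"], "when": rec["eventTime"], "detail": detail,
                               "where": "%s -> %s" % (rec.get("sourceIPAddress"), rec.get("awsRegion"))})
    return alerts

def slack_payload(alert, channel="#secops"):
    """Body for a Slack incoming webhook; POST it as JSON to the webhook URL."""
    text = (":rotating_light: *%s* %s\nwho: `%s`  what: `%s`  where: `%s`  when: `%s`\n%s"
            % (alert["severity"].upper(), alert["rule"], alert["who"], alert["what"],
               alert["where"], alert["when"], alert["detail"]))
    return {"channel": channel, "text": text}

if __name__ == "__main__":
    for alert in evaluate(parse_cloudtrail(json.dumps({"Records": SAMPLE_RECORDS}))):
        print(json.dumps(slack_payload(alert)))
```

Feeding the sample records through `evaluate` produces three alerts (the world-open SSH rule, the root console login, and the trail being stopped) and ignores the benign `DescribeInstances` call. Each payload names the actor, the API call, the source IP and region, and the timestamp, so whoever sees it in the channel can start investigating without first opening the console. Posting it is a single HTTP POST of the JSON body to the webhook URL, which is deliberately left out so the example runs offline.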
The bottom line is that if you're committed to creating a SecOps culture in your organization, you're going to need smart, practical tooling. Think of these tools as the connective tissue that holds the SecOps body together. How will you know what will work best for your organization? With any luck, the right tools are already in use. If not, experiment with new ones to see what works best in your environment.
Like most things in life, desire can only get you so far. You need to put together a fully fleshed-out security improvement plan, a security roadmap, to make sure that your SecOps processes stay on track. When planning, audit your current security and Ops programs; often you'll find that your DevOps teams are already using a configuration management or project-tracking tool that can be reused in your SecOps processes.
Pete Cheslock, Senior Director Operations and Support, Threat Stack
Image Credit: Profit_Image / Shutterstock