Neil Simon's play and film The Odd Couple hinged on two characters, Oscar and Felix, who had entirely different priorities but found themselves living together—and creating frustration for each other.
After a brief time together, Oscar throws Felix out of his apartment, but (spoiler alert) in the final scene he realizes that Felix has had a positive effect on him. Felix's life changes bring the two together.
Similarly, changes in IT security and operations are forcing greater collaboration. While these teams have typically operated at arm's length, with forced tolerance of one another, that must change. Increasing regulatory pressure from privacy laws such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as high-visibility hacks that resulted from sluggish patch management, are driving these teams to more closely coordinate their efforts in mutually beneficial ways.
We are also seeing the results of DevOps, blurring the lines between developers and operations teams, to more rapidly and successfully deploy code. The success that DevOps has experienced is a roadmap for a SecOps relationship renaissance.
The bickering between Felix and Oscar sometimes resulted in broken dishes. In real-life IT, regulatory fines and security breaches await those teams that don't work together. Look for the following opportunities to strengthen collaboration between security and operations teams in 2019.
1. Establish a patch management partnership
Who owns patch management in your organization? Typically operations is responsible and accountable, with security and audit providing policies and verification. That system can work, but it sometimes creates an "us versus them" mentality.
It's easy to point at operations and say that their patch management system is broken or that it lacks sufficient priority. And sometimes that is the case; operations must be provided with clear timelines for deploying patches that close critical vulnerabilities, and it needs the resources to accomplish that.
Sometimes, though, the volume of changes can be overwhelming for operations, and there are times when systems must be locked down, or when applications cannot be patched without breaking an older application.
If security views patch management as a partnership, these challenges can be solved together. Security can help operations through regular re-prioritization of vulnerabilities, and, where changes are frozen, work to provide mitigation strategies such as network segmentation or additional security monitoring.
2. Share identity and access data
While patch management is almost always the responsibility of operations, identity and access management (IAM) is often a joint-custody program. Typically there are boundaries between administration and governance responsibilities, but they use a common IAM platform.
With compromised credentials the top threat in security breaches, according to the 2018 Verizon Data Breach Investigations Report, it's critical that security and operations work toward an integrated approach to managing and governing identity and access.
In practice, this means using identity and access data as a source of insight for security information and event management (SIEM). This is not simply for forensic purposes, searching for evidence after a breach, but is also useful in real time as a means of identifying a breach in progress by alerting on unusual access patterns or abuse of privileges.
Responding to privilege abuse should also lead to a rapid revocation of entitlements until the incident can be investigated, because damage can be done in minutes once attackers have an insider's credentials. This requires integration back into the IAM platform to automate the response.
3. Manage the data—not just databases
Database management is a critical skill that operations provides, but it's usually focused on maintaining the performance of the database. With privacy mandates and attackers focused on data, the security team could use some support from application and database administrators in protecting the data as well.
Encryption, while not specifically required by privacy mandates, provides critical protection for personally identifiable information (PII) in the event that attackers access a database containing PII. Some administrators have been reluctant to support encryption, fearing complexity or performance challenges. Modern approaches to format-preserving encryption, though, encrypt data in a way that does not alter the data format, resulting in strong encryption with few changes needed to the way applications already work.
4. Embrace change
Few administrators willingly accept the handcuffs that are typically part of privilege management tools. But with the pressure from DevOps to provision faster and to keep pace with patch management, there is a need to make implementing changes easier for operations.
Security teams must resist the urge to implement every feature of a privilege management tool on every system. The choice of how much privilege management should be applied must be based on risk. For many systems, checking out passwords and session recording is sufficient. Even better are risk-based activity controls that terminate access or step up authentication if high-risk commands are used.
Additionally, some changes are time-sensitive to prevent an incident in progress from becoming headline news. Automating common responses to security incidents through orchestration tools for select changes allows a rapid reaction while minimizing risk.
5. Plan and train response procedures together
All good teams practice and train together, and the same needs to be done for responding to a cyber attack. The NIST Cyber Security Framework, updated in April 2018, calls for response planning, communications, analysis, mitigation, and improvements as part of the core respond function.
The time to establish and practice protocols and procedures for each of the above activities is before a breach occurs. Attempting to make them up in the middle of a crisis leaves inevitable gaps and extends exposure time, allowing more damage to occur.
When building and training against these protocols and procedures, it's critical that operations and security engage equally. Some organizations have the perspective that security is the sole responsibility of the IT security team. This is not a practical approach, as anyone who has dealt with a major security breach will tell you.
While IT ops and security may feel like an odd couple forced to live together at first, the more work that the two teams do together, the more appreciation each will have for the other's perspective.
This will ultimately improve the confidentiality, integrity, and availability of IT services. This is only a partial list of how security and operations can work together more closely. Share your ideas by joining the conversation.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.