DevOps thinking means service-centric security
DevOps can be a mixed bag to implement, and it brings new security issues with it. In this article, Barbara Kay from ExtraHop discusses service-centric security.
Unless you are a stunt professional, you need four round wheels on a car to make it roll. The same goes for today’s business-critical services, with their range of ephemeral services interacting with virtual and physical systems. A failure of any inter-related service element will destroy the digital experience that the line of business is banking on. Instead of DevOps delivering promised agility, it increases friction with new points of blindness and breakage.
DevOps models spin up microservices, containers, and virtualized workloads that disappear in seconds to minutes. Traditional tools for capturing logs and packets can’t move fast enough to keep up. At the same time, external mandates pull in two directions: regulations lag well behind, still prescribing signature- and log-centric tools, while standards push out-of-cycle changes onto existing infrastructure (TLS 1.3 dropping static key exchange, so every session has forward secrecy and passive decryption of captured traffic with a server key no longer works; PCI DSS requiring the retirement of SSL and early TLS).
Overlaid on this technical landscape, companies rely on a range of service partners and supply chain relationships to implement an entire business process. Their business decisions, technology choices, staffing, and devices are deliberately isolated. They will change frequently, with opacity about their processes and tools, and little to no sharing of forensic evidence unless you have better SLAs and bigger legal budgets than they do.
OK. It’s a complex and complicated problem. I’d like to recommend we solve it by up-leveling how we think about security processes for digital services. Security operations teams should transition from discovering, monitoring, and protecting individual critical assets to discovering, monitoring, and protecting assets collected into critical services — the entire group of microservices, processes, and components required to complete a transaction or user experience.
This is service-centric security.
Retooling to support the digital service mission
The focus on an entire critical service requires more creative and pervasive ways of discovering and monitoring dynamic service elements. It also enables prioritization of operational and capital resources, especially the security operations (SecOps) function. In SecOps terms, critical services receive preferential treatment: proactive behavioral monitoring, more fine-grained and advanced analytics on associated events, and higher standards for detection, containment, and response times.
While it may sound like a heavy lift, the same DevOps infrastructure changes that impose pain also facilitate resolution.
- DevOps practices are providing more integration points and frameworks that let services hook into operational processes and tools.
- DevOps has pushed orchestration into the forefront, breaking down silos between teams and tools.
- DevOps norms have helped automation lose its stigma for security and risk management (helped along by the shortage of skilled cybersecurity staff).
A change that can save money
Even if it weren’t a good idea for security operations efficiency and a better user experience, this focus on critical services is a must as storage costs spiral. A critical-service focus gives companies a way to bound the scope of data retention by tiering data management: store more metrics, packets, and insights only for the assets that matter. You likely still want to keep logs until regulators catch up, but even there you can be more discerning. PCI DSS lets you monitor and audit in-scope assets more tightly than others. As long as you know which dynamic service elements are part of those PCI-scoped systems, you can retain their logs for the full required period (at least a year for audit logs). Less critical systems might retain only metadata, and keep that data for a month or two rather than years.
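The tiering described here (and the preferential SecOps treatment for critical services in the previous section) only works if each short-lived element can be resolved to its service, and if an element that was never labelled cannot silently fall into the cheapest tier. The following is an added example, not ExtraHop’s code or anything from the original article; the service catalog, workload records, label names and retention periods are all constructed for illustration. It maps workloads to services by orchestrator label, derives a retention tier from the service’s criticality and PCI scope, and then widens PCI scope one hop across observed connections, because systems connected to the cardholder data environment are in PCI DSS scope whether or not anyone labelled them.

```python
"""Added example: resolve ephemeral workloads to critical services and
derive tiered retention (hypothetical data, not ExtraHop's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed service catalog: criticality and PCI scope per service.
SERVICE_CATALOG: Dict[str, Dict[str, bool]] = {
    "checkout":  {"critical": True,  "pci": True},
    "inventory": {"critical": True,  "pci": False},
    "blog":      {"critical": False, "pci": False},
}

# Retention tiers. The data classes and day counts are illustrative, except
# that the PCI tier keeps full audit logs for a year, which PCI DSS requires.
RETENTION_TIERS: Dict[str, dict] = {
    "pci":      {"keep": ("logs", "packets", "metrics"), "days": 365},
    "critical": {"keep": ("logs", "metrics"),            "days": 90},
    "standard": {"keep": ("metadata",),                  "days": 45},
}


@dataclass
class Workload:
    """One ephemeral element (container, function, VM) as discovered."""
    id: str
    labels: Dict[str, str]                        # e.g. orchestrator labels
    peers: Set[str] = field(default_factory=set)  # workload ids it talked to


def service_for(w: Workload) -> Optional[str]:
    """Service membership comes from the (assumed) 'service' label."""
    return w.labels.get("service")


def classify(workloads: List[Workload]) -> Dict[str, str]:
    """Return workload id -> retention tier.

    Step 1: tier each workload by the service it declares membership in.
    Step 2: widen PCI scope exactly one hop over observed connections
            (connected-to systems are in PCI DSS scope). An unlabeled
            job that talked to a PCI-scoped pod is therefore kept at the
            PCI tier instead of dropping to 'standard' by default.
    """
    tier: Dict[str, str] = {}
    for w in workloads:
        svc = SERVICE_CATALOG.get(service_for(w) or "", {})
        if svc.get("pci"):
            tier[w.id] = "pci"
        elif svc.get("critical"):
            tier[w.id] = "critical"
        else:
            tier[w.id] = "standard"

    # Observed connections are undirected for scoping purposes.
    adj: Dict[str, Set[str]] = {w.id: set() for w in workloads}
    for w in workloads:
        for p in w.peers:
            adj[w.id].add(p)
            adj.setdefault(p, set()).add(w.id)

    # Snapshot the PCI set first so propagation stays at one hop.
    pci_ids = {wid for wid, t in tier.items() if t == "pci"}
    for wid in tier:
        if tier[wid] != "pci" and adj[wid] & pci_ids:
            tier[wid] = "pci"
    return tier


def retention_plan(workloads: List[Workload]) -> Dict[str, dict]:
    """Workload id -> what to keep and for how long."""
    return {wid: RETENTION_TIERS[t] for wid, t in classify(workloads).items()}


def unlabeled(workloads: List[Workload]) -> List[str]:
    """Discovery gaps: elements nobody tied to a service (fix the labels)."""
    return [w.id for w in workloads if service_for(w) is None]


# Constructed observations: a checkout pod, the inventory pod it called,
# a short-lived unlabeled reconciliation job it also called, and a blog pod.
SAMPLE: List[Workload] = [
    Workload("pod-checkout-7f3", {"service": "checkout"},
             {"pod-inv-a12", "job-reconcile-9"}),
    Workload("pod-inv-a12", {"service": "inventory"}),
    Workload("job-reconcile-9", {}),
    Workload("pod-blog-1", {"service": "blog"}),
]

if __name__ == "__main__":
    for wid, plan in retention_plan(SAMPLE).items():
        print(f"{wid:18} keep={plan['keep']} days={plan['days']}")
    print("unlabeled:", unlabeled(SAMPLE))
```

Run on the constructed sample, the checkout pod, the inventory pod and the unlabeled job all land in the year-long PCI tier, while the blog pod keeps metadata only for 45 days. The one-hop rule is deliberate: widening to a full transitive closure would pull the whole estate into scope and defeat the tiering, while no propagation at all lets an unlabeled element that handled card data be discarded after a month. The `unlabeled` list is the follow-up work item for the DevOps team, since tiering is only as good as the labels the orchestrator attaches.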
Better value from machine learning
Finally, focusing on the behavior and data associated with critical services also helps optimize the impact of compute- and wallet-expensive artificial intelligence. Machine learning models generate fewer false positives and get smarter, faster when they learn from the things you care about rather than chewing through digital exhaust as well.
DevOps has brought blessings and blindness to security operations. Service-centric security is a way to leverage DevOps advances while maintaining the risk posture your business requires.