Process as code: Security ops orchestration for a brave new world

Cybercrime is an enormous problem — a nemesis of the federal government, America’s biggest corporations and tens of millions of individuals. But there is now legitimate hope that a big piece of the cybercrime problem can eventually be solved.

Despite the fact that the highest-level attacks are very sophisticated, more than 90 percent are lower-caliber attacks built on the foundation of off-the-shelf components, purchased in shady underground  marketplaces.

This is the good news — it’s much easier to repel these run-of-the-mill attacks than highly sophisticated, well-financed attacks. But there are other challenges the industry is facing.

There is a massive shortfall in the number of trained security experts to man a typical Security Operations Center (SOC) monitoring the health and safety of a corporation’s digital footprint. It takes almost a decade for security researchers to acquire the skills to defend against modern-day attacks. Frost and Sullivan has forecast a shortfall of 1.5 million trained security experts by 2020. SOC teams, overwhelmed in handling the deluge of low-impact incidents, fail to respond in time or miss altogether early incident alerts flagging serious attacks.

There appears to be a solution to deal with this massive human shortfall and empower SOC teams. Serious efforts are afoot to record process as code — or simply put, to use software to automate repetitive but time-consuming tasks while increasing the productivity of individual security experts.

Much of this is so-called SecOps orchestration.

Some historical background is important. SecOps is an analogue of the far more mature DevOps movement that grew around the simple idea of recording common IT processes as code and collaborating across IT teams.

This allowed new and useful features to be developed, tested and put into production in days instead of weeks. Today, DevOps tools created by companies like Puppet, Docker, HashiCorp, Ansible (a Menlo portfolio company recently acquired by Red Hat) and Atlassian enable IT teams to launch new features and changes as often as multiple times an hour!

SecOps orchestration essentially takes DevOps methodologies and applies them to security to better investigate and respond to incidents. It manages the security incident lifespan, end-to-end, as a consistent business process, documented with code in the form of “playbooks” or “recipes.”

SecOps has the potential to be far bigger than incident response today. Today, responding to security incidents is a manual process of cobbling together disparate tools, including logging systems, netflow analyzers, third-party threat intelligence feeds, data forensics and software patching, backup and recovery. Using this approach, discerning the root cause and fixing the impact of attacks can take weeks or months.

Today, private security experts are fighting their adversaries manually and alone.

In contrast, pioneers with large online infrastructure footprints like Netflix and Google are already borrowing from the SecOps playbook and automating routine tasks with code. These include, among other things, re-imaging endpoints, following up on email phishing attacks, coordinating data between the network and endpoint devices and updating firewall permissions — all increasing the rate and speed at which security incidents can be processed.

I believe a successful SecOps orchestration platform can carve out a large standalone business for itself by focusing on a few business and architectural priorities — automation built on open APIs, a neutral community to share best practices and intuitive UI.

To be effective at automation, SecOps orchestration platforms from Phantom, CyberSponse and Invotas (recently acquired by FireEye) rely on “recipes” that read from, and write to, a wide array of security appliances built by third-party vendors. Today, large customers like banks — who plan to spend $1.5 billion a year on cybersecurity — are forcing vendors to open up their APIs and play nice with others. The emergence of software/cloud appliances and robust open APIs as a common interface for them has made it easier to build orchestration products.

Companies must also learn to band together to build and share these automated recipes. After all, a great way to deal with malware purchased on black-hat marketplaces would be to build a white-hat marketplace or community of the good guys!

The U.S. Department of Defense already has such initiatives, but private security specialists and vendors are skeptical today about sharing data, partly because they operate in multi-national jurisdictions. Vendor-neutral and open frameworks like FIDO (an open-source project started by a team at Netflix) and Phantom’s community playbook repository create a virtuous cycle, attracting security experts to build their own playbooks and recipes encoding on best practices.

Finally, great workflow, UI and design are key to building seamless orchestration and collaboration across IT teams. Resilient Systems and FireEye/Invotas have built great workflow tools that help SecOps teams respond to incidents in a consistent fashion. Demisto has a modern approach to collaboration, building a security orchestration bot that works through Slack’s messaging user-interface.

Startups in this space are working to solve a massive ubiquitous problem and to democratize best cybersecurity practices. And they tend to be vendor-agnostic, putting them in a good position to build a community and products that reflect the best interest of customers.

Today, private security experts are fighting their adversaries manually and alone. Tomorrow, they will band together and implement best practices into code — and, finally, build a highly effective defense against the bad guys.