The DevOpsification of Security

This post first appeared on The New Stack on November 4, 2016.

In December 2009, Google was the target of a series of highly coordinated, sophisticated advanced persistent threat (APT) attacks in which state-sponsored hackers from China stole intellectual property and sought to access and potentially modify Google source code — the company’s crown jewels. Dubbed Operation Aurora, the attack proved to be a referendum at Google on the layered, perimeter-based security paradigm.

Five years later, in 2014, Google published a paper titled BeyondCorp which detailed the company’s radical security overhaul, transitioning to a trustless model where all applications live on the public Internet. Google wrote:

“Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. Google is taking a different approach…We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.”

Yet while much of the world is in the throes of adopting the open, on-demand IT paradigm characterized by agility and elasticity that Google helped define, security has yet to be reimagined in the image of cloud and DevOps, much less Google.

Cloud architectures and DevOps principles necessitate systems that are lightweight, loosely coupled and extensible, but security remains siloed, implemented outside the development lifecycle and most often delivered via proprietary, “black-box” products.

This is to say that security is still stuck in the dark ages of enterprise IT. The analogy being that security treats IT like a medieval castle: a fortress with thick walls, surrounded by a moat, with a heavily guarded single point of entry and exit. Anything located outside the wall is considered dangerous, while anything located inside the wall is trusted.

This model worked fine in the days of single-server, monolithic applications and well-defined corporate LANs; drop anti-virus on the host and throw up a firewall around the network, and you’re safe! But in the world of cloud, DevOps and mobile where applications are decentralized, deploys are done on the minute and the corporate perimeter has been busted, these legacy approaches are at best ineffective and at worst lead to a full breakdown in security operations.

The reality is that security, like DevOps, cannot be something you simply buy, it must be something you do, encompassing a collection of principles, practices and products.

It holds, then, that today’s security paradigm must be application-centric, developer-driven and built from the inside-out.

Application-centric — Applications are now the lifeblood of businesses, yet application security has traditionally been implemented in pre-production via code analysis and then treated as an extension of endpoint and/or network-based approaches in production. The logic went: if I secure the host, then the app is safe. But in a world of distributed apps that are dynamically scheduled on ephemeral compute building blocks, you likely don’t even know where your app is running, so how can you secure it? Security and policy must be baked into the application. It’s no longer sufficient to secure the network and the endpoint, rather it’s the workload itself that must be secured.

Developer-driven — If security is to be application-centric it must be 1) integrated into the application lifecycle and 2) implemented and managed like programmable infrastructure, which implies that security must scale with your application and your cloud and be open and extensible. Tools like Hashicorp’s Vault offer a glimpse of the future.

Built inside-out, not outside-in — Enterprise security is depicted as having “a hard, crunchy shell, with a gooey interior,” implying that once the perimeter is breached, the attackers have free reign. Building security inside-out necessitates prioritizing a new operational toolchain that enables continuous monitoring and testing, policy-driven controls and fine-grained authorization and access management. Most importantly, it requires a cognitive shift away from prevention and towards control and response.

Correspondingly, based on these design and implementation principles, we’re seeing the emergence of a new breed of products and companies that deliver DevOps-like capabilities — visibility, automation and collaboration — to security operations.

Visibility: For security analysts “you cannot protect what you do not see,” so visibility tools provide a view of your organization’s assets, users and data flows between them in addition to the logical view of all inter-process communication. Through visualization and contextualization of threats across the entire system, the goal is to detect and stop anomalous behavior with higher fidelity. Companies like Illumio, Guardicore, CloudPassage, vArmour, ThreatStack and Dome9 do this for your datacenter and/or cloud. ProtectWise, DarkTrace and Niara take a network-centric approach, while Prevoty, Contrast Security, tCell and Stackrox are app-centric. Ultimately all are vying to become the Datadog or New Relic of the cyber world.

Automation: Talk to any CISO and they’ll tell you that hiring and retaining qualified security personnel is their greatest challenge. Couple that with the fact that the average large enterprise has deployed anywhere from 50 to 70 disparate security products. The result is that understaffed teams simply cannot keep up with today’s high velocity, rapidly evolving threat landscape. The only solution becomes to replace humans with machines — to automate and orchestrate systems to understand and respond to alerts themselves. Platforms like Phantom, Evident.io, Demisto and Hexadite help with this. Additionally a new category around testing production environments for weaknesses in highly automated manner is emerging with companies like SafeBreach, Verodin and AttackIQ leading the way.

Collaboration: Organizations are waking up to the fact that security can no longer operate in isolation. To effectively thwart, or at very least mitigate, sophisticated attacks, security analysts, devs and ops must work in unison and be given a unified data platform to help prioritize and investigate alerts, proactively hunt new threats and provide analytics, audit and reporting capabilities. Companies like JASK, Siemplify, Skybox and stealthy Awake Networks are helping define this new category dubbed SOAR — Security Operations, Analytics and Reporting — by Gartner.

DevOps ultimately helped align engineering with operations to enable organizations of all sizes to develop better software and thereby bring innovation to market faster. Now, we’re seeing similar practices and tools invade cyber security with the hope of reducing the amount of, or at very least minimizing the blast radius of, breaches. What this all implies is we’re at the outset of a new era in security where companies and products that win will be defined by openness, flexibility, UX and the power of their workflows not solely detection algorithms.