Due to the “hard shove” of the COVID-19 pandemic, enterprise security operations have adjusted in many ways over the past year. That challenging evolution for SecOps and the ongoing adjustments as the pandemic eases were the focus of an Interop panel in June.
The panel, moderated by Joan Goodchild of Dark Reading, included Chris Morales, chief security officer and head of security strategy at Netenrich; Chris Crowley, a consultant for Montance; and Eric Parizo, principal analyst of security operations at Omdia. The four discussed tools and strategies for orchestrating and automating IT security operations as security operations teams explore new frameworks and technologies, along with the security tools and data that go with them.
SecOps teams are still working to adapt to all the changes, and that’s an ongoing process, Parizo said. “I think the pandemic has given enterprises the hard shove that they needed to advance into the realm of distributed IT, and security operations obviously is going along for the ride in a few ways,” he said.
For Parizo, the key word of this evolution is “distributed.” The IT architecture itself has become more distributed, he said, as everything from storage to computing to applications increasingly moved to the cloud as companies adjusted during the pandemic.
Crucially for Parizo, networking and security also made that transition. “That's a major change that alters the IT architecture of any enterprise,” he said. “So in turn, SecOps has had to transition to adjust to that increasingly distributed nature of IT.”
Morales agreed, sharing that he’s been living what Parizo described. The loss of internal infrastructure due to remote work means that everything is software as a service (SaaS) right now, he said. He and others in similar roles have worked this year to make those operations both stable and secure.
Remote Work Struggles
People themselves are also increasingly distributed, Parizo pointed out, with employees working remotely – sometimes with their own devices and on non-company networks. “It's all an entirely new paradigm from a SecOps perspective that organizations are adapting to.”
Many of those teams are struggling to maintain a proactive, threat-driven approach, Crowley said. “My concept in discussions and interactions with people is the security teams are feeling swamped, still and more so than they were actually before the emergency responsive actions and in the pandemic,” he said. Part of the challenge, he said, is that, paradoxically, security concerns often go out the window in an emergency and become a problem to deal with after the immediate crisis has passed.
Those teams themselves are no exception to the increased distribution over the past year, Parizo said. “It seems strange to say, but many SecOps teams didn't know how to function without being in that big room with all the monitors on the wall,” he said. “They had to figure out all the technical stuff, just getting their tools and telemetry to function from a remote standpoint, as well as the soft skills like collaboration and task management, without the luxury of being able to go tap someone on the shoulder a couple of desks down.”
Losing that ability has been a challenge on his own team, Morales said, especially for newer or less-seasoned employees. “You can't understate how useful it was for junior guys to turn around and ask somebody a question,” he said. Just as many students have spent the past year learning remotely, so have those employees, he said.
An Eye on Automation
As SecOps teams deal with these challenges and decide how their operations will function going forward, automation has a role to play, the three panelists agreed. Morales said he’s working to focus on taking real-time data and mapping the attack surface constantly, but still has to operate from a threat model.
“I think that automation is the right thing to reduce the burden,” Crowley said, “but with every new technology acquisition that we make, we have to decide how to use it properly.” Deciding to simply automate everything isn’t the right approach, he said. Instead, start by defining what your team does, then decide where automation makes sense and what success looks like for any given action.
“If you can't tell me exactly what right is in an action, I'm probably not going to be able to program a computer to automate it,” he said.
It’s important to remember that automation is more difficult than it seems, Parizo agreed. Technology can solve some challenges, he said, but it can’t fix bad processes, poor organization, or unclear role and task definitions.
This is where IT automation matters, Morales said. “The funny thing about automation is that if you don't know what you're going to automate, then it doesn't work at all,” he said. Having that clarity makes the work of both SecOps and IT easier, Crowley said.
Talent is another ongoing challenge, Parizo said. “You're never going to have all the talent you want or need, bottom line,” he said. Automation can help reduce some of the more painful parts of some roles, but diverse hiring practices with an eye to passion and strong learners are the way to build a great team regardless of what technological shifts might come.