Threat identification is IT ops' role in SecOps
IT operations teams can take steps to improve security as part of their daily tasks. Learn about the ways to identify threat incidents and reduce false positives.
The greatest advance in IT security derives from the realization that both development and operations organizations must play a role. SecOps occurs at the intersection of IT operations and security and threat management. IT operations teams should take on semi-autonomous security roles, in particular for threat identification, to improve an organization's overall risk management approach.
Many organizations have security operations centers (SOCs) and security teams. Traditionally, security teams look from outside the environment inward for potential attack points and symptoms of an active threat. SOCs are often separate organizations that use separate tools from day-to-day IT operations. A SOC monitors and analyzes the organization's IT systems for unexpected activity that could indicate problems. While SOCs are essential for full security, they might miss the greatest source of threats.
SecOps describes tasks that IT operations teams perform to preemptively harden applications and infrastructure and protect them from attacks during their lifecycle. It is a formalization of security into daily IT tasks. SecOps as a discipline tends to focus on new applications or significantly changed areas of the overall IT environment. SecOps presumes that threats emerge because a new or changed application could expose critical data and application assets in new ways, creating a new attack surface.
Automated SecOps tools test available APIs or ports for vulnerabilities. In addition to these tools, IT operations tools should check configuration changes. A configuration change is a routine operation -- done for better performance, to support a new feature, or another reason -- that can open the door to attackers. IT operations must address these types of threats.
Modern SecOps should harmonize security and operations for new or changed applications, but it should also enlist IT ops admins in threat identification on a continual basis. To get started with SecOps driven by the IT operations team, review IT ops' approaches to security. Then focus on workflows, log management and fewer false positives.
Review IT ops processes
IT operations teams can identify many threats that result from poor internal practices. Standard monitoring and analysis tools used by IT organizations fit this purpose. Think of security in the same way that you do other processes to deploy, support and maintain applications. Security threats are just another issue to detect, isolate and resolve with a fault management tool. Threat identification, however, starts with an understanding of what's at risk and how it's protected.
To start IT-driven SecOps, identify the IT operations processes that interact with secured assets, and how those assets are exposed. Databases and APIs that expose critical applications are the core assets that IT must protect. Wherever possible, SecOps should focus on these assets directly, rather than only on the user-facing APIs. Core assets sit at the endpoints of the critical workflows that IT operations must monitor for threats.
Narrow the scope
Focus is important to SecOps for two reasons:
- A threat identification effort that's too broad will create so many false positives as to be ineffective.
- Broad efforts bury real threat indications under a flood of unimportant information. This is, in itself, a potential security threat.
Identifying important assets helps focus SecOps efforts. Additionally, IT operations teams should base threat identification practices on workflows. The goal is to understand workflows and their properties, as well as the statistical profile of valid workflow patterns. IT ops teams can then recognize the ways in which a workflow deviates from the norm, and the potential threats that such deviations indicate. There are generally two pieces to this process: threat incident logging and tracking, and workflow monitoring for abnormal patterns.
Recognize threat patterns
Many security threats to IT systems require multiple attempts by the attacker. At least some of these attempts get recognized, reported and logged as violations. However, logging tools often ignore a low volume of incidents. These tools use pattern analysis to indicate an active threat. To help the tools find these patterns, classify threat incidents. For example, a series of incidents from a single location or individual that has rarely generated an incident -- imagine someone entering the wrong password -- is a potential threat indicator.
While multiple incidents stemming from one source are suspect, so is a series of incidents generated by different sources. Intruders might try several different IP addresses in an attack, for example. In this case, the pattern of events in the threat incident log will be obvious.
Another attack pattern is an application access failure that isn't followed quickly by success. To detect these incidents, set up application security logs to record both authentication failures and successes. Most security incidents created by an error are followed by correct entries; any other pattern is suspicious.
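The three patterns above (repeated failures from one source, one account failing from several sources, and a failure that no success follows) written as detection logic over a constructed log. This is an added example, not code from the article; the log format, the thresholds and the 10-minute recovery window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application security log (not real data); one event per line:
# "<ISO timestamp> <source IP> <user> <FAIL|OK>", in time order.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 alice FAIL
2024-01-10T09:00:09 10.0.0.5 alice OK
2024-01-10T09:05:00 10.0.0.8 bob FAIL
2024-01-10T09:05:02 10.0.0.9 bob FAIL
2024-01-10T09:05:04 10.0.0.10 bob FAIL
2024-01-10T09:30:00 10.0.0.7 carol FAIL
2024-01-10T09:31:00 10.0.0.7 carol FAIL
2024-01-10T09:32:00 10.0.0.7 carol FAIL
"""

def parse(log_text):
    """Turn log lines into (timestamp, source, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events

def failures_by_source(events, threshold=3):
    """Single-source pattern: sources with at least `threshold` failures."""
    counts = defaultdict(int)
    for _, src, _, ok in events:
        if not ok:
            counts[src] += 1
    return {s: n for s, n in counts.items() if n >= threshold}

def spread_failures(events, min_sources=3):
    """Multi-source pattern: one account failing from many distinct sources."""
    sources = defaultdict(set)
    for _, src, user, ok in events:
        if not ok:
            sources[user].add(src)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}

def unresolved_failures(events, window=timedelta(minutes=10)):
    """Failure-without-success pattern: users whose failure no same-user success follows within `window`."""
    flagged = set()
    for i, (ts, _, user, ok) in enumerate(events):
        recovered = ok or any(u == user and ok2 and ts <= t2 <= ts + window
                              for t2, _, u, ok2 in events[i + 1:])
        if not recovered:
            flagged.add(user)
    return flagged
```

In the sample, alice's single mistake is cleared by her success nine seconds later, while bob (three sources) and carol (three failures from one address) surface in the other two reports.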
Track resource use
The value of workflow information comes into play in relating resource conditions -- network, servers, VMs and APIs -- to threats. Workflows tend to follow dependable patterns of resource consumption on a long-term average. Those resource consumption levels can be compared to the current consumption volume to detect deviations that might indicate a threat. This SecOps monitoring method helps detect a denial-of-service attack, as well as massive simultaneous attempts to break passwords by trial and error.
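Comparing a workflow's long-term consumption baseline with its current volume, as an added example that is not from the article. The per-minute request counts are constructed; the three-sigma threshold and the rule that a deviation must persist across consecutive samples before it is reported are assumptions chosen to suppress single-spike false positives.

```python
from statistics import mean, pstdev

# Constructed per-minute request counts for one workflow, e.g. a login API:
# a long-term baseline and a recent window. Not real measurements.
BASELINE = [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41]
CURRENT = [41, 44, 120, 135, 142, 39, 40]   # sustained surge
SINGLE_SPIKE = [41, 44, 120, 39]            # one-off burst

def baseline_profile(samples):
    """Long-term average and spread of the workflow's resource use."""
    return mean(samples), pstdev(samples)

def deviations(samples, profile, z=3.0):
    """Indexes of samples more than z standard deviations above the baseline."""
    mu, sigma = profile
    return [i for i, v in enumerate(samples) if v > mu + z * sigma]

def sustained_deviation(samples, profile, z=3.0, min_consecutive=2):
    """Report only when the deviation persists for min_consecutive samples."""
    mu, sigma = profile
    run, longest = 0, 0
    for v in samples:
        run = run + 1 if v > mu + z * sigma else 0
        longest = max(longest, run)
    return longest >= min_consecutive
```

Against the sample baseline (mean 41, standard deviation about 2.27) the surge is reported, while the lone spike is flagged as a deviation but never reaches the sustained threshold.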
Beware false positives
Threat detection is inherently a practice filled with false positives. Combat the problem with user behavioral analysis, contextual threat analysis and forensic classification of threats versus ordinary mistakes. All these techniques require complete data gathering and statistical analysis.
Threat identification technology has not advanced enough to support automated responses, and operations personnel will become bored with handling false positives. Apply the techniques noted here so that actionable threats make up a larger percentage of reports.