Changing DevSecOps to DevSOCops: It starts with the letter “E”
DevSecOps? It is a hybrid of DevOps and security that formed over time to support the development team's security and infrastructure needs. These teams are often composed of Site Reliability Engineers, a 24x7 operations team. I know, who needs more definitions when it all starts with the letter E? We are all engineers of one flavor or another.
But really, what about the SOC? The security operations center has security and infrastructure needs, too. Do they get SREs? Who is Sec and who is SOC when both are teams of security professionals?
Do they get a team that is there to support their infrastructure? Who keeps the lights on if the SOC's job is to monitor and respond to alerts? Who writes the alerts? Who maintains the automations?
In this blog series, I make the case for Dev”SOC”Ops—introducing additional development concepts and frameworks into security operations centers to improve quality, alert efficacy, and observability of the tools and infrastructure leveraged by a SOC.
In 2015, I read an article by Todd Waits called Applying DevOps Principles in Incident Response. I found it while looking for the intersection of my old career (lean manufacturing) and my new one as a product manager working on cybersecurity software. It was meeting my first DevOps person that helped me see just how much it takes to ensure everyone else can do their job! Ironically, I learned about vulnerabilities and scanning by doing it for code before I learned about doing it for networks.
In the blog, Waits explores how to apply DevOps to the incident response domain. Just as the methodologies surrounding software development were gleaned from Toyota's manufacturing processes, he argues that DevOps principles can be carried into other domains. I am extending his vision to say the same concepts should apply to any team running a Security Operations Center.
In the classic SIEM model, pictured below, engineers were heavily reliant on maintaining their own stacks; integration engineers and network engineers often lacked the resources to support the SOC directly because uptime issues or other higher-priority IT work took precedence.
Prior to the adoption of cloud technology, one could argue that each of the line items below is a "DevOps-like" task; however, the skills required span beyond development or SRE skills. They also require depth in security operations and quality assurance, because errors in these tasks result in lower detection efficacy, defeating the whole point of a SIEM to begin with! If you assigned the creation of detection content to each SME, you would end up with content and parsers written ten different ways, each with different field names.
DevSOCOps covers the jobs of detection engineering, integration engineering, threat intelligence engineering, and the observability and maintenance of incident response automation, with the goals of maximizing uptime, providing quality assurance for the SOC, and delivering continuous improvement to maximize the return on those investments.
Some firms choose to staff and build a dedicated DevSOCOps role, but unless your business is cybersecurity, it is hard to justify additional headcount to the board. The alternative is to focus on the different roles of your E's: your engineers.
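To make the quality-assurance part of that job concrete, here is an added example (not code from the original post or from any product it mentions) of a detection-content check that a DevSOCOps engineer would run in CI before a rule reaches the SIEM. It lints each rule against an agreed set of canonical field names, so parsers and content cannot drift into "ten different ways", and then executes each rule's own positive and negative test events so a rule that cannot fire, or fires on benign activity, is caught before it lowers detection efficacy. The canonical schema, the rule format, and the sample events are all constructed for this example.

```python
"""Detection-content QA: lint rules against a canonical field schema, then run
each rule's shipped test events. Everything here is constructed for illustration."""
import re

# Assumption (constructed): the SOC's agreed canonical field names. Parsers must
# emit these names and rules may only reference them.
CANONICAL_FIELDS = {"event_type", "src_ip", "dst_ip", "user", "process_name", "command_line"}

# Constructed rules. "where" maps a canonical field to a regex that must be found in
# the event's value; every rule ships with events it must and must not fire on.
RULES = [
    {
        "name": "powershell_encoded_command",
        "where": {
            "process_name": r"(?i)^powershell\.exe$",
            "command_line": r"(?i)(^|\s)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
        },
        "tests": {
            "should_match": [
                {"event_type": "process_start", "user": "jdoe", "process_name": "powershell.exe",
                 "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
            ],
            "should_not_match": [
                {"event_type": "process_start", "user": "jdoe", "process_name": "powershell.exe",
                 "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
                {"event_type": "process_start", "user": "svc", "process_name": "cmd.exe",
                 "command_line": "cmd.exe /c echo -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
            ],
        },
    },
    {
        # Deliberately broken rule: a non-canonical field name (ProcessName), an
        # invalid regex, and no positive test event. Lint must reject all three.
        "name": "credential_dumper_inconsistent",
        "where": {"ProcessName": r"(?i)mimikatz\.exe", "command_line": r"sekurlsa(("},
        "tests": {"should_match": [], "should_not_match": []},
    },
]


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passes lint."""
    problems = []
    for field, pattern in rule["where"].items():
        if field not in CANONICAL_FIELDS:
            problems.append(f"unknown field '{field}' (canonical: {sorted(CANONICAL_FIELDS)})")
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"invalid regex for '{field}': {exc}")
    if not rule["tests"]["should_match"]:
        problems.append("no positive test event: rule cannot be shown to fire")
    return problems


def rule_matches(rule, event):
    """A rule fires when every referenced field is present and its regex is found."""
    return all(field in event and re.search(pattern, str(event[field]))
               for field, pattern in rule["where"].items())


def run_rule_tests(rule):
    """Execute the rule's shipped test events; return a list of failures."""
    failures = []
    for i, event in enumerate(rule["tests"]["should_match"]):
        if not rule_matches(rule, event):
            failures.append(f"should_match[{i}] did not fire")
    for i, event in enumerate(rule["tests"]["should_not_match"]):
        if rule_matches(rule, event):
            failures.append(f"should_not_match[{i}] fired (false positive)")
    return failures


def qa_pipeline(rules):
    """Lint first; only lint-clean rules are run against their test events.
    Returns {rule_name: [problems]}; a rule is deployable when its list is empty."""
    report = {}
    for rule in rules:
        problems = lint_rule(rule)
        if not problems:
            problems = run_rule_tests(rule)
        report[rule["name"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in qa_pipeline(RULES).items():
        print(("PASS " if not problems else "FAIL ") + name)
        for problem in problems:
            print("   -", problem)
```

The same structure scales to a real repository: rules live in version control, the schema file is owned by whoever owns the parsers, and the pipeline gates merges. A rule that fails lint never reaches the SIEM, and a parser change that renames a field breaks the affected rules' tests rather than silently turning them into alerts that never fire.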