Automation in SOAR Goes Further with DevSecOps

Credit to Author: Alice Barford | Date: Wed, 06 Apr 2022 08:00:51 +0000

Security teams are longing for automation capabilities. And, in recent years, their options have improved with Security Orchestration, Automation and Response (SOAR) and other security solutions like Security Information and Event Management (SIEM), Identity and Access Management (IAM), Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Cloud Detection and Response (CDR) offering automation in a narrow capacity.

With all these different options in play, understanding the similarities and differences between SOAR and DevSecOps is essential if teams are to achieve their goals. Though there are elements of workflow automation in SOAR, what sets DevSecOps apart from SOAR is a collaborative experience between Dev, Sec, and Ops teams; hyper-reliance on open source; the ability to be proactive and reactive; and an agile approach.

What is SOAR?

Gartner® defines SOAR as “technologies that enable organizations to collect inputs monitored by the security operations team.” SOAR tools ingest data from SIEM systems to define incident analysis and response procedures in a digital workflow format.

What is DevSecOps?

DevSecOps is a modern process methodology: DevOps brought agile infrastructure practices to software development over ten years ago, and more recently security was added to the DevOps process. The goals of DevSecOps are to increase release velocity, eliminate silos between teams, reduce the frequency and impact of bugs in production releases, and move security further left in the software delivery process. DevSecOps goes beyond application development as organizations modernize and everything in IT becomes code (IT-as-Code).

The goals of DevSecOps are achieved in two ways. One, a cultural shift where teams work together on one platform to create and iterate on repeatable solutions built from products and tools from multiple vendors, which can be called a software or DevSecOps factory. Two, the use of continuous integration and continuous delivery (CI/CD). CI/CD is a category of software tools that integrate and push code frequently to make sure new versions of an application work. CI/CD allows teams to write code that tests and automates every aspect of the pipeline, including security, before code is pushed to production.

Why SOAR is unlike DevSecOps

One might confuse the mechanics of SOAR with those of DevSecOps because security teams using a SOAR tool are, in a very high-minded way, embracing the spirit of DevSecOps, which is to use a low-code approach to automate their work.

But this is where the similarity starts and ends. The three fundamental differences, outlined below, are what really set DevSecOps apart from SOAR.

  1. SOAR has limited support for open source. SOAR tools rarely integrate with open source tools because by nature they primarily integrate with proprietary vendor products like Cisco, Exabeam, Okta or Splunk. The lack of open-source integration is a huge deterrent for DevOps teams that rely heavily on open-source tools like Git, Ansible and Terraform for their work. This impasse isolates security teams from production and discourages DevOps teams from collaborating.
  2. SOAR does not take an agile approach to delivering automation. When security teams using SOAR tools talk about automation, it is within the context of ingesting data from SIEM, managing that data and then automating incident response workflows. This is different from using CI/CD, as in DevSecOps, which allows developers to integrate their new source code, test it, push it and then deploy it to production frequently.
  3. SOAR was made as a point product for security analysts, not for collaboration. SOAR is just one use case within DevSecOps, which can accommodate many others including Compliance, Cloud Security, App Security, Network Automation, Infrastructure Automation, and Integrations. The goal of DevSecOps is to enable teams to build solutions as building blocks and tie them into CI/CD, where each team can connect into its existing workflows with the products and tools it wants to use.

Especially for security and ops teams, CI/CD allows them to iterate in an agile approach with various use cases, scan the codebase or application for known security vulnerabilities, or run infrastructure and applications against security benchmarks that improve product safety and company-wide security posture.
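The benchmark-style check described above, as an added example that is not part of the original post: a small CI gate that reads a Terraform plan exported with `terraform show -json` and fails the pipeline before apply when a planned resource violates a rule. The rules, the resource names and the embedded plan are constructed for illustration, not a real CIS profile.

```python
"""CI security gate over a Terraform plan (added example, not from the post).

Assumes the pipeline ran `terraform show -json plan.out > plan.json` and
invokes this script as a stage before `terraform apply`. Only resources in
the root module are inspected; child modules are ignored to keep it short.
"""
import json
import sys

# Constructed sample of a `terraform show -json` plan, trimmed to the fields used.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"acl": "public-read"}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
         "values": {"acl": "private"}},
    ]}}
})

def check_security_group(res):
    """Illustrative rule: flag SSH (22) reachable from anywhere."""
    findings = []
    for rule in res["values"].get("ingress", []):
        open_world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
        if open_world and rule["from_port"] <= 22 <= rule["to_port"]:
            findings.append(f"{res['address']}: SSH (22) open to 0.0.0.0/0")
    return findings

def check_s3_bucket(res):
    """Illustrative rule: flag any public-* canned ACL on a bucket."""
    acl = res["values"].get("acl", "private")
    return [f"{res['address']}: bucket ACL is {acl}"] if acl.startswith("public") else []

CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}

def evaluate_plan(plan_json):
    """Return a list of human-readable findings; empty means the gate passes."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    results = evaluate_plan(source)
    for finding in results:
        print("FAIL", finding)
    sys.exit(1 if results else 0)  # non-zero exit stops the CI stage
```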

Therefore, DevSecOps embraces open source, takes an agile approach to automation, and allows for collaboration, whereas SOAR does none of these. Moreover, the option for open source is actually ideal for security teams, which value the support and accountability afforded by a large community. Similarly, access to CI/CD is beneficial for security teams, which have long wanted to shift left; that is, to have Dev bring them into the IT-as-Code pipeline creation process early so that they can troubleshoot before code reaches production.

Achieving agility with CI/CD, a DevSecOps focus

SOAR is exclusively a security platform whereas DevSecOps holistically addresses the needs of all teams by embracing CI/CD, open source tools, and collaboration. While SOAR cannot stand in for DevSecOps, DevSecOps solves pain points inherent to SOAR and treats it as a use case while also offering general-purpose automation with the user experience that elevates the role and work of security.

Some security and ops teams may be reluctant to pursue a DevSecOps solution because CI/CD has traditionally been seen as only for application development, but this is no longer true: there are plenty of low-code/no-code platform options these days that enable an organization to achieve DevSecOps. Ideally, teams should source a DevSecOps platform that is all-inclusive; one that contains a visual interface where all levels of users can collaborate but also a powerful back end that supports developer and DevOps requirements, such as running existing tools and automation content in their native form, e.g. Terraform configurations, Ansible playbooks, scripts, etc.

The threat landscape is ever-shifting. With security and ops teams needing to do more despite a talent shortage, automation must gain traction to ease the pressures mounting in their domain. Security teams benefit greatly from CI/CD pipelines, which not only replicate and accelerate their manual capabilities but also carve out the precious time needed to modernize the daily work processes that map to their various use cases. By embracing the spirit and practices of DevSecOps, security and ops teams can become agile alongside their Dev and DevOps counterparts, collaborating through technology that caters to the full spectrum of technical talent in each organization.
