Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.
With ransomware on everyone’s mind, cybersecurity is a must for organizations of any size. While some smaller enterprises may depend upon security as a service, this savvy CIO is front lining SecOps as part of their top agenda.
Josh Tessaro, practice manager at Thirdera, discussed how organizations can better address security operations. For 10+ years, Tessaro has helped large enterprises develop and implement cloud-based technology solutions. He is currently focused on ServiceNow as a platform to enable and transform business processes.
This interview has been edited for clarity and brevity.
VentureBeat: What is SecOps?
Intelligent Security Summit
Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.
John Tessaro: SecOps (Security Operations) includes all of the people, processes and technology involved in running a business in an efficient and secure way, and consists of planning, design, implementation, preventative maintenance, monitoring and response.
VentureBeat: How are enterprise CIOs addressing SecOps today?
Tessaro: Oftentimes, CIOs take a tool-first approach to security, purchasing and implementing a new tool for each dimension of the company’s security concerns. You end up with firewalls, endpoint detection and response solutions (EDR), Data Loss Prevention solutions (DLP), Network Access Control (NAC), and on and on.
A small security team or part of the technology team that has security responsibilities is assigned to design and maintain these security solutions and a group of security support personnel or a Security Operations Center (SOC) is assigned to triage issues that come in from the security tools.
Over time, as more security gaps are found, more tools are purchased and implemented and more people are added to the SOC.
VentureBeat: What problems do they run into with this approach?
Tessaro: There are so many different niche security areas that need specialized solutions that many mid-to-large size companies have 15-40 tools in their main security stack and up to as many as 80 when you consider the entire technology landscape.
When an issue is reported to the SOC, a SOC analyst may have to log into 6-10 different systems to collect information and cross reference data just to determine if the alert is real (malicious) or a false-positive.
This means that the more we invest in making the environment secure (by adding more security tools) the more complexity and time we add to investigating a single alert across those tools and the more capacity we need on the SOC.
Additionally, the more we rely on people to cross reference data and tools the more inconsistency and room for error we introduce.
VentureBeat: What are some best practices for solving these problems?
Tessaro: Pay just as much attention to investments in process as you do to technology. The more tech we have the more we need to plan for ways to aggregate all of that data and make it intelligent. A Security Incident Event Management (SIEM) solution like Splunk is critical to aggregate all the data from the disparate sources.
But aggregation is not enough, we have to filter through the thousands of alerts and find the threats that matter. It is critical to have a process that uses technology to highlight the most dangerous threats for the SOC to review, and the more information we can give them in context the faster and more efficient they will be.
VentureBeat: What advice do you have for CIOs who struggle with SecOps?
Tessaro: If you have a tool for everything, make sure you have a tool for running your security operations program from planning, implementation, detection and recommendation.
Technology landscapes are changing so rapidly that none of the security solutions are “set it and forget it.” Planning how each tool fits into the larger picture is critical.
VentureBeat: What’s the relationship between SecOps and DevSecOps?
Tessaro: It used to be that SecOps was the practice of securing an environment consisting of industry standard, purchased hardware and software with systems designed for that purpose. However, this is changing, and more and more companies in all industries have large development teams building applications for their business. This means that a large security concern is the applications you are developing in house and there may not be existing security tools that know what to look for when securing your applications.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.