In “No-Code Automation and DevOps,” the second post in our four-part series on operational excellence, we evaluated DevOps as a critical business function and explored ways for automation to reduce costs and improve efficiencies. Focusing on challenges within DevOps culture today, like widespread burnout and frequent context-switching, we discussed trending topics, like internal developer platforms (IDPs), to see how these kinds of solutions could provide a better path forward.
Ultimately, we revisited the three metrics from our first post, speed (performance), scalability, and reliability, as key indicators of operational excellence, paying special attention to how DevOps can impact these related objectives.
Now, let’s take a different perspective on cloud operations.
Infrastructure teams are responsible for more than just operating tools and services across different environments. Getting all these cloud services to work together requires major configuration and maintenance effort. Cloud engineers must also work to secure their applications from vulnerabilities and external threats. Like DevOps, SecOps (short for “security operations”) can be a complex and tedious process for cloud engineering teams.
No-code automation gives security operations teams the tools they need to build their cloud workflows efficiently. Platforms like Blink come with purpose-built automations for cloud security tools and services, significantly reducing the effort required to build new workflows. In the Blink Automation Library, there are more than 5,000 cloud automations available for teams to deploy today.
In this post, you will learn about the different types of security tools being used by cloud engineering and SecOps teams today. Then, we’ll discuss how no-code automation can unlock new degrees of operational efficiency for your developers and SecOps teams.
What Does SecOps Automation Mean Today?
The cloud security ecosystem is massive. Cloud security today is filled with highly specialized tools and confusing acronyms. It can be hard to decipher what different terms mean, and which tools matter most. Let’s spend a few minutes demystifying some basic security lingo and tools, adding context around how those different tools use automation today.
- SOAR stands for “Security Orchestration, Automation, and Response” and is an umbrella term that refers to a specific type of security tool. SOAR enables you to connect different security services together and orchestrate responses, using sequences of actions called playbooks. However, SOAR playbooks are generally triggered by alerts from security tools, so SOAR platforms are limited when it comes to event-based automations that originate elsewhere in your stack. According to TechTarget’s e-book Ultimate guide to cybersecurity incident response, “SOAR is not a replacement for other security tools, but rather is a complementary technology.” While SOAR enables you to connect different security tools and workflows together, “SOAR platforms are also not a replacement for human analysts, but instead augment their skills and workflows for more effective incident detection and response.”
- SIEM stands for “Security Information and Event Management.” SIEM automation uses event log data from different sources to identify unusual activity with real-time analysis. If you’re a bit confused about how this is different from SOAR, you’re not alone. The Ultimate guide to cybersecurity incident response draws a comparison between the two related tools, pointing out that “while SOAR and SIEM platforms both aggregate data from multiple sources, the terms are not interchangeable. SIEM systems collect data, identify deviations, rank threats and generate alerts. SOAR systems also handle these tasks, but they have additional capabilities.”
- EDR and XDR stand for “Endpoint Detection & Response” and “Extended Detection & Response,” respectively. EDR tools continuously monitor endpoint devices, like laptops or servers, for signs of compromise and respond to them (for example, by isolating a host or killing a process). XDR extends the same detection-and-response model beyond the endpoint, correlating telemetry from network, identity, email, and cloud sources as well. Both gather information about threats and analyze that information in order to contain and remediate them.
At the end of the day, security automation involves the coordination of these and many other cloud security tools. We’ve seen a natural convergence, for example, with many SIEM vendors introducing SOAR capabilities into their products. But in practice, security operations remain an event-driven affair. Issues don’t get resolved just because an alert is received by a cloud security engineer. SOAR platforms enable playbook automation, but are limited in what they can do outside of security tools (like in AWS, Kubernetes, Slack, Google Docs, JIRA, etc.), which is usually where the resolving action needs to be taken. They are also complex and difficult to maintain. Furthermore, SOAR platforms were not designed to support interactive “shift-left” workflows (like providing on-demand automations for developers).
Bridging the cloud-native gap for SecOps
The way cloud engineers and cybersecurity teams think about “SecOps automation” has shifted over the last few years. Today, SecOps automation means more than just integrating services into your SIEM and SOAR platform and getting alerts. Instead, SecOps teams receive alerts and must take action, often across multiple cloud services. This means logging in and out of different tools, manual enrichment tasks, creating Slack channels, and notifying affected stakeholders. Meanwhile, there are actions that must be taken across your cloud infrastructure that cannot be automated by SIEM or SOAR.
For example, how are you supposed to use SIEM or SOAR automation platforms to solve these kinds of problems?
- Detecting API keys, tokens, or other secrets shared in Slack or Microsoft Teams
- Detecting sensitive documents shared in Google Drive
- Detecting Google Drive files shared with third parties or on the public internet
- Securing emails from phishing attacks
- Protecting users from MFA exhaustion (“MFA fatigue” or push-bombing) attacks, where an attacker floods a user with authentication prompts until one is approved
- Enforcing endpoint security for all company devices
- Exposing self-service requests to DevOps, development, or business teams
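The first item in the list above, catching secrets pasted into chat, is a good illustration of detection logic that lives outside the SIEM/SOAR toolchain. The following is an added example, not code from the original post or from Blink: a small scanner that runs regular expressions for well-known credential formats over chat messages, uses a Shannon-entropy check to suppress placeholder values matched by the generic pattern, and returns redacted findings so the secret itself is never copied into a ticket or alert. The patterns, thresholds, and the Slack-style sample messages are constructed for illustration (the AWS key is the placeholder from AWS documentation, not a live credential).

```python
import math
import re
from dataclasses import dataclass

# Illustrative patterns for well-known credential formats. A production
# scanner carries many more; these are enough to show the technique.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Generic catch-all: a credential-like keyword assigned a long value.
    # Paired with the entropy check in scan_message to limit false positives.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-.=]{16,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score high, words low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the secret to triage, never the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


@dataclass(frozen=True)
class Finding:
    message_id: str
    kind: str
    redacted: str


def scan_message(message_id: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Return one Finding per credential-looking value in a single message."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(2) if kind == "generic_assignment" else match.group(0)
            # Low-entropy values after "token=" or "password=" are usually
            # placeholders ("aaaa...", "changeme"), not live credentials.
            if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append(Finding(message_id, kind, redact(value)))
    return findings


def scan_channel(messages) -> list:
    """messages: iterable of (message_id, text). Returns all findings in order."""
    out = []
    for message_id, text in messages:
        out.extend(scan_message(message_id, text))
    return out


# Constructed Slack-style messages (not real data). The AWS key is the
# well-known placeholder from AWS documentation, not a live credential.
SAMPLE_MESSAGES = [
    ("m1", "deploy is failing, try this key: AKIAIOSFODNN7EXAMPLE"),
    ("m2", "my PAT is ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8 if you need it"),
    ("m3", "staging db password=hunter2 (yes, really)"),
    ("m4", "placeholder config: token=aaaaaaaaaaaaaaaaaaaa"),
    ("m5", "api_key=Zq8v2Lm9Xr4Tk1Wp7Bn3 should work in prod"),
    ("m6", "lunch at noon?"),
]

if __name__ == "__main__":
    for f in scan_channel(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.kind} ({f.redacted})")
```

The 16-character minimum on the generic pattern is a tuning knob: it keeps noise down but means a short password like the one in `m3` is not reported, so a real deployment would pair this scanner with a hard-coded-credential policy rather than rely on it alone. Wiring it to a chat platform means subscribing to message events and calling `scan_channel` on each batch; the findings, not the raw messages, are what should be forwarded to the responder.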
At the end of the day, having a strong cloud security posture is making an investment in your business and customers. That’s why it’s important for enterprise leaders to embrace no-code automation, which empowers skilled practitioners to more efficiently and effectively resolve security issues and automate their everyday SecOps workflows. Adopting a no-code platform helps teams to better enforce security policies and compliance, with all integrations and scripts managed securely on a cloud-native platform, with all security updates and high availability already handled.
What is Operational Excellence in SecOps?
When it comes to cloud security, operational excellence means having clearly established SecOps processes and procedures, with visibility into the real-time security status of your cloud infrastructure. Processes should be coordinated across all relevant cloud platforms, so your SecOps teams can identify and respond to issues faster, using real-time information to make better decisions sooner.
Here’s how we evaluate operational excellence from a SecOps perspective at Blink Ops:
Speed and SecOps
One of the most critical elements of an organization’s security posture is their ability to respond to security threats rapidly. But speed can mean different things in different cloud security contexts. Here are two examples describing different bottlenecks that can occur on SecOps teams, negatively affecting the speed of your cloud security operations.
- Incident response: When security incidents occur, there is a great deal of communication and documentation involved. For instance, a security threat might trigger an alert from your SIEM tool, which kicks off a response workflow in your incident management platform. This notifies a SecOps engineer to take action, who then pulls the latest logs and updates the issue ticket. That engineer then sends a Slack message to a manager asking for temporary permission to access the production cluster, so they can begin troubleshooting the issue. Every one of these handoffs introduces a potential bottleneck and additional manual effort, slowing down response times.
- Incident enrichment: When a SecOps engineer receives a new issue from an incident management tool, there is quite a bit of detective work that engineer must do in order to troubleshoot the issue. Often, troubleshooting involves logging into different cloud services, pulling logs, and compiling information together manually in order to determine the root cause of an issue. Security tools enable some automated enrichment capabilities, but complex enrichment tasks still fall to human operators.
When it comes to measuring speed in SecOps, your primary metric is likely to be MTTR. The acronym is overloaded: depending on who is using it, the “R” stands for respond, repair, recover, or resolve, and each variant measures a different interval, so agree on one definition before comparing numbers. As used here, MTTR is the mean time to resolve: an aggregate metric measuring the time from when an incident is first detected until the situation has been remedied and service is restored. Improving efficiencies in your cloud security processes can decrease MTTR.
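The handoffs in the incident-response bullet above can be measured rather than just described. The following is an added example, not code from the original post or from Blink: it takes constructed incident timelines (placeholder timestamps, not real data) and breaks MTTR into a mean per handoff, so the slowest handoff stands out as the first candidate for automation. The stage names and the `projected_mttr` helper, which estimates the effect of automating one handoff, are assumptions for illustration.

```python
from datetime import datetime
from statistics import mean

# Handoffs in the order the text describes them (assumed stage names).
# Each incident records the time it reached each one.
STAGES = ["detected", "acknowledged", "access_granted", "resolved"]

# Constructed incident timelines (not real data), ISO 8601 timestamps.
INCIDENTS = [
    {"id": "INC-1", "detected": "2024-03-01T09:00:00",
     "acknowledged": "2024-03-01T09:12:00",
     "access_granted": "2024-03-01T10:05:00",
     "resolved": "2024-03-01T10:30:00"},
    {"id": "INC-2", "detected": "2024-03-01T14:00:00",
     "acknowledged": "2024-03-01T14:05:00",
     "access_granted": "2024-03-01T14:50:00",
     "resolved": "2024-03-01T15:20:00"},
    {"id": "INC-3", "detected": "2024-03-02T22:30:00",
     "acknowledged": "2024-03-02T23:00:00",
     "access_granted": "2024-03-02T23:40:00",
     "resolved": "2024-03-03T00:10:00"},
]


def _minutes_between(start: str, end: str) -> float:
    """Elapsed minutes from start to end; rejects out-of-order timelines."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end!r} precedes {start!r}")
    return delta.total_seconds() / 60


def stage_durations(incident: dict) -> dict:
    """Minutes spent in each handoff of one incident, keyed 'from->to'."""
    return {
        f"{a}->{b}": _minutes_between(incident[a], incident[b])
        for a, b in zip(STAGES, STAGES[1:])
    }


def mean_stage_durations(incidents: list) -> dict:
    """Mean minutes per handoff across all incidents."""
    per_incident = [stage_durations(i) for i in incidents]
    return {stage: mean(d[stage] for d in per_incident) for stage in per_incident[0]}


def mttr_minutes(incidents: list) -> float:
    """Mean time to resolve: detection to service restored, averaged."""
    return mean(_minutes_between(i["detected"], i["resolved"]) for i in incidents)


def slowest_stage(incidents: list) -> str:
    """The handoff that contributes most to MTTR on average."""
    durations = mean_stage_durations(incidents)
    return max(durations, key=durations.get)


def projected_mttr(incidents: list, stage: str, automated_minutes: float) -> float:
    """Estimated MTTR if one handoff were automated down to a fixed duration."""
    return mttr_minutes(incidents) - mean_stage_durations(incidents)[stage] + automated_minutes


if __name__ == "__main__":
    print(f"MTTR: {mttr_minutes(INCIDENTS):.1f} min")
    for stage, minutes in mean_stage_durations(INCIDENTS).items():
        print(f"  {stage}: {minutes:.1f} min")
    worst = slowest_stage(INCIDENTS)
    print(f"slowest handoff: {worst}")
    print(f"MTTR if automated to 2 min: {projected_mttr(INCIDENTS, worst, 2):.1f} min")
```

With these constructed timelines, the wait for production access dominates: it averages 46 of the 90 minutes of MTTR, so a just-in-time access grant triggered from the incident ticket would roughly halve MTTR, whereas shaving minutes off acknowledgement would barely move it. The same breakdown works on exported ticket data as long as each handoff is timestamped.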
The Blink Automation Library comes with more than 200 different automations for incident response and remediation, to help cloud engineering teams resolve security issues faster. Cloud engineering and SecOps teams can leverage Blink automations to decrease MTTR for security incidents, and also to decrease the frequency of security incidents, with many automations that make it easier for cloud engineers and SecOps teams to manage their everyday security responsibilities.
Scalability and SecOps
While it may seem more natural to consider scalability from an infrastructure perspective compared with security, it’s still important to make sure your organization has the ability to scale to meet the challenge when faced with different security risks. As we did in our prior post, it can be helpful to evaluate your ability to scale across three different axes.
Here are some questions you should ask yourself when considering scalability in your security posture:
Scalability of processes
- What processes do you have in place to identify threats? Do the right people have access to this information?
- Can your existing processes scale to accommodate increasingly large outages or security threats? What escalation procedures are in place?
- When security threats occur, is documentation readily available and actionable to resolve issues?
- How is your team’s cloud security hygiene? Are you regularly rotating credentials and access keys, and ensuring only those who need access have permissions?
Scalability of infrastructure
- What teams have access to critical infrastructure? Do the response teams have the necessary access to resolve security issues?
- What workflows are in place to ensure security threats are avoided or quickly resolved?
- How long does it take to upgrade or onboard new security tools? How much effort is required?
- How difficult is it to compose workflows across different cloud and security platforms? How much manual work is required?
Scalability of communications
- Do teams receive the necessary training to prevent security issues?
- How many communication channels does your organization use when there’s a security issue?
- How difficult is it to coordinate across teams or channels?
- How difficult is it to create actionable alerts for stakeholders?
- Do SecOps engineers know where to find relevant information? How well documented are your incident response processes and workflows?
No-code automation can help your cloud security team prepare for and respond to security threats more quickly. In a world of microservices and countless cloud tools, it’s more important than ever for security engineers to leverage automation to abstract away ever increasing complexity. Adopting a no-code platform can help your cloud security team standardize response workflows, improve your team communication and documentation, and cut down MTTR.
Reliability and SecOps
Any CISO worth their salt will tell you that preventative measures are necessary to fortify your security posture. These proactive measures, like adopting EDR/XDR, SIEM, and SOAR tools, or monitoring mobile devices with an MDM platform, are all table stakes for securing your cloud-native infrastructure. Having these tools and processes in-place can ensure your team is better prepared when the inevitable occurs.
Reliability in cloud security is also functional and outcome-based. For example, there are responsibilities like customer SLAs and compliance policies that SecOps teams must continuously account for over time.
- Customer SLAs, or “service-level agreements,” are contracts between a service provider and its client promising that certain services will be provided, and the manner in which those services are delivered. A customer SLA will typically include technical definitions of mean time between failures (MTBF) and mean time to recovery (MTTR), alongside the availability targets the provider commits to.
- SOC 2 is, according to the AICPA, a “report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.” Having a SOC 2 report is a common benchmark customers use when evaluating potential software providers, and the maturity of that provider’s operational and security processes. It’s difficult enough to establish SOC 2 compliant processes, but even harder to maintain those processes over time. Check out the Blink Automation Library for helpful automations that make it easy to stay on top of your SOC 2 report.
- GDPR, the EU’s General Data Protection Regulation, has been described as “the toughest privacy and security law in the world…[that] imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.” GDPR regulates, among other things, transfers of personal data outside the EU and guarantees certain privacy rights to people in the EU, not only EU citizens. There are hefty fines for businesses that violate GDPR, so it’s critical to have procedures in place to prevent violations.
Individually, each of these responsibilities can be difficult to wrangle for SecOps teams. Combined with the regular planned work undertaken by cloud security engineers, they can be a recipe for project delays and overstressed SecOps teams. Traditional security tools and solutions are not enough for cloud security teams to keep up with the demands of securing modern cloud-native infrastructure.
Blink comes with over 1200 different automations to help improve security compliance and reliability across your cloud infrastructure.
Try Blink today
Blink enables DevOps, SecOps, and FinOps to achieve operational excellence by making it easy to create automated workflows across the cloud platforms and services they use every day. The impact of adopting a no-code automation platform like Blink is happier, more productive development teams and more reliable, resilient cloud operations.
The best part? The no-code future for cloud operations is available today. Sign up to create a Blink account.