Context is King: Building Bridges Between DevOps and Security, Part IV

This is part 4 of 4 in a blog series on key trends in securing the public cloud.

It’s Time to Integrate Security into Development, rather than in front of it.

So far in our blog series, we have outlined the need for clear communication paths between developers and security personnel who have deployed in the public cloud, and how gaining access to the right data at the right time is critical.

In this final blog around building bridges between development and security in the cloud, we will outline the importance of context. While gaining visibility is certainly a cornerstone to success, it is futile without the ability to query the data and ascertain meaning from it. Alert fatigue is a real concern in our industry and context is key to creating high fidelity alerts with a low signal to noise ratio.

One way to think about alerts in this way is essentially a notification with context. This context needs to be timely, accurate, and convey enough information to communicate risk. There is also a delicate balance between just enough information and far too much information.

Notifications and context essentially are designed to notify on events and provide either answer to questions or additional information to enable the ability to ask more questions.

In public cloud environments, the key attributes to context are different: the network diminishes in fidelity while the system itself increases. The reason for this is that the network is often static, while the system is very dynamic. In the cloud it is important to get as close as possible to the application/system level – the rest is abstracted with containers, ephemeral workloads, and orchestrations systems.

As mentioned previously, context allows you to answer questions like: 

  • Has an account been compromised?
  • When did the breach start?
  • How did the attacker get in?
  • Was data exfiltrated?
  • What was the cause of the breach?
  • What other machines were connected?
  • Was this the cause of a configuration error, vulnerability, or weak password? 

And, almost as important, with context you can enable security personnel to ask the right questions to the right people. Context gives security insight into the application topology, which apps talk to which, and why, who wrote the apps, when were they launched, if the app is behaving outside of the norm, or if there is something occurring that the developer is not aware of.

With that, we conclude the series on bridging gaps from DevOps to Security, or what some are now calling “DevSecOps.” To us, it’s really about opening up communication between development and security teams and embedding rather than dividing them.