DevOps.com

  • Latest
    • Articles
    • Features
    • Most Read
    • News
    • News Releases
  • Topics
    • AI
    • Continuous Delivery
    • Continuous Testing
    • Cloud
    • Culture
    • DataOps
    • DevSecOps
    • Enterprise DevOps
    • Leadership Suite
    • DevOps Practice
    • ROELBOB
    • DevOps Toolbox
    • IT as Code
  • Videos/Podcasts
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • DevOps Unbound
  • Webinars
    • Upcoming
    • Calendar View
    • On-Demand Webinars
  • Library
  • Events
    • Upcoming Events
    • Calendar View
    • On-Demand Events
  • Sponsored Content
  • Related Sites
    • Techstrong Group
    • Cloud Native Now
    • Security Boulevard
    • Techstrong Research
    • DevOps Chat
    • DevOps Dozen
    • DevOps TV
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
  • Media Kit
  • About
  • Sponsor
  • AI
  • Cloud
  • CI/CD
  • Continuous Testing
  • DataOps
  • DevSecOps
  • DevOps Onramp
  • Platform Engineering
  • Sustainability
  • Low-Code/No-Code
  • IT as Code
  • More
    • Application Performance Management/Monitoring
    • Culture
    • Enterprise DevOps
    • ROELBOB
Hot Topics
  • Linux Foundation Europe to Host RISE Open Source Project
  • I Guess This is Growing Up: Devs and CISA’s Secure-by-Design Guidelines
  • Forget Change, Embrace Stability
  • Finding Your Passion
  • State of Software Security Report 2023 - Chris Eng, Veracode

Home » Blogs » DevSecOps » Swim in the DevOps pool or drown in security problems

Swim in the DevOps pool or drown in security problems

Avatar photoBy: Tony Bradley on May 15, 2015 3 Comments

There has been a significant shift recently in security. Most security vendors and organizations recognize that the traditional model of keeping the bad guys out by detecting malicious exploits is flawed at best. The reality is that the bad guys are already inside the network using authorized credentials to bypass security controls and exfiltrate sensitive data. That sounds ominous but the silver lining is that DevOps changes the game and shifts the advantage back to the good guys.

Recent Posts By Tony Bradley
  • The Best Approach to Help Developers Build Security into the Pipeline
  • Better Apps and Better Security When You Shift Left
  • The Road Ahead for Security, DevOps Transformation
Avatar photo More from Tony Bradley
Related Posts
  • Swim in the DevOps pool or drown in security problems
  • How DevOps Teams Can Defend Against API Attacks
  • Combining SecOps and DevOps
    Related Categories
  • Blogs
  • DevSecOps
    Related Topics
  • continuous monitoring
  • devops
  • Lancope
  • OODA loop
  • TK Keanini
Show more
Show less

There was a time when the traditional model made sense. The attack techniques used and the motivations behind the attacks were different. In recent years, however, the line between inside and outside attacks has been blurred beyond recognition. There have been some high-profile insider attacks like Bradley Manning and Edward Snowden, but the reality is that most of the “outside” attacks were perpetrated using stolen or compromised credentials. In other words there is no difference between an inside and an outside threat at the actual point of attack.

TechStrong Con 2023Sponsorships Available

Organizations have to guard against both inside and outside attacks. In almost all cases, though, the root problem is credential abuse. Whether it’s an authorized employee accessing systems or data in an unusual way or an outside attacker moving laterally through the network and exfiltrating data using compromised credentials the crucial part for an organization is to have detection methodology in place capable of performing anomaly analysis to identify concerning behavior and activity.

Improving security through DevOps

That’s where DevOps comes in. Organizations need to have continuous monitoring in place. Anomalous activity isn’t something you can just conduct a daily or weekly scan for. If you don’t detect the activity in real-time and do something to stop it immediately the damage will already be done by the time you retroactively review log data and discover the breach.

Things are heading in that direction—but slowly. The good news is that DevOps seems to be picking up steam as more security vendors and organizations face the reality that the traditional security model can’t effectively protect against attacks.

“The DevOps movement is really gaining momentum but unfortunately still small,” agreed TK Keanini, CTO of Lancope. “It is a small but passionate community that can do nothing else but grow and help fill a void as we move from traditional enterprise IT to Internet IT. The tempo of DevOps is its major security feature and—with the principals of John Boyd’s OODA loop—has a winning formula to make it too expensive for adversaries to attack.”

DevOps isn’t just a trendy way of providing or delivering security. The security vendors themselves are also starting to embrace DevOps internally as a means of keeping up with attackers and working to develop new tools and techniques more effectively and efficiently.

Keanini explained that everyone will be moving to DevOps over the next 3 years—just not all at the same time. “Where IT was infrastructure and development was applications, suddenly infrastructure is the application or you could say that applications have become infrastructure but in either case, the business is forced to redraw the org charts and redo the processes.”

Jump in! The water is great

Attacks are relentless and attackers are nothing if not innovative. If you’re using yesterday’s security tools and techniques to defend against last week’s attacks and attackers you’ve already lost. Organizations need to move faster to stay ahead of attacks, and the most effective way to accomplish that goal is to incorporate DevOps tools and principles into the security model.

Keanini summed up with, “It is exciting and I encourage folks to start jumping off the diving board as they are filling up the pool.”

Filed Under: Blogs, DevSecOps Tagged With: continuous monitoring, devops, Lancope, OODA loop, TK Keanini

« Survey: Fed gov cloud success hinges on DevOps
Why I Dislike The Term ‘DevOps Culture’ »

Techstrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Upcoming Webinars

Log Data Overload: How to Get More Out of Your Log Data
Wednesday, May 31, 2023 - 1:00 pm EDT
App-Solutely Necessary: Why Modernizing Your Apps Is A Must Hosted By The Cloudbusting Podcast Team
Thursday, June 1, 2023 - 11:00 am EDT
Confident Cloud Migrations: How A Top 5 Bank Ensured Reliability With AWS And Gremlin
Thursday, June 1, 2023 - 1:00 pm EDT

GET THE TOP STORIES OF THE WEEK

Sponsored Content

PlatformCon 2023: This Year’s Hottest Platform Engineering Event

May 30, 2023 | Karolina Junčytė

The Google Cloud DevOps Awards: Apply Now!

January 10, 2023 | Brenna Washington

Codenotary Extends Dynamic SBOM Reach to Serverless Computing Platforms

December 9, 2022 | Mike Vizard

Why a Low-Code Platform Should Have Pro-Code Capabilities

March 24, 2021 | Andrew Manby

AWS Well-Architected Framework Elevates Agility

December 17, 2020 | JT Giri

Latest from DevOps.com

Linux Foundation Europe to Host RISE Open Source Project
May 31, 2023 | Mike Vizard
I Guess This is Growing Up: Devs and CISA’s Secure-by-Design Guidelines
May 31, 2023 | Pieter Danhieux
Forget Change, Embrace Stability
May 31, 2023 | Don Macvittie
What Is a Cloud Operations Engineer?
May 30, 2023 | Gilad David Maayan
Five Great DevOps Job Opportunities
May 30, 2023 | Mike Vizard

TSTV Podcast

On-Demand Webinars

DevOps.com Webinar ReplaysDevOps.com Webinar Replays

Most Read on DevOps.com

CDF Marries Emporous Repository to Ortelius Management Platform
May 26, 2023 | Mike Vizard
Microsoft Adds Slew of Developer Tools to Azure
May 24, 2023 | Mike Vizard
US DoJ Makes PyPI Give Up User Data ¦ Tape Storage: Not Dead
May 25, 2023 | Richi Jennings
Red Hat Enhances Insights to Simplify RHEL Management
May 24, 2023 | Sharon Florentine
Is Your Monitoring Strategy Scalable?
May 26, 2023 | Yoni Farin
  • Home
  • About DevOps.com
  • Meet our Authors
  • Write for DevOps.com
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • Privacy Policy

Powered by Techstrong Group, Inc.

© 2023 ·Techstrong Group, Inc.All rights reserved.