The SecOps Gap — how it's threatening security and what you can do about it

Every day, consumers, businesses and government agencies share and expose more of themselves online. For hackers, the lure of this data, and the associated payday exploiting it, is often far too compelling to ignore.

Cyber attacks in organisations are continuing to make headlines with startling frequency and devastating consequences. As a result, they’re bringing the topic of security to every boardroom in Australia and around the world — prompting organisations to more closely consider how they can protect themselves and their customers, while still offering the access and capabilities demanded in the digital age.

While innovation and digital transformation will remain a key focus for most, including the public sector, the fact is that without the right security procedures in place, an organisation or a government agency is a ticking time bomb.  At some point, if things don’t change in how security is managed, it’s inevitable you will be exposed to threats, and your reputation and data will be at stake.

The issue of cybersecurity in government came to the fore again recently, after the Australian National Audit Office (ANAO) called out again in 2015 that some agencies fell short of mandatory federal government security standards, despite claiming otherwise. When measured against the four key government mandated cyber mitigation strategies — application whitelisting, patching applications, patching operating systems and minimising administrative privileges — some failed to be compliant.

While the ANAO wouldn’t identify the specific weaknesses found, software patching continues to be a common problem. The auditors said the rate of patch deployment it found was below the industry standard of 95% of network devices. In many cases, the entities weren’t aware of the low patch levels, nor did they have procedures in place to monitor and audit the effectiveness of the deployed patches.

So how can organisations overcome these challenges to better navigate security threats?

The most obvious step is first acknowledging that the most significant risk of all could actually be coming from the inside and, therefore, largely avoidable.  

Unbeknownst to many, some of the biggest risks organisations face are stemming from outdated and poorly synchronised internal procedures. These are hindering efforts to be proactive and respond quickly at the time of a security breach and, ultimately, inviting hackers in.

On average, it takes 193 days to resolve a known vulnerability.  When you consider that some sources say that a hacker can be live in a system for roughly 250 days before being detected, it leads to some staggering stats — they could be taking advantage of your organisation for 443 days, or about a year and a quarter, before you’re aware of it. For agencies storing sensitive public data, this will likely send shivers through the department.

Not surprisingly, then, 80% of cyber attacks come from vulnerabilities that were known about but left unpatched. Of those attacks, 99.9% of exploits were compromised over a year after the fix was published. In some recent cases, the vulnerabilities were up to seven years old.

So why is this happening? If we know what the problem is then it must be easy to solve, right? 

Well, there are some complications, the greatest of which analysts are calling the ‘SecOps gap’ — a critical breakdown in communication between the security and IT operations teams. It is this gap that is having significant implications to businesses, exposing them to unnecessary risks and system downtime. 

And it unfolds like this.

While security is responsible for running scans, they are then dropped off with the IT operations team. From their perspective, their work is done. They ‘found’ the vulnerabilities, reported them and it’s now up to the operations team to fix them. However, the operations team is held accountable for uptime and stability — to them, the changes suggested in a security report could pose risks to those business objectives and SLAs. The result: vulnerabilities are left like open wounds.  

In a study conducted by Forbes for BMC published earlier this year, it was noted that 60% of executives believed that operations did not understand the requirements of security and vice versa. So the two teams, who have to feed information to one another in order to shut down known threats, actually don’t understand each other at all and are not aligned on goals.

Exacerbating the situation is the lack of visibility to actionable threat information — this means security isn’t communicating to operations what threats are most important or most pervasive and therefore should be prioritised. This is compounded further by the restrictions posed by manual processes — tools that aren’t linked, and use different reference points, make processes tedious and time-consuming.

In short, keeping large government agencies or enterprises secure against cybercriminals has never been tougher; that is, without an automated system in place that can effectively close this SecOps gap.

As outlined in the Forbes study, an organisation’s security arsenal is determined by the strength of its IT and security departments combined; their united front is fundamental to planning for and identifying risks before they arise, and then doing something to remove them.

Building this shield requires a game plan that considers technology, people and processes, and how they all correlate. Operations and security need to understand the requirements and concerns of the other and, in many cases, implement a formal strategy to do so.

To go about closing the SecOps gap, organisations need to maintain a posture of being audit ready at all times.

This includes adherence to the top four mitigation strategies as outlined by the Australian Signals Directorate (ASD), which is estimated to prevent around 80% of targeted attempts to hack into agencies’ systems and can be summarised as follows:

• Vigilant compliance. Organisations need to be audit (compliance and regulatory) ready all the time, and these audits need to be quick. Compliance can be the first line of defence if adhered to — protecting your organisation from both internal and external foes. 
• Precise threat analysis. In order to have an effective security strategy, you have to be able to see what is out there in your network, what’s on it (or not on it) and what business services it supports, and assess its potential impact so you can fix the most important things first.
• Relentless remediation. Organisations also need precise, automated threat analysis and remediation. There should be a regular cadence with a measured approach to assessing risks and benefits. Relentlessly pursuing vulnerabilities will help strengthen your security posture and make it harder for hackers to get in ‘the easy way’.

Maintaining an ongoing patch registry ensures that the patch status of every device on the network can be continuously monitored, with out-of-date equipment targeted for upgrades and compliance audits much easier to execute when necessary. This means that your environment is audit ready all the time and security teams have a real-time view of vulnerabilities. With a consistent and trackable application of policies, organisations can maintain vigilance with a full cycle of system discovery, monitoring, remediation and change control.

Whether viewed from a security, operational or compliance perspective, SecOps alignment is essential to ensuring modern organisations perform at levels required in today’s competitive marketplace. Along with the challenges that SecOps represents, it also provides an important opportunity for the two teams to be mutually successful; where they can achieve individual goals and, of course, improve the overall success of their business and close this unnecessary SecOps gap.