Automation in SOAR Goes Further with DevSecOps
Security teams are longing for automation capabilities. And, in recent years, their options have improved with Security Orchestration, Automation and Response (SOAR) and other security solutions like Security Information and Event Management (SIEM), Identity and Access Management (IAM), Endpoint Detection and Response (EDR), and Cloud Detection and Response (CDR) offering automation in a narrow capacity.
A recent RSAC blog post suggested that SOAR, because of its likeness to infrastructure as code, is equal to DevSecOps. The article points out that automation and coding are important to security teams, but DevSecOps is more nuanced than that. Though there are elements of workflow automation in SOAR, what sets DevSecOps apart from SOAR is its hyper-reliance on open source and its adoption of an agile approach.
What is SOAR?
Gartner® defines SOAR as “technologies that enable organizations to collect inputs monitored by the security operations team.” SOAR tools ingest data from SIEM systems to define incident analysis and response procedures in a digital workflow format.
What is DevSecOps?
DevSecOps is a modern process methodology typically applied to software development. The goals of DevSecOps are to increase release velocity, eliminate silos between teams, reduce frequency and impact of bugs in production releases, and move security further left in the software delivery process.
These goals are achieved in two ways. One, a cultural shift where teams work together on one platform. In other words, software-defined everything. Two, the use of continuous integration and continuous delivery (CI/CD). CI/CD is a category of software tools that integrate and push code frequently to make sure new versions of an application work. CI/CD tests all aspects of the pipeline, including security, before code is pushed to production.
Why SOAR is unlike DevSecOps
One might confuse the mechanics of SOAR with that of DevSecOps because security teams using a SOAR tool are, in a very high-minded way, embracing the spirit of DevSecOps, which is to use code to automate their work.
But, to be clear, this is where the similarity starts and ends. The two fundamental differences, outlined below, are what really set DevSecOps apart from SOAR.
(1) SOAR has limited support for open source: SOAR tools rarely integrate with open source tools because by nature they primarily integrate with third-party tools like Cisco, Exabeam, Okta or Splunk. The lack of open source integration is a huge deterrent for DevOps teams that rely heavily on open source tools like Git, Ansible and Kubernetes for their work. This impasse isolates security teams from production and discourages DevOps teams from collaborating.
(2) SOAR does not take an agile approach to deliver automation: When security teams using SOAR tools talk about automation, it is within the context of ingesting data from SIEM, managing that data and then automating incident response workflows. This is different from using CI/CD, as in DevSecOps, which allows developers to integrate their new source code, test it, push it and then deploy it to production frequently.
Especially for security teams, CI/CD allows them to iterate in an agile approach, scan the codebase or application for known security vulnerabilities, or run infrastructure and applications against security benchmarks that improve product safety and company-wide security posture.
Therefore, DevSecOps embraces open source and takes an agile approach to automation, whereas SOAR does not on both counts. However, the option for open source is actually ideal for security teams, which like the support and accountability afforded by a large community. Similarly, access to CI/CD is beneficial for security teams, which have long wanted to shift left. In other words, have Dev introduce them early into the software development process so that they can troubleshoot before code makes it to production.
Achieving agility with CI/CD, a DevSecOps focus
SOAR is exclusively a security platform whereas DevSecOps holistically addresses the needs of all teams by embracing CI/CD and open source tools. While SOAR cannot stand in for DevSecOps, DevSecOps solves pain points inherent to SOAR while also offering general-purpose automation that elevates the role and work of security.
Some security teams may be reticent to pursue a DevSecOps solution because CI/CD is traditionally heavily reliant on code. But there are plenty of low-code/no-code options these days. Ideally, teams should source a DevSecOps platform that is all-inclusive; one that contains a visual interface where all levels of coders can collaborate but also contains a powerful back end that caters to DevOps.
The threat landscape is ever-shifting. With security teams needing to do more despite a talent shortage, automation must gain traction to ease the pressures mounting in their domain. Security teams benefit greatly from CI/CD pipelines, which not only replicate and accelerate their manual capabilities but also carve out precious time needed for modernizing their daily work processes. By embracing the spirit and practices of DevSecOps, security teams can become agile through their CI/CD processes.