Hopefully this won’t come as a surprise, but the bad guys don’t launch attacks on a weekly basis. Attacks aren’t launched on a daily basis. Attacks are launched 24/7–persistently and tenaciously all day. Every day. If your security tools are only scanning periodically then every point in time between those scans is an opportunity for a breach or compromise.
24/7 attacks require 24/7 defense. Security vendors are employing DevOps to keep up with the pace of advancing attack tools and techniques, and companies need to embrace DevOps tools and principles to continuously monitor for indicators of attack or compromise.
I wrote a post about streamlining security through DevOps:
There has been a significant shift recently in security. Most security vendors and organizations recognize that the traditional model of keeping the bad guys out by detecting malicious exploits is flawed at best. The reality is that the bad guys are already inside the network using authorized credentials to bypass security controls and exfiltrate sensitive data. That sounds ominous but the silver lining is that DevOps changes the game and shifts the advantage back to the good guys.
There was a time when the traditional model made sense. The attack techniques used and the motivations behind the attacks were different. In recent years, however, the line between inside and outside attacks has been blurred beyond recognition. There have been some high-profile insider attacks like Bradley Manning and Edward Snowden, but the reality is that most of the “outside” attacks were perpetrated using stolen or compromised credentials. In other words there is no difference between an inside and an outside threat at the actual point of attack.
Organizations have to guard against both inside and outside attacks. In almost all cases, though, the root problem is credential abuse. Whether it’s an authorized employee accessing systems or data in an unusual way or an outside attacker moving laterally through the network and exfiltrating data using compromised credentials the crucial part for an organization is to have detection methodology in place capable of performing anomaly analysis to identify concerning behavior and activity.
Improving security through DevOps
That’s where DevOps comes in. Organizations need to have continuous monitoring in place. Anomalous activity isn’t something you can just conduct a daily or weekly scan for. If you don’t detect the activity in real-time and do something to stop it immediately the damage will already be done by the time you retroactively review log data and discover the breach.
You can read the full story at DevOps.com: Swim in the DevOps pool or drown in security problems.