How do digital leaders ensure the security and compliance of their code, workflows, and infrastructure?
The paper 6 tips to integrate security into your DevOps practices advocates integrating your security team with the existing DevOps team to create DevSecOps. In a series of blog posts, we’re giving you a flavor of all 6 tips, including Tip 3: Monitor and observe continuously with purpose.
Too often, enterprises leverage a monitoring or observability solution without adapting it to work for their organization. When enterprises fail to fully plan their monitoring initiative, they overload themselves with data. This can be like looking for a digital needle in a haystack. What’s more, without gathering the right data in the right ways, data is often not actionable. The first step to enabling continuous monitoring — and growing the previously limited subset of intelligence — is strategic planning. In other words, purposeful monitoring and observation.
The whitepaper points to four factors for successful monitoring:
Monitoring provides the most value when you observe everything occurring within your enterprise, be it Active Directory, firewall, syslog, application log, etc. Gathering data from an incomplete selection of sources gives your business blind spots, so it’s important to also collect infrastructure data coming from outside the change management process.
Successful organizations don’t just capture all their data; they organize it carefully. You’ll need to decide what to log based on potential targets. Consider the ‘signal-to-noise’ ratio when collecting data from various sources. For instance, the syslog from a backup server might not hold information as useful as the syslog of the server hosting the identity solution.
Use parameters to determine the baseline for any application, considering elements like user login/logout, network activity, system activity, transactions, etc. In general, log data should consist of who (user identity), when (activity start and end timestamp), what (activity performed), and where (source IP). In some instances, it’s an industry or security standard that dictates the logging requirement, e.g., PCI-DSS, ISO27001.
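The following is an added example, not code from the whitepaper: a small audit that checks whether events from each log source carry the who/when/what/where elements described above and reports what is missing per source. The JSON field names (source, user, start, end, action, source_ip) and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime

def missing_elements(event):
    """Return which of who/when/what/where an event lacks or carries malformed."""
    gaps = []
    if not str(event.get("user") or "").strip():
        gaps.append("who")
    try:
        start = datetime.fromisoformat(event["start"])
        if datetime.fromisoformat(event["end"]) < start:
            gaps.append("when")  # activity cannot end before it starts
    except (KeyError, TypeError, ValueError):
        gaps.append("when")
    if not str(event.get("action") or "").strip():
        gaps.append("what")
    try:
        ipaddress.ip_address(event["source_ip"])
    except (KeyError, ValueError):
        gaps.append("where")
    return gaps

def audit(lines):
    """Summarise, per log source, how many events are complete and what is missing."""
    report = defaultdict(lambda: {"events": 0, "complete": 0, "gaps": Counter()})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            event = {"source": "unparsed"}  # unreadable lines count as fully incomplete
        entry = report[str(event.get("source", "unknown"))]
        gaps = missing_elements(event)
        entry["events"] += 1
        entry["complete"] += not gaps
        entry["gaps"].update(gaps)
    return dict(report)

# Constructed sample events, one JSON object per line (field names are assumed).
SAMPLE = [
    '{"source":"identity","user":"alice","start":"2024-05-01T08:00:00+00:00","end":"2024-05-01T08:00:02+00:00","action":"login","source_ip":"203.0.113.7"}',
    '{"source":"identity","user":"","start":"2024-05-01T08:05:00+00:00","end":"2024-05-01T08:05:01+00:00","action":"login_failed","source_ip":"203.0.113.9"}',
    '{"source":"backup","user":"svc-backup","start":"2024-05-01T02:00:00+00:00","action":"job_run","source_ip":"not-an-ip"}',
]

if __name__ == "__main__":
    for source, entry in audit(SAMPLE).items():
        print(source, entry["events"], entry["complete"], dict(entry["gaps"]))
```

A source whose events are mostly incomplete cannot support the baseline described above, whatever volume it produces.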
Azure Sentinel delivers Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) capabilities to Azure for both cloud-native resources and on-prem resources. It’s also ready to integrate with non-Microsoft solutions using APIs.
Current systems generate more data and events than humans can interpret on their own. Too often, raw data is useless. Furthermore, collected events must be correlated to provide a wider picture. The way to overcome these challenges is machine-driven monitoring.
Informed enterprises also use threat intelligence to gauge potential threats vs. recorded ones. Threat intelligence gathered from several sources about emerging and existing threats provides a greater understanding of threat capability, indicators of compromise (IOCs), and the tactics, techniques, and procedures (TTPs), as well as the mitigation controls to use against them.
From the need to carefully organize data and incorporate a robust toolchain built for modern threats, to a real-world use case for remediating proactively with automated threat alerts, Tip 3 offers a comprehensive elaboration of why monitoring and observing continuously with purpose should be part of the new DevSecOps way of working.
Download the white paper 6 tips to integrate security into your DevOps practices.
Global CTO of Cloud Services