If your security team is burnt out and you’ve got an endless backlog of alerts that no one quite knows what to do with, it might be time to think about scaling SecOps. Read on to find out why these problems form, and how you can address them by adopting automation in some situations, and increasing headcount in others.
There’s Just Too Much Cloud to go Around
If you need proof that cloud adoption is growing astonishingly fast, look no further than Amazon Web Services' revenues. These grew from $4.5BN in 2014 to $90BN in 2023, despite AWS losing market share to Microsoft Azure and Google Cloud over the same period. More cynical explanations aside, this eye-watering increase clearly reflects an actual shift in ways of working.
Indeed, it’s hard to think of a company that hasn’t massively scaled its cloud footprint in the last decade or so. In many midsize to large companies, new cloud accounts – AKA ‘subscriptions’ or ‘projects’ in Azure and GCP terminology, respectively – are provisioned every week. Each cloud account is a labyrinth of microservices, containers, and cloud-native apps; and as companies fight to eke every last bit of efficiency and performance out of their environments, they tend to add more complexity.
What does this mean for SecOps? Imagine a police force trying to protect a city where new neighborhoods are springing up overnight, without hiring more police officers. The existing force can try to work harder or smarter, but at the end of the day they’ll need to start answering fewer calls. This is the case with most SecOps teams, which are stretched to their absolute limits. The flood of notifications and flashing red lights is such that the industry now fully expects most of them to never be handled, and is instead focusing on prioritization.
This situation is not sustainable for organizations that care about security. While some organizations might dither and delay, eventually SecOps will have to scale in a way that’s correlated with the growth in their cloud environments (albeit not linearly). As with any other area of cybersecurity, scale can happen in two ways: technology or headcount. Let’s take a look at the smart way to go about both when it comes to SecOps.
How to Scale Automation
Automation is obviously more ‘scalable’ than headcount, so it makes sense to start there. The challenge is to automate without sacrificing quality, control, and operational safety – and all while staying within the bounds of your team’s existing technical skills. There are three key strategies to achieve this:
- Organizational guardrails. Think of these as the digital equivalent of those bumpers they put in bowling alleys for kids. They’re preset rules and policies that prevent risky or non-compliant configurations from happening in the first place (see: Tamnoon Prevent). For example, you might set up guardrails that automatically block the creation of public S3 buckets or enforce encryption for all data at rest. Prevention is always more efficient than remediation and can eliminate many potential issues before they can even begin.
- Centralized cloud monitoring tools. Cloud-Native Application Protection Platforms (CNAPPs) are your all-seeing eyes in the cloud, constantly scanning across all your environments and accounts for vulnerabilities or suspicious activities. CNAPPs can alert you to everything from misconfigured security groups to unusual login patterns that might indicate a breach attempt; however, additional layers of automation are typically required in order to prioritize CNAPP alerts.
- Automated remediation. This is where your automation doesn’t just spot the bad guys but also kicks them out automatically. For instance, if an unauthorized IP address tries to access a sensitive resource, an auto-remediation rule could immediately revoke that access and update the firewall rules. Automated remediation might be the ‘holy grail’ of cloud SecOps, but it’s often difficult to implement without putting production systems at risk.
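To make the first of these strategies concrete, here is an added example (not Tamnoon's code or any product's) of a preventive policy-as-code check that a pipeline could run before resources are created: it evaluates constructed S3 bucket definitions against the two guardrails named above, no public buckets and encryption at rest. The field names are assumptions modelled on the S3 API, not a real schema.

```python
"""Preventive S3 guardrail check (added example, not Tamnoon's code).

Evaluates bucket definitions, as they might appear in a parsed
infrastructure-as-code plan, against the two guardrails named in the
text: no public buckets, and encryption at rest for every bucket.
Field names are assumptions modelled on the S3 API, not a real schema.
"""

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")
ALLOWED_SSE = {"AES256", "aws:kms"}


def check_bucket(bucket: dict) -> list[str]:
    """Return guardrail violations for one bucket (empty list means compliant)."""
    name = bucket.get("name", "<unnamed>")
    violations = []
    # Guardrail 1: no public buckets. Public means an ACL that grants access
    # to everyone, or any Block Public Access flag left off.
    if bucket.get("acl", "private") in PUBLIC_ACLS:
        violations.append(f"{name}: public ACL {bucket['acl']!r}")
    pab = bucket.get("public_access_block", {})
    violations += [f"{name}: {flag} is not enabled"
                   for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag, False)]
    # Guardrail 2: default encryption at rest with an approved algorithm.
    if bucket.get("server_side_encryption") not in ALLOWED_SSE:
        violations.append(f"{name}: default encryption missing or not approved")
    return violations


def enforce(buckets: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant bucket to its violations; CI fails on a non-empty result."""
    return {b.get("name", "<unnamed>"): v
            for b in buckets if (v := check_bucket(b))}


# Constructed sample input: one compliant bucket, one a guardrail should stop.
SAMPLE_BUCKETS = [
    {"name": "payroll-exports", "acl": "private",
     "public_access_block": {f: True for f in PUBLIC_ACCESS_FLAGS},
     "server_side_encryption": "aws:kms"},
    {"name": "marketing-assets", "acl": "public-read",
     "public_access_block": {"BlockPublicAcls": True}},  # no encryption key at all
]

if __name__ == "__main__":
    for bucket, problems in enforce(SAMPLE_BUCKETS).items():
        print(bucket + ":", *problems, sep="\n  ")
```

The same check, wired into the deployment pipeline rather than run after the fact, is what turns a monitoring finding into a guardrail: the non-compliant bucket is rejected before it exists.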
Investing in all three of these areas can help you build a much more efficient SecOps organization. However, even the best-executed automation program is never a silver bullet. There’s still a crucial role for human expertise in this equation, which brings us to our next point…
How to Scale Teams
While life would certainly be simpler if we could just automate our way out of every security challenge, in reality, there is no escaping from the need to grow your team – both in size and in skill. There are a few points worth considering here, which will impact how and who you hire when scaling headcount.
Who monitors the monitor? Setting up and maintaining sophisticated automation systems requires a deep well of expertise. Cloud security engineers need to be part developer, part security analyst, and part cloud architect. They’re the ones who translate security policies into code, monitor the monitoring tools, and ensure that your automation doesn’t accidentally capsize your production systems.
Traditional SecOps roles are not necessarily geared towards building or managing these systems. The more automation you introduce, the more you need to think about your team as product builders rather than narrow security specialists.
Technology can’t remove humans from the loop (yet). According to Tamnoon’s estimates, at least 30% of CNAPP alerts can’t be safely auto-remediated with current tools and techniques. We are not yet at the level of ‘full self-driving’ remediation; humans need to keep their hands firmly on the wheel. Two main reasons:
- The potential for unintended consequences – like breaking a critical application – is too high to entrust to software alone.
- Automation can be very useful from a tactical standpoint but can prevent teams from seeing strategic opportunities. E.g., an automated workflow can lead to SecOps ‘chasing’ the same alert over and over again rather than implementing a guardrail to stop the bad behavior in the first place or hiring a developer resource to address the systemic issue creating the risk.
Misconfigurations are more automatable than incidents. While automation can handle many day-to-day issues like incorrect permissions or non-compliant resources, incidents such as potential breaches are not as straightforward. In these high-stakes situations, a skilled security analyst can connect subtle dots, think strategically, and make nuanced decisions under pressure.
For example, a series of failed login attempts might be technical or human error—or the first sign of a sophisticated attack. Blocking the resource might not be the right decision if it means employees can’t access a critical system. Few organizations would trust an automated system to make this decision hands-free.
The bottom line: When growing your cloud SecOps team, you should focus on technical experts who can design, implement, and maintain your automation systems and remediation experts who can handle the high-stakes, judgment-heavy tasks that automation can’t (yet) touch.
Closing: What CISOs Should Do Next
Above we’ve shared a few pointers on how to scale SecOps organizations. Implementing them is a process that can take weeks, months, or years, depending on the size and maturity of your existing organization.
As a CISO, you should first:
- Take stock of your current automation capabilities. Are you leveraging organizational guardrails, centralized monitoring tools, and automated remediation to their fullest potential? If not, prioritize investments in these areas to build a strong foundation for scalable security.
- Assess your team’s composition and skills. Do you have the right balance of security engineers who can build and maintain automation and skilled analysts who can handle complex incidents? Develop a strategic hiring plan that addresses both these needs.
- Focus on improving collaboration between SecOps and development teams. Effective remediation often requires changes to application code or infrastructure – developers have to be involved in this. Encourage regular communication, joint training sessions, and shared tooling between SecOps and dev teams. This will help you scale your SecOps team in the right direction and ensure you are not duplicating work or creating redundant roles elsewhere in the organization.
To learn more about scaling cloud security and the Tamnoon approach to human-guided automation, book a free session with one of our experts.