CI/CD is traditionally associated with Git commits and application code. In cybersecurity the same concept applies one level up: security teams need to continuously integrate and deploy new detection rules to stay ahead of current threats. Every organization that runs its operations on hardware and software assets needs adequate cyber protection, and one that fails to comply with mandatory regulations such as GLBA and FISMA in the US or GDPR in the EU faces sizable fines and other penalties.
Given these pressures, continuous development, testing, and deployment of detection rules sounds like a good idea. But how is such a process best established, and is it as simple as committing to Git? With detection code, things tend to get more complicated. Done right, however, a continuous threat detection flow brings substantial benefits. Below is a brief overview of how to implement CI/CD in your cybersecurity pipeline.
According to the United States General Services Administration (GSA), integrating security into the CI/CD pipeline helps eliminate silos and encourages collaboration between developers, security experts, and operations teams. That collaboration can extend beyond internal teams to practitioners worldwide: using the right software and automating repetitive tasks matters, but security processes benefit most from the input of the community's brightest minds.
For example, SOC Prime's Detection as Code platform has gathered over 300 security professionals from around the world who regularly supply context-enriched Sigma-based detection rules to more than 6,000 enterprises. By deploying detection content from the platform, SOC teams save the time and resources they would otherwise spend on research and development.
There is more than one way to organize an effective SOC, but a security-first culture that runs from coding all the way to endpoints and user accounts is crucial in every variant. A main reason organizations adopt a collaborative approach is that it gives them real-time access to industry best practices, which makes CI/CD security easier to maintain. To deploy the same detection content across different security solutions, engineers can write rules once in the generic, vendor-neutral Sigma format and convert them with Uncoder.IO into the query language of each vendor-specific SIEM, EDR, or XDR.
Every security operations workflow starts with continuous monitoring of the assets that need protecting. Software such as a SIEM or an EDR/XDR provides visibility into events on the organization's networks and systems. Those events must be normalized and correlated, and then continuously watched for signs of adversary behavior. The out-of-the-box detection rules shipped with these tools are not enough to catch new threats, and keeping content up to date is a challenge in itself, since SOC teams rarely have the capacity and talent to constantly craft detections for sophisticated attacks. That is why continuous content management is often the hardest part of a cybersecurity CI/CD pipeline.
One option for SOC teams is to automate the delivery of detection content. There are a few ways to achieve this:
- Outsource content development to a third party. Managed Security Service Providers (MSSPs), for example, can supply relevant detections on a continuous basis. There is usually a trade-off, however, between the price paid and how much confidentiality you want to keep over your internal data.
- Run your own CI/CD pipeline for detection content. The SOC Prime platform mentioned above provides a Continuous Content Management (CCM) module that streams compatible content directly into the SIEM environment; new rules for emerging attacks are published within 39 hours of disclosure.
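To make the "own CI/CD pipeline" option concrete, here is an added example (not SOC Prime's code, not Uncoder.IO's output, and not taken from any real rule repository) of the kind of check such a pipeline runs before a rule is promoted to the SIEM. It loads a constructed Sigma rule for encoded PowerShell command lines, runs it over a handful of constructed, already-normalized process-creation events as a regression test, and renders the same rule to a simplified SPL-like query, which is the vendor-specific conversion step the text attributes to Uncoder.IO. The rule, the sccm_client.exe allow-list filter, and the events are all assumptions made for this example.

```python
"""Added example, not SOC Prime's code nor Uncoder.IO's output: one CI step of a
Detection-as-Code pipeline. A constructed Sigma rule is run over constructed,
normalised process-creation events (the build fails if it misses the true
positive or fires on the known-benign event) and is rendered to a simplified
SPL-like vendor query, which is the job a Sigma converter does."""
import ast

RULE = {  # constructed; Sigma field|modifier syntax, not a rule from any real repository
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                      "CommandLine|contains": ["-enc ", "-EncodedCommand "]},
        "filter": {"ParentImage|endswith": "\\sccm_client.exe"},  # hypothetical allow-list
        "condition": "selection and not filter",
    },
}

EVENTS = [  # constructed, already-normalised events with ground-truth labels
    {"label": "malicious", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"label": "benign", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand JABwAD", "ParentImage": r"C:\Windows\CCM\sccm_client.exe"},
    {"label": "benign", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": r"C:\Windows\explorer.exe"},
]

def _match(modifier, pattern, actual):
    """One Sigma value against one field; Sigma string matching is case-insensitive.
    Only the modifiers this rule needs are implemented."""
    p, a = pattern.lower(), actual.lower()
    if modifier == "contains":
        return p in a
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "":
        return a == p
    raise ValueError(f"unsupported modifier: {modifier}")

def match_selection(selection, event):
    """Every field of a selection must match (AND); a list of values is an OR."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_match(modifier, str(v), str(event[field])) for v in values):
            return False
    return True

def parse_condition(text):
    """Sigma's and/or/not conditions are syntactically Python boolean expressions, so the
    stdlib parser builds the tree; only Name, Not and BoolOp nodes are accepted and nothing
    is ever eval()'d. '1 of them' style aggregations are out of scope here."""
    def conv(n):
        if isinstance(n, ast.Name):
            return ("name", n.id)
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.Not):
            return ("not", conv(n.operand))
        if isinstance(n, ast.BoolOp):
            op = "and" if isinstance(n.op, ast.And) else "or"
            node = conv(n.values[0])
            for v in n.values[1:]:
                node = (op, node, conv(v))
            return node
        raise ValueError(f"unsupported condition syntax: {ast.dump(n)}")
    return conv(ast.parse(text, mode="eval").body)

def rule_matches(rule, event):
    """Evaluate the rule's condition tree against one normalised event."""
    det = rule["detection"]
    def ev(node):
        if node[0] == "name":
            return match_selection(det[node[1]], event)
        if node[0] == "not":
            return not ev(node[1])
        return (ev(node[1]) and ev(node[2])) if node[0] == "and" else (ev(node[1]) or ev(node[2]))
    return ev(parse_condition(det["condition"]))

def to_query(rule):
    """Render the same tree as a vendor query (simplified SPL-like syntax). Backslashes and
    quotes inside values are escaped, the detail hand-written conversions tend to miss."""
    det = rule["detection"]
    wrap = {"contains": "*{}*", "endswith": "*{}", "": "{}"}
    def quote(s):
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    def sel(selection):
        parts = []
        for spec, expected in selection.items():
            field, _, modifier = spec.partition("|")
            values = expected if isinstance(expected, list) else [expected]
            terms = [f"{field}={quote(wrap[modifier].format(v))}" for v in values]
            parts.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
        return " AND ".join(parts)
    def rd(node):
        if node[0] == "name":
            return sel(det[node[1]])
        if node[0] == "not":
            return "NOT (" + rd(node[1]) + ")"
        return "(" + rd(node[1]) + (" AND " if node[0] == "and" else " OR ") + rd(node[2]) + ")"
    return rd(parse_condition(det["condition"]))

def ci_gate(rule, events):
    """Events on which the rule disagrees with its label; an empty list means the rule
    may be promoted to the SIEM."""
    return [e["CommandLine"] for e in events if rule_matches(rule, e) != (e["label"] == "malicious")]
```

In the pipeline, call ci_gate(RULE, EVENTS) and fail the build when the returned list is non-empty; drop the filter selection from the rule and the benign sccm_client.exe event immediately lands in that list, which is exactly the false positive the gate exists to catch before it reaches analysts. The condition parser reuses Python's ast module because Sigma's and/or/not syntax is a subset of Python boolean expressions; nothing is eval()'d, so a hostile condition string in a rule file cannot execute code in the pipeline.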
Streamlined SOC operations save many hours of manual threat intelligence work and coding, which makes proactive defense against the latest attacks feasible. Basic measures such as firewalls and antivirus are still in use, but they do not keep pace with new threats on their own; continuous content management is what helps withstand continuously evolving attacks.
Now that you know the methods commonly applied in CI/CD security, you need to decide how to organize them into a pipeline, that is, create a workflow.
For many years security work sat at the end of the development lifecycle: only after a code version was committed to Git, built, tested, and deployed to production would security teams run their scans, penetration tests, and ad-hoc analysis. This made remediation slower and harder, and vulnerabilities that had already reached the most exposed environments were found too late, leaving a window in which they could be exploited.
This issue drove the rise of DevSecOps teams, which bridge the gap between development, operations, and security workflows by integrating security early in the CI/CD pipeline, or, as it is usually put, by shifting security left. The shift is especially critical for cloud-native environments, which change quickly and need constant monitoring.
Research by the National Institute of Standards and Technology (NIST) puts the cost of fixing a security bug after deployment to production at up to 30 times the cost of fixing it in the early stages of development. Add the indirect loss of revenue from a damaged user experience and it is clear why so many organizations move to cybersecurity CI/CD processes. And it is not only source code that needs continuous monitoring for the latest threats, but networks, endpoints, and data in general.
Preventing security incidents through early detection is vital, and an iterative, seamless CI/CD cybersecurity pipeline is one way to achieve it. It works best when traditional SIEM solutions are combined with newer practices such as the collaborative approach and continuous content management.