Okay, so it's not exactly "of the week" when it's been a while since I posted the last one. We're back from our temporary lack of good ideas for discussion.
Lately we've been thinking a lot about how security and ops (network/systems) teams work together. From the ivory tower, it looks like security is getting operationalized as a lot of security stuff gets more high visibility and has more impact on what network/systems teams are doing. That means network/systems folks have to deal with and think about and involve security earlier on, rather than having it be a "versus" game where security teams are notified after the fact or not as embedded in decision making. We're also hearing more about security and network/systems teams having to share or have access to the same tools.
With log data, it's especially relevant, since that data has usefulness across both teams. Operational teams are using log data for root cause analysis and troubleshooting when a problem occurs, monitoring of basic stuff that doesn't come through in performance analysis (or doesn't come through as quickly, for example "that service just tripped that event log message that means it's going to go non-responsive" rather than waiting for it to actually go non-responsive), and tracking things that could put systems at risk for botched configs or problems (software installs, user/group changes, services, files being changed). Security teams are using log data for both historical analysis (and compliance) and tactical analysis in real-time.
Performance and availability data has traditionally been the place of Operations teams, but sometimes these two issues overlap, and one could be used to inform the other. Our first SolarWinds Labs episode ([VIDEO] SolarWinds Lab Episode #1: Virus in a Haystack) talked about a company whose firewall was spinning out of control causing performance issues, but actually turned out to be a security problem. Performance data is like a canary in a coal mine for discover stuff like Denial of Service attacks, too.
There's still a place for the security team - someone needs to be the single wringable neck/team for thinking that way, knowing how to be responsible with firewall policies or compliance or incident response - but it seems like it's trending more toward the same way each team has an "Exchange Guy" and a "Cisco Gal." It's best that many people know these duties so everyone can share responsibility and in the case of security it's thought of every step of the way. Along with that, there's the reality that on many teams the Security Dude is just one person.
What do you guys think? How do your teams work together? Are they using the same tools, do you wish they could? How do you see it changing in your organization as security becomes everyone's problem?