Only a few years ago, IT teams and their security counterparts worked in separate silos. But as organizations face escalating threats and breaches, there is a burning need to converge IT observability and cybersecurity. The single biggest driver of this convergence is the need to share critical data to help security teams improve cyber resilience.
IT teams involved with observability already hold the data that security teams need to investigate and mitigate new and escalating threats. They collect very large volumes of telemetry and keep adding data from new monitoring tools. It makes no sense for security teams within the same organization to collect the same data a second time. So far, observability teams are ahead when it comes to data collection, but they must share that information with security teams to boost efficiency and combat worsening threats and breaches.
To drive this important convergence, some organizations have considered merging their security and observability tools, but the tools themselves do not need to be merged. Most teams can manage multiple tools, and separate tools can stay specialized: each one only has to do exactly what its users need it to do.
Both IT and security teams need access to observability data, but that data does not have to live in the same tool, because different tools serve different purposes. Security teams investigate threats, while observability teams are laser-focused on making the enterprise more efficient and effective. Their respective tools do not need to be combined, but they do need to be integrated so that the security tools can ask questions of the observability data.
This is particularly apparent for Security Operations (SecOps) teams, which need detailed information because they detect risk from specific IP addresses and messages in access logs. The information embedded in those logs, along with network data, is key because one of the first things an attacker does after gaining a foothold is to disable or tamper with logging, so that defenders cannot trace what he or she is attempting to infiltrate. That is also why the log stream itself needs to be monitored: a sudden silence from a host that normally logs continuously is a signal in its own right, and logs should be forwarded off-host so that an intruder cannot quietly erase them.
Because the two teams need separate tools, getting the right data into the right place is complicated. An investigation has specific questions to answer, such as “Which IP address did this come from?” and “Which resources has this IP address accessed?” Answering them across tools is hard because several different APIs must be stitched together.
Should IT and Security Teams Converge? It Depends on the Enterprise
In large organizations, IT and security teams work as independent units unless they must collaborate, for example when building applications in the cloud. Small and medium-sized businesses (SMBs) often have the same people managing both security and enterprise performance because of their size and IT budget constraints. Still, there are definite cultural differences between these teams. Their jobs differ greatly in what they try to achieve and in how they go about it. Problems often arise, for example, when the two camps try to converge dashboards, which is nearly impossible when they are focused on very different goals.
IT and DevOps teams care deeply about the “four golden signals” of site reliability engineering for overseeing critical applications: Errors, Saturation, Traffic, and Latency. SecOps teams, in contrast, rarely watch those signals directly; a latency measurement on its own tells them little. They care more about new source IPs and new communication paths between services.
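As an added example (not code from the original article), the script below shows what “gather once, serve both teams” looks like in practice: a single constructed batch of access-log lines is parsed once, then used to answer the SRE golden-signal questions above and the SecOps questions from earlier in the page (which resources has this IP accessed, which source IPs and service-to-service paths are new, and has the log stream gone silent, the tell-tale of an attacker disabling logging). The log field layout, the IP addresses, the service names and the baselines are assumptions made for the illustration.

```python
"""Added example: one parsed access log feeding both SRE and SecOps questions.
Field layout, IPs, service names and baselines are assumed for illustration."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log. Assumed layout (one event per line):
# "<ISO timestamp> <client_ip> <src_service> <dst_service> <path> <status> <latency_ms>"
LOG_LINES = [
    "2024-05-01T10:00:00 10.0.0.5 web api /orders 200 120",
    "2024-05-01T10:00:05 10.0.0.5 web api /orders 200 95",
    "2024-05-01T10:00:10 10.0.0.7 web api /cart 500 310",
    "2024-05-01T10:00:15 10.0.0.5 api db /select 200 40",
    "2024-05-01T10:00:20 203.0.113.9 web admin /export 200 80",
    "2024-05-01T10:00:25 203.0.113.9 admin db /dump 200 900",
    "malformed line that a real pipeline must not choke on",
    "2024-05-01T10:08:30 10.0.0.5 web api /orders 200 110",
]

# Assumed baselines that an observability pipeline would already hold.
KNOWN_IPS = {"10.0.0.5", "10.0.0.7"}
KNOWN_EDGES = {("web", "api"), ("api", "db")}

FIELDS = ("ts", "ip", "src", "dst", "path", "status", "latency_ms")


def parse(lines: List[str]) -> List[Dict]:
    """Parse log lines once; skip malformed lines instead of crashing."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, parts))
        try:
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["status"] = int(ev["status"])
            ev["latency_ms"] = int(ev["latency_ms"])
        except ValueError:
            continue
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


EVENTS = parse(LOG_LINES)


def golden_signals(events: List[Dict]) -> Dict:
    """Traffic, errors and latency from the access log. Saturation is the one
    golden signal an access log cannot supply; it needs host or queue metrics."""
    traffic = len(events)
    errors = sum(1 for e in events if e["status"] >= 500)
    latencies = sorted(e["latency_ms"] for e in events)
    return {
        "traffic": traffic,
        "errors": errors,
        "error_rate": errors / traffic if traffic else 0.0,
        "latency_p50_ms": latencies[len(latencies) // 2],
        "latency_max_ms": latencies[-1],
    }


def resources_for_ip(events: List[Dict], ip: str) -> List[Tuple[str, str]]:
    """SecOps question: which (service, path) resources has this IP touched?"""
    return sorted({(e["dst"], e["path"]) for e in events if e["ip"] == ip})


def new_ips(events: List[Dict], known: set) -> Dict[str, str]:
    """Source IPs absent from the baseline, with the time each was first seen."""
    first_seen: Dict[str, str] = {}
    for e in events:
        if e["ip"] not in known and e["ip"] not in first_seen:
            first_seen[e["ip"]] = e["ts"].isoformat()
    return first_seen


def new_edges(events: List[Dict], known: set) -> List[Tuple[str, str]]:
    """Service-to-service communication paths not in the baseline."""
    return sorted({(e["src"], e["dst"]) for e in events} - known)


def log_gaps(events: List[Dict], max_silence_s: int) -> List[Tuple[str, str, int]]:
    """Silences longer than max_silence_s between consecutive events: the
    signal to watch for when an intruder turns logging off."""
    gaps = []
    for prev, nxt in zip(events, events[1:]):
        delta = int((nxt["ts"] - prev["ts"]).total_seconds())
        if delta > max_silence_s:
            gaps.append((prev["ts"].isoformat(), nxt["ts"].isoformat(), delta))
    return gaps


if __name__ == "__main__":
    print("golden signals:", golden_signals(EVENTS))
    print("203.0.113.9 touched:", resources_for_ip(EVENTS, "203.0.113.9"))
    print("new IPs:", new_ips(EVENTS, KNOWN_IPS))
    print("new service edges:", new_edges(EVENTS, KNOWN_EDGES))
    print("log silences > 5 min:", log_gaps(EVENTS, 300))
```

The point of the design is that `parse` runs once and every question, SRE or SecOps, is a function over the same in-memory events, which is the integration the text asks for without forcing both teams into one product. In a real pipeline the baselines would come from the observability store and the silence threshold would be tuned per host, since a quiet batch job is not an intrusion.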
Advantages of Converging Observability and Cybersecurity
Gathering critical data once and giving both teams access to it is the biggest advantage of converging security and observability. Observability tools track changes in the environment, like code pushes and configuration changes to network devices; access to that data is important when security teams are tracking threats.
The reality is that this convergence may take a long time to come to fruition. The industry has been talking about the need for convergence for the past 15 years, but only now is real progress taking shape. And while this convergence can be a true benefit to both IT and security teams, most of the end users they serve do not care about it or even see it. Friction does arise, though, when a dozen separate agents end up running on every laptop.
Furthermore, security controls can affect end-user performance, and users then complain to observability teams that their networks are slower than usual. Fortunately, both IT and security teams want to improve enterprise performance and cyber resilience across their organizations, knowing that these goals are not mutually exclusive. They see the value of playing nicely together in the sandbox, and as AI and automation become more prevalent, converging IT observability and cybersecurity will become less daunting.