
Seemplicity Now a 2023 Gartner® Cool Vendor

Seemplicity Named a 2023 Gartner® Cool Vendor for the Modern Security Operations Center

Seemplicity believes the report validates that there is a critical need for a Remediation Operations platform that orchestrates, automates, and consolidates all remediation activities into one workspace. 

 

PALO ALTO, CA—SEPTEMBER 27, 2023—TE—Seemplicity Security today announced it has been named a Cool Vendor for the Modern Security Operations Center by Gartner, a company that delivers actionable, objective insight to executives and their teams.

 

The research by Gartner notes that “Security and risk management leaders are struggling to protect and defend their data and systems against an increasing volume of attackers, and across an increasing number of environments. Organizations must have a foundational set of security operations functions, but those that want to avoid security failures must be willing to adapt their people and processes, and experiment with new technologies and service approaches.”

 

Seemplicity Security empowers organizations to automate, scale and track their remediation operations to accelerate MTTR, improve security posture, and report on progress toward goals. The Seemplicity Remediation Operations platform is a SaaS application destined to be the leading productivity platform for exposure and vulnerability management teams.

 

“Enterprise security teams manage an overwhelming number of findings from an ever-growing security testing tech stack, making efficient risk and vulnerability remediation a near-impossible task,” said Yoran Sirkis, CEO and co-founder, Seemplicity. “Ad-hoc processes, unidentified remediation teams, and the inability to track and report on progress exacerbate the challenges.” 

 

Sirkis continued, “The result is many cloud misconfigurations and other risks go unmanaged and unresolved. We believe that being named a Gartner Cool Vendor validates the critical need for a Remediation Operations platform that streamlines collaboration and identifies the right person to fix the problem. Security teams need and want to treat RemOps as a mission critical, cross functional process, and our platform enables just that.”

 

Gartner, “Cool Vendors™ for the Modern Security Operations Center,” Angel Berrios, Jeremy D’Hoinne, Pete Shoard, Evgeny Mirolyubov, Carlos De Sola Caraballo, 30 August 2023.

 

To read the full report, click here.

 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

 

Gartner Disclaimer 

Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

 

About Seemplicity

Seemplicity is revolutionizing the way security teams drive and scale risk reduction efforts across organizations by orchestrating, automating, and consolidating all remediation activities into one workspace. As the first Remediation Operations platform created for modern security teams, Seemplicity transforms the remediation process into a streamlined and collaborative effort that can easily be utilized by developers, DevOps, cloud, and IT across the organization, helping them achieve complete operational resilience and establish a truly scalable security program. Seemplicity was founded in 2020 by cybersecurity veterans Yoran Sirkis, Ravid Circus, and Rotem Cohen Gadol, and its customers include Fortune 500 and publicly traded companies. For more information visit www.seemplicity.io

 

From Friction to Fusion: Alleviate Tension Between Security and Development Teams

Security is the cornerstone of the modern business landscape. Today, businesses are more conscious than ever of how their security strategy can impact their success. However, while security teams are gaining greater clout in organizations, the implementation and integration of strategic security processes within organizations have yet to keep pace with the growing importance of security. Consequently, though security teams have invested significantly in identifying risks, these risks are not necessarily mitigated in a timely way by the development and operations teams tasked with remediation.

This discrepancy often leads to tension between security teams and remediation teams – AppDev, CloudOps, ITOps, OTOps and lines of business. In this blog post, we explore these tensions and propose effective strategies to alleviate them.

 

The Root Causes of Tension Between Security and Remediation Teams

Just a few years ago, collaboration between security and development teams was fairly limited. Security teams would review the developed systems for vulnerabilities and suggest security improvements just a few times a year, when new product versions were introduced. This waterfall approach was fit for that era – when customers were expecting few, albeit feature-heavy, releases; security teams were primarily tasked with protecting the perimeter; and cyber security attacks were not such a common occurrence.

 

Digital Transformation Reshapes Roles and Relationships

Today, however, circumstances have changed, reshaping the roles and responsibilities of these departments. Digital transformation has driven software engineering teams towards faster release cycles. Microservices architectures and agile application development methodologies have resulted in faster time-to-market of leaner releases. As a result, application teams are now busier supporting the development and release of as many features as they can.

Along with those business benefits, the cloud has introduced new security challenges. Complex cloud environments and interconnected IT have made it harder for organizations to gain visibility into their entire IT ecosystem. This makes security teams more dependent on multiple, disparate development and operations teams than before to remediate risks. In addition, the decentralized nature of cloud-based IT also makes it harder to know about, manage and secure assets and data, making the role of security teams yet more difficult.

 

A Growing Number of Cyber Attacks

In parallel with the advancement of IT infrastructure, cyberattackers are also going through their own transformation, but this time organizations are receiving the short end of the stick. The threat landscape has evolved rapidly, with cybercriminals becoming more organized, sophisticated, and resourceful. They employ advanced techniques, such as ransomware, social engineering, zero-day exploits and supply chain attacks, to compromise systems, steal sensitive data, disrupt operations, or extort money. For example, according to the Verizon DBIR report 2023, ransomware rates grew in the past six years, while constituting 24% of all breaches in the past two.

The increased availability of hacking tools, exploit kits, and malware-as-a-service has contributed to this increase, by lowering the barrier to entry for cybercriminals, enabling even less technically skilled individuals to carry out attacks. ChatGPT, for example, helps attackers find vulnerabilities and sharpen their attack techniques, and can even generate exploit code.

In addition, organizations now store and manage vast amounts of valuable data, including customer information, intellectual property, financial records, and trade secrets. Cybercriminals aim to steal or exploit this data for financial gain, corporate espionage, or to disrupt business operations. The potential financial and reputational damage resulting from data breaches or unauthorized access to sensitive information is immense, leading to significant financial losses, legal liabilities, regulatory fines, and damage to brand reputation.

This means that while security teams are attempting to find new ways to secure complex digital environments, they are also dealing with the growing volume, sophistication and potential of cyber attacks. From the development and operations teams’ point of view, they are suddenly required to write and deploy code that is more secure than before, since the chances of it being exploited are higher.

 

Accountability vs. Authorization

As we’ve seen, technology is advancing rapidly. However, the structure and operations of remediation are still lagging behind. Organizations still operate in siloed organizational structures, where security and remediation functions operate independently and separately.

Security teams are responsible for identifying risks, conducting vulnerability assessments, and implementing security controls. Their KPIs are reducing the size of the backlog, mean-time-to-remediate risks and, ultimately, the security of the organization. On the other hand, remediation teams, such as AppDev, CloudOps, ITOps, OTOps, and lines of business, are responsible for developing, deploying, and maintaining applications, infrastructure, and ensuring ongoing operations. Their KPIs are fast releases, developing new features for customers and uptime. At the same time, they are also the ones who are required to remediate vulnerabilities.

The result is an “accountability-authorization” gap. Security teams are held accountable for organizational security, but they are not authorized to fix those vulnerabilities. Development teams aim to deliver high-quality and secure code; however, they are not completely held accountable for organizational security. On the other hand, they are held accountable for ensuring code is released quickly. Similarly, operations teams are held accountable for the ongoing availability of systems and services, but may not necessarily have to meet equivalent security service levels.

 

Security and Remediation Tension in the Day-to-Day

As a result of these transformative changes, security, development, and operations teams must now work more closely together than before. And while everyone has the same goal – delivering quality and secure apps, data, services, and systems – relationships are often strained. This manifests itself in the day-to-day as:

 

Miscommunication and Misalignment

Miscommunication between security and remediation teams is a common challenge in organizations. At the most basic level, there are differences in professional lingo and technical terminology. For example, security professionals may use technical terms and acronyms that development teams are unfamiliar with, and vice versa.

Security and remediation teams also follow different workflows and methods. Development teams work in sprints, which are often two weeks long. Their tasks are clearly determined and prioritized for the sprint, and they are measured on their ability to meet them. Security teams, on the other hand, operate similarly to other business employees, in weeks, months and quarters. This means that when security teams communicate requirements, their timing isn’t always aligned with development teams’ schedules. This could create confusion, frustration and even anger at security teams for derailing the sprint’s focus.

Finally, security and remediation teams follow different mindsets. While security teams focus on vulnerabilities and gaps, remediation teams are focused on their primary objectives of building, releasing and moving on to the next task. Security teams may feel that remediation teams are not taking concerns seriously and remediation teams may feel that security teams are not being realistic about the time and resources required to implement their recommendations.

These misalignments can hinder effective collaboration and understanding, leading to frustration and delays in addressing security issues.

 

Frustration and Tension Due to Lack of Resources

Remediation teams are tasked with delivering new features, maintaining existing systems, and supporting operational activities, typically with constraints in terms of time, budget, and staffing. Closing security gaps is part of a very long list of tasks engineers have to get done, yesterday, with one hand tied behind their back.

 

A Battle Over Competing Priorities

Security and remediation teams operate in a structure that is – unintentionally – designed to create conflict between them. This conflict, along with the lack of clear, effective and streamlined processes for ensuring secure code and operations, creates a reality in which developers and operators are forced to find their own balance between quick and efficient delivery and the security teams’ demands for risk mitigation. In other words, builders and operators may be the ones to choose which security tasks to get done. And if they lack clear direction from security teams, they might spend time and resources addressing low-priority issues while critical vulnerabilities remain unaddressed. Or they might abandon fixing security issues altogether.

 

How to Fix the Security-Remediation Gap

Since the tension between these teams is the result of circumstances that are within the control of organizations, organizations also have the power to untangle the security-remediation knot. Here are a few methods they can apply.

 

Shifting Left Security

“Shift left security” is an approach that advocates integrating security practices and considerations earlier in the software development or operational lifecycle. As mentioned earlier in this post, traditionally, security has been viewed as a separate phase that occurs towards the end of the development or deployment process. However, with the shift left security approach, security is moved earlier in the timeline. This includes incorporating security requirements, conducting threat modeling, performing secure code reviews, and implementing security testing and analysis tools as early as the development and design phases.

Shifting left security helps address security considerations from the outset. This enables organizations to proactively identify and mitigate potential vulnerabilities before they become more complex and costly to address, and before they create friction between security and remediation teams.

Shift left security also promotes collaboration and communication between security and remediation teams. By integrating security in the development phase, everyone has a better understanding of security requirements and challenges, leading to more effective security measures and reduced friction between teams.

 

Aligning Processes and Workflows

Aligning processes and workflows is crucial for organizations to improve collaboration, efficiency, and overall effectiveness in addressing security issues. These processes and workflows provide a structured framework for teams to follow, ensuring that security considerations are integrated seamlessly into development and operational activities. 

This involves defining clear roles, responsibilities, and handoffs between teams involved in security and remediation efforts, for example by implementing regular meetings, cross-team workshops, and shared collaboration platforms. This standardization will help ensure that everyone understands their tasks, the expected outcomes, and the sequence of activities to be followed.

In addition, such processes will foster open communication, enable knowledge sharing and strengthen the relationship between teams, to ensure that security issues are promptly addressed and that all stakeholders are kept informed.

 

Consider Tools that Support these Processes and Workflows

Leveraging automation and security tooling can significantly improve the ability to communicate, prioritize and mitigate security issues. Platforms that automate and orchestrate security and remediation workflows can cultivate a streamlined and collaborative effort. For example, a platform that incorporates vulnerability and risk mitigation workflows could benefit everyone by clearly pinpointing the issue, identifying the owners and tracking remediation progress. This increases productivity, reduces the workload for teams and enables scaling the remediation process. As a result, it also alleviates the tension and improves collaboration.

 

Next Steps for Your Organizations

The tension between security and remediation teams is a common issue that many organizations face. However, despite the different approaches each team has, it’s important to remember we all share the same overarching goal: protecting the organization from security threats and minimizing the impact of vulnerabilities.

Addressing this tension requires a change that involves people, processes, and technologies. This starts with building relationships and defining clear processes and workflows. Automated platforms can also help, since they lighten the overhead the teams have and help remove friction, which makes it easier for both teams to find ways to protect the organization.

To learn more about how Seemplicity can help automate remediation operations across your organization and accelerate risk reduction, click here.

Lessons to Apply Now from Dark Reading’s 2023 Risk Remediation Survey

Feeling bogged down trying to remediate all the risk findings your security scanning tools discover? You’re not alone. 

The “2023 State of Risk Remediation” report, new Dark Reading research commissioned by Seemplicity, surveyed 108 security professionals across companies with 100 or more employees to glean insight into their risk remediation process. The survey encompassed issues such as the number of security scanning tools companies use, how the security team figures out who should remediate a risk finding, and the obstacles and timelines within the organization’s remediation process.

The “2023 State of Risk Remediation” survey found that: 

  • It takes nearly 4 weeks to remediate each critical security risk from start to finish. A granular look at the end-to-end risk-reduction process shows remediation life cycles consistently measured in weeks, not days. 
  • The average organization manages 3 to 5 security tools, which adds complexity and slows down remediation. The data highlights that manual tasks and multiple feeds from disparate scanning tools conspire to drag down speed-to-remediation. 
  • 49% of security professionals don’t know who to contact to fix risks or verify fixes. Locating the correct “fixer,” getting a response to a remediation request, and verifying successful fixes are top time consumers for most organizations.
  • 97% would focus on more meaningful activities, such as proactive security, if remediation wasn’t so inefficient. If they weren’t bogged down with ad-hoc, manual and inefficient processes, respondents said they would be able to focus on actions to prevent incidents, such as additional architecture reviews, threat modeling, and security awareness training.

To analyze the most time-consuming aspects of remediation operations, the research broke the remediation operations process down into steps and measured how long it took to complete each step.

Figure 1: Remediation Process Broken Down by Time Spent on Each Step

 

Using this approach, the research was able to identify the bottlenecks in the remediation process, and where automation should be introduced to not just accelerate remediation, but also to scale it, regardless of the number of security scanning tools. 

Three key lessons emerged that organizations can act on now to improve risk reduction: 

1 – Automate risk reduction workflows so valuable security resources can focus on strategic security initiatives.

Employing judicious automation technology at every point in the remediation process and across disparate scanning and management platforms frees teams to focus on more strategic security initiatives while also improving remediation efficiency and performance.

2 – Acknowledge that remediation has many moving parts.

Effective prioritization, along with the ability to aggregate congruent issues in a single remediation ticket, are key steps in making risk remediation manageable. 

3 – Automate based on industry-proven approaches and knowledge.

An automated remediation workflow tasked with organizational risk reduction is only as good as the security expertise it’s built on. 

Download the full research report “The 2023 State of Risk Reduction: A Need for Speed” here.

Cracking the Code With Communication: The Catalyst for DevSecOps Success

Modern software development is about teams working together – think “DevOps” – and moving fast. To prevent bottlenecks, streamline the development cycle and improve efficiency, organizations are “shifting left” to include QA, performance and security tests into the development process. The move means tests are performed earlier in the CI/CD workflow, with security continuously built in throughout the software development lifecycle (SDLC). In turn, there is greater engagement between software development, security and operations teams (hence the term “DevSecOps”).

It is, therefore, unsurprising that in the recent SANS 2023 DevSecOps Survey, respondents ranked communication as the second most important factor to DevSecOps success.

Yet, despite its significance, DevSecOps communication tends to be disorderly and messy. The conflicting priorities of DevOps and security teams create friction, limiting their desire to collaborate and, in turn, communicate; where the former concentrates on speed and efficiency, the latter prioritizes safety practices. Additionally, organizational silos (ranked as one of the top three challenges to DevSecOps success in the SANS Survey for the last three years) and differing workflows and tools present a logistical nightmare that prevents seamless communication. This in itself is a barrier to effective communication, but also contributes to the tension, which further damages cross-functional communication – a classic catch-22 situation.

In short, the teams don’t think the same way or speak the same language. And, without effective communication to break down the silos, DevSecOps success is limited.

 

The consequences of poor communication

Poor communication hinders the efficiency of DevSecOps practices and slows down the SDLC. Without a collaborative workflow in place, DevOps teams get overwhelmed with security findings and open tickets that they need to prioritize and organize, while the security team is constantly on the chase to understand what, if anything, is being done about said findings. The administrative burden on all teams not only adds to the animosity they feel toward each other, but is a waste of resources and significantly reduces productivity. According to a Forbes Advisor analysis, 49% of respondents reported that ineffective communication impacted productivity.

 

 

In addition to the administrative burden of prioritizing and allocating tickets, when “fixers” are left with an unmanageable number of findings, the remediation process suffers and this can result in serious security issues later on in the development process. Small discoveries can snowball into major concerns if they are not addressed in a timely manner. The now much larger issue is a greater remediation challenge than if it were handled when first discovered, demanding considerable resources and delaying production output.

In many cases, however, findings don’t get addressed at all. Time constraints and a continuous influx of security findings make it near impossible for the DevOps team to remediate every vulnerability, meaning vulnerable code gets pushed out to production. Not only could this be a costly compliance breach, but the organization’s reputation is at risk should a customer suffer as a result of the vulnerabilities.

 

What can be done?

To put the “shifting left” mindset into practice effectively, communication between development, security and operations teams must be improved. Here are three steps that you can take now:

 

  • Embed a security mindset within the DevOps team

When DevOps personnel are equipped with greater cybersecurity knowledge, often through training and awareness programs, a culture of security becomes embedded within the team. Additionally, having a security champion on the DevOps team further helps to promote a security mindset and culture. Sharing the responsibility of security with the DevOps team fosters greater alignment and a more collaborative relationship. With a willingness to work together, communication between the teams will naturally improve.

  • Develop shared policies and data

Shared policies and data foster an environment of greater transparency and help build a common view. With teams aligned and on the same page, it is easier to communicate and set realistic expectations surrounding security. Moreover, when the DevOps team is able to meet security expectations, communication is further improved as there is less friction.

  • Eliminate administrative complexities

Implement tools that offer better visibility and context so remediation can occur quickly. Seemplicity’s Remediation Operations platform aggregates and deduplicates findings across a number of siloed solutions to offer complete visibility of security vulnerabilities while reducing the number of open tickets, and routes remediation requests to the relevant fixers. With the administrative burden out of the way, the security team maximizes engagement and communications with the DevOps team and enhances remediation efficiency.

Learn how Seemplicity’s RemOps platform enhances team collaboration and improves the remediation process.