Exploring the Convergence of Observability and Security - Part 3: Tools
June 07, 2023

Pete Goldin
APMdigest


With input from industry experts — both analysts and vendors — this 8-part blog series will explore what is driving the convergence of observability and security, the challenges and advantages, and how it may transform the IT landscape.

Start with: Exploring the Convergence of Observability and Security - Part 1

Start with: Exploring the Convergence of Observability and Security - Part 2: Logs, Metrics and Traces

The experts have all agreed that security teams can gain great benefits from utilizing observability data. But does this mean security and observability tools should be integrated, or even combined?

Chaim Mazal, Chief Security Officer at Gigamon, says the answer to this question is a resounding yes.

"Observability tools are powerful at aiding organizations in identifying security anomalies and pinpointing performance bottlenecks at the application layer. Logging provides foundational visibility into the applications running across their hybrid cloud infrastructure. But, as threat actors apply increasingly sophisticated techniques to breach an organization's technology environment, network-derived intelligence is vital to detecting lateral movement should a threat actor successfully gain access. If successful, threat actors can move across an organization undetected seeking to exploit proprietary or confidential information for financial gain. It's only by integrating logging with network-derived intelligence that IT organizations gain deep observability across their hybrid and multi-cloud infrastructure to detect previously unseen threats, deliver defense in depth, and complete performance management."

"Security and observability tools should absolutely be combined," says Prashant Prahlad, VP of Cloud Security Products at Datadog. "Traditional security solutions are targeted solely at security professionals. But, while security pros are responsible for finding vulnerabilities, misconfigurations and risks, developers are the ones responsible for fixing them. This is especially true when it comes to cloud security as most of the remediation requires working with a DevOps team."

"For example, security can't change the configuration of an S3 bucket without the risk of breaking something in production, which is why it is critical to have the DevOps and security teams aligned," Prahlad continues. "Because traditional solutions are aimed at security pros — who traditionally managed network security — they don't provide the shared context that organizations need to fix issues quickly and efficiently. A unified platform for observability and security is needed so that developers can work directly with security pros to visualize how threats and vulnerabilities are impacting their cloud environments and prioritize fixes faster. This approach breaks down silos between DevOps and security teams and creates the shared context they need to secure cloud environments."

However, convergence is difficult to prescribe, cautions Asaf Yigal, CTO of Logz.io. "Literally every organization is going to require a unique approach based on its specific makeup, whether this is a large or mature org with a lot of people given responsibility for dev, ops, security or even platform engineering. The platforms and tooling need to match the people and process, or evolve with it."

"At the same time, we know for sure that there is a huge benefit in bringing together the relevant data, either to be actioned centrally, say in a smaller shop with only a few people responsible for DevSecOps, or to be communicated across teams in a larger org with multiple groups spanning the entire landscape."

"There's also the huge benefit of tapping into a common data set," Yigal adds, "namely logs, and using a shared platform; this is for a lot of reasons, from using a common language for querying engines, etc., to having fewer vendors to manage. This is why nearly every major observability vendor also markets a SIEM — it just makes a lot of sense."

Adam Hert, Director of Product at Riverbed, agrees that tools should be integrated, but says, "Security and observability tools don't need to be combined. Some teams are trying to do this, but it does not make sense for organizations to do so, largely because you have two teams focused on very different goals. Security teams are tracking down threats, while observability teams are focused on making the enterprise more efficient and effective. Observability and security tools don't need to be combined, but they need to be able to integrate so that security tools can ask questions on the observability data."

Convergence Saves Money

"On the one hand, there's an argument to be made that security and observability tools should not be combined as most traditional monitoring and logging tools get bogged down by the strict retention requirements that are required by security tools for regulatory and compliance purposes of their products," says Jam Leomi, Lead Security Engineer at Honeycomb. "Applying that type of forensic-level, unsampled logging to observability tools would both be costly in terms of expense and speed, but also very inefficient."

"However, combining security and observability tools does have some functionality as it would cut down on costs drastically while creating an open field for collaboration between security, engineering, and the business to address incident response and the overall security posture assessment — generally, because there's a lot of natural crossover between the goals and initiatives for security and observability teams," Leomi continues. "For example, SOC2 controls require teams to keep up with performance metrics which observability platforms can offer fresh insights into data, even without having the granularity of each forensic row."

Colin Fallwell, Field CTO of Sumo Logic, agrees that any time teams can unify data and interfaces for managing observability and security, it's a win, both in reducing the cost of ownership and in the return that comes from uniform data and standards. "DevOps and SecOps need the same data, so why have two collection pipelines, for separate tools, capturing the same telemetric data? It really doesn't make sense. This redundancy is expensive and unnecessary."

"Additionally, there's a shortage of specialized security talent with the skillset needed to shift security left," says Leomi from Honeycomb. "Organizations are under increasing pressure to reduce spend without sacrificing ability, so naturally, they look for tools that can perform multiple functions like the ability to observe application performance while also being able to identify security vulnerabilities."

"Further exacerbating this trend is the scarcity of security talent needed to drive and meet security initiatives," Leomi adds. "This has driven organizations to rely on what they have, which is often product and platform engineering departments that are already using a tool for observability and one that can provide a good enough starting point for security."

Go to: Exploring the Convergence of Observability and Security - Part 4: Dashboards

Pete Goldin is Editor and Publisher of APMdigest