Security tools are getting more sophisticated. DevOps is bringing us automation in operations, and a more holistic way of looking at how we manage infrastructure. But all too often, we’re not doing basic things to improve security and reliability, like protecting against known vulnerabilities.

Hewlett Packard Enterprise’s 2016 Cyber Risk Report points out that “29 percent of all exploits samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.” It takes an average of 103 days for companies to patch known network and security vulnerabilities, according to a study vulnerability risk management vendor NopSec ran last year; that goes down to 97 days for healthcare providers and up to 176 days for financial services, banking and education organisations. That’s not taking into account misconfigurations, or lack of communication between different teams.

“If you’re blocking email from an IP address because it’s sending you phishing messages, you probably don’t want it to be logging in to your SQL database either, but your email and database admins probably aren’t sharing that information,” points out Paul Mockapetris, the chief scientist at THREATstop, which offers a cloud service for blocking known malicious IP addresses by regularly updating the block lists on your existing firewalls. It sends the details over DNS “for the same reason the bad guys use it for data exfiltration; it pretty much goes everywhere and every device in the world understands it.”

“We want to show that security can be understandable and simple,” says Mockapetris (best known as the co-inventor of DNS). “We can configure all your firewalls for you automatically.”

Chris Bridger’s, THREATstop’s senior director of security, points out the benefits of automation.
“Ensuring security controls are in place that govern network access and apply appropriate protection filters to block threats in near real-time becomes a challenge for any organization’s security policy. As the threat landscape is constantly changing, an automated approach which removes the time costs, as well as the potential for human error, has become an essential component.”

But Mockapetris makes a point that applies beyond THREATstop’s Shield service. It might not sound as sexy as threat intelligence systems with dramatic visualizations, he admits, “but you can fix a lot of your life by doing all that simple stuff.”

CaaS – get used to it

The idea of configuration as a service – and treating infrastructure declaratively – is part of the automation and standardization that enterprise IT departments are going to have to get comfortable with if they want private and hybrid cloud to work. If you run Azure Stack, Microsoft’s forthcoming hybrid cloud solution, you’ll be following a much more prescriptive way of working. “In the past, we left how to patch systems as an exercise for the customers. Now we’ll provide an update, and an orchestration system together with the patch,” explains Vijay Tewari from Microsoft’s Enterprise Cloud team. “We will orchestrate the patch across the system so it does not take down any workloads.”

The system will check itself as part of the update, he says, using the same Test in Production system it will use to avoid configuration drift. “How do you know the system has deployed correctly? Six months down the line, how do you know it’s still configured well? TIP is a series of scheduled tests for that.
And when we use automation to patch the system, we run TIP to check the system is healthy, then we patch it and then we run TIP again so we see that we got what we expected.”

That won’t be disruptive and it shouldn’t involve scheduling downtime. Before Azure Stack, Tewari worked on Microsoft’s Cloud Platform System, a hyperconverged appliance built with Dell hardware running the Windows Azure Pack. “For CPS, we release three patches a year. We can patch a customer on premise without bringing down their workloads,” says Tewari.

For your existing servers, there are plenty of tools for avoiding configuration drift in a more automated way, like a combination of Upguard’s Guardrail to look for changes in configuration over time, or between different servers, PowerShell Desired State Configuration scripts to apply the right configuration and Pester to run integration tests to make sure that configuration does what you want it to.

Doing that kind of configuration management at scale, as a service, is what Microsoft’s Operations Management Suite is designed for. It’s a mix of automation (including backup and recovery) for Windows Server, Linux, VMware, Azure, AWS and OpenStack, with security and compliance tools and log analytics that let you see how well you’re doing at the basics, like applying patches and getting configuration right. “It’s helping IT have a deeper view that makes their world easier,” claims Microsoft’s Jeremy Winter.

Skills gap continues to be a problem

Some of that is analysis you could already do with a tool like Splunk, but many customers didn’t have the expertise for that, he found. “I asked customers ‘why aren’t you using big data?
Why don’t you have big analytics systems?’ and they told us ‘I don’t know how to make head or tails of all the data in there; I’m not a data scientist, I’m not the expert that can string this all together, I’m busy at my own job,’ and that’s where the readymade solutions came from,” Winter explains.

“This correlation between what’s changing, this correlation of configuration and understanding the desired configuration state of your environment, and then overlaying that with security, compliance and everything else; it’s not an individual bunch of siloed tools; it’s a mashup of that information that’s where you get the power. You bring all your data into this environment and you start to have a nervous center for all this information, so you can correlate across it.”

But as more customers started using the service, Winter started noticing an interesting side effect that he calls ‘data exhaust’; patterns of information that emerge from the data customers are creating inside OMS. By uploading their logs in the Security and Audit Collection, customers don’t just get alerts about attacks that are happening. They also add their information about attacks to the details Microsoft gathers from its own system, making it easier to spot malicious IP addresses that are engaged in attacks.

There’s also a social, community aspect emerging, Winter says. “Another thing we saw – and it seems really simple; how long a patch takes to apply. How long is it taking other people?” That kind of comparison can be invaluable (rather than invidious), because it’s going to help you see how you’re doing on the basics. And if you don’t get those right, the most sophisticated threat intelligence systems can’t protect you.