ESG's Jon Oltsik talks with P.J. Bihuniak of ThetaPoint about SOAPA and Cybersecurity. This is part 2 of a 2-part series.
Jon: I’m back with PJ Bihuniak, COO of ThetaPoint. Welcome back.
PJ: Thank you, Jon. Appreciate it.
Jon: So, you are a person I know who’s been in the SIEM market for a long time. You worked at ArcSight, and there’s a lot of debate in the market. What’s the role of SIEM today? Is it central still? Does it go away? Is it a piece of SOAPA? So, what’s your read based on what you’re seeing on your customer base?
PJ: The evolution of SIEM has been pretty remarkable, right? Initially, it was, “Let me look for all the needles in the haystack by collecting all of this security-specific device feed information, and then let me try to, based on what you tell it, get something out of it.” The SIEM industry as a whole has done a great job of collection of data, and putting it into a format that we can actually do something that’s human-readable, right?
As a go-forward for SIEM, we still see the collection element to be extremely important. We see the real-time correlation to be extremely important, but there’s a variety of offshoots or purpose-built applications that are leveraging that data. So you’re seeing the adoption of new message buses like Kafka. You’re seeing the adoption of orchestration and automation technologies to improve those background process deficiencies that we tend to have in our organizations. And you’re seeing entity-based solutions that come in and kinda look at the entity information, and help me understand what my users are actually doing, whether they’re internal or external threats to the organization. But I think the collection and the correlation doesn’t go away. It’s just, “Now, what am I gonna do with it? And am I gonna use it in a more vendor-agnostic, purpose-built approach?”
Jon: So, if I can extrapolate from what you said, it maintains a central role, especially for data collection and data normalization, but there are pieces that need to plug into that, and that’s really what we’ve been talking about with SOAPA. So, one of the things you mentioned in part 1 was the skills shortage, which is a pet issue of mine. So, what are the specific skills deficits you’re seeing in security operations, and how does ThetaPoint come in and help supplement those skills?
PJ: If we look at the underutilization of technology that we talked about in part 1, and we look at the integration points that we’re talking about right now, having a high-level plan and architecture around that, what you’re going to do with an end-game in mind, is really a challenge for organizations. They just don’t have the skillsets in place to do so unless you’re a very, very large entity. Secondarily, the usage of the data so that you’re not reactionary is a big problem. So, understanding what you can do with the data and making sure that you’ve got appropriate controls in place is when organizations would reach out to ThetaPoint and say, “Hey, I need to come up with a high-level plan. What’s my plan going to be for a security operation center? Do I have the appropriate people and processes in place? If not, how do I augment that?” And then along those lines, “Hey, I don’t want my people doing the operations and maintenance. Can you maintain that for me so that I can actually focus my time on actually getting, you know, value out of my investments?”
Jon: And is there any pattern there? Do you see any particular kinds of organizations looking for particular things, or is it all over the board?
PJ: All over the board. It depends on the client, depends on the industry, and where they are in that process.
Jon: Sure. Now, what about…you mentioned throughout these videos that there are different tools. In fact, you just said SIEM has a function, but you may want entity-based information. Are you doing anything to help companies integrate those different analytics tools into some kind of central SOAPA architecture?
PJ: Yes, absolutely. The most common integration point in helping our clients has been threat intelligence platforms, right? So, it traditionally was, “Let me get intelligence feeds where there was an open-source feed,” whether it was through an industry-specific feed or whatever the case might be. Now you’re seeing organizations say, “I’m doing my collection through my SIEM platform or SIEM technology. I’m doing some real-time correlation, but how do I make sure that my level 1 and level 2 analysts know what an incident is? Now they’re doing proper data forensic handling, and we’ve got the appropriate processes in place.”
So, helping them integrate that into the security stack that they already have has been a critical component for most industries and most organizations, and you’re starting to see some organizations leverage entity-based correlation, but it’s still leveraging the same data that’s already going into the SIEM, so it’s a logical integration point.
Jon: And, when you do that kind of integration, is it all custom work, or are you seeing standards evolve to help you, or are you seeing thought leadership in the industry, in the technology vendors? Anything there?
PJ: No standard as of yet. You’re seeing attempts. We’ll leave it at that, but the attempts tend to be very silo-specific. So, a particular vendor buys a technology, and it’s bolted on to that technology. Unfortunately, most of our clients are asking for a vendor-agnostic approach. So they don’t want to be tied in. They want to have options, and we make it a point to give them those options and flexibility.
Jon: Yeah. And that's a great answer because what you're articulating to me is the rationale that we have for SOAPA, which is, security operations is a multi-vendor environment. And sure, there are vendors who'd like to own the whole stack, but that won't happen anytime soon, so therefore, it would be great if the industry would collaborate on some type of a standard architecture to plug in the pieces. Do you ever get anyone asking about that, or are you sort of involved in pushing something like that with your customers?
PJ: Well, believe it or not, it's a natural place for government-commercial collaboration. So, ThetaPoint does an awful lot of work in both sides, right, on the commercial side as well as on the federal side. And that's a natural place for that type of activity and behavior to occur, but there's certainly a pent-up need for better collaboration between the two. So, that seems like the most logical place, and we're at an interesting perspective in the fact that we can see across both sides and how that could come together very nicely.
Jon: Yeah, and you're right. We’ve seen some of that in the past. So, for instance, STIX and TAXII came out of MITRE, threat intelligence standards for integration, and we'd love to see more.
So, where do you see the future going for ThetaPoint and for security operations? Because, to me, we're at a critical point where we just can't keep up. So, how do we move forward with something like SOAPA to keep up?
PJ: I think SOAPA's going to be critical for a variety of reasons. One, we're still going to have the skills shortage. That's not going to change anytime between now and then. I think you're going to see a convergence between IT operations and security operations, especially if we look at, you know, recent breach activity around, you know, patch management, and the challenges around patch management. So, that needs to be more integrated. As it relates to ThetaPoint, because of that skills shortage, we hope that we're in the sweet spot in being able to address a lot of those gaps, whether it's architecting, engineering, operating and maintaining those technologies for those clients. But, fundamentally, it's going to be a process challenge, and that process challenge is going to be, "At what point do I start leveraging third-party firms to help me in this because of my skills gaps?" And I think a logical place will be the outsourcing or the elimination of Level 1, Level 2 types of analyst jobs, and you're gonna see more business intelligence as it relates to, what do these threats mean to me, and what are the actors, and what are they possibly after.
Jon: Yeah. I think so, too. This is a critical area and we don't have enough people, so something has to give, and service providers make a kind of a natural bridging of that gap.
Jon: So, thanks again for participating in the video series, and stay tuned for more SOAPA videos, and see our website for the whole series.