Let’s face it, cybersecurity is a geeky domain. While much of IT has shifted its focus to things like business processes enablement and digital transformation, infosec pros still spend much of their waking hours in the weeds, looking at things like protocol anomalies, SQL statements, command shells, etc.
This technical purview has been a highlight of security operations products since their inception. In the early days (late 1990s), security analysts’ jobs depended upon technical tools like tcpdump and Ethereal/Wireshark to look for suspicious activities within network packets. The next step was searching for clues through syslog, which led to the use of log management tools and then to the evolution of SIEM in the 1999-2000 timeframe.
We’ve certainly progressed in the last 18 years, but there is a consistent pattern. Security operations technologies remain threat- and/or telemetry-focused. In other words, each tool was designed to collect, filter, and correlate data elements based upon rules, behavioral heuristics, or analytics algorithms, with the goal of finding some type of needle in a growing haystack.
Now this data focus is necessary but simultaneously incomplete because it fails to address a major question: What the heck should SOC analysts do when a security operations tool delivers a telemetry-based conclusion?
Unfortunately, cybersecurity professionals were always left to answer this question on their own—that is until recently. First, early SOAR pioneers (i.e., Invotas, Phantom, Resilient, ServiceNow, etc.) recognized a gap between security operations technologies and processes and began to fill it with tools for process automation and orchestration. A good start but these new capabilities assumed that SOC analysts knew which processes to automate and orchestrate. In many cases, this simply wasn’t the case.
I believe we are now seeing the next step of the evolution, a category called security operations platforms led by a variety of vendors like D3 Security, Demisto, JASK, Siemplify, Swimlane, Uplevel Security, etc. Some are evolving from SOAR while others come from security analytics. Regardless of their backgrounds, all these vendors are taking the next logical step by helping organizations decide what decisions to make and which processes to undertake once security analytics tools identify a problem.
I call these analyst-centric security operations technologies, designed to offer:
- Noise cancelling assistance. Security operations is built on a foundation of terabytes of log data, threat intelligence, and security telemetry. In the past, human analysts were called upon to sort through the haystacks on their own, but we’ve reached a scalability point of no return here. Analyst-centric security operations technologies let the machines do what they do best: Sort through the data automatically as a proxy for human beings. In other words, analyst-centric security operations technologies are programmed to emulate SOC investigations, get to root cause, and suggest a remediation plan, at scale.
- A single pane of glass. The reliance on "swivel chair" security operations demanded that SOC analysts go from console to console and somehow correlate all the reporting in their heads. Analyst-centric security operations aggregates everything into a SOC manager-of-managers, providing the proverbial "single pane of glass" for SOC teams. Future products will likely incorporate new types of displays, input devices, and visual analytics to further support and enable SOC teams.
- Canned models and routines. This is really the key advancement here. Vendors with deep SOC experience are programming security operations expertise into the tools themselves. Think best practices for security investigations, runbooks, and remediation actions. This provides a great starting point for security operations novices while advanced organizations can customize these templates to fit their more mature processes.
- Continuous learning and sharing. Analyst-centric security operations technologies monitor security analysts’ activities, keeping tabs on what works and what doesn’t. Over time, these tools can recognize patterns and then suggest tasks and processes that were most effective in the past. Furthermore, this learning can occur across multiple organizations. I believe that security operations best practice sharing could be one of the most important benefits offered by this technology advancement.
The shift toward analyst-centric security operations technology is in its genesis phase, but I’m encouraged by what I’m seeing. It is, in effect, the next generation of SOAPA. IBM and Splunk have already substantiated this market shift with acquisitions (i.e., IBM/Resilient, Splunk/Caspida, and Splunk/Phantom). Look for lots more innovation, investment, and purchases in the next few months.