For over a year now, I’ve written about a burgeoning security technology initiative that ESG calls a security operations and analytics platform architecture (SOAPA). Here’s a link to the original blog I posted about SOAPA back in November 2016.
My thoughts behind the need for SOAPA are pretty simple:
- Independent point tools that provide a myopic perspective on security events are inefficient as they depend upon humans to piece a holistic picture together. SOAPA is meant to aggregate, correlate, curate, and contextualize data and analytics from discrete tools.
- Security operations remains anchored to manual processes and human intelligence. The problem here is obvious. Security workloads are rapidly increasing but manual processes and human beings can’t scale to address new requirements. SOAPA is designed with automation and orchestration in mind to alleviate these issues.
- According to recent research from ESG and the Information Systems Security Association (ISSA), 70% of cybersecurity pros claim that the skills shortage has had an impact on their organization. What type of impact? Things like increasing the workload on staff, forcing them to hire and train junior personnel, creating an environment where the infosec team spends most of its time on emergencies, etc. SOAPA is intended to provide central command-and-control for security controls, monitoring, and operations, enabling the cybersecurity team to work smarter, not harder.
CISOs recognize these issues and many are addressing them head-on. According to ESG research from 2017, 21% of organizations say that consolidating and integrating security technologies was one of their highest priorities.
Organizations engaged in SOAPA projects tend to be on the leading edge, with the architectural, engineering, and technical skills to link tools together through APIs or by using a distributed streaming platform like Apache Kafka.
Unfortunately, the majority of organizations have all the requirements described above but lack the resources for do-it-yourself SOAPA projects. CISOs whose organizations fit this description should dig into proprietary SOAPA solutions in 2018 to see if they can find a lead vendor who can provide all or most of the architecture on their own.
For these CISOs, allow me to offer a few recommendations:
- Aim high by looking for an all-in-one solution. A true SOAPA solution should offer central policy management, leading security analytics, an automation/orchestration abstraction layer, and distributed controls for policy enforcement. These elements should be glued together through common data and storage management, a messaging bus, APIs for integration, etc. CISOs should push vendors on enterprise-class scale and functionality, their integration layers, partnerships, their roadmaps, etc.
- Insist on openness. No vendor will offer everything so demand that vendors adhere to open standards, publish APIs, offer developer support, and partner with other security vendors as a community. While vendors may want the whole enchilada, leading SOAPA solutions should still be able to interoperate with best-of-breed point tools as well.
- Consider how MSSP and SaaS services fit into SOAPA. Many organizations will want to supplement internal cybersecurity efforts with managed security services or SaaS offerings. For example, CISOs may look at managed EDR from Binary Defense or CrowdStrike, or threat intelligence platform services from Anomali, Recorded Future, ThreatConnect, ThreatQuotient, etc. Leading SOAPA offerings should provide easy integration with these kinds of third-party services. It's also important to consider how SOAPA can protect cloud-based workloads and use cloud-based resources to scale the architecture.
- Explore opportunities to replace existing point tools with SOAPA components. With SOAPA, the whole is truly greater than the sum of its parts. So, while they may be completely satisfied with their current AV software, firewall, or web gateway, CISOs should weigh the cumulative architectural benefits of SOAPA against the discrete advantages of a myriad of disparate tools.
- Cast a very, very wide net. SOAPA is still in its genesis, so many vendors are still in their development phase. Remember too that SOAPA is an enterprise security architecture, and many security vendors are rooted in transactional technology sales rather than strategic projects. The list of vendors introducing SOAPA-like architectural solutions is long and includes SIEM vendors (IBM, LogRhythm, Splunk, etc.), endpoint security vendors (McAfee, Symantec, Trend Micro, etc.), and network security vendors (Check Point Software, Cisco, Forcepoint, Fortinet, Palo Alto Networks, etc.). CISOs must understand that they will be banking on a SOAPA vendor for years to come, so it’s important to spend ample time getting to know the market and the strengths/weaknesses of diverse SOAPA offerings.
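To make the "aggregate, correlate, curate, and contextualize" idea and the common-data/messaging-bus layer from the first recommendation concrete, here is an added illustration (my own sketch, not code from ESG or any vendor named above). It uses constructed events in hypothetical EDR and firewall formats, a plain list standing in for a Kafka topic, and a constructed asset inventory and threat-intel table; it normalizes the tool-specific records into one schema, correlates them per host, enriches the result, and hands a scored action to an orchestration layer.

```python
"""Mini SOAPA pipeline: normalize, correlate, contextualize events from discrete tools."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events in hypothetical tool-specific formats (not real product output).
EDR_RAW = [{"hostname": "ws-042", "ts": "2018-01-10T09:00:05", "proc": "powershell.exe"}]
FW_RAW = [
    {"src_host": "ws-042", "time": "2018-01-10T09:01:10", "dst_ip": "203.0.113.7", "action": "allow"},
    {"src_host": "ws-077", "time": "2018-01-10T09:02:00", "dst_ip": "198.51.100.9", "action": "allow"},
]
TI_RAW = {"203.0.113.7": "known-c2"}                                   # constructed threat intel
ASSETS = {"ws-042": {"owner": "finance", "criticality": "high"}}      # constructed asset inventory

def normalize_edr(e):
    """Adapter: EDR format -> common schema (host, time, source, detail)."""
    return {"host": e["hostname"], "t": datetime.fromisoformat(e["ts"]), "src": "edr", "detail": e["proc"]}

def normalize_fw(e):
    """Adapter: firewall format -> common schema."""
    return {"host": e["src_host"], "t": datetime.fromisoformat(e["time"]), "src": "fw", "detail": e["dst_ip"]}

def publish(bus, events):
    """Messaging-bus abstraction; a Kafka producer would replace the list append."""
    bus.extend(events)

def correlate(bus, window=timedelta(minutes=5)):
    """Group by host; open a case only when EDR and firewall both fire within the window."""
    by_host = defaultdict(list)
    for ev in bus:
        by_host[ev["host"]].append(ev)
    cases = []
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x["t"])
        if {"edr", "fw"} <= {e["src"] for e in evs} and evs[-1]["t"] - evs[0]["t"] <= window:
            cases.append({"host": host, "events": evs})
    return cases

def contextualize(case):
    """Enrich with asset inventory and threat intel, then score for the orchestration layer."""
    asset = ASSETS.get(case["host"], {"owner": "unknown", "criticality": "low"})
    ti_hits = [TI_RAW[e["detail"]] for e in case["events"] if e["src"] == "fw" and e["detail"] in TI_RAW]
    score = (3 if asset["criticality"] == "high" else 1) + 2 * len(ti_hits)
    action = "isolate_host" if score >= 5 else "open_ticket"   # hypothetical playbook names
    return {**case, "owner": asset["owner"], "ti": ti_hits, "score": score, "action": action}

def run_pipeline():
    bus = []
    publish(bus, [normalize_edr(e) for e in EDR_RAW])
    publish(bus, [normalize_fw(e) for e in FW_RAW])
    return [contextualize(c) for c in correlate(bus)]
```

The host with only a firewall event never becomes a case, which is the point: no single tool's view is acted on until the platform has the others' data to correlate against.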
If none of the commercial SOAPA offerings look appealing, CISOs may want to consider professional service providers like ThetaPoint that can start with their existing security technologies and then build a custom SOAPA solution for them.