I’ve written about SOAPA for almost a year now, here’s a link to the original blog I posted last November. The concept seems to be catching on in the industry. I’ve had lots of industry leaders participate in SOAPA videos with me and there are many more videos in the works.
I’m happy to say that SOAPA isn’t just an analyst idea or industry buzzword. In fact, 21% of enterprise organizations say that they are very active in integrating security operations technologies and creating a security operations architecture is one of their highest priorities, while another 50% are somewhat active in this area.
Security pros are moving to SOAPA for several reasons:
- 31% say they are prioritizing integration and building a security operations architecture because it will help their organization better identify and communicate risks to the business. This is because they will have access to more security data and will be able to enrich, contextualize, and correlate this data across analytics tools.
- 30% say they are prioritizing integration and building a security operations architecture because they believe that consolidating and integrating security analytics and operations tools will help them automate manual processes. This is especially important given the global cybersecurity skills shortage.
- 30% say they are prioritizing integration and building a security operations architecture to accelerate incident detection. As we’ve learned from the Verizon DBIR, incident detection often takes weeks or months. Clearly security professionals believe that SOAPA may be able to help here.
- 29% say they are prioritizing integration and building a security operations architecture to improve collaboration between security and IT operations teams. This makes sense for things like using a central case management system that can track and report on the entire incident lifecycle.
- 29% say they are prioritizing integration and building a security operations architecture can help their organization improve situational awareness of security across the network. This happens by tracking behavior across endpoints, networks, gateways, external threat intelligence, etc.
These are perfectly good reasons why enterprise organizations should design and build SOAPA. What would be really helpful however, is if the security industry, government standards bodies like NIST, and large enterprises came together to design an industry standard version of SOAPA. I’m thinking standard interfaces, standard data formats, standard middleware, etc.
In my humble opinion, an industry standard security operations architecture could be a force multiplier for all parties as it could:
- Increase technology options. Security technologies could easily plug into a standard architecture. This would ease the integration burden and open a wide range of technology choices for enterprises. CISOs could adopt network security analytics in 2017 and then add EDR in 2018. These two analytics tools could then work together for end-to-end security investigations, threat hunting, etc. Similarly, industry standards would greatly ease the burden of replacing one security tool with another.
- Enhance innovation. With industry standards established, security technology vendors could focus on product functionality rather than forming one-off technology integration partnerships with other vendors. Similarly, security professionals could develop and maintain their own code more seamlessly than they do today.
- Promote greater security efficacy. Security analytics tools based upon artificial intelligence and machine learning could mature a lot faster if all data from all tools was available to them in a common format.
- Create a global sense of community. Imagine if cybersecurity professionals gained experience on a common security architecture. This would enable greater cooperation, code sharing and exchange, industry use cases, etc.
There have been some SOAPA-like efforts from the industry to date such as the Platform Exchange Grid (pxGrid) from Cisco and the Data Exchange Layer (DXL) from McAfee. Still, these are quasi-open standards, not the fully open industry standard SOAPA platform that I envision.
I’m hopeful that large enterprises, government agencies, and yes, even security vendors themselves will realize that the best way to make real progress is if we all pull together. Yes, I know that this is somewhat idealistic, but we are talking about our own security here so perhaps some type of collaboration is possible.
Personally, I’m available by email, phone, Twitter, etc. and am happy to help facilitate this effort any way I can.