Happy new year, cybersecurity community! Hope you are well rested; it’s bound to be an eventful year ahead.
Way back at the end of November 2016, I posted a blog about an evolutionary trend I see happening around cybersecurity analytics and operations technology. Historically, large enterprises have relied on SIEM products to anchor their SOCs. This will continue but I see SIEM becoming part of a more global cybersecurity software architecture called SOAPA (i.e., security operations and analytics platform architecture).
SOAPA uses middleware (i.e., message queueing, transaction processing, etc.), APIs, and industry standards like CybOX, STIX, and TAXII to connect disparate cybersecurity analytics and operations tools and data sources like EDR, network security analytics, UBA/machine learning analytics systems, vulnerability scanners, security asset management, anti-malware sandboxes/cloud services, incident response platforms, and threat intelligence into a cohesive software architecture. In this way, disparate analytics tools can be used collectively to gain more context out of the data while accelerating processes and cybersecurity operations.
Why will SOAPA continue to gain momentum? Here’s a fundamental reason – today’s security operations centers (SOCs) are being barraged by a massive increase in security data collection and processing. In fact, ESG research indicates:
- 35% of enterprise organizations expect to collect, process, and analyze significantly more internal security data over the next 12 to 24 months while another 37% believe they will collect, process, and analyze somewhat more internal security data over the next 12 to 24 months.
- 24% of enterprise organizations expect to collect, process, and analyze significantly more external security data over the next 12 to 24 months while another 31% believe they will collect, process, and analyze somewhat more external security data over the next 12 to 24 months.
To put this data another way, 72% of enterprises are planning new security initiatives like EDR, network forensic investigations, “hunting,” or privileged user monitoring that will drive more internal data collection, processing, and analysis. Similarly, 55% of large organizations will collect, process, and analyze an increasing amount of external open source, commercial, and industry threat intelligence as well as cloud-based data from IaaS, PaaS, and SaaS providers.
Now most organizations I speak with begin collecting, processing, and analyzing this data in isolation with some distinct goal in mind. It doesn’t take too long for them to realize however that secluded cybersecurity data can be enriched with other data sources to gain greater visibility and context about what’s happening across the network. For example, threat intelligence can be used to find IoCs and TTPs associated with cyber-attacks that can then be compared to security alerts, logs, and endpoint/network behavior to see if “in-the-wild” cybersecurity threats have made their way to the corporate network.
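The enrichment step just described (threat-intelligence IoCs compared against logs and alerts to see whether an in-the-wild threat has reached the network) can be shown in a few dozen lines. The block below is an added example and is not code from the original post, from ESG, or from any SOAPA vendor. It assumes a simplified, constructed indicator feed modelled loosely on STIX indicator patterns (only the single-comparison form `[object:property = 'value']` is parsed; the `x_ttp` property is a constructed custom field carrying an ATT&CK-style technique ID) and constructed key=value log lines from a proxy and an EDR agent.

```python
"""Match threat-intelligence IoCs against security log lines.

Added example (not the post's or any product's code): a minimal version of
the enrichment step in the text, i.e. threat intel -> IoC index -> compare
with log/alert fields -> group hits by TTP for context.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed indicator feed, loosely modelled on STIX indicator objects.
# "x_ttp" is a constructed custom property holding an ATT&CK technique ID.
THREAT_INTEL_JSON = json.dumps({
    "objects": [
        {"type": "indicator", "id": "indicator--0001",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "description": "C2 beacon address, constructed campaign EXAMPLE-1",
         "x_ttp": "T1071.001"},
        {"type": "indicator", "id": "indicator--0002",
         "pattern": "[domain-name:value = 'updates.example-bad.test']",
         "description": "Staging domain, constructed campaign EXAMPLE-1",
         "x_ttp": "T1105"},
        {"type": "indicator", "id": "indicator--0003",
         "pattern": "[file:hashes.'SHA-256' = '" + "a1" * 32 + "']",
         "description": "Dropper hash, constructed campaign EXAMPLE-1",
         "x_ttp": "T1204.002"},
        {"type": "malware", "id": "malware--0001", "name": "not an indicator"},
    ]
})

# Constructed log lines in a simple key=value format: two proxy records and
# one EDR process-creation event. Addresses are documentation ranges.
SAMPLE_LOGS = [
    "2017-01-03T10:15:02Z proxy src=10.1.2.3 dst=203.0.113.45 "
    "host=updates.example-bad.test action=allowed",
    "2017-01-03T10:16:40Z edr host=WS-042 event=process_create "
    "sha256=" + "a1" * 32 + " path=C:\\Temp\\svc.exe",
    "2017-01-03T10:17:00Z proxy src=10.1.2.9 dst=198.51.100.7 "
    "host=www.example.com action=allowed",
]

# Only the simple single-comparison STIX pattern form is supported here.
PATTERN_RE = re.compile(
    r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]")
KV_RE = re.compile(r"(?P<key>\w+)=(?P<val>\S+)")
OBJECT_TO_IOC_TYPE = {"ipv4-addr": "ip", "domain-name": "domain", "file": "sha256"}


@dataclass(frozen=True)
class Indicator:
    id: str
    ioc_type: str
    value: str
    description: str
    ttp: str


@dataclass(frozen=True)
class Match:
    log_line: str
    field: str
    indicator: Indicator


def load_indicators(feed_json: str) -> Dict[str, Indicator]:
    """Build a lookup table keyed by normalised (lower-cased) IoC value."""
    index: Dict[str, Indicator] = {}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if not m or m["obj"] not in OBJECT_TO_IOC_TYPE:
            continue  # compound or unknown pattern: skip rather than guess
        ind = Indicator(obj["id"], OBJECT_TO_IOC_TYPE[m["obj"]], m["val"].lower(),
                        obj.get("description", ""), obj.get("x_ttp", ""))
        index[ind.value] = ind
    return index


def match_logs(lines: List[str], index: Dict[str, Indicator]) -> List[Match]:
    """Compare every key=value field of each log line against the IoC index."""
    matches: List[Match] = []
    for line in lines:
        for kv in KV_RE.finditer(line):
            ind = index.get(kv["val"].lower())
            if ind is not None:
                matches.append(Match(line, kv["key"], ind))
    return matches


def summarise(matches: List[Match]) -> Dict[str, List[str]]:
    """Group hits by TTP so the analyst sees campaign context, not isolated alerts."""
    by_ttp: Dict[str, List[str]] = {}
    for m in matches:
        by_ttp.setdefault(m.indicator.ttp, []).append(m.indicator.id)
    return by_ttp


if __name__ == "__main__":
    idx = load_indicators(THREAT_INTEL_JSON)
    hits = match_logs(SAMPLE_LOGS, idx)
    for h in hits:
        print(f"{h.indicator.ttp} {h.indicator.id}: {h.field}={h.indicator.value}")
    print(summarise(hits))
```

The point of the last step is the one the paragraph makes: a single proxy hit on a C2 address is a low-context alert, but the same hit seen next to the staging-domain lookup and the dropper hash on an endpoint reads as one intrusion with identifiable TTPs. In a real SOAPA deployment the index would be fed over TAXII rather than from an inline string, and the log fields would come from the SIEM or EDR API rather than a list of strings.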
How should enterprise organizations adjust their strategies to accommodate massive cybersecurity data growth? CISOs I speak with have three general recommendations:
- Start with operational goals rather than technology projects. At the end of the day, SOAPA (and associated data collection) should be viewed as a technology initiative that can drive security operations results. Enterprise organizations have too few cybersecurity specialists and too many manual processes. The clear goal for SOAPA, then, should be to use security data to increase productivity, accelerate incident response, and automate tedious manual tasks.
- Think software architecture, not tools integration. SOAPA should be built as a scalable architecture that can accommodate increasing data volumes, scalability requirements, and future needs. As such, enterprises must avoid the temptation of quick-fix solutions that integrate a few point products together. Instead, CISOs should study enterprise software architecture from vendors like Microsoft, Oracle, and SAP to get ideas for SOAPA.
- Keep the cloud in mind. Given the global cybersecurity skills shortage, many organizations will opt for cloud-based security solutions. Cybersecurity professionals must procure these services with SOAPA integration in mind. Additionally, massive SOAPA data requirements may require tiered data management/storage with archival data tucked away on spinning disks in the cloud.