If you’ve read my columns over the past few years, you’ve seen a security operations effort I’ve been pushing called SOAPA (security operations and analytics platform architecture). I first conceived of SOAPA as an antidote for the existing security operations practice of relying on an army of independent and disconnected security tools.
Now this army formed over time as organizations added different security controls and threat detection systems. And while they didn’t mean to create an unmanageable monster, that’s what they got. Each system requires its own setup and ongoing management. Each one does its own alerting and reporting. Each one demands employee training, etc. Meanwhile, security operations is based on pivoting from one tool to the next and relying on humans to make sense of the whole enchilada.
SOAPA is meant to address this complexity with a tightly-integrated security operations stack consisting of:
- Common data services. Security operations is based upon a growing assortment of data types totaling terabytes per day, and all the data must be ingested, processed, and made available for analysis. SOAPA centralizes these functions, freeing analytics engines from data management tasks.
- Software services. In the old days, we called this middleware. SOAPA uses a software services layer to deliver data elements to the right analytics engines in the right formats.
- Analytics layer. This is where the data is turned into insight using tools such as threat intelligence platforms, behavioral analytics, SIEM, etc.
- A security operations layer. Once the data is analyzed, organizations still need to take actions like quarantining a system, modifying a security control, or installing a software patch. These and many other tasks are performed by the security operations layer.
Looking forward to 2019, I see several industry initiatives and open source software projects that have the potential to make significant contributions to SOAPA. Some of those I’m tracking include:
- The MITRE ATT&CK framework (MAF). I see more enterprise organizations using the MITRE ATT&CK framework each day, as it can help them view security events and controls from an attacker’s perspective. In 2019, MAF will be further integrated into the SOAPA security analytics layer and become a feedback loop from the security operations layer to the security controls for fine-tuning enforcement policies.
- Apache Kafka. Kafka is an open source distributed streaming platform used to build real-time data pipelines. In 2019, large enterprises will embrace Kafka to deal with massive growth in distributed security data telemetry. This really isn’t anything new – Splunk already provides a Kafka connector while McAfee’s homegrown SOAPA architecture includes Kafka. Nevertheless, we’ll hear more about Kafka and SOAPA next year.
- The ELK stack. Elasticsearch, Logstash, and Kibana (ELK) is another open source software project gaining momentum with security analytics and operations, as it provides good data collection, retention, and analytics capabilities. Some enterprises use ELK as an adjunct to a traditional SIEM for use cases like threat hunting and forensic investigations. The knock on ELK is that it takes advanced skills to build and operate, but given its strengths, look for vendors to push ELK into the commercial market in 2019. Empow cyber security is already doing this today, others will follow.
- OpenC2 came out of a US DoD effort called integrated active cyber defense (IACD). To gain broader appeal, the Feds handed it over to OASIS, which is now actively recruiting members. OpenC2 is a great idea as it seeks to standardize command-and-control between security management and control planes. So, rather than figuring out how to talk to firewalls from Check Point, Cisco, Fortinet, and Palo Alto Networks, security operations tools would have a standard way to issue commands. I’m hearing whispers about OpenC2 today and am hopeful that it gains momentum in 2019.
I’m tracking several other initiatives, but these are the ones that jump out at me. Are there others I should keep my eye on? Please let me know.