In this ESG 360 Video, ESG's Jon Oltsik and Doug Cahill talk about the need for a Security Operations Analytics Platform Architecture.
Doug: I'm here with Jon Oltsik, and today we're gonna be sharing some thoughts on a cybersecurity reference architecture. And, Jon, we recently completed some market research on the notion of enterprise cybersecurity vendors, and in that research, we asked organizations about their move to an architecture, their perspective on platforms, and you've been writing in your Network World blog about the notion of a cybersecurity operations analytics platform architecture. What's behind that? Why the need for that kind of architecture? What are the business drivers?
Jon: Yeah, Doug, so we're calling it "SOAPA." Enterprise organizations need to know what assets are on their network, they need to know the status of those assets, they need to know how those assets are behaving, they need to know how those assets are behaving in relation to one another, and then they need to make decisions on how those assets are behaving in relation to one another to understand if that's malicious behavior, suspicious behavior, and what actions they take. And, that's a scalability issue, that's a data analytics issue, that's a command and control issue. And the tools that we've used historically have been sort of point tools, isolated so we could make decisions in isolation, but we couldn't make decisions based on the context of everything that's going on and everything that's changing. And that's driving this need for an architectural solution, a software architectural solution, SOAPA, and we're seeing that behavior in large enterprises. So that's why we're covering it, and that's why our research says that this is happening.
Doug: Absolutely. So a tremendous amount of telemetry to get more visibility, but, end of the day, we need context, otherwise we just have events.
Jon: Visibility, but also, what do I do with that visibility? What level of risk can I take? When do I have to respond to a priority alert, and when can I downplay that? We just don't have the proper infrastructure to do that, and we do see companies building new types of security operations centers. So again, the demand is there. We need an architectural solution to fulfill that demand.
Doug: Sure. And so SOAPA provides a level of efficiency then, to better operationalize existing use cases. What are some of those core use cases, and how does that fit into sort of a next-generation SOC?
Jon: Yeah, I mean, it's all the kinds of things that we're seeing people doing. It's incident response, it's investigations, it's analytics, it's hunting. Again, it's doing asset, any kind of an asset inventory, or auditing. And it's being able to do that in real time, it's being able to make decisions. Also, we're seeing more involvement from executives and boards, who want to understand risk, who want to understand what's going on, and this is a means of doing that. Also, everything's changing in the enterprise. We've got cloud, we've got IoT, and therefore, we need to keep up with that, and again, make decisions in real time.
Doug: So, a future-ready architecture, so as more devices are connected online, the architecture's ready, more workloads go to the cloud. But I imagine there's a lot of scale involved here. We're talking a ton of data. We need to be able to perform real-time analytics. So what about the cloud as a delivery platform for a SOAPA implementation?
Jon: Yeah, that's absolutely right, and just given the amount of scale and the amount of compute that we may need, yeah, the cloud has to play a role. Now, it may play an archival role for storage, it may be involved in a distributed data management architecture, or it could, I mean if we're doing analytics on terabytes and terabytes of data, we may need the horsepower of the cloud to do analytics there. And a lot of this will kind of be historical big data analytics, as well as real-time type of analytics, so yeah, absolutely, the cloud will play a role. And I would expect Amazon and Microsoft and IBM and Google and others to get involved here.
Doug: Sure. And threat intel's obviously part of a SOAPA implementation, and the cloud offers a way to sort of centralize that third-party threat intel, so you're triangulating what you're seeing internally in your own environment with external factors. Cloud's a good place to do that too, right?
Jon: Yes, and if you look at the kind of data management and data analytics that people like Facebook and Amazon have, that's the type of scale and that's the type of synthesis of data and decision-making of data that we're going to need here. So yeah, absolutely, that fits.
Doug: Sure. So obviously a SIEM has a starring role in a SOAPA implementation. What are some other implications to the vendor landscape?
Jon: Yeah, I would characterize it as, I think SIEM functionality plays a role. But where that SIEM functionality lives is sort of in play. That's what an architecture is. But it does mean that there'll be kind of dominant vendors who have SOAPA ecosystems. So think of this as sort of like what happened with ERP, with SAP and Oracle and others. They built an architecture. They built middleware bridges. They had a lot of the application functionality. But there was a partner ecosystem, there was a services ecosystem. And I think we'll see centers of gravity like that in SOAPA, where you have a lot of smaller vendors who are hitching their wagons to the bigger vendors.
Doug: Got it. Makes a ton of sense. So we are now launching a security analytics research project...
Jon: That's right.
Doug: ...and that's gonna get us a lot more information on this very topic.
Jon: That's exactly why we're doing this, because we know this is happening. We don't know the timing. We don't know where people are starting, and we also... what we do know, from talking to people, CISOs, security analysts, is they wanna do this. They don't know how to do this. Security architecture, or software architecture, is something that you may know if you're an ERP or an enterprise software architect. You don't necessarily know this if you're a security professional. And so that knowledge transfer has to happen, and that's what we wanna research, to see where we are on that maturity curve.
Doug: Well, it's a highly relevant topic, and it's an expansive one...
Jon: And we'll be looking at it all year.
Doug: We'll be looking at it all year. So stay tuned for more on SOAPA.