Security data growth drives SOAPA

Security professionals want better ways to analyze and operationalize the massive increase in security data collection and processing

Happy new year, cybersecurity community! I hope you are well rested; it’s bound to be an eventful year.

Way back when at the end of November 2016, I wrote a blog post about an evolutionary trend I see happening around cybersecurity analytics and operations technology. Historically, large enterprises have relied on SIEM products to anchor their security operations centers (SOCs). This will continue, but I see SIEM becoming part of a more global cybersecurity software architecture called SOAPA (security operations and analytics platform architecture). 

SOAPA uses middleware (i.e. message queueing, transaction processing, etc.), APIs, and industry standards such as Cyber Observable eXpression (CybOX), Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) to connect disparate cybersecurity analytics and operations tools and data sources like EDR, network security analytics, UBA/machine learning analytics systems, vulnerability scanners, security asset management, anti-malware sandboxes/cloud services, incident response platforms, and threat intelligence into a cohesive software architecture. In this way, disparate analytics tools can be used collectively to gain more context out of the data while accelerating processes and cybersecurity operations.

Why will SOAPA continue to gain momentum? Here’s a fundamental reason: Today’s SOCs are being barraged by a massive increase in security data collection and processing. In fact, ESG research indicates:

  • 35% of enterprise organizations expect to collect, process and analyze significantly more internal security data over the next 12 to 24 months, while another 37% believe they will collect, process and analyze somewhat more internal security data over the next 12 to 24 months.
  • 24% of enterprise organizations expect to collect, process and analyze significantly more external security data over the next 12 to 24 months, while another 31% believe they will collect, process and analyze somewhat more external security data over the next 12 to 24 months.

To put this data another way, 72% of enterprises are planning new security initiatives, such as EDR, network forensic investigations, “hunting” or privileged user monitoring, that will drive more internal data collection, processing and analysis. Similarly, 55% of large organizations will collect, process and analyze an increasing amount of external open source, commercial and industry threat intelligence, as well as cloud-based data from IaaS, PaaS and SaaS providers.

Now, most organizations I speak with begin collecting, processing and analyzing this data in isolation with some distinct goal in mind. It doesn’t take too long for them to realize, however, that secluded cybersecurity data can be enriched with other data sources to gain greater visibility and context about what’s happening across the network. For example, threat intelligence can be used to find indicators of compromise (IoC) and Tactics, Techniques and Procedures (TTP) associated with cyber attacks that can then be compared to security alerts, logs and endpoint/network behavior to see if “in-the-wild” cybersecurity threats have made their way to the corporate network.
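As an added illustration of the enrichment step described above (not code from the original post or from any SOAPA product), the following Python script loads indicators from a STIX 2 bundle and matches their observable values against proxy and EDR log lines. The bundle, the log lines and every indicator value in it are constructed for the example, and only the simplest STIX pattern form (one equality comparison) is handled.

```python
import json
import re

# Constructed STIX 2 bundle with two indicator objects; the values are sample data, not real IoCs.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 address", "labels": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed dropper hash", "labels": ["malicious-activity"],
         "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000001']"},
    ],
})

# Constructed log lines from two sources (proxy and EDR); the third line is benign.
LOG_LINES = [
    "2017-01-03T10:15:02Z proxy src=10.0.0.12 dst=198.51.100.7 action=allow",
    "2017-01-03T10:16:40Z edr host=ws-042 event=file_write sha256=0000000000000000000000000000000000000000000000000000000000000001",
    "2017-01-03T10:17:05Z proxy src=10.0.0.15 dst=203.0.113.9 action=allow",
]

# Only the simplest STIX pattern form, a single equality comparison, is parsed here.
PATTERN_RE = re.compile(r"\[\s*([\w\-]+:[\w.'\-]+)\s*=\s*'([^']+)'\s*\]")
# Candidate observable values inside a log line (IPs, hashes, hostnames); '=' acts as a separator.
TOKEN_RE = re.compile(r"[A-Za-z0-9.:\-]+")


def load_indicators(bundle_json):
    """Map each observable value (lower-cased) to its STIX object path, indicator id and name."""
    indicators = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if m is None:  # complex patterns (AND/OR, FOLLOWEDBY, ranges) are skipped rather than guessed at
            continue
        path, value = m.groups()
        indicators[value.lower()] = {"object_path": path, "indicator_id": obj["id"], "name": obj.get("name", "")}
    return indicators


def match_logs(indicators, lines):
    """Return one enriched hit per log line whose tokens contain a known observable value."""
    hits = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            info = indicators.get(token.lower())
            if info is not None:
                hits.append(dict(info, line=line, observable=token))
                break  # one hit per line is enough for triage; remove to report every match
    return hits
```

Each hit carries the indicator id and name alongside the raw log line, which is the context an analyst needs to decide whether an "in-the-wild" threat has actually reached the network.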

3 things cybersecurity teams can do to accommodate data growth

How should enterprise organizations adjust their strategies to accommodate massive cybersecurity data growth? CISOs I speak with have three general recommendations:

1. Start with operational goals rather than technology projects. At the end of the day, SOAPA (and associated data collection) should be viewed as a technology initiative that can drive security operations results. Enterprise organizations have too few cybersecurity specialists and too many manual processes. The clear goal with SOAPA, then, should be using security data to increase productivity, accelerate incident response and automate tedious manual tasks.

2. Think software architecture, not tools integration. SOAPA should be built as a scalable architecture that can accommodate increasing data volumes, scalability requirements and future needs. As such, enterprises must avoid the temptation of quick-fix solutions that integrate a few point products together. Instead, CISOs should study enterprise software architecture from vendors such as Microsoft, Oracle and SAP to get ideas for SOAPA.

3. Keep the cloud in mind. Given the global cybersecurity skills shortage, many organizations will opt for cloud-based security solutions. Cybersecurity professionals must procure these services with SOAPA integration in mind. Additionally, massive SOAPA data requirements may require tiered data management/storage with archival data tucked away on spinning disks in the cloud.

Copyright © 2017 IDG Communications, Inc.