RSA Conference 2017: Security analytics and operations

Focus on architecture, machine learning, threat intelligence, incident response automation and a growing list of data sources

So far, I’ve written two blogs about my expectations for the upcoming RSA Security Conference next week. The first blog was about my outlook for endpoint security, while the second focused on network security

I am also in the middle of a big research project on security analytics and operations right now and believe that many independent technologies will be integrated into a comprehensive architecture that ESG calls SOAPA (i.e. security operations and analytics platform architecture).

With SOAPA in mind, here’s what I expect to see at RSA:

1. Cybersecurity data everywhere. Cybersecurity analytics and operations used to be based on a few primary data sources: log files and events. Application, database, network, security and system logs are now supplemented by a plethora of other data sources—endpoint and network behavior data, threat intelligence data, malware analysis, social networking data, etc.

In fact, one reason why I anticipate a security analytics and operations architecture is purely in response to massive growth in the amount of security data being captured, processed, and analyzed. While a lot of this data will remain distributed, security analytics and operations tools must have visibility, knowledge and decision-making capabilities across all of it. That means SOAPA will be an event-driven software architecture (think SOA 2.0) with a highly distributed data management infrastructure.  I hope to hear vendors’ thoughts and plans for this type of architecture.     

2. SIEM is still in. I’ve been hearing the “SIEM is dead” mantra for years, and I still don’t buy it. I’d say it’s more like SIEM is evolving. For example, AlienVault is a full operations and analytics platform. IBM has extended QRadar with AppExchange and Resilient for incident response. LogRhythm added its own host agent and network security analytics, and Splunk grabbed Caspida for UBA and has a big effort around adaptive response. 

While those vendors seek to increase their reach, what’s really happening here is that SIEM functionality is expanding into a series of interconnected functions, modules, and services. In other words, a software architecture. All leading SIEM vendors need to ensure that their products are built for openness and integration while pushing innovation and M&A activities as they try to remain SOAPA hubs with plenty of connection options for partner spokes.   

3. Threat intelligence maturation. Threat intelligence was all the rage a few RSAs ago, but the focus was around the information rather than how to actually use and benefit from threat intelligence analysis. In 2017, it’s all about contextualizing, operationalizing and synthesizing threat intelligence, leading to a group of innovative threat intelligence platforms and tools from the likes of Flashpoint, Lookingglass, Recorded Future, ThreatConnect, ThreatQuotient, etc. I’m looking forward to hearing how the threat intelligence crowd is working on helping organizations address new types of business risk as well as pure cybersecurity disciplines such as penetration testing, “hunting,” incident response, etc. 

4. Persistent buzz about incident response. Speaking of IR, the trend toward incident response automation and orchestration has gained tremendous momentum over the past 12 months. Furthermore, most enterprise organizations I speak with are now willing to abandon homegrown software efforts in favor of commercial tools from the likes of FireEye, Hexadite, IBM (Resilient), Phantom, ServiceNow and Siemplify. I’m looking to hear more about how IR automation and orchestration is maturing. Is the focus more on automation or orchestration? Where are organizations starting this process? How are they proceeding? What role do people play today, and how are these roles changing?    

5. Machine learning hype and reality. I predict that artificial intelligence and machine learning will be this year’s winner of the industry hyperbole award at RSA. Everyone will talk about it, but no one will clarify it so that cybersecurity professionals understand what it does and where it fits.

In my humble opinion, machine learning should be viewed (today) as an intelligent layer of defense that can automate and accelerate some types of specific analytics activities. In other words, machine learning is somewhat limited today, but that doesn’t mean it can’t be extremely useful in appropriate use cases. Which use cases? That’s what I’ll be exploring at RSA with vendors such as Darktrace, E8, Exabeam, Vectra, Securonix and Sqrrl. 

6. Services, services, services. According to ESG research, 45 percent of organizations have a “problematic shortage” of cybersecurity skills in 2017. That means almost half of organizations may not have the cybersecurity staff or talent pool to manage security analytics and operations on their own. Which service vendors are filling this void? That’s an area I hope to research at RSA. I know companies such as BT, CSC, CrowdStrike, FireEye, Unisys, SecureWorks and Symantec are doing well in the services realm, but I hope to learn more about which of these and other cybersecurity vendors help organizations address various aspects of security analytics and operations requirements. 

I’m heading to RSA with an insatiable appetite to learn more about the present and future of security analytics and operations. See you at the show.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)