I’ve written about SOAPA for almost a year now, and the concept seems to be catching on in the industry. I’ve had lots of industry leaders participate in SOAPA videos with me, and there are many more videos in the works.
I’m happy to say that SOAPA isn’t just an analyst idea or industry buzzword. In fact, 21 percent of enterprise organizations say they are very active in integrating security operations technologies and that creating a security operations architecture is one of their highest priorities, while another 50 percent are somewhat active in this area.
Why security professionals are moving to SOAPA
Security professionals are moving to SOAPA for several reasons:
- To better identify and communicate risks to the business (31 percent). This is because they will have access to more security data and will be able to enrich, contextualize, and correlate this data across analytics tools.
- To help them automate manual processes (30 percent). This is especially important given the global cybersecurity skills shortage.
- To accelerate incident detection (30 percent). As we’ve learned from the Verizon DBIR, incident detection often takes weeks or months. Clearly security professionals believe SOAPA may be able to help here.
- To improve collaboration between security and IT operations teams (29 percent). This makes sense for things such as using a central case management system that can track and report on the entire incident lifecycle.
- To help their organization improve situational awareness of security across the network (29 percent). This happens by tracking behavior across endpoints, networks, gateways, external threat intelligence, etc.
These are perfectly good reasons why enterprise organizations should design and build SOAPA. What would be really helpful, however, is if the security industry, government standards bodies like NIST or MITRE and large enterprises came together to design an industry standard version of SOAPA. I’m thinking standard interfaces, standard data formats, standard middleware, etc.
Benefits of an industry-standard security operations architecture
In my humble opinion, an industry-standard security operations architecture could be a force multiplier for all parties because it could:
1. Increase technology options. Security technologies could easily plug into a standard architecture. This would ease the integration burden and open a wide range of technology choices for enterprise. CISOs could adopt network security analytics in 2017 and then add EDR in 2018. These two analytics tools could then work together for end-to-end security investigations, threat hunting, etc. Similarly, industry standards would greatly ease the burden of replacing one security tool with another.
2. Enhance innovation. With industry standards established, security technology vendors could focus on product functionality rather than forming one-off technology integration partnerships with other vendors. Similarly, security professionals could develop and maintain their own code more seamlessly than they do today.
3. Promote greater security efficacy. Security analytics tools based upon artificial intelligence (AI) and machine learning could mature a lot faster if all data from all tools were available to them in a common format.
4. Create a global sense of community. Imagine if cybersecurity professionals gained experience on a common security architecture. This would enable greater cooperation, code sharing and exchange, industry use cases, etc.
There have been some SOAPA-like efforts from the industry, such as the Platform Exchange Grid (pxGrid) from Cisco and the Data Exchange Layer (DXL) from McAfee. Still, these are quasi-open standards, not a full, open, industry-standard SOAP platform that I envision.
I’m hopeful that large enterprises, government agencies and, yes, even security vendors will realize that the best way to make real progress is if we all pull together. Yes, I know that this is somewhat idealistic but we are talking about our own security here, so perhaps some type of collaboration is possible.