For years, enterprises have dealt with security analytics and operations using an assortment of point tools. According to research by my employer ESG, 35% of organizations today use more than 26 such commercial, homegrown, and/or open source tools in their security operations center (SOC).
Too many tools lead to a host of well-known problems. Each tool needs to be installed, configured, and operated. Security analytics tools can be complex, requiring well-trained and skilled personnel for operations. Finally, each tool presents its own interpretation of situational awareness based upon the data it analyzes. Gathering a complete perspective of security across the enterprise depends upon experienced analysts’ ability to piece together the output of these siloed security analytics tools. This has proven to be ineffective and inefficient.
I saw this situation several years ago and felt like there had to be a better way. This led me to come up with the security operations and analytics platform architecture, or SOAPA (see Figure 1). SOAPA is meant to create technology integration across four layers: data management services, software services (i.e., middleware), analytics services, and security operations services.
Figure 1. The SOAPA architecture (image not reproduced here).
This level of integration would let security analytics tools share and exchange data, allowing analysts to move easily from one tool to another and then pivot to security operations platforms to act upon the data for problem remediation and risk mitigation.
SOAPA integration continues to progress, and organizations that integrate security operations tools report positive results. That's great, but analysts are still forced to look at different user interfaces for different tools. Yes, they can do this more efficiently now than in the past, but can’t the security community do any better than this?
I believe that it can through a common user interface that supports multiple, and potentially all, security operations tools. This UI could span across SOC processes, from incident detection and triage, through investigations, to case management, and finally security operations actions. Individual analysts could customize the interface to accommodate their job responsibilities, experience level, and even their favorite colors. Heck, there could even be a version of the UI for CISOs and business managers to keep track of security status, tailored to their specific skill sets and requirements.
A common security operations UI would offer a multitude of benefits, including:
- Reducing training cost and complexity. All analysts could go through standard training, giving organizations the ability to rotate them through different roles. It’s logical to think that analysts would get more familiar and proficient if they used the same interface all the time. This could help junior analysts accelerate their career advancement as well. My guess is that if a standard UI for security operations took hold, it would be used at universities, at conferences, within tabletop exercises, etc.
- Sharing custom UIs across organizations. It’s likely that security professionals would customize the interface to highlight different dashboards, metrics, and layout and then share these with other security analysts and organizations. They would post templates, chat about improvements, and compare notes. Thus, the UI could help improve collaboration and unify the security professional community.
- Encouraging UI research and development across the industry. Let’s face it, the UIs we look at today are marginally better than what we saw in HP OpenView in the 1990s. It doesn’t have to be this way. There is a field of research called visual analytics where academics study how humans visualize and consume data. There’s even an annual IEEE security event called VizSec, “a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cybersecurity community through new and insightful visualization and analysis techniques.” If there were a common UI for security operations, the industry could throw its collective resources into efforts like VizSec and others, exploring things like mobile device interfaces, virtual reality, large displays, etc. – all for the greater good.
Think a common interface can’t happen? Well, one vendor is betting that it can. At its recent .conf user conference, Splunk announced Mission Control, a common cloud-based interface that unifies its three security offerings, Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA), and Splunk Phantom, as well as other Splunk products. It’s early, but Splunk wants to move beyond its own playground and sees a future where it opens Mission Control to third parties as well.
Splunk may not represent the industry at large, but because it plays a prominent role in SOCs, Mission Control could start the proverbial common UI snowball rolling downhill. Sure, another party may come up with a better UI. One or two are certainly better than 50.
Whether Splunk or someone else succeeds, there are too many potential benefits here to ignore. Security professionals, technology vendors, academics, and government agencies should find more ways to collaborate on visual security analysis and common UIs. It’s worth the effort.