Goodbye SIEM, hello SOAPA

Security Information and Event Management (SIEM) systems have been around for a dozen years or so. During that timeframe, SIEMs evolved from perimeter security event correlation tools to GRC platforms to security analytics systems. Early vendors such as eSecurity, GuardedNet, Intellitactics and NetForensics are distant memories. Today’s SIEM market is now dominated by a few leaders: LogRhythm, McAfee (aka: Nitro Security), HP (aka: ArcSight), IBM (aka: QRadar) and Splunk.

Of course, there is a community of innovative upstarts that believe SIEM is a legacy technology. They proclaim that log management and event correlation can’t keep up with the pace of cybersecurity today, thus you need new technologies such as artificial intelligence, machine learning algorithms and neural networks to consume, process, and analyze security data in real time. 

As an industry analyst, I should be waving my arms around madly, proclaiming that “SIEM is dead,” since that’s what those in my profession tend to do. Sorry, but I don’t think SIEM is dead at all. Instead, enterprise security operations and analytics requirements are forcing rapid consolidation into something new that ESG calls a security operations and analytics platform architecture (SOAPA). 

Within SOAPA, SIEM -like functionality still plays a starring role, often aggregating analytics data into a common repository. But unlike the past, SIEM is one of several security tools within SOAPA, and these technologies must be designed for asynchronous cooperation so security analysts can quickly pivot across tools to find data and take action as they need to in real time. 

SOAPA is a dynamic architecture, meaning that new data sources and control planes will be added incrementally overtime. I do believe, however, that today’s SOAPA is built with SIEMs (or similar log management and search products/services) and:

• Endpoint detection/response tools (EDR). Security analysts often want to dig deep into security alerts by monitoring and investigating host behavior, so EDR (i.e. CarbonBlack, Countertack, CrowdStrike, Guidance Software, etc.) is an essential component of SOAPA.
• Incident response platforms (IRPs). Aside from collecting, processing and analyzing security data, cybersecurity professionals want to prioritize alerts and remediate problems as soon as possible. These requirements are giving rise to IRPs such as Hexadite, Phantom, Resilient Systems (IBM), ServiceNow and Swimlane. 
• Network security analytics. SIEM’s log analysis and EDR host behavior monitoring are complemented by flow and packet analysis in SOAPA, provided by vendors such as Arbor Networks, Blue Coat/Symantec, Cisco (Lancope) and RSA.
• UBA/machine learning algorithms. While these tools have received an inordinate degree of industry hype, there’s little doubt that machine learning will be baked into security analytics henceforth, thus vendors such as Bay Dynamics, Caspida (Splunk), Exabeam, Niara, Sqrrl and Varonis should be included in SOAPA. 
• Vulnerability scanners and security asset managers. Part of security operations is knowing which alerts should be prioritized. These decisions must be driven by solid data from vulnerability management systems (i.e. Qualys, Rapid7, Tanium) and other tools that monitor the state of systems and network configurations (i.e. RedSeal, Skybox, Verodin, etc.).
• Anti-malware sandboxes. This technology represents another key pivot point for understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis and Trend Micro are definitely part of SOAPA. 
• Threat intelligence. Enterprise organizations want to compare internal network anomalies with malicious “in-the-wild” activities, so SOAPA extends to threat intelligence sources and platforms (i.e. BrightPoint (ServiceNow), FireEye/iSight Partners, RecordedFuture, ThreatConnect, ThreatQuotient, etc.).

Aside from the technologies themselves, here are a few other thoughts on SOAPA:

1. Beyond data exchange between security tools, the next big innovation will be central SOAPA command-and-control for analytics and management (i.e. configuration management, policy management, etc.) of the security infrastructure. 
2. The market is already moving in SOAPA’s direction. Witness IBM’s acquisition of Resilient Systems for IRP, Splunk’s purchase of Caspida for UBA, and Elastic Search’s acquisition of Prelert.
3. Now that McAfee is independent of Intel, look for it to invest in its enterprise security manager (i.e. Nitro). McAfee will also accelerate SOAPA technology integration with its own tools and ecosystem partners, as well as acquisitions aimed at filling architectural gaps.
4. Given the central role that SIEM still plays in SOAPA, someone (CA? Palo Alto? Symantec? Trend Micro?) will buy LogRhythm.
5. Each of the technology elements described above could be delivered on premise or via SaaS options. SOAPA must be flexible to accommodate these options.
6. SOAPA must be built for immense scale, especially as organizations increase their use of cloud computing and IoT. It’s likely cloud analytics or storage will become part of the architecture. 
7. A few vendors may be able to deliver their own proprietary SOAPA solutions, but enterprise customers will likely eschew single vendor solutions while anchoring their SOAPAs with lead vendors and ecosystem partners. Small enterprises and SMBs could buy from a single product or SaaS vendor, however. 

How does all this come together and in what order? I’m about to launch a research project to answer these questions. Stay tuned.

More on SIEM:

• What is SIEM software? How it works and how to choose the right tool
• ArcSight vs. Splunk? Why you might want both
• Evaluation criteria for SIEM
• SIEM: 14 questions to ask before you buy
• Log management basics
• SIEMs-as-a-service addresses needs of small, midsize enterprises