Marc van Zadelhoff, general manager of IBM’s security division, talks SOAPA market demand and evolution

Just what is a security operations and analytics platform architecture (SOAPA) anyway?

In the past, most enterprises anchored their security analytics and operations with one common tool: Security Information and Event Management (SIEM) systems. SIEM still plays a major role here, but many organizations are now supplementing their security operations centers (SOCs) with additional data, analytics tools and operations management systems. We now see SOCs as a nexus for things like endpoint detection and response (EDR) tools, network analytics, threat intelligence platforms (TIPs) and incident response platforms (IRPs).

In aggregate, security operations is changing, driven by a wave of new types of sensors, diverse data sources, analytics tools and operational requirements. These changes are driving an evolution from monolithic security technologies to a more comprehensive event-driven software architecture along the lines of SOA 2.0, where disparate security technologies are connected with middleware for things like data exchange, message queueing and business-level trigger conditions. I wrote in November about SOAPA—what it is and why it is becoming so popular with enterprise organizations.

[Image caption: IBM security GM Marc van Zadelhoff discusses SOAPA]

I recently had the pleasure of interviewing the general manager of IBM’s security division, Marc van Zadelhoff. Aside from touring the new IBM cyber command center, Marc and I talked about the ongoing evolution of SOAPA. In fact, there was so much to talk about that our informal chat became a two-part video series. The first video is available here. Allow me to present a few highlights from the first part of the video:

Why SOAPA?

IBM says many of its midsized and large enterprise customers have far too many disparate security point tools and simply can’t manage them effectively anymore.
Marc sees these firms consolidating to common platform architectures in two areas: information risk and protection, and SOAPA.

How does IBM communicate the SOAPA concept to potential customers?

Marc put an IBM spin on SOAPA, describing it as an architecture that sits “above and below the SIEM.” Things like probes and data collection tools lie below the SIEM, while advanced analytics and operations services like user behavior analytics (UBA), cognitive computing tools like Watson for cybersecurity, and incident response platforms (IRPs) sit above and can help provide advanced SIEM functionality.

Does IBM see SOAPA like the transition from departmental applications to ERP in the 1990s?

Yes. Marc agreed that IBM customers want to consolidate security tools around a common architecture that provides a new level of security technology integration and interoperability. And like the transition from departmental apps to ERP, this has the potential to bolster productivity and lead to new and innovative security operations processes. The debate at IBM is whether to build an IBM-only architecture or integrate with others. IBM is doing both.

Is it time for the security industry to rally around some type of common SOAPA standards?

Not quite yet. While IBM believes in a SOAPA architectural concept for cybersecurity, Marc says it is too early for industry collaboration on a standard architecture. He says the industry is already coalescing around a few SOAPA leaders, so API integration is an acceptable methodology for now.

Many thanks to IBM and Marc van Zadelhoff for his time and insights, and I’ll blog about part 2 of the video series with Marc next week. Look for additional videos where I discuss SOAPA with other market leaders and cybersecurity professionals soon.