5 security operations and analytics trends to watch in 2020

According to ESG research, 36% of organizations are actively integrating disparate security analytics and operations tools in pursuit of a more cohesive security technology architecture (note: I am an ESG employee).  Another 48% of organizations say they are somewhat active with security analytics and operations tool integration.

This data describes security operations and analytics platform architecture (SOAPA), something I’ve been writing about and consulting on for the past 3 years.  Today’s potpourri of point tools can’t keep up with security requirements, data volumes, or process automation, so CISOs are building or buying tightly integrated SOAPA solutions to meet these needs.

I believe that 2020 will be a big year for SOAPA as more organizations retool their security operations centers (SOCs).  Here are a few SOAPA developments I’ll be tracking:

1. One-stop SOAPA shops. Security analytics and operations technology vendors will continue buying sprees to supplement their existing product portfolios.  This isn’t new: In 2019: Micro Focus purchased Interset, Palo Alto Networks grabbed Demisto, and Sumo Logic acquired JASK.  I expect further M&A activity next year, in areas like process automation and advanced analytics, but we’ll see one or several threat intelligence platform vendors like Anomali, ThreatConnect, or ThreatQuotient be snapped up by a major SIEM  Likewise, network traffic analysis vendors like Awake Security, Corelight, or Vectra Networks could be added to SIEM.  This one-stop shop approach may work; ESG research indicates that 63% of enterprise organizations would be willing to buy most of their cybersecurity technologies from a single vendor.

2. Fusion Centers. Many firms use different teams and tools for various security functions, but this leads to obvious communications and collaboration problems.  On a recent trip to New York, I met with several large banks building fusion centers to amalgamate functions like threat intelligence analysis, security operations, and incident response.  In my experience, NY banks tend to be a leading indicator of emerging trends, so I expect fusion center development to gain traction in 2020.  Since fusion center knowledge is somewhat limited today, I assume that there will be lots of demand for services expertise from the likes of Accenture, Optiv, and PWC who can help design, plan, build, and even staff new facilities. 

3. On to the cloud. In the past, CISOs were reluctant to move security technologies to the cloud for fear of losing control of their data and infrastructure.  This is no longer the case: ESG research indicates that 38% of organizations are already running security analytics and operations technologies in the public cloud while another 44% would consider deploying security analytics and operations technologies in the public cloud as part of a hybrid SOAPA.  As organizations adopt cloud-based security technologies, it’s logical that Amazon, Google, and Microsoft will assume a much bigger role as SOAPA providers.  Other security technology vendors must plan for this inevitability through technology integration and big 3 partnerships.

4. Threat management meets vulnerability management. Threat management has always dominated security spending while vulnerability management was limited to software and application scanning.  Okay, but CISOs (and business executives) want a better understanding of overall cyber risk so they can prioritize actions and make data-driven decisions.  In 2020 and beyond, we’ll see more innovation and money flowing toward the vulnerability side.  I envision cyber risk management dashboards that know details about assets and can correlate this information to known exploits, chatter, and TTPs from threat actors.  These systems can then point cybersecurity teams to high-priority remediation needs.  In some cases, remediation actions can be fully automated for rapid response.  Think CIS top 20 meets machine learning and process automation.  This is already happening to some extent in the software vulnerability space from vendors like Kenna Security and Tenable Networks, but I foresee broader coverage and functionality ahead.

5. New SOAPA technology categories. Aside from cyber risk management, I’m bullish on the continuous automated penetration and attack testing (CAPAT) market.  These tools fire off simulated attacks constantly to test analytics capabilities, controls, and IR processes.  The results of these tests will drive correlation rules and machine learning algorithmic adjustments along with security controls fine tuning.  Part of this lifecycle process will also bring deception technology into the mix from vendors like Guardicore, Fidelis, Illusive Networks, and TrapX.  As simulated red team testing identifies common adversary targets, honeypots can be updated, in a “dynamic deception” cycle.  Much of the activity described here will be partially or fully automated, leading to continuous security operations improvement. 

Of course, dynamic changes like these will lead to industry hyperbole and customer confusion.  This will create a big opportunity for services vendors who can hold customers’ hands through a state of rapid transition.  I’ll also try to help with blogs, guidance, and videos.  Look for lots of SOAPA activities like those described above at RSA 2020.