SOAPA – A Matter of Scale

Security Operations and Analytics Platform Architecture (SOAPA)


Intelligence-driven Security Operations Center (SOC)

The threat and risk environment has evolved rapidly in the past five years, with an increase in active threat actors and an escalation in the sophistication of their techniques – dictating an intelligence-driven Security Operations Center (SOC).

An intelligence-driven SOC goes beyond preventative technologies and the perimeter, and beyond event-based monitoring. It evolves and adapts through the use of security intelligence, which continuously changes the scope and focus of security operations activities. For rapid response, as much of the mundane work as possible should be automated, and the remaining human-driven responses should be aided by decision support systems.

Cybersecurity Scale

In addition, the increasing growth of the Cloud, Internet of Things (IoT), Mobile and Digital Transformation are placing new demands on usability, scalability and enterprise-class features of cybersecurity analytics and operations products. Industry security experts believe that 2017 will be remembered as the year where cybersecurity analytics and operations encountered a wave of unprecedented scale.

Companies are seeking to refocus their SIEM investment, migrating towards a modular, extensible, flexible, scalable architecture that leverages a more holistic and hybrid Security as a Service (SaaS) model, also emerging as SIEM in the Cloud.

However, the need for security scalability is nothing new. Leading SIEM vendors can all talk about how they re-architected their products over the past few years to scale from thousands to millions of events per second (EPS) and somehow make sense of all this activity. EPS growth will continue, but cybersecurity scale is about to hit an exponential curve, driven by things such as:

  • Cloud utilization
  • Internet of Things (IoT)
  • Network growth
  • Digital transformation applications

These and other parallel trends are driving massive growth in the amount of data we need to collect, process, analyze, and store for cybersecurity analysis and operations.

Security Operations and Analytics Platform Architecture

Since it is becoming impossible to centralize all security data, enterprise organizations will rely more and more on Security Operations and Analytics Platform Architecture (SOAPA) software to integrate distributed security data and analytics functions. In other words, some security analysis (e.g. threat intelligence research, EDR, malware analysis) will remain discrete, but SOAPA will act as an overall bridge for visibility across all the data for all analytics, regardless of the data’s location.

Why SOAPA? Today many midsized and large enterprise customers have far too many disparate security point tools and simply can’t manage them effectively anymore. These organizations are consolidating to common platform architectures in two areas: information risk and protection, and SOAPA.

SOAPA represents an opportunity to increase industry innovation and ultimately deliver a security architecture that allows organizations to increase productivity, accelerate actions, and streamline day-to-day security operations.

In the past, most enterprises anchored their security analytics and operations with one common tool: Security Information and Event Management (SIEM) systems. Unlike in the past, SIEM is now one of several security tools within SOAPA, and these technologies must be designed for asynchronous cooperation so security analysts can quickly pivot across tools to find data and take action as they need to, in real time.

SOAPA is an architecture that sits “above and below the SIEM.” Things like probes and data collectors lie below the SIEM, while advanced analytics and security operations services like user behavior analytics (UBA) sit above and can help provide advanced SIEM functionality.

SOAPA Overview

Security Operations and Analytics Platform Architecture Overview

SOAPA is a dynamic, extensible, flexible, modular and scalable architecture, meaning that new data sources and components will be added and integrated incrementally over time. It includes, for example:

  • Endpoint detection/response tools (EDR)
  • Incident response platforms (IRPs)
  • Network security analytics
  • UBA/machine learning algorithms
  • Vulnerability scanners and security asset managers
  • Anti-malware sandboxes
  • Threat intelligence
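The “bridge above and below the SIEM” idea, as an added illustration that is not code from the original post: a SIEM alert is enriched concurrently by modular components (an EDR record store, a threat intelligence feed and an asset manager, all constructed sample data here) that are queried where their data lives rather than copied into the SIEM, and the combined result is ranked for the analyst. The enrichers, the `SUSPICIOUS_PARENTS` set and the scoring weights are hypothetical; a real deployment would swap in the actual component APIs.

```python
import asyncio
from dataclasses import dataclass, field
# Constructed sample records standing in for distributed SOAPA components
# (EDR, threat intelligence, asset manager). Nothing here is real data.
EDR_RECORDS = {"host-17": {"process": "powershell.exe", "parent": "winword.exe"}}
THREAT_INTEL = {"203.0.113.9": "constructed sample indicator: known C2"}
ASSET_DB = {"host-17": {"criticality": "high"}, "host-42": {"criticality": "low"}}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # hypothetical rule
@dataclass
class Alert:
    host: str
    dest_ip: str
    rule: str
    enrichment: dict = field(default_factory=dict)
    score: int = 0

# Each enricher is a modular component queried where its data already lives.
async def edr_lookup(alert: Alert) -> dict:
    await asyncio.sleep(0)  # stand-in for a remote API call
    return {"edr": EDR_RECORDS.get(alert.host)}
async def ti_lookup(alert: Alert) -> dict:
    return {"threat_intel": THREAT_INTEL.get(alert.dest_ip)}
async def asset_lookup(alert: Alert) -> dict:
    return {"asset": ASSET_DB.get(alert.host)}
ENRICHERS = [edr_lookup, ti_lookup, asset_lookup]  # new components plug in here

def score(alert: Alert) -> int:
    # Hypothetical priority rule combining the enrichment results.
    e = alert.enrichment
    s = 50 if e.get("threat_intel") else 0
    s += 30 if (e.get("asset") or {}).get("criticality") == "high" else 0
    s += 20 if (e.get("edr") or {}).get("parent") in SUSPICIOUS_PARENTS else 0
    return s

async def enrich(alert: Alert) -> Alert:
    # Asynchronous cooperation: every component is queried concurrently.
    for part in await asyncio.gather(*(fn(alert) for fn in ENRICHERS)):
        alert.enrichment.update(part)
    alert.score = score(alert)
    return alert

async def _enrich_all(alerts: list) -> list:
    return list(await asyncio.gather(*(enrich(a) for a in alerts)))
def triage(alerts: list) -> list:
    # Enrich SIEM alerts across all components, then rank them for the analyst.
    return sorted(asyncio.run(_enrich_all(alerts)), key=lambda a: a.score, reverse=True)

SAMPLE_ALERTS = [Alert("host-42", "198.51.100.5", "outbound beaconing"),  # constructed
                 Alert("host-17", "203.0.113.9", "outbound beaconing")]
```

Running `triage(SAMPLE_ALERTS)` puts host-17 first with a score of 100 (intel hit, critical asset, Office parent) and host-42 last with 0, so the analyst pivots to the one case that all three components agree on.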

SOAPA drivers. Why are enterprise organizations moving toward SOAPA? Customers are stating that they cannot stay ahead in security operations using a collection of point tools when they are facing a dangerous threat landscape and a shortage of cybersecurity skills on their teams.

According to the recently published 2017 ESG IT spending intentions survey, 45 percent of organizations report a “problematic shortage” of cybersecurity skills.

SOAPA must supplement people with integration and intelligence. Customers don’t need more tools; they need their security technologies to add integration and intelligence so they can improve security efficacy, efficiency and productivity. Security analysts are pursuing numerous new investigations on a daily basis and simply can’t keep up with the volume.

Organizations are stating they cannot stay ahead in security operations using a collection of point tools when facing a dangerous threat landscape and a shortage of cybersecurity skills on their teams.

SOAPA Business Case

  • Cybersecurity analytics and operations are encountering a wave of unprecedented scale
    • Many midsized and large customers have far too many disparate security point tools
    • Cannot manage these disparate tools effectively
    • Seek consolidation/integration with a common platform
    • SOAPA is a scalable architecture that sits “above and below the SIEM.”
  • Focuses on dynamic scalability, extensibility, flexibility, modularity, integration towards orchestration and automation
  • Scalability needed for growth across cloud, digital transformation applications, mobile, and so on
  • Drives massive growth in amount of data to collect, process, analyze, and store for cybersecurity analysis and operations
  • Modular components: EDR, IRPs, analytics, UEBA, threat intel, vulnerability scanners, asset managers, anti-malware
  • Supplements people with integration and intelligence, orchestration and automation
  • Acts as a bridge for visibility across the data for all analytics regardless of the data’s location

Hybrid Security Operations Platform

Today’s enterprises can generate millions of security events every day, and these events must be collected and analyzed around the clock to detect actual or pending attacks. Conventionally, organizations have staffed Security Operations Centers (SOCs) and deployed SIEM technology as the cornerstone of their security event monitoring programs. However, today many forward-thinking enterprises are adopting hybrid plug-and-play models where some or all of these functions are outsourced to service providers.

Situational Awareness is critical, i.e., the ability to detect with precision and quickly respond to real threats. The ability to Detect with Precision (minimal false alerts) requires security operations process maturity and skilled resources.

SIEM in the Cloud … or “almost SaaS SIEM”

  • Cloudiness refers to rapid provisioning, scaling, on-demand use, multi-tenancy, value-added add-on services, and so on
  • SIEMness refers to near-real time correlation, search, compliance, reports, security content, workflows, case management, and so on
  • Vendors are making a push for SIEM in the Cloud, e.g.,
    • IBM, FireEye, Splunk, AlertLogic, …
      • IBM QRadar on Cloud offers a complementary cloud-based service of professionals and managed infrastructure, while customer performs threat management tasks
      • Splunk Cloud (with Splunk Enterprise Security) offers a cloud-based service of dashboards, reports, workflows, analytics, correlation searches and security indicators

Why Outsource Security Event Monitoring?

  1. Challenges in Hiring and Retaining Security Experts
  2. Threat Visibility
  3. 24×7 Vigilance
  4. Lack of SIEM Content
  5. More Effective SOC Analyst Investigations
  6. Rapid Response

Cyberattacks are constantly morphing as hackers exploit new vulnerabilities and create new variations of malware. Service providers are often the first to see new attack vectors and techniques as their customer base encompasses organizations in many different industries and locations. Compared to individual enterprises, users of a managed security service may also benefit from more sources of third-party threat intelligence feeds and advanced correlation analysis between threat intelligence data and other suspicious behavior. Overall, improved threat visibility increases the chance of detecting and preventing a cyber breach.

No SIEM can provide 100% accurate alerts. Security experts are needed to investigate suspicious alerts to determine the criticality of a threat. In a high-performance SOC with a well-tuned SIEM, customers can expect the following:

  • Half of all high priority actionable alerts are the result of SOC analyst investigations
  • Of all the system alerts requiring analyst action, after investigation, about half turn out to be false positives

These data points underscore the importance of having sufficient human security experts available 24×7.

Service providers augment the existing team of SOC analysts and can often more effectively filter and correlate security events to present SOC analysts with better data. Outsourcing monitoring tasks also improves the morale of existing employees and allows them to focus on other priorities.

Organizations seek SIEM SaaS solutions to assist with staffing security teams on a 24/7 basis when they do not have a dedicated Security Operations Center (SOC) or the ability to staff three shifts of engineers year-round.

A hybrid security solution extends the customer’s security team by providing access to:

  • 24×7 monitoring by security technical experts
  • Security research team unit (Data Scientists and Analysts)
  • Thought leaders in the global security space

Overall a hybrid security solution prioritizes, organizes and offers comprehensive reporting on the customer environment, bringing situational awareness and manageability over the large volume of alerts and cases generated in the customer’s environment.

Analytics and Big Data = Scale and Modularity

  • Cybersecurity tactics and strategy are increasingly driven by data analytics
  • Enterprises are collecting, processing, analyzing and responding to more security data from a growing diversity of sources
  • Cybersecurity analytics and operations are in a state of innovative flux; organizations seek to refresh/revise SIEM investments
  • SIEM functionality extends to threat intelligence, analytics, network security analytics, EDR, UEBA, incident response automation and orchestration

Thanks for your Interest!
Nige the Security Guy.


One Response to SOAPA – A Matter of Scale

  1. bakie says:

    Thanks bro Nige for reposting in blog..
    we are hoping for the next post.
