For years, enterprises have dealt with security analytics and operations using an assortment of point tools. According to research by my employer ESG, 35% of organizations today use more than 26 such commercial, homegrown, and/or open source tools in their security operations center (SOC).
Too many tools lead to a host of well-known problems. Each tool must be installed, configured, and operated. Security analytics tools can be complex, requiring well-trained and skilled personnel to run them. Finally, each tool presents its own interpretation of situational awareness based on the data it analyzes. Assembling a complete picture of security across the enterprise therefore depends on experienced analysts’ ability to piece together the output of these siloed security analytics tools. This has proven to be ineffective and inefficient.
I saw this situation several years ago and felt there had to be a better way. This led me to come up with the security operations and analytics platform architecture, or SOAPA (see Figure 1). SOAPA is meant to create technology integration across four layers: data management services, software services (i.e., middleware), analytics services, and security operations services.
This level of integration would let security analytics tools share and exchange data, allowing analysts to move easily from one tool to another and then pivot to security operations platforms to act upon the data for problem remediation and risk mitigation.
SOAPA integration continues to progress, and organizations that integrate security operations tools report positive results. That’s great, but analysts are still forced to look at different user interfaces for different tools. Yes, they can do this more efficiently now than in the past, but can’t the security community do any better than this?
I believe it can, through a common user interface that supports multiple, and potentially all, security operations tools. This UI could span SOC processes, from incident detection and triage, through investigations, to case management, and finally security operations actions. Individual analysts could customize the interface to accommodate their job responsibilities, experience level, and even their favorite colors. Heck, there could even be a version of the UI for CISOs and business managers to keep track of security status, tailored to their specific skill sets and requirements.
A common security operations UI would offer a multitude of benefits, including: