Industry analysts predict what’s next for cybersecurity and platforms.
The cybersecurity space is evolving more rapidly than any other business function before it. Human Resources, Sales and Marketing – all went through major changes driven by data growth, need for scaling operations, and external pressures. Those same factors are forcing cybersecurity to evolve in much the same manner, but it should be obvious that the magnitude of data, need for scale and external pressure are all much higher than other departments. So, cybersecurity has to change that much faster. This is where the Security Operations and Analytics platform comes in. But, before we explain what that is, let’s give you a little background.
In November of 2016, Jon Oltsik wrote an article, “Goodbye SIEM, Hello SOAPA” in which he lays out ESG’s vision of the future, where SIEMs become part of what he calls a Security Operations and Analytics Platform Architecture (SOAPA). A year prior, Oliver Rochford and Paul Proctor wrote, “Innovation Tech Insight for Security Operations, Analytics and Reporting Architecture.” While they have differences, those two articles both predict an evolution in security operations being driven by the vast amounts of data that must be processed. They see a need for the following:
- Centralization and normalization of internal and external security data: This will lead to better analytics and, in turn, better decision making: decisions informed by intelligence.
- Automation and Workflows: For cybersecurity teams to simultaneously address the pressures of attacks and maximize the efficiency of limited staff, they must have repeatable, documented automation and workflows.
So, what is a Security Operations and Analytics Platform? Well, like many new technologies, it is still being defined. Both Oltsik and Rochford & Proctor talk about architectures that bring together several technologies into one platform.
“A security operations, analytics and reporting platform utilizes machine-readable and stateful security data to provide reporting, analysis and management capabilities to support operational security teams. They apply decision-making logic and context to provide formalized workflows and enable informed remediation prioritization. In a nutshell, they provide the intelligence that you wish you had in the original technologies.”
At ThreatConnect we have had a vision for quite some time of a single platform to process data, create intelligence, automate mundane tasks, orchestrate complex security processes, and ultimately inform better, faster decision making to mitigate risk to your organization. In 2013, we launched our platform, focused on aggregating, analyzing, and acting on threat intelligence, as our first step towards that vision. At the time, we believed that what we called a threat intelligence platform (TIP) would evolve to become THE platform for security operations and decision-making. Then the industry narrowed the definition of the TIP.
Still, we kept building toward our initial vision: to give the security industry the same platform it would need as it evolved much like Human Resources, Sales & Marketing, and other departments before it. If you ever saw a presentation from us back in the day, you may remember the (frankly ugly) slide we used to describe that vision:
Cybersecurity needs a cohesive strategy for how it captures data, analyzes it, and automates its processes, just like those other, more mature business disciplines. In our mind, what the industry analysts above have in common is that they are all articulating that point in more detailed terms. The difference for cybersecurity is that it also needs to orchestrate many more tools than other disciplines often do.
So, what is a Security Operations and Analytics Platform? In our mind, right now it looks something like this:
This illustrates how intelligence flows through every aspect of your security program; that your entire team is connected to the intelligence, to each other, and to the tools; and that a feedback loop from the people and tools is built in to improve the intelligence. And, throughout the entire process, analytics are constantly enabling sound, fast decision-making.
While the analysts at ESG and Gartner are laying groundwork for architectures that cross solutions, we very much see a need for a platform to bring it all together, make sense of the complexity, and provide security leadership with a single place to get everything they need to make decisions.
I expect we will see the industry analysts continue to iterate on this topic. So, you should expect to see us write on it as this space continues to evolve. Whether the predictions on SOAPA and SOAR set out by ESG and Gartner come to fruition or not, we will still be pursuing the same vision we had when we started ThreatConnect some years ago.
Learn more about how we see intelligence in cybersecurity evolving in our “Maturing at Threat Intelligence Program” whitepaper that covers the practical use of intelligence for decision-making in cybersecurity teams at every level.