Data Security Knowledge Base

What is Security Operations and Analytics Platform Architecture? A Definition of SOAPA, How It Works, Benefits, and More

A lot of companies rely on security information and event management or SIEM to take stock of their security. SIEM brings together the log files and other information from a variety of sources, making it easier to see trends and patterns that are related to your systems and security. A system administrator can use the aggregated log files and documentation to come up with a system profile, and used as a baseline to identify and detect anomalies in the future.

While SIEM has proven useful over the years, it is becoming more and more outdated. Cybersecurity is a fast-growing and ever-evolving sphere, and event correlation and log management would simply not be enough to keep up with it. As such, organizations are pressed to look for new technologies that could help them beef up their respective cyber security, which is what security operations and analytics platform architecture are all about.

A Definition of Security Operations and Analytics Platform Architecture

There is not yet a single, universally accepted, industry standard architecture for security operations and analytics platforms. However, API integration is an acceptable methodology recognized by most industry leaders currently. While an industry standard has yet to be defined, SOAPA does have some notable characteristics.

a. It brings together all security data from different sources.
b. It utilizes different sets of technologies and unifies them into one platform. This involves machine-readable security data that is be analyzed, managed, and reported by the different technologies working together.

Along with middleware, SOAPA makes use of several industry standards to connect the disparate sources of data and tools that today’s enterprises are faced with managing, including:

1. Cyber Observable eXpression (CybOX),
2. Trusted Automated eXchange of Indicator Information (TAXII), and
3. Structured Threat Information Expression (STIX).

By combining disparate data sources, tools, and technologies, SOAPA streamlines processes and makes overall security operations more efficient, while giving otherwise isolated data more context so companies can glean better insights from their data sources.


The description of SOAPA may sound similar to SIEM. If SIEM is focused more on event information and logs, security operations and analytics platform architecture would look at a wider variety of tools and information. In fact, SIEM is actually a part of SOAPA, being one of several security and analytics tools used in the model.

However, SOAPA is a dynamic model, allowing for the addition of other tools and data sources, as well as enabling analysts and data scientists to move rapidly between tools and data sources to analyze and take action on insights in real time. Security operations and analytics platform architecture is a top priority for more than 1 in 5 organizations, according to Jon Oltsik, senior principal analyst of ESG.

Benefits of Security Operations and Analytics Platforms

With the ever-changing security market, security operations and analytics platform architecture has more capabilities than SIEM. In fact, indicators are pointing to the fact the SIEM will not be able to keep up with the demands of security operations centers. Security data is continually being collected and processed. According to Oltsik, more than 72% of organizations expect to collect more internal security data in the next two years. What’s more interesting, 55% of companies expect to gather more external security in the same time frame. 

This means that more organizations are going to collect more security data, with some of this data coming from new sources. This new data would be analyzed independently, but would also give rise to the realization that security data could be more useful when analyzed together with other relevant information coming from other systems. 

You can think of SOAPA as the upcoming next step for SIEM. It answers the need to centralize and normalize all types of security data that will make way for better analytics and intelligence guided decision-making.  It also addresses the need for workflows and automation in order to effectively manage potential attacks even with limited staff.

Technologies and Components of SOAPA

From every indication, security operations and analytics platform architecture look like a more comprehensive SIEM involving more security data sources, using better technologies, to come up with better and more meaningful insights. But that doesn’t mean that SIEM is unnecessary; as mentioned previously, SIEM remains an important component in SOAPA, working with other technologies and services such as:

1. Network security analytics which allows analysis of flow and packets.
2. Incident response platforms which enables system administrators to classify threats detected by SOAPA and get priority alerts, and take action on identified issues promptly.
3. Endpoint detection and response tools, allowing security personnel to also check the behavior of the host.
4. Machine learning algorithms, such as solutions provided by Sqrrl, Exabeam, and Splunk.
5. Anti-malware sandboxes, allowing security personnel to understand malware attacks, especially those that exploit vulnerabilities that are not yet known to the provider.
6. Threat intelligence, allowing cyber security people to compare and contrast anomalies happening within their network with those happening in the wild.
7. Security asset managers and vulnerability scanners, allowing security professionals to know which alerts to prioritize.

How SOAPA Works

All in all, security operations and analytics platform architecture is a new model that brings together different cybersecurity tools into one unified software system, helping you become more efficient and operative with your security. SOAPA will integrate, orchestrate, and automate several tools, including endpoint protection systems, UEBA, vulnerability scanners, threat intelligence, anti-malware sandboxes, and others.

SOAPA helps in addressing many of the common problems faced by cybersecurity professionals today, including:

• Shortness of security staff (experts are very hard to find and hold on to)
• Time-constraint responses
• Too many tools
• Trying to keep up with too many threats that are always changing

SOAPA aims to address these problems by reducing the need for them. It can help organizations focus on a few tools, automate them, and still get the insights and information they need to do their work, do it well, and respond to threats in real-time.