A Definition of SOAPA, How It Works, Benefits, and More
A lot of companies rely on security information and event management, or SIEM, to take stock of their security. SIEM brings together the log files and other information from a variety of sources, making it easier to see trends and patterns related to your systems and security. A system administrator can use the aggregated log files and documentation to build a system profile and use it as a baseline for identifying and detecting anomalies in the future.
While SIEM has proven useful over the years, it is becoming more and more outdated. Cybersecurity is a fast-growing and ever-evolving sphere, and event correlation and log management alone are simply not enough to keep up with it. As such, organizations are pressed to look for new technologies that can help them strengthen their cyber security, which is what security operations and analytics platform architecture (SOAPA) is all about.
A Definition of Security Operations and Analytics Platform Architecture
There is not yet a single, universally accepted, industry-standard architecture for security operations and analytics platforms. However, API integration is the approach most industry leaders currently recognize as acceptable. While an industry standard has yet to be defined, SOAPA does have some notable characteristics.
- It brings together all security data from different sources.
- It utilizes different sets of technologies and unifies them into one platform. This involves machine-readable security data that can be analyzed, managed, and reported on by the different technologies working together.
Along with middleware, SOAPA makes use of several industry standards to connect the disparate sources of data and tools that today’s enterprises are faced with managing, including:
1. Cyber Observable eXpression (CybOX),
2. Trusted Automated eXchange of Indicator Information (TAXII), and
3. Structured Threat Information Expression (STIX).
By combining disparate data sources, tools, and technologies, SOAPA streamlines processes and makes overall security operations more efficient, while giving otherwise isolated data more context so companies can glean better insights from their data sources.
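As an added illustration of the "combine disparate sources and give them context" idea above (example code, not from the original article or any vendor platform): a constructed STIX 2.1 indicator bundle, of the kind a platform would pull over TAXII, is loaded, two constructed log lines from a firewall and a web proxy are normalized to a common field, and every match is reported as a STIX-style sighting. All ids, addresses and log lines are made up for the example.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for an indicator feed pulled over TAXII.
# The ids and the 203.0.113.45 address (a documentation range) are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-0000000000aa",
        "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
        "name": "constructed example: suspicious address", "pattern_type": "stix",
        "pattern": "[ipv4-addr:value = '203.0.113.45']", "valid_from": "2024-01-01T00:00:00Z",
    }],
})

# Constructed log lines from two sources that would otherwise sit in isolation.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z fw01 ALLOW src=10.0.0.7 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:02Z fw01 ALLOW src=10.0.0.8 dst=198.51.100.9 dport=80",
]
PROXY_LOGS = ["2024-05-01T10:00:03Z proxy01 user=alice dst=203.0.113.45 status=200"]

# Only the simplest STIX pattern form is handled; a real platform needs a full pattern parser.
PATTERN_RE = re.compile(r"^\[ipv4-addr:value = '([^']+)'\]$")
DST_RE = re.compile(r"\bdst=(\S+)")


def load_ipv4_indicators(bundle_json):
    """Return {ipv4: indicator id} for each simple ipv4-addr indicator in a STIX bundle."""
    found = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            m = PATTERN_RE.match(obj["pattern"])
            if m:
                found[m.group(1)] = obj["id"]
    return found


def normalize(source, line):
    """Reduce a source-specific log line to the common field the platform correlates on."""
    m = DST_RE.search(line)
    return {"source": source, "dst": m.group(1) if m else None, "raw": line}


def correlate(events, indicators):
    """Emit a STIX-style sighting for every event whose destination matches an indicator."""
    return [{"type": "sighting", "sighting_of_ref": indicators[e["dst"]],
             "source": e["source"], "dst": e["dst"], "raw": e["raw"]}
            for e in events if e["dst"] in indicators]
```

The same address seen by two unrelated tools becomes one correlated finding with a reference back to the indicator that explains it, which is the context a lone log line lacks.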
SOAPA and SIEM
The description of SOAPA may sound similar to SIEM. Where SIEM focuses more on event information and logs, security operations and analytics platform architecture looks at a wider variety of tools and information. In fact, SIEM is actually a part of SOAPA, being one of several security and analytics tools used in the model.
However, SOAPA is a dynamic model, allowing for the addition of other tools and data sources, as well as enabling analysts and data scientists to move rapidly between tools and data sources to analyze and take action on insights in real time. Security operations and analytics platform architecture is a top priority for more than 1 in 5 organizations, according to Jon Oltsik, senior principal analyst of ESG.
Benefits of Security Operations and Analytics Platforms
With the ever-changing security market, security operations and analytics platform architecture has more capabilities than SIEM. In fact, indicators point to the fact that SIEM will not be able to keep up with the demands of security operations centers. Security data is continually being collected and processed. According to Oltsik, more than 72% of organizations expect to collect more internal security data in the next two years. What’s more interesting, 55% of companies expect to gather more external security data in the same time frame.
This means that more organizations are going to collect more security data, with some of this data coming from new sources. This new data can be analyzed independently, but it also drives the realization that security data is more useful when analyzed together with relevant information coming from other systems.
You can think of SOAPA as the upcoming next step for SIEM. It answers the need to centralize and normalize all types of security data, which makes way for better analytics and intelligence-guided decision-making. It also addresses the need for workflows and automation in order to effectively manage potential attacks even with limited staff.
Technologies and Components of SOAPA
From every indication, security operations and analytics platform architecture looks like a more comprehensive SIEM involving more security data sources and better technologies, in order to come up with better and more meaningful insights. But that doesn’t mean that SIEM is unnecessary; as mentioned previously, SIEM remains an important component in SOAPA, working with other technologies and services such as:
How SOAPA Works
All in all, security operations and analytics platform architecture is a new model that brings together different cybersecurity tools into one unified software system, helping you become more efficient and effective with your security. SOAPA integrates, orchestrates, and automates several tools, including endpoint protection systems, UEBA, vulnerability scanners, threat intelligence, anti-malware sandboxes, and others.
SOAPA helps in addressing many of the common problems faced by cybersecurity professionals today, including:
- Shortage of security staff (experts are very hard to find and hold on to)
- Time-constrained responses
- Too many tools
- Trying to keep up with too many threats that are always changing
SOAPA aims to address these problems by reducing the need for so many separate tools and manual steps. It can help organizations focus on a few tools, automate them, and still get the insights and information they need to do their work, do it well, and respond to threats in real time.