Security Operations Centers: One User Interface for SOC Analysts?
Many organizations still depend upon a myriad of disparate point tools for security operations, leading to many challenges.
According to ESG research:
- 35% of cybersecurity professionals say that one of the biggest challenges associated with managing an assortment of point tools is that it makes security operations complex and time-consuming.
- 35% of cybersecurity professionals say that one of the biggest challenges associated with managing an assortment of point tools is that it is difficult for them to get a complete picture of their security status at any time.
- 34% of cybersecurity professionals say that one of the biggest challenges associated with managing an assortment of point tools is triaging, prioritizing, and investigating all the security alerts generated.
- 33% of cybersecurity professionals say that one of the biggest challenges associated with managing an assortment of point tools is that each security tool demands its own management and operations, straining the organization’s resources.
- 25% of cybersecurity professionals say that one of the biggest challenges associated with managing an assortment of point tools is that their organization doesn’t have enough staff members or the right skills to manage all the tools effectively.
This problem isn’t new. Recognizing this problem in 2016, ESG came up with a new concept called a security operations and analytics platform architecture (SOAPA), designed to consolidate and integrate every layer of the security operations stack – from the raw data, through analytics, to day-to-day security operations processes.
What is SOAPA?
SOAPA is a bottom-up stack in that it is meant to give SOC teams the ability to act upon security telemetry in real time. Think of actions like quarantining a system, patching a server, or investigating an incident, all based upon efficient data collection, processing, analytics, and well-orchestrated security processes.
Initially, I believed that the top of the SOAPA stack would be a security operations platform layer, populated with security operations technologies like case management systems, runbooks, and process automation capabilities. This has happened with the growing popularity of security orchestration, automation, and response tools (SOAR; author’s note: I hate this term).
While SOAR tools help unify processes, there’s still a problem. SOC personnel are forced to configure, customize, learn, and operate numerous SOAPA tool UI/UXs. This situation is better than it was, but it still requires too much overhead.
Enter the latest chapter in the SOAPA evolution – the common security operations UI/UX. While SOC analysts tend to pivot from tool to tool today, they will live in common security operations UI/UXs that provide federated query across disparate data, common SIEM and analytics visualization, threat intelligence platform capabilities, role-based configurable dashboards, and comprehensive security operations platform functionality. Yes, analysts (especially tier 3 analysts) will still need to pivot to other tools, but most will spend the bulk of their working day in the common UI/UX.
UI and UX: Potential SOAPA Benefits
Think about the potential benefits here. Training costs should go down while efficiency improves. Tier 3 analysts can mentor junior people through common templates. All SOC personnel will have access to all the security data at the same time but still be able to customize dashboards to their specific roles, skill sets, and preferences. Communities of analysts from different organizations will be able to share dashboards, runbooks, and best practices.
Several vendors, including IBM (Cloud Pak for Security), Palo Alto Networks (Cortex/XSOAR), and Splunk (Mission Control), get this and have already released common security operations UI/UXs.
The development of a common security operations UI/UX has a lot of promise. I’ll be tracking progress in this area moving forward.