Tackling the Data Side of Security Operations
- August 10, 2020
The concept is simple enough. All security systems worth their salt now share a common API architecture, meaning they will all at least accept API requests for data, status, configuration updates, and more. That is a good start, but to overcome the challenge of siloed security domains we need a common hub around which we can consolidate our security operations and incident response activity.
As mentioned earlier, good solutions exist for consolidating security data. Since data is a foundational component of incident response, we see the natural evolution of SIEM platforms moving into the SOAR (Security Orchestration, Automation and Response) space. These solutions already have the data from across the security domains, and adding the capability to generate API calls to other systems unlocks the real potential to escape the complexity trap we find ourselves in.
Palo Alto Networks’ SOAR evolution took a different course, but arrived at similar capabilities as the traditional SIEM vendors. The company took its original strength in network security, expanded into the endpoint space, then the general data collection space, and ultimately combined SIEM and automation technology to create its SOAR offering.
Consolidated SIEM and SOAR platforms offer game-changing potential to Security Operations Centers (SOCs). The disjointed, siloed approach to incident response cannot succeed consistently in large enterprises. Gathering forensics from endpoint solutions, applications, servers, network devices, identity platforms, and elsewhere is painfully manual, yet relatively easy to automate with a combined SIEM and SOAR platform. Active threat mitigation is more complex to implement, but with a SOAR platform the problem can be approached in a unified fashion.
Of course, fancy technology is just shiny (and expensive) baggage if not backed by human intelligence and effort. SIEM and SOAR technology is the ideal platform onto which we can accumulate that human intelligence and effort. Patterns exist in the mitigation steps SOCs perform manually. Those patterns can be generalized and implemented as security playbooks. Playbooks are enabled by comprehensive security data, which, conveniently, already exists in the integrated SIEM solution. And these playbooks can span all the security domains from a single platform.
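To make the playbook idea concrete, here is an added example (not code from the original post or from any vendor platform): a small cross-domain enrichment playbook that generalizes the manual forensic steps described above, fans them out over endpoint, identity and network data, and decides mitigation once from the consolidated result. The domain APIs are simulated with constructed in-memory data, and the hostnames, user names, fields and rules are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the endpoint, identity and network
# domain APIs (hostnames, users and field names are illustrative assumptions).
ENDPOINT_API = {"host-17": {"unsigned_processes": ["svc_updt.exe"]}}
IDENTITY_API = {"jdoe": {"login_countries_24h": ["NL", "BR"]}}
NETWORK_API = {"host-17": {"first_seen_domains": ["cdn-updt.example"]}}

@dataclass
class Incident:
    alert_id: str
    host: str
    user: str
    findings: list = field(default_factory=list)  # one entry per corroborating domain
    actions: list = field(default_factory=list)   # proposed mitigation steps

    def severity(self) -> str:
        # Each independent domain that corroborates the alert raises severity.
        return ["low", "medium", "high", "critical"][min(len(self.findings), 3)]

# Each enrichment step generalizes one forensic step an analyst would do by hand.
def enrich_endpoint(inc: Incident) -> None:
    procs = ENDPOINT_API.get(inc.host, {}).get("unsigned_processes", [])
    if procs:
        inc.findings.append(f"endpoint: unsigned process(es) {procs}")

def enrich_identity(inc: Incident) -> None:
    countries = IDENTITY_API.get(inc.user, {}).get("login_countries_24h", [])
    if len(set(countries)) > 1:
        inc.findings.append(f"identity: logins from {sorted(set(countries))} in 24h")

def enrich_network(inc: Incident) -> None:
    domains = NETWORK_API.get(inc.host, {}).get("first_seen_domains", [])
    if domains:
        inc.findings.append(f"network: new outbound domain(s) {domains}")

def run_playbook(alert: dict) -> Incident:
    """Consolidate evidence from every domain, then decide mitigation once."""
    inc = Incident(alert["id"], alert["host"], alert["user"])
    for step in (enrich_endpoint, enrich_identity, enrich_network):
        step(inc)
    if inc.severity() in ("high", "critical"):
        inc.actions += [f"isolate host {inc.host}", f"revoke sessions for {inc.user}"]
    elif inc.severity() == "medium":
        inc.actions.append("escalate to analyst for review")
    return inc

if __name__ == "__main__":
    result = run_playbook({"id": "A-1", "host": "host-17", "user": "jdoe"})
    print(result.severity(), result.findings, result.actions)
```

Adding a new domain is a matter of writing one more enrichment step; the decision logic stays in one place instead of being repeated per silo.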
The wide mix of technology that makes up the IT world is what gave us the IT security sub-domain challenge. But today we have technology that can help us clean up the mess. Recognizing the foundational limits of approaching security as disjointed silos, and partnering with someone who can help you combine security, automation, and data expertise, will have a marked effect on your SOC’s effectiveness.
If you missed my first post in this series, it explains how we got into today's situation and the challenges that it poses.