Goodbye SIEM, Hello SOAPA!

Posted by chiappelli at 2020-03-19

SIEM is becoming one part of a dynamic and evolving security analytics and operations architecture.

Security information and event management (SIEM) systems have been around for roughly ten years. During that period SIEM evolved from a perimeter security event correlation tool into a governance, risk and compliance (GRC) platform, and then into a security analytics system. The early vendors, such as eSecurity, GuardedNet, Intellitactics and netForensics, are now distant memories. Today's SIEM market is dominated by a few leading vendors: LogRhythm, McAfee (Nitro Security), HP (ArcSight), IBM (QRadar) and Splunk.

Figure: Magic Quadrant for Security Information and Event Management, 2016 (source: Gartner)

Of course, there is a group of young and bold innovators who regard SIEM as legacy technology. They claim that log management and event correlation cannot keep up with the pace of today's network security threats, so new technologies such as artificial intelligence, machine learning algorithms and neural networks are needed to consume, process and analyze security data in real time.

As an industry analyst, I should wave my arms wildly and declare "SIEM is dead", because that is what people in my industry often do. But sorry, I don't think SIEM is dead at all. On the contrary, the requirements of enterprise security operations and analytics are forcing SIEM to merge rapidly into a new technology that ESG calls the security operations and analytics platform architecture (SOAPA).

In SOAPA, SIEM-like functions still play an important role, often aggregating analytics data into a common database. But unlike in the past, SIEM is now one of several security tools within SOAPA. These technologies are designed for asynchronous collaboration, so that security analysts can quickly switch between tools, find data in real time, and take action immediately when needed.

SOAPA is a dynamic architecture, which means that new data sources and control platforms will be added over time. Nonetheless, I believe today's SOAPA is built from SIEM (or similar log management and search products / services) plus the following:

Endpoint detection and response (EDR) tools: security analysts often want to investigate security alerts in depth by monitoring and studying host behavior, so EDR (e.g. Carbon Black, CounterTack, CrowdStrike, Guidance Software, etc.) is a necessary component of SOAPA.

Incident response platforms (IRP): in addition to collecting, processing and analyzing security data, network security professionals also want to prioritize alerts and resolve issues as quickly as possible. These requirements have led to many IRPs, such as Hexadite, Phantom, Resilient Systems (IBM), ServiceNow and Swimlane.

Network security analytics: in SOAPA, SIEM's log analysis and EDR's host behavior monitoring are complemented by flow and packet analysis, provided by Arbor Networks, Blue Coat / Symantec, Cisco (Lancope) and RSA.

User behavior analytics (UBA) / machine learning: although these tools have received excessive attention and hype in the industry, there is no doubt that machine learning will be built into security analytics tools from now on, so vendors such as Bay Dynamics, Caspida (Splunk), Exabeam, Niara, Sqrrl and Varonis belong in the SOAPA category.

Vulnerability scanners and security asset management: part of security operations is knowing which alerts should be prioritized. These decisions must rely on reliable data from vulnerability management systems (e.g. Qualys, Rapid7, Tanium) and other tools that monitor system status and network configuration (e.g. RedSeal, Skybox, Verdin, etc.).

Anti-malware sandboxes: this technology is another key to understanding targeted attacks that may use zero-day malware. Sandboxes from FireEye, Fidelis and Trend Micro are definitely part of SOAPA.

Threat intelligence: enterprise organizations want to compare anomalous behavior on internal networks with malicious activity "in the wild", so SOAPA extends to threat intelligence sources and platforms, namely BrightPoint (ServiceNow), FireEye / iSIGHT Partners, Recorded Future, ThreatConnect, ThreatQuotient, etc.
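As an added example (not code from the post, ESG or any vendor named here), a minimal Python alert triage that joins one SIEM alert with context from the SOAPA components listed above (EDR host behaviour, vulnerability scan results, asset criticality and threat intelligence) and assigns it a priority; every record, host name and IP address is constructed sample data, and each source is consulted independently so an alert is still triaged when a source has nothing for that host.

```python
from dataclasses import dataclass

# Constructed sample records standing in for each SOAPA component.
# The SIEM alert is the record pulled from the common database.
SIEM_ALERT = {"id": "alert-1", "host": "db-01", "src_ip": "203.0.113.7",
              "rule": "outbound-connection-to-rare-domain"}
# Vulnerability scanner: host -> number of unpatched critical findings
VULN_CRITICALS = {"db-01": 3, "ws-17": 0}
# Asset manager: host -> business criticality (1 low .. 3 high)
ASSET_CRITICALITY = {"db-01": 3, "ws-17": 1}
# EDR: host -> suspicious behaviours observed on the host recently
EDR_BEHAVIOURS = {"db-01": ["new-scheduled-task", "unsigned-driver-loaded"]}
# Threat intelligence: indicators currently known to be malicious
THREAT_INTEL_IPS = {"203.0.113.7"}


@dataclass
class Triage:
    alert_id: str
    score: int
    reasons: list


def triage(alert, vuln=VULN_CRITICALS, assets=ASSET_CRITICALITY,
           edr=EDR_BEHAVIOURS, intel=THREAT_INTEL_IPS) -> Triage:
    """Score one SIEM alert with context from each SOAPA source.
    A source with no data for the host simply adds nothing, so the
    alert is still triaged on whatever context is present."""
    host = alert["host"]
    score, reasons = 1, ["base SIEM alert"]
    if alert.get("src_ip") in intel:           # threat intelligence match
        score += 3
        reasons.append("source IP is a known-bad indicator")
    criticals = vuln.get(host, 0)               # vulnerability management
    if criticals:
        score += min(criticals, 3)
        reasons.append(f"{criticals} unpatched critical vulnerabilities")
    weight = assets.get(host, 1)                # asset criticality
    score += weight
    reasons.append(f"asset criticality {weight}")
    for behaviour in edr.get(host, []):         # EDR host behaviour
        score += 2
        reasons.append(f"EDR observed {behaviour}")
    return Triage(alert["id"], score, reasons)


def priority(t: Triage) -> str:
    """Map the score to the queue an analyst would work from."""
    return "P1" if t.score >= 8 else "P2" if t.score >= 5 else "P3"
```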

Beyond these technologies, here are some further thoughts on SOAPA:

1. Beyond data exchange between security tools, the next major innovation will be centralized SOAPA command and control to analyze and manage (i.e. configuration management, policy management, etc.) the security infrastructure.

2. The market has already been moving in the direction of SOAPA. IBM's acquisition of Resilient Systems (IRP), Splunk's acquisition of Caspida (UBA) and Elasticsearch's acquisition of Prelert are evidence of this.

3. Now that McAfee is independent of Intel, it is expected to invest in Enterprise Security Manager (Nitro). In addition to acquisitions aimed at filling architectural gaps, McAfee will accelerate the integration of SOAPA technology with its own tools and ecosystem partners.

4. Given that SIEM still plays a core role in SOAPA, some vendor (Guanqun? Palo Alto? Symantec? Trend Micro?) will acquire LogRhythm.

5. Each of the necessary technologies above can be delivered on-premises or as a SaaS solution. SOAPA must be flexible enough to support both.

6. SOAPA must be designed for massive scale, especially because enterprise organizations are increasing their use of cloud computing and the Internet of Things. Cloud-based analytics or storage may become part of this architecture.

7. A few vendors may offer their own proprietary SOAPA solutions, but enterprise customers will likely avoid single-vendor solutions and seek SOAPA from leading vendors together with their ecosystem partners. Smaller businesses and SMBs, however, may buy a single product or purchase from SaaS vendors.

Translated and compiled from the original; reproduction without authorization is prohibited.
