SecOps & Analytics Platform Architecture


Last weekend, for Three Kings' Day, I got an activity tracker watch for monitoring and tracking fitness-related metrics such as distance walked or run, calorie consumption, heart rate, quality of sleep, steps climbed and other personal metrics. What is amazing is the dashboard I have to monitor all of these things from my smartphone, along with the ability to set alarms and thresholds, connect with social networks, share training plans, connect with other sensors, etc. In short, it is a way to control, measure and monitor the health of our life.

Activity Tracker Dashboard
This is the gift most CISOs would want for managing the security of their organization. I mean, they need a dashboard showing the level of risk of their services, a dashboard for security operations, and a single dashboard to analyse security through graphs and tables.

Recently, I read Goodbye SIEM, hello SOAPA (Security Operations And Analytics Platform Architecture) by Jon Oltsik, where he writes that a SIEM is not enough today because most CISOs have many different tools and more information than they can manage in time to make decisions. As a result, they would like to have a single dashboard to manage and analyse the security of their organization.

What Jon Oltsik proposes is a system called SOAPA which integrates many tools: endpoint detection and response tools (EDR), incident response platforms (IRPs), network security analytics, UBA/machine learning algorithms, vulnerability scanners and security asset managers, anti-malware sandboxes, threat intelligence, etc. To make this possible, SOAPA and the security tools should use industry standards such as Cyber Observable eXpression (CybOX), Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) to share security information with each other.

I don't know if SOAPA will be a product or a technology in the near future, but if I may ask, it would also be interesting to have an Information Security Management System getting indicators from asset and vulnerability scanners to make the Risk Management Process easier. If we can interact directly with assets and tools, we can know the threats to our services in near real time and, therefore, Risk Analysis and Risk Identification would have better and more reliable metrics to calculate probabilities, impacts, costs, etc.
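As an added illustration (not code from the post or from Jon Oltsik's proposal), the following Python sketch shows how the tool integration and risk-metric idea of the two paragraphs above could work: a constructed STIX bundle, in the JSON-based STIX 2.1 form assumed here in place of the CybOX/STIX 1 XML mentioned, carrying scanner and threat-intel objects is joined with a constructed asset inventory to produce a per-service risk score. The CVE ids, object ids, the `x_cvss_score` custom property and the weighting factors are placeholders and assumptions, not values from any real feed.

```python
import json

# Constructed STIX 2.1 bundle, as a scanner and an intel feed might publish it
# over TAXII. Object ids and CVE ids are placeholders, not real identifiers;
# x_cvss_score is an assumed custom property (STIX allows x_ extensions).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--placeholder", "objects": [
    {"type": "vulnerability", "id": "vulnerability--placeholder-a",
     "name": "CVE-0000-PLACEHOLDER-A", "x_cvss_score": 9.8},
    {"type": "vulnerability", "id": "vulnerability--placeholder-b",
     "name": "CVE-0000-PLACEHOLDER-B", "x_cvss_score": 5.3},
    {"type": "malware", "id": "malware--placeholder-m", "name": "loader", "is_family": False},
    {"type": "relationship", "id": "relationship--placeholder-r",
     "relationship_type": "exploits", "source_ref": "malware--placeholder-m",
     "target_ref": "vulnerability--placeholder-a"},
]})

# Constructed asset inventory, as an asset manager would expose it to SOAPA.
ASSETS = [
    {"host": "web-01", "service": "online-shop", "exposed": True,
     "cves": ["CVE-0000-PLACEHOLDER-A"]},
    {"host": "db-01", "service": "online-shop", "exposed": False,
     "cves": ["CVE-0000-PLACEHOLDER-B"]},
    {"host": "hr-01", "service": "intranet", "exposed": False,
     "cves": ["CVE-0000-PLACEHOLDER-B"]},
]

def parse_bundle(bundle_json):
    """Return (CVE -> CVSS score, set of CVEs that intel reports as exploited)."""
    objects = json.loads(bundle_json)["objects"]
    vulns = {o["id"]: o for o in objects if o["type"] == "vulnerability"}
    cvss = {v["name"]: float(v.get("x_cvss_score", 0.0)) for v in vulns.values()}
    # An "exploits" relationship pointing at a vulnerability marks it as actively used.
    exploited = {vulns[o["target_ref"]]["name"] for o in objects
                 if o["type"] == "relationship" and o["relationship_type"] == "exploits"
                 and o["target_ref"] in vulns}
    return cvss, exploited

def service_risk(bundle_json, assets):
    """Per-service risk: worst CVE per host, weighted by exposure and exploitation, capped at 10."""
    cvss, exploited = parse_bundle(bundle_json)
    risk = {}
    for asset in assets:
        host_risk = 0.0
        for cve in asset["cves"]:
            score = cvss.get(cve, 0.0)
            score *= 1.0 if asset["exposed"] else 0.5   # assumed exposure weight
            score *= 1.5 if cve in exploited else 1.0   # assumed exploitation weight
            host_risk = max(host_risk, min(10.0, score))
        risk[asset["service"]] = max(risk.get(asset["service"], 0.0), host_risk)
    return risk
```

Running `service_risk(STIX_BUNDLE, ASSETS)` gives the online shop the maximum score because its exposed host carries the vulnerability that intel links to active exploitation, while the intranet stays low.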

What's more, since we would be interacting with incident response platforms (IRPs), we could combine this information with claims and satisfaction surveys to know whether an attack or a failure has affected the service and, as a result, the satisfaction of our customers. This would be useful for the Business Impact Analysis and the Business Continuity process.

Last but not least, another requirement for SOAPA would be compliance reports for PCI-DSS, HIPAA, ENS, ISO 27001, etc. These are always useful for auditors and for tracking activities.

I think having a single tool, service or dashboard to monitor the whole security platform is a difficult task until vendors agree on how to do it with open standards. In the meantime, I have an activity tracker which interacts with Gmail, WhatsApp, Android, iOS, Movistar or any other phone carrier via Bluetooth.

Regards my friends, drop me a line with the first thing you are thinking!!!
