Top IT Security Bloggers

SOAPA vs. SOAR: How these security terms differ

I came up with the security operations and analytics platform architecture (SOAPA) concept in late 2016. In November of that year, I wrote about how SIEM systems were becoming part of SOAPA. As a review, SOAPA is a bottom-up architecture featuring:
Common distributed data service. SOAPA creates a common data pipeline for high volumes of batch and streaming data. In this way, SOAPA can accommodate massive amounts of security data for all types of analytics – from real-time threat detection to long-term retrospective investigations spanning months' or even years' worth of security data. 
Software services and integration layer. This layer serves as a bridge between security data and analytics engines that consume the data. In simple terms, the software services and integration layer delivers security data to analytics engines when they want it and in the format they want.
Analytics layer. Security data is scrutinized by a variety of security tools that monitor endpoint processes, network behavior, threat intelligence patterns, or all these areas at once. The SOAPA analytics layer is designed for efficient monitoring and analysis of all security data to help SOC teams accelerate threat detection, pinpoint problems, and prioritize actions.
Security operations platform layer. When security analytics discovers a problem, it can then hand off remediation tasks to the security operations platform layer. The top layer of the SOAPA stack is programmable and can be instrumented to take automated actions, such as gathering data for an investigation, blocking a network connection, or opening a trouble ticket in a case management system. Security remediation operations can also be orchestrated to take actions across multiple security controls, such as firewalls, network proxies, web or DNS gateways, etc. Finally, the security operations layer acts as a workbench for SOC analysts for complex operations that require manual intervention.
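To make the four-layer flow concrete, here is an added Python sketch (not code from the original post or from any SOAPA vendor) that walks constructed endpoint and network records bottom-up through the stack: the function names, the record fields and the threat-intel entries are all assumptions made for the illustration.

```python
# Added illustration of the SOAPA stack: data service -> integration -> analytics -> operations.
from collections import defaultdict

# Constructed sample inputs: raw records from two sources with different schemas.
RAW_EVENTS = [
    {"src": "edr", "host": "ws01", "proc": "powershell.exe", "ts": 100},
    {"src": "netflow", "host": "ws01", "dst_ip": "203.0.113.9", "ts": 105},
    {"src": "netflow", "host": "ws02", "dst_ip": "198.51.100.4", "ts": 110},
]
# Constructed threat-intel feed (documentation-only TEST-NET addresses).
BAD_IPS = {"203.0.113.9", "198.51.100.4"}

# Layer 1: common distributed data service - one normalized schema for every source.
def data_service(raw):
    return [{"host": r["host"], "ts": r["ts"], "source": r["src"],
             "process": r.get("proc"), "dst_ip": r.get("dst_ip")} for r in raw]

# Layer 2: software services / integration layer - hand each analytics engine only the
# fields it asked for, keyed by host so cross-source correlation is cheap.
def integration_layer(events, wanted_fields):
    by_host = defaultdict(list)
    for e in events:
        view = {k: e[k] for k in wanted_fields if e.get(k) is not None}
        by_host[e["host"]].append({**view, "ts": e["ts"]})
    return by_host

# Layer 3: analytics layer - correlate a threat-intel hit with an endpoint process
# seen on the same host inside a 60-second window.
def analytics_layer(by_host, intel, window=60):
    findings = []
    for host, evs in by_host.items():
        procs = [e for e in evs if "process" in e]
        for hit in (e for e in evs if e.get("dst_ip") in intel):
            linked = [p["process"] for p in procs if abs(p["ts"] - hit["ts"]) <= window]
            findings.append({"host": host, "dst_ip": hit["dst_ip"], "process": linked,
                             "confidence": "high" if linked else "medium"})
    return findings

# Layer 4: security operations platform - automate high-confidence remediation and
# route everything else to the analyst workbench for manual handling.
def operations_layer(findings):
    actions, workbench = [], []
    for f in findings:
        if f["confidence"] == "high":
            actions += [("block_connection", f["dst_ip"]), ("open_ticket", f["host"])]
        else:
            workbench.append(f)
    return actions, workbench

def run_soapa(raw, intel):
    by_host = integration_layer(data_service(raw), ["process", "dst_ip"])
    return operations_layer(analytics_layer(by_host, intel))
```

Running `run_soapa(RAW_EVENTS, BAD_IPS)` blocks the ws01 connection and opens a ticket automatically, while the ws02 hit with no correlated process lands in the workbench.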

