As a follow-up to the part 1 posting of this topic, and the XDR topic posted by our CTO, let’s discuss how we must deal with the decentralization of security operations while still needing a unified view of the state of security and of the ways we secure the enterprise.
How do we deal with it?
As said before, we must embrace the next-gen cyber-security operations of an enterprise, which shall be run by security domain experts rather than the traditional IT/developer persona. This certainly means the end of the traditional, central SIEM as we know it, and the augmentation of the security infrastructure with a federated content platform that operates as a fabric across all security silos – this is the ONLY way to embrace the next generation of enterprise security.
Security silos are not necessarily a bad thing – in fact, we see the next-gen SOC being quite decentralized and operated in a best-of-breed fashion. The key is to bring the intelligence (detections and response playbooks) together such that a unified coverage and action plan emerges for the enterprise. In order to achieve that, a few key paradigms need to be shattered:
1. The concept of a central, primary SIEM at the heart of a SOC, into which all security data sources feed, is disappearing – a more distributed model is emerging
2. No more developer/IT skills needed to program rules/logic – security experts will be able to author and implement detection content without code and without needing to tie into a specific underlying run-time engine
3. Content will no longer be developed only within the confines of a SOC – a more collaborative approach will emerge, with other business units and control points, as well as outside the enterprise
4. By virtue of the above, content will no longer be in a single platform or SIEM-specific “language” – it will be more of a framework-led logic construct easily portable to any runtime environment
5. Data prep – normalization, unified data model etc. – will no longer be an afterthought; it becomes a first-class citizen in building out the next-gen SOC, where the content and data interlock from the design stage onwards
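Points 2, 4 and 5 above fit together mechanically: detection content is authored against a unified data model rather than a product query language, the data from each silo is normalized onto that model up front, and the same content is then rendered for whichever runtime happens to sit under a given silo. The following is an added illustration of that interlock, not code from the original post or from any product it refers to. The unified field names, the two raw log shapes, the rule format and the two target query dialects are all constructed for the example; the point is that the rule never mentions a source format or a backend, and that content using fields outside the model is rejected at design time.

```python
"""
Portable detection content plus first-class normalization (constructed example).

Everything here is illustrative: the unified field names, the raw log shapes,
the rule format and the two target query dialects are assumptions, not any
vendor's schema or syntax.
"""
from __future__ import annotations
import json
import re
from typing import Any

# 1. Unified data model: the only field names detection content may reference.
UNIFIED_FIELDS = {"event_type", "user", "src_ip", "outcome", "process_name"}

# 2. Normalizers, one per silo, mapping raw records onto the unified model.
def normalize_auth_json(raw: str) -> dict[str, Any]:
    """Constructed 'auth service' JSON record -> unified model."""
    rec = json.loads(raw)
    return {
        "event_type": "authentication",
        "user": rec["username"],
        "src_ip": rec["client_addr"],
        "outcome": "failure" if rec["result"] == "DENIED" else "success",
    }

SSH_RE = re.compile(r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")

def normalize_sshd_syslog(raw: str) -> dict[str, Any] | None:
    """Constructed sshd-style syslog line -> unified model; None if not an auth event."""
    m = SSH_RE.search(raw)
    if not m:
        return None
    return {
        "event_type": "authentication",
        "user": m["user"],
        "src_ip": m["ip"],
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
    }

# 3. Vendor-neutral detection content: references unified fields only, no backend syntax.
RULE = {
    "name": "auth-failure-burst",
    "where": {"event_type": "authentication", "outcome": "failure"},
    "group_by": "src_ip",
    "threshold": 3,  # three or more failures from one source address
}

def validate_rule(rule: dict) -> None:
    """Design-stage interlock: content may only use fields the data model guarantees."""
    used = set(rule["where"]) | {rule["group_by"]}
    unknown = used - UNIFIED_FIELDS
    if unknown:
        raise ValueError(f"rule {rule['name']} uses non-model fields: {sorted(unknown)}")

# 4. Compilers: the same content rendered for two hypothetical runtimes.
def compile_to_sql(rule: dict) -> str:
    validate_rule(rule)
    cond = " AND ".join(f"{k} = '{v}'" for k, v in rule["where"].items())
    return (f"SELECT {rule['group_by']}, COUNT(*) AS n FROM events WHERE {cond} "
            f"GROUP BY {rule['group_by']} HAVING COUNT(*) >= {rule['threshold']}")

def compile_to_pipeline(rule: dict) -> str:
    """Pipe-style search syntax, constructed for illustration."""
    validate_rule(rule)
    cond = " and ".join(f'{k} == "{v}"' for k, v in rule["where"].items())
    return (f"events | where {cond} | summarize n=count() by {rule['group_by']} "
            f"| where n >= {rule['threshold']}")

# 5. Reference evaluator so the rule can also run in-process over normalized events.
def evaluate(rule: dict, events: list[dict]) -> dict[str, int]:
    validate_rule(rule)
    counts: dict[str, int] = {}
    for ev in events:
        if all(ev.get(k) == v for k, v in rule["where"].items()):
            key = ev[rule["group_by"]]
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n >= rule["threshold"]}

# Constructed sample input from two silos (addresses are documentation ranges).
RAW_AUTH = [
    '{"username": "alice", "client_addr": "203.0.113.5", "result": "DENIED"}',
    '{"username": "alice", "client_addr": "203.0.113.5", "result": "DENIED"}',
    '{"username": "bob", "client_addr": "198.51.100.7", "result": "OK"}',
]
RAW_SSHD = [
    "Mar  1 10:00:01 host sshd[123]: Failed password for alice from 203.0.113.5 port 5555 ssh2",
    "Mar  1 10:00:02 host sshd[124]: Accepted password for carol from 192.0.2.9 port 5556 ssh2",
    "Mar  1 10:00:03 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
]

def run_demo() -> dict[str, int]:
    """Normalize both silos onto the model, then evaluate the portable rule once."""
    events = [normalize_auth_json(r) for r in RAW_AUTH]
    events += [e for e in (normalize_sshd_syslog(r) for r in RAW_SSHD) if e]
    return evaluate(RULE, events)

if __name__ == "__main__":
    print(compile_to_sql(RULE))
    print(compile_to_pipeline(RULE))
    print(run_demo())  # {'203.0.113.5': 3}
```

The failures from the JSON auth service and the sshd syslog only add up to a hit because both were mapped onto the same `src_ip` and `outcome` fields before the rule ran; had normalization been left as an afterthought, the same rule would have needed a per-silo rewrite. The `validate_rule` check is the design-stage interlock: content that references a field the model does not carry fails before it is ever deployed to a runtime.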
Needless to say, much of this new world is going to be cloud-based; this offers the optimal path to collaboration and maximizes the CI/CD-style rate of innovation for the SOC. Naturally, private-cloud, hosted environments and hybrid deployments will be supported but the brains will be in the cloud.
In short, think of the new security infrastructure world as more inclusive and connected yet distributed.