The Alphabet Soup of Security Analytics

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. In each edition, I will have one guest joining me, often a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. My guest today is Alexei Balaganski, he's also an analyst at KuppingerCole. Hi Alexei. Hello, Matthias. Thanks for inviting me again. Great to have you again. And our topic today is really an interesting one. Nothing that is a topic that many organizations are currently talking about.

We'll be talking about the SOC the security operations center and all the technologies or some of the technologies behind that. So I think that's a good starting point.

Alex, say for a first definition, how would you define an SOC? Well, I really like first, like to address the actual topic of our episode to date. So it's called the alphabet soup of security analytics, and it's really the biggest challenge we are having now as analysts when talking to customers or to vendors, that everyone has a different understanding of what a particular letter combination actually means, beat a saucy or a seam or a CAEP or Thor. You have so many new acronyms to Lauren, and it doesn't actually add anything useful to the discussion. It's only confuses a lot of people.

So the goal of our discussion today is to make a little bit of sense of this alphabet soup, but you're absolutely right. We have to start not with our tool or a solution. We have to start with a challenge. It's a challenge for a modern digital enterprise, if just to stay on top of everything security related, which happens in that enterprise.

And for that, the usual approach is to establish a security operations center, which you've made might be a physical location with a team of your own employees, or it might be a cloud-based solution platform, or even a managed service where you basically just the friend, the team of experts with their own security operation center.

But the whole point of it is you collect all the events, all the security, you know, they want information, anything that happens across your infrastructure, in that particular place, somehow in Arab solution, let's say for the moment, and then you let your experts to sift through all this information, identify current or potential threats and hopefully mitigate or threats. And again, let me stress it, security operation center, the stock, if the only acronym that matters how exactly you build it is a secondary question. Okay. Understood.

But nevertheless, you mentioned the outer, but so if I'm right, the first term that, that you mentioned already, and that is involved here is a technology that is already some time around, and that would be the seam Exactly the SIEM security information and event management. If I remember correctly, or this acronym is already 15 years old, as of 2020, it was introduced 15 years ago or the ultimate solution to all of the enterprise security problems.

And the idea was that instead of having to use lots of different user tools, like an antivirus or a firewall or a intrusion detection system to kind of consult separately, you just let all of those tools feed their data into a single database. And that database would be your scene or security information management. And on top of it, you would run some kind of a rules engine or a filter or a search solution to allow your analysts to find relevant events and maybe even produce some security related alerts. That would be your Sam security event management and together they formed a scene.

And a scene is a until now is probably the most popular technology which powers a security operation center. Although, of course it's no longer the only one, Right? But if I think in a very naive manner, if I gather all the information from all the systems that provide relevant information, that could be integrated into such a solution, we end up with an immense mass of data, which is almost impossible, really, to filter or to analyze without any additional help. Exactly. And this is exactly what people have realized probably a year or two after the initial seams appeared on the market.

So first of all, a theme is a traditional theme solution, which would be a huge database running on an on-prem solar farm. And so on. It's extremely complicated to set up. It's extremely difficult to customize to a specific network and to infrastructure or a specific company that requires a team of experts to just operate, not even to use, just to operate, to maintain it to in a running state of Israel. And of course it collects huge amounts of data without making any difference between relevant and irrelevant data.

And we all know that that's irrelevant to the statistical noise would probably be 99 point 99% of all the collected data in a typical seam or in our modern large enterprise. You end up with tens of thousands of alerts, even with all the carefully crafted rules in place, because the total number of events collected through a date would be in millions. So of course, if you have 10,000 alerts a day, even your largest team of the best experts just have no time to react to all those events.

And that was probably like the, the single biggest challenge is what we would now call legacy seems In that form, still a thing for security operations center. If this is this really something that is used as of now, Let's use my favorite German word EIN. So yes and no, I see him, of course it's still relevant, but more than seen it's by far, no longer that scene, that used to be 15 years ago. And if we are lukewarm, at least if we here in our studio, look at our brief history of scene, and I can tell you that it involves at least four major generations over the last 15 years.

So that first generation of seams even predates the cloud because the first cloud public cloud appeared to be yield after the first scene. And of course they predate the still popular notion of big data. So basically adjuster about five or six years after the first generation of seams, you already had the second one, the major improvement, because they were already running on or big data frameworks instead of classical databases, they were able to be deployed in the cloud infrastructure.

So immensely more scalable and did not require that much professional effort, but still they're largely rule-based with color in order to configure your scene, to alert you on a threat, you first have to know about the threat, and then you would have to be able to craft a number of rules or anyone for that. So basically that second-generation scene while much more performance and easy to operate was still very much like a classical antivirus. It was quote unquote signature-based right.

The actual problem that you described for the initial seam versions was still not really cured because this signal noise ratio was, which was not good, was still in existence, but at a big, Yes. So the second generation seems if we're able to collect now probably billions of events, but they will still end up generating millions of alerts Was just sizing up the problem. Yeah. Yeah. So what kind of extensive evolution didn't quite work out for themes of that second generation?

How we had a major breakthrough in the machine learning and artificial intelligence, just a couple of years later on, on the chart, which I've prepared some time earlier for a presentation, there is a flag for the year 2014, which probably was the major breakthrough in commoditizing machine learning the technology, which was previously only available owners of extremely expensive mainframe systems. Now what's running in the cloud and everyone could train their own machine learning models and do something useful with it.

And of course we know that machine learning is extremely useful in looking for patterns in data on one hand and looking for outliers for anomalies in the same data on the other hand. And that was extremely useful. Even without creating a specific threat related model. You just could use the general purpose machine learning algorithm to reduce like 95, at least 95% of that statistical noise and reduce the number of alerts from thousands to maybe dozens, which alone was a huge improvement. At least now it was manageable for a human team.

However, I would say is the most important feature of that throat generation seat, if you will, or what we used to call real-time security intelligence platforms, more intelligent indeed, and real time. So they were fast enough to not just sift through historical data, but to react to incoming security events in real time apply some smart correlation. And most importantly, they were able to apply a threat model to the data.

So instead of having a flat list of security alerts, you would have a very colorful and enriched list of incidents ranked by risk score criticality level, and reached with some additional information relevant for forensic analysis. So basically instead of looking at a flat list of even a thousand alerts, you would immediately know where to start because the one on top would be the most relevant for you to deal with.

Okay, great. So that means that this third generation of SOC tools was capable of on the one hand filtering the data. So getting down to a, to a list of, of items that could be dealt with, and it even did some pre-filtering some, some pre-assessment based on the criticality of the events. So it really was off helped for the actual security analysts At work. Absolutely. And most importantly, it did not require you to write rules.

So yes, modern themes still rely on rules to a substantial extent. And when you buy a seam nowadays from, even from a large enterprise went or like say, IBM, it comes through the huge pecks of rules, but the beauty of our real time security intelligence platforms that are TSI, or it's something that's called now, FIP security intelligence platform in that they do not rely on rules. So they are able to react to a previously unknown threats, especially if those models, which they are built around are looking for behavior aspects of security events.

So don't just look at, say, for example, the fact that a file on your server is suddenly encrypted, which might be a sign of Frankston way attack, but it might be something else, but they would absorb it in time. And they would see, for example, that a hundred files are being encrypted one after another. And that has never happened before. That is a behavioral anomaly. That is a reason to raise a highly risky incident for your analysis.

So this combination of no need for rules anymore, and for incorporating behavioral analytics, that was probably the single biggest breakthrough in seam evolution. This also consume external information about, about threats. So information that is provided by third party providers of such information, Of course, and again, that threat intelligence feed, the notion is old, but the meaning has evolved 20 years ago.

They were probably already some providers or who would give you a list of known militia of domain names, for example, or a piece of command and control centers, or no one compromised file hashes. This is also threat intelligence. This is still useful and relevant, but what we have now, for example, we have the cognitive security platforms like IBM Watson.

For example, those platforms are really powered by again, quote unquote, next generation AI technology, the cognitive systems, which go through or previously unreachable information, the dark web forums, academic research libraries, online sites where hackers or security analysts discuss their recent discoveries and so on, and always is being converted by a huge cloud-based brain. If you will, into a threat intelligence, which can be consumed by modern SIEM solutions. Okay.

So what we have Learned in other podcasts that, that the attackers are using technology and they are using automation to, to increase the volume and the sheer power of their attacks through automation. So now we see that the operators of socks that are based on these technologies can counter this with automation again. So we see machines fighting against machines. Exactly. And it's not just any kind of automation because to be honest, like scripting is off the automation, but this is intelligent pretty much in the game.

It's something, some kind of automation, which first of all, does not require you to write a rule for everything. If a tool gives you a possibility to describe your security measures in a prescriptive manner, two, it lets you define a policy instead of a rule that alone simplifies your job as a security specialist mentally. But if the same technology helps you to automate your response to that this COVID problem, or at least to automate the additional forensic analytics and to only give you the final decision to make is a one button click.

That is a huge productivity boost to our security analyst in a sock. And that that would be the final acronym for today. Soar security, orchestration, automation, and response. This is probably the hottest recent development in the security analytics market.

Nowadays, the first solutions appeared just a couple of years ago. Now they are constantly evolving and some of those are finding their way directly into existing SIEM solutions. So basically you are now witnessing the emergence of the fourth generation of seams, both which actually combined all those acronyms. So the Thor or the CAEP, the UBA, the machine learning and the eye and so on and add additional internal response. But they still prefer to call themselves a scene 4.0, if you will, a next-generation theme, a smarter theme, it's just like an antivirus antivirus anti-malware solution.

Today is nothing like the antivirus of 20 years ago, but, but the notion still sticks. Okay. And it still is a term at the scene that people are used to. So if we now look at what organizations should be looking for, when they try to acquire such a solution, where would they start? How do they get the best of all worlds that you described already?

Well, again, it's worth noting that the first thing that organizations should do is stop looking for acronyms to stop playing the alphabet soup game and start looking for capabilities. And those capabilities could probably be broadly classified in three major aspects. One would be increasing the productivity of such a solution and listen holes, primarily consolidating all those previous versions. You've security sources and security tools in one place will no longer. You just got to run your sock on top of your log management solution.

No, your sock should be able to consume real-time security data from the cloud services, maybe have API connectors to embedded systems or work with your endpoint security solutions to kind of share the crowd with them in both ways. But most importantly, it has to be flexible and open and allow for quickly adding new sources of that security data to provide your analysts can for reach or collaboration capabilities, because one person is already far behind in intelligence and maturity.

If you will, to work on a serious security incident, it's always be a team work and that team should be able to efficiently collaborate. And of course it has to be orchestrated and automated for as much as possible with which has discussed, or those security tools should be able to work together. If they can, if they are not smart enough, there should be some kind of scripting or playbook kind of automation, which manipulate them for you for your human analysts.

So ideally the goal is to give your security analyst a one button decision capability, one screen to show opener information, decision support based from previous experience or from hungry crowd wisdom, or even from the AI AI engine like Watson and just the bottom, fix it for me, that's kind of the ideal goal for the future. And of course, this is where the next aspects of our next theme comes into play it's level of intelligence.

So yes, talking about AI machine learning, cognitive psychologists nowadays, and of course, Emory seen product now, or they've come from label on the box, but you have to understand that not Emory AI is or equally mark. Some of those products probably don't even use machine learning at all. They are still relying on the old and trusted statistical methods of data correlation, which works absolutely fine if your data is simple enough and clear enough to be processed in that way.

But again, that alone is far by far not enough. So you should be looking for more advanced capabilities. The cognitive technologies have mentioned earlier how to unlock the unstructured security data and how to convert it into something. Machine-readable how to look for correlations with your past experiences.

Like if, for example, a security event, a similar security when they happened multiple times in the past, you already have a profile of your own decisions. Why not just ask a I assistance to, to suggest to you the best decision based on that history you should be looking at again for intelligent automation or automation, which is not rigidly rule-based or script-based, but can be automatically adapted to new types of security data, to new threats, to new types of security tools and so on.

And of course the ultimate goal, as I mentioned, it's the holy grail of cybersecurity and autonomous threat mitigation. Some people are still extremely scared while the possibility, especially if we are talking about like operational technology networks, where some slides, misconfiguration or blocking out a sensor can lead to or a catastrophe. But even though those are old school, hardcore OT engineers are already opening up to some levels of security automation because it saves so much time. I got it.

So As we are getting close to the, to the end of this podcast episode, and I'm sure that we have to catch up on that topic again, in a later episode, I understand that you are really the expert here when organizations, when people are trying to inform themselves, learn more about that topic. I assume there's research at KuppingerCole that they can look for and to, to learn more about the technologies behind that and also about the actual product implementing that.

Well, of course, this is one of the topics which we have quite a lot of coverage, both for individual solutions. So obviously on our website, you will find our executive view kind of reports of individual seam and related solutions. We're currently working on our leadership compass or multi-vendor comparison for security automation solutions, which will be released sometime later this year. That's not coming to that line yet, but again, we can also provide your lots of the visual kind of information just to study at your own pace.

So our past and upcoming webinars presentations, or just talk to us, we are open to all kinds of discussions, possibilities. Great. Thank you. And I think there, there will be a virtual event coming up later in June, I assume, which will be focused on cybersecurity. And actually we hope that we can run our cybersecurity leadership summit in Berlin, in November. That is something that we're currently planning and that we're looking forward to. And we hope that this can happen then again.

So Alex, thank you very much for your explanations in that area. I know there's much more in that topic available for us, so we will catch up on that and learn more about the most recent developments here for the time being. Thank you very much. Aleksei for, for joining me here today. Any final words from your side?

Well, first of all, thanks for having me again. This is really one of my favorite topics. I could probably talk about it for hours. Unfortunately, we are limited on time, but again, we are open to one on one discussions with any potential or let's let's call them customers. What's kind of any people who are looking for assistance and advice in that regard.

And again, thanks a lot to our audience. Stay safe, stay healthy and see you in future episodes. Nothing to Add from my side. Thank you very much, Alex say bye-bye thanks to the audience. .