SOAR + SIRP + SOAP + TIP / X = ?

Tom Gorup
Published in SECOPS
Jan 13, 2017

Questions without answers plague security management leadership and staff. A Security Operations Management Platform (SOMP) promises to fuse strategy, workload and metrics into one platform that makes the whole team more capable.

What’s your SECOPS team’s day-to-day utilization like? What activity is the bulk of your human capital going toward? How many different tools do your security analysts use just to execute on a single incident? What is your next technology investment, and what data do you have supporting that decision?

Running a Security Operations Center is not easy. Demonstrating the SOC's value is hard when it has not caught a breach in your organization. It's the old saying of IT: "If you don't know you have an IT department, they're doing their job." Security is not so different. The difference is that IT is seen as enabling revenue, whereas security looks like a cost center, so organizations routinely fail to invest in it. "What we've got here is failure to communicate."

Personally, I'm tired of stitching disparate data together with APIs and spreadsheets just to articulate my operational needs. It's exhausting, and my time could be better spent elsewhere. We need something better...

We have myriad categories of tools, platforms and ticketing systems out there that are all attempting to solve only a sliver of the problem. CISOs and Directors feel the pain when attempting to communicate their needs to boards, CFOs, CEOs, etc., and analysts feel the pain when being pushed into a tool that solves only one (or in some cases, none) of their problems.

The closest existing category is "SOAR" (Security Operations, Analytics and Reporting). However, anyone who has to run security operations day to day knows that on its own this just isn't enough.

Analyst Needs:

  1. Intelligence — Using a Threat Intelligence Platform (TIP)
  2. Automation — Using a Security Operations Automation Platform (SOAP)
  3. Controlled Process — Using a Security Incident Response Platform (SIRP)

CISO / Director / Manager Needs:

  1. Analytics and Reporting — Using Security Operations Analytics and Reporting (SOAR)
  2. Controlled Process — Using a Security Incident Response Platform (SIRP)

What we need is a Security Operations Management Platform (SOMP).

[Figure: SOMP at the center of TIP, SOAP, SIRP and SOAR. Caption: Finding the sweet spot, right at the center of them all: "Security Operations Management Platform".]

For analysts, a SOMP acts as a combined TIP, SOAP and SIRP by:

  • Automating the front-end of every investigation by enriching the case with data like Whois, Geolocation, reputation, etc.
  • Controlling the process through pre-defined workflows and making recommendations on next steps based on historical analysis of similar investigations.
  • Scaling our superheroes and enabling our analysts to work quickly, consistently and efficiently.

For CISOs and Directors, the SOMP is also the SOAR: the analytics and reporting layer that lets us quickly and easily understand:

  • Our team’s real utilization (time spent in ticket vs “guessing” how much time a case takes).
  • What our next technology investment should be based on historical data.
  • Where our money is going now (e.g. tools, people, a specific case type, etc.).
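
As an added example that is not part of the original post, here is a minimal, self-contained Python model of the three SOMP capabilities described above: automatic front-end enrichment when a case opens, a next-step recommendation drawn from closed cases of the same type, and utilization and spend per case type measured from ticket time rather than estimated. The lookup tables, case records, tool names, workflow step names and hourly cost are constructed assumptions standing in for real Whois, GeoIP and reputation services and a real ticketing system.

```python
"""Minimal SOMP-style case model (added example, not the post's own code).
All lookup tables and case records are constructed, offline stand-ins for
real Whois/GeoIP/reputation services and a real ticketing system."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Assumed offline lookup tables (RFC 5737 documentation ranges, constructed data).
WHOIS = {"198.51.100.0/24": "ExampleHosting LLC", "203.0.113.0/24": "TestNet Ltd"}
GEO = {"198.51.100.0/24": "DE", "203.0.113.0/24": "BR"}
REPUTATION = {"203.0.113.7": "malicious", "198.51.100.9": "suspicious"}


@dataclass
class Case:
    case_id: str
    case_type: str            # e.g. "phishing", "bruteforce"
    indicator: str            # source IP under investigation
    minutes_in_ticket: int    # measured from ticket open/close timestamps, not estimated
    tools_used: tuple         # distinct tools the analyst touched for this case
    steps_taken: tuple = ()   # workflow steps in the order they were taken
    enrichment: dict = field(default_factory=dict)


def enrich(case: Case) -> dict:
    """Front-end enrichment run automatically when a case is opened."""
    ip = ipaddress.ip_address(case.indicator)
    for cidr, org in WHOIS.items():
        if ip in ipaddress.ip_network(cidr):
            case.enrichment["whois_org"] = org
            case.enrichment["geo"] = GEO[cidr]
    case.enrichment["reputation"] = REPUTATION.get(case.indicator, "unknown")
    return case.enrichment


def recommend_next_step(case: Case, history: list) -> Optional[str]:
    """Most common step that followed the case's last step in closed cases of
    the same type; the most common opening step if the case has no steps yet;
    None when no comparable history exists."""
    last = case.steps_taken[-1] if case.steps_taken else None
    followers = Counter()
    for past in history:
        if past.case_type != case.case_type:
            continue
        steps = past.steps_taken
        if last is None:
            if steps:
                followers[steps[0]] += 1
            continue
        for i in range(len(steps) - 1):
            if steps[i] == last:
                followers[steps[i + 1]] += 1
    return followers.most_common(1)[0][0] if followers else None


def utilization(history: list, hourly_cost: float) -> dict:
    """Per case type: measured minutes, loaded cost, and average tools per case."""
    minutes = defaultdict(int)
    tool_touches = defaultdict(int)
    count = defaultdict(int)
    for c in history:
        minutes[c.case_type] += c.minutes_in_ticket
        tool_touches[c.case_type] += len(set(c.tools_used))
        count[c.case_type] += 1
    return {
        t: {
            "minutes": minutes[t],
            "cost": round(minutes[t] / 60 * hourly_cost, 2),
            "avg_tools_per_case": round(tool_touches[t] / count[t], 2),
        }
        for t in minutes
    }


HISTORY = [  # constructed closed cases; minutes come from ticket timestamps
    Case("C-1", "phishing", "203.0.113.7", 45, ("mail-gw", "sandbox", "edr"),
         ("triage", "detonate", "block-sender", "close")),
    Case("C-2", "phishing", "198.51.100.9", 30, ("mail-gw", "sandbox"),
         ("triage", "detonate", "close")),
    Case("C-3", "phishing", "203.0.113.20", 60, ("mail-gw", "sandbox", "edr", "siem"),
         ("triage", "detonate", "block-sender", "hunt", "close")),
    Case("C-4", "bruteforce", "198.51.100.9", 20, ("siem", "firewall"),
         ("triage", "block-ip", "close")),
]

if __name__ == "__main__":
    new = Case("C-5", "phishing", "203.0.113.7", 0, ("mail-gw",), ("triage", "detonate"))
    print("enrichment:", enrich(new))
    print("recommended next step:", recommend_next_step(new, HISTORY))
    print("utilization:", utilization(HISTORY, hourly_cost=100.0))
```

The utilization figures come from ticket open/close minutes rather than analyst guesses, which is exactly the distinction drawn above, and the average tools per case answers the "how many tools for a single incident" question directly. The recommendation is deliberately simple (most frequent successor step among closed cases of the same type); a real SOMP would want a floor on history size before anyone trusts it.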

At the end of the day, there are still a lot of terms floating around. Each is important in its own right, but the real capability comes from fusing them together in one place, putting that power at the keyboard and in the pocket of security analysts and execs alike.


About the author: Tom Gorup, writer for SECOPS. Security Operations Lead, GCIA, Tech Enthusiast, Seeker of Knowledge, Vet, Husband, Father.