August 20, 2018

Everyone in InfoSec/IT has heard of the SIEM. Most of you reading this have had varying levels of success or satisfaction working with them.

I won’t trash the technology, but will openly tell you that Security7’s been looking for something more evolved. You see, we knew there had to be more to detection, alerting and prevention than the aging traditional SIEMs.

Starting in 2010 we looked closely at the existing SIEMs, and all of them seemed to come up short. Nothing really fit what we were looking for.

“They were too difficult to maintain and manage and had little out of the box value,” said Brian Thomas, Security7’s CTO. “However, with the advances that we were seeing in machine learning & artificial intelligence, we knew there had to be a better way to address the problem that SIEMs were originally supposed to address. Namely to provide meaningful and actionable security alerts that would detect potential compromise and suspicious behavior.

“We called the strategy ‘Intelligence in Depth’ as it was taking form (you can read more about Intelligence in Depth in our eBook),” Thomas said. “We were really excited when we saw we weren’t traveling alone down this road when we noticed analysts in the industry were starting to think the same way we were.”

What is SOAPA?

Jon Oltsik, a senior research analyst at Enterprise Strategy Group (ESG), coined the term SOAPA in late 2016 (you can read more about Jon’s take on SOAPA here) right around the same time we were developing our ‘Intelligence in Depth’ concept.

Oltsik believes SOAPA takes the existing functionality of a SIEM and adds things like:

  • Endpoint detection and response tools (EDR)
  • Incident response platforms (IRP)
  • Network security analytics
  • Machine Learning
  • Vulnerability scanners
  • Threat intelligence

“The two concepts are really very similar. When we stumbled upon SOAPA, we realized that we had a codified version of our approach to security that we had coined as Intelligence in Depth,” Thomas said. “It made sense to co-opt the SOAPA terminology.”

What are the Differences Between Security7’s SOAPA solution and Oltsik’s?

“At the base of Oltsik’s SOAPA is a Common Distributed Data Services model where normalization, encryption and compression occur,” Thomas said. “We find this to be extraneous because most of the products in our security stack analyze their respective data in context and provide meaningful alerts that can be acted upon further up the stack.

“We also flip the Software Services and Integration layer with the Analytics layer. In our variant of SOAPA we take structured and unstructured events and metrics into an intelligent logging and analysis platform that is used for notification or triggering additional workflows via an Incident Response Platform.”

Security7’s SOAPA solution also focuses more on the End-point Detection & Response systems first before implementing additional technology and techniques further down the road.

“EDRs provide nearly immediate time-to-value, from the point of deployment on, because they are designed to identify current and complex attacks such as lateral movement, privilege escalation, command and control callbacks, malware and ransomware,” Thomas said. “Out of the box they are focused on the things that keep us up at night, and because agents are deployed throughout your infrastructure, you have much greater visibility of your entire IT infrastructure.

EDR doesn’t mean you don’t need to collect and analyze log data though. There is still a need to capture information for non-agent sources, domain controllers, cloud based systems and security products, etc. Oh yeah and then there is the check-box compliance issue that mandates the logging of certain data. Here is where we depart from traditional SIEMs to handle what a secure cloud native Intelligent Logging and Analysis platform can do with a much lower TCO.”

What’s the Difference Between SIEM and Security7 SOAPA solution?

SIEM and SOAPA differ in three fundamental ways. Traditional SIEMs focus on a Collection > Detection > Respond model whereas SOAPA (at least the way we see it) focuses on a more intelligent Respond > Detect > Collect model.

Primarily a traditional SIEM works like this:

Step 1. Collection:

Traditional SIEM encourages you to collect as much data as possible. It focuses only on a subset of “potential” data sources. The traditional SIEM does not offer visibility across the entire Enterprise.

Step 2. Detection:

Traditional SIEM uses static correlation models, which offer little chance of success when detecting complex threat scenarios. The traditional SIEM generates a high volume of false positives, resulting in “Alert Fatigue.”

Step 3. Response:

Automation typically doesn’t exist. Investigation and Remediation become manual efforts and can be very time-consuming for your SecOps team.

That means if you’re implementing a SIEM you still actively have to hunt for threats to your environment. SOAPA flips that model on its head and begins to automate the threat hunting process for you.

How Security7 Network’s SOAPA Solution Works:

As stated above, a SOAPA solution (in this case our SOAPA solution) uses a Response > Detection > Collection model.

Step 1. Response:

SOAPA focuses on end-points first, preventing unwanted activity and automating the response process. SOAPA blocks the known bad before it even reaches you.

Step 2. Detection:

SOAPA is designed to detect complex threat scenarios & offers full attack life-cycle detection. SOAPA uses a combination of static correlation, anomaly detection & threat intelligence to create actionable alerts.

Step 3. Collection:

SOAPA focuses on data collection from meaningful logs and high-value assets while providing a holistic view of your security posture.

That means a SOAPA solution proactively hunts threats for you. It uses what it already knows about bad actors and existing attack methods to actively defend you. It’s a continually evolving and updating active defense solution.
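The contrast between the traditional SIEM’s static correlation (Step 2 of the SIEM model above, the source of “Alert Fatigue”) and the combined static correlation, anomaly detection and threat intelligence that SOAPA Step 2 describes can be shown with a small script. This is an added example written for this page; it is not Security7’s, Integris’s or any product’s code. The log lines, the per-source baselines, the indicator list, the scoring weights and the “actionable” threshold of 4 are all constructed assumptions chosen to illustrate the point.

```python
"""Static correlation rule beside an enriched (correlation + baseline anomaly
+ threat-intel) scoring pass. Every log line, baseline and indicator below is
constructed for illustration; weights and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed authentication log lines (not from any real system).
LOG_LINES = [
    "2018-08-20T10:00:01 src=10.0.0.5 user=svc_backup result=FAIL",
    "2018-08-20T10:00:31 src=10.0.0.5 user=svc_backup result=FAIL",
    "2018-08-20T10:01:01 src=10.0.0.5 user=svc_backup result=FAIL",
    "2018-08-20T10:01:31 src=10.0.0.5 user=svc_backup result=FAIL",
    "2018-08-20T10:02:01 src=10.0.0.5 user=svc_backup result=FAIL",
    "2018-08-20T10:05:00 src=203.0.113.7 user=alice result=FAIL",
    "2018-08-20T10:05:05 src=203.0.113.7 user=alice result=FAIL",
    "2018-08-20T10:05:10 src=203.0.113.7 user=alice result=FAIL",
    "2018-08-20T10:05:15 src=203.0.113.7 user=alice result=FAIL",
    "2018-08-20T10:05:20 src=203.0.113.7 user=alice result=FAIL",
    "2018-08-20T10:05:30 src=203.0.113.7 user=alice result=SUCCESS",
    "2018-08-20T10:20:00 src=10.0.0.9 user=bob result=FAIL",
    "2018-08-20T10:20:10 src=10.0.0.9 user=bob result=SUCCESS",
]
# Constructed baseline: failed logins per source per day over five prior days.
# 10.0.0.5 runs a stale service credential, so failures there are routine.
BASELINE_DAILY_FAILS = {"10.0.0.5": [40, 38, 42, 41, 39],
                        "203.0.113.7": [0, 0, 0, 0, 0],
                        "10.0.0.9": [1, 2, 1, 2, 1]}
# Constructed indicator set (203.0.113.0/24 is a documentation range).
THREAT_INTEL_IPS = {"203.0.113.7"}

def parse_line(line):
    """Turn 'TS src=.. user=.. result=..' into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def static_correlation(events, threshold=5, window=timedelta(minutes=5)):
    """Traditional SIEM rule: >= threshold failures from one source inside a
    sliding window. Returns the set of source IPs that tripped it."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
    tripped = set()
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                tripped.add(src)
                break
    return tripped

def is_anomalous(src, todays_fails, baseline, z_threshold=3.0):
    """Baseline check: is today's failure count unusual for this source?"""
    history = baseline.get(src)
    if not history:
        return todays_fails > 0          # never seen before: any failure is new
    mean, stdev = statistics.mean(history), statistics.pstdev(history)
    if stdev == 0:
        return todays_fails != mean
    return (todays_fails - mean) / stdev > z_threshold

def enriched_alerts(events, baseline=BASELINE_DAILY_FAILS,
                    intel=THREAT_INTEL_IPS, actionable_at=4):
    """Score each source: static rule (+1), above baseline (+2), threat-intel
    match (+3), a success following failures (+2). Returns
    {src: (score, reasons, actionable)} for every source that scored."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    tripped = static_correlation(events)
    results = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fail_count = sum(e["result"] == "FAIL" for e in evs)
        first_fail = next((i for i, e in enumerate(evs) if e["result"] == "FAIL"), None)
        success_after = first_fail is not None and any(
            e["result"] == "SUCCESS" for e in evs[first_fail:])
        score, reasons = 0, []
        for hit, weight, why in (
            (src in tripped, 1, "static rule"),
            (is_anomalous(src, fail_count, baseline), 2, "above baseline"),
            (src in intel, 3, "threat intel match"),
            (success_after, 2, "success after failures"),
        ):
            if hit:
                score += weight
                reasons.append(why)
        if score:
            results[src] = (score, reasons, score >= actionable_at)
    return results

def actionable_sources(events):
    """Sources whose combined score crossed the actionable threshold."""
    return sorted(s for s, (_, _, act) in enriched_alerts(events).items() if act)
```

Run over the constructed lines, the static rule alone fires on both 10.0.0.5 and 203.0.113.7, so a SecOps analyst gets two alerts of which one is a stale service credential. The enriched pass leaves 10.0.0.5 at a score of 1 (the rule fired but nothing else is unusual for that host), scores 203.0.113.7 at 8 (rule, baseline deviation, indicator match and a success after failures) and marks only it actionable. The weights are placeholders; what matters is that the context a SIEM lacks is what separates the actionable alert from the noise.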

How Does Integris Apply our SOAPA Solution?

We use a multitude of different technologies for our SOAPA Solution, and there isn’t a list of components that is set in stone (however, we do have a few that we always recommend out of the gate).

We’ll be launching a series of Podcasts, Webinars and White-papers regarding our SOAPA solution over the next few months. If you’re interested in finding out more please register for our SOAPA news updates here.

Carl Keyser is the Content Manager at Integris.
