Security operations isn't a "one tool for one task" type of field. Most security operations centers (SOCs) have dozens of tools drawn from commercial and open sources, plus scripts and other homegrown tools. While it may seem expeditious to solve specific problems with specific tools at the time the problem emerges, there are two costs to this approach that must be taken into account.
First, the cost of operationalizing each tool must be factored into the decision. This applies even when the tool appears at first glance to be "free," and particularly when you consider operations and maintenance costs over the lifetime of the tool. Second, SOC leaders must evaluate how tools will perform and contribute across security operations requirements, and not just as point solutions.
To understand why operationalizing for value is an important point, we need to take a look at what drives the effectiveness of the security operations function. Although there are many variables at play here, the efficiency of the workflow is what most directly drives the effectiveness of the security operations team. When we begin to examine the security operations workflow, we find that it follows this general pattern (abbreviated and compacted to serve a high level discussion):
- Develop logic to populate the work queue with high fidelity, low noise content
- Vet and qualify alerts waiting in the work queue
- Investigate alerts
- Pull together supporting evidence and build the narrative around alerts
- Converge to decision
- Take any necessary response action
- Lessons learned and process improvement
When we begin to look over this high level list, we begin to see a few questions that arise from some of the "one tool for one task" products on the market.
Why buy a tool just to generate alerts based on perceived anomalies, or one aspect of behavior? What about the high volume of false positives and dead-ends that this approach generates?
Many tools don't integrate with modern SOC infrastructure and investigations. What about the need to craft detailed, custom content that requires a rich query language coupled with rich layer 7 meta-data? What about the need to provide an ultra-responsive network forensics investigation capability? What about the ability to automatically pull in required supporting data/evidence to reduce manual labor spent flipping between screens, cutting and pasting, and running multiple different queries? What about the need to consolidate all of the required information in one, central, organized place for ticketing, analysis, and reporting?
These are all valid, important questions that any serious network security analytics product should help you answer. With the amount of complexity in most organizations, the ability to cover more operational requirements with one solution becomes critical. It makes sense to push your security vendors to prove how they can help you address as many of these points as they can within your available budget.
If a product can only address one or two of these questions, it's probably not worth your money and time.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/evaluating-analytics-for-secops/