ThetaPoint's Security Reference Architecture

The Primary Function of Security Operations Has Been Subverted

The Security Operations Center (SOC) provides two major enterprise services:

  1. Situation Awareness (SA) for enterprise systems in the Cyber Domain
  2. Incident Response (IR) for events that require intervention

For the last 20 years, innovation in the Security Information and Event Management (SIEM) product space has largely dictated the evolution of how these two services are supported. Over this time, the products have also shaped perspective on how to effectively perform these enterprise services. This influence on perspective has only increased as products have added more sophisticated features to meet more complex requirements.

The technology has come to dominate the thought space both within the enterprise and among practitioners as the market has matured. In some organizations, we have seen that the distinction has been lost between the SIEM and the enterprise services it enables. This also extends to the SIEM infrastructure itself - full commitment to a particular SIEM platform can restrict possible solutions to enterprise needs. These restrictions are often artifacts of vendor support, outsized infrastructure requirements, or (more depressingly) cost.

     A map is not the territory it represents, but, if correct, it has a similar structure to the territory, which accounts for its usefulness. -  Alfred Korzybski, Science and Sanity, p. 58

The SIEM is not the SOC

These artificial constraints are unacceptable for an organization whose mission is risk mitigation. Tectonic shifts in the threat space occur regularly (if not predictably). Each new high-impact vulnerability could require retooling infrastructure, analytics, and procedures to provide an effective countermeasure. This can even be considered an implicit third function for the enterprise SOC - an agile strategic response capability that can adapt to shifts in technology, attack techniques, and even the hard lessons learned in a compromise.

Furthermore, SIEM platforms will burrow deep into the systems they monitor and expand in scope over time, which can increase displacement costs. These include:

  1. Labor to scope, design, implement, and test replacement functionality on the new platform
  2. Capital expenditure for equivalent hardware and software
  3. Operational commitment to run a parallel system in transition
  4. Disruption risk for transitioned business services


Image: Chris Wimbush - ShareAlike 2.0

Let me tell you about the law of holes: If you find yourself in a hole, stop digging - The Banker’s Magazine, 1964

Just thinking about a SIEM replacement often requires an examination of every enterprise system, no matter how large or small. The cognitive load alone can shut down any serious deliberation. Left unchecked, this architectural inertia becomes a strategic vulnerability over time.

A New Path Forward - The ThetaPoint Security Reference Architecture

ThetaPoint has time and again encountered these challenges in the Fortune 500 and Public Sectors, and we have developed an architectural remedy that we feel strongly enough about to give away. The ThetaPoint Security Reference Architecture is a battle-tested design for SOCs based on open standards and our SOC services expertise.

ThetaPoint's Security Reference Architecture provides prescriptive guidance for the People, Process, and Technology needed for you to build a modern SOC that can

  • Provide safe transitions for retooling and technology migration
  • Maximize existing investments with more flexibility
  • Sustain present value while breaking vendor dependence

People

The ThetaPoint Security Reference Architecture provides guidance for staffing your SOC with qualified practitioners. First, we articulate the analytical and operational functions required to staff a future-proof SOC from talent pools available on the open market. We also provide the minimum qualifications you would need to select talent from available candidates. Finally, we provide guidance for skills development tracks in each position, along with measurable expectations for both achievement and performance.

Process

The ThetaPoint Security Reference Architecture builds processes that create consistent analytical outcomes and provide repeatability as you adapt to new data, technologies, and threats. We establish clear Mission goals for strategic guidance, a policy framework that establishes authorities and governance, and modular workflows that are easily adapted to your requirements.

Technology

The ThetaPoint Security Reference Architecture establishes a highly performant and scalable Baseline Infrastructure that evolves at your own pace. The Baseline Infrastructure extracts commodity workload out of the SIEM and onto a utility infrastructure that can be reused for data distribution, filtering, aggregation, enrichment, custom analytics, and workflow automation. Once established, the Baseline Infrastructure lowers future migration cost and transition risk. This lets you execute on less disruptive transformations, either through addition, incremental displacement, or outright replacement of existing technology solutions.
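To make the Baseline Infrastructure idea concrete, the following is an added illustration (not ThetaPoint's code, and not part of the original page) of a small utility pipeline that takes commodity work out of the SIEM: it normalizes raw syslog lines into a common schema, filters noise, enriches with asset context, fans events out to several sinks, and runs one analytic of its own. The sample log lines, the `ASSET_TAGS` inventory, and the sink names `siem` and `lake` are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample input (not from the page): syslog-style lines of the kind a
# collector would receive before anything reaches the SIEM.
SAMPLE_LINES = [
    "<38>Mar  1 10:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2",
    "<38>Mar  1 10:00:02 web01 sshd[1234]: Accepted publickey for deploy from 198.51.100.9 port 5000 ssh2",
    "<30>Mar  1 10:00:03 lb01 haproxy[99]: health check OK",
    "<38>Mar  1 10:00:04 db01 sshd[77]: Failed password for root from 203.0.113.7 port 4243 ssh2",
    "<78>Mar  1 10:00:05 web01 cron[5]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog at all",
]

# Hypothetical asset inventory used for enrichment; in practice this comes from a CMDB.
ASSET_TAGS = {
    "web01": {"tier": "dmz", "owner": "web-team"},
    "db01": {"tier": "restricted", "owner": "dba"},
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse(line):
    """Normalize one raw line into a common schema; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ev = {"host": m["host"], "app": m["app"], "msg": m["msg"], "raw": line}
    s = SSH_RE.match(m["msg"])
    if s:
        ev.update(event_type="auth", outcome=s["outcome"].lower(),
                  user=s["user"], src_ip=s["src"], method=s["method"])
    else:
        ev["event_type"] = "other"
    return ev


def keep(ev):
    """Filtering stage: drop load-balancer health checks before they cost SIEM ingest."""
    return not (ev["event_type"] == "other" and "health check" in ev["msg"])


def enrich(ev):
    """Enrichment stage: attach asset context from the (hypothetical) inventory."""
    ev["asset"] = ASSET_TAGS.get(ev["host"], {"tier": "unknown", "owner": "unknown"})
    return ev


def route(ev):
    """Distribution stage: the SIEM is one consumer among several, not the hub."""
    sinks = ["lake"]                       # everything that survives filtering
    if ev["event_type"] == "auth":
        sinks.append("siem")               # only security-relevant events go to the SIEM
    return sinks


def run_pipeline(lines):
    """Run the stages in order; returns (stats, sinks) with in-memory sinks."""
    sinks = {"siem": [], "lake": []}
    stats = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        if not keep(ev):
            stats["dropped"] += 1
            continue
        ev = enrich(ev)
        for name in route(ev):
            sinks[name].append(ev)
    return dict(stats), sinks


def failed_logins_by_source(events):
    """Custom analytic that runs on the utility layer, independent of any SIEM."""
    return dict(Counter(e["src_ip"] for e in events
                        if e["event_type"] == "auth" and e["outcome"] == "failed"))


if __name__ == "__main__":
    stats, sinks = run_pipeline(SAMPLE_LINES)
    print(stats)                                   # {'parsed': 5, 'dropped': 1, 'unparsed': 1}
    print(len(sinks["siem"]), len(sinks["lake"]))  # 3 4
    print(failed_logins_by_source(sinks["lake"]))  # {'203.0.113.7': 2}
```

The point of the layout is that parsing, filtering, enrichment and routing live in stages the organization owns; swapping the `siem` sink for a different product changes one consumer, not the whole chain, and the failed-login analytic keeps working during the transition because it reads from the utility layer rather than from the SIEM.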

What’s Next

Over the coming weeks, we will be publishing the framework in more detail on our blog. We hope to engage you in a collaborative discussion of the challenges we have encountered and the solutions we have developed.

In addition, if you would like to engage directly, ThetaPoint can partner with your organization to develop tailored solutions for your needs in the following areas:

  1. SOC Engineering Services
  2. Touch-Free SIEM Operations and Maintenance Support
  3. SIEM Value Assessment and Consulting Services
  4. SOC Workflow Automation