The Security Operations Center (SOC) provides two major enterprise services:
For the last 20 years, innovation in the Security Information and Event Management (SIEM) product space has largely dictated the evolution of how these two services are supported. Over this time, the products have also shaped perspective on how to effectively perform these enterprise services. This influence on perspective has only increased as products have added more sophisticated features to meet more complex requirements.
The technology has come to dominate the thought space both within the enterprise and among practitioners as the market has matured. In some organizations, we have seen that the distinction has been lost between the SIEM and the enterprise services it enables. This also extends to the SIEM infrastructure itself - full commitment to a particular SIEM platform can restrict possible solutions to enterprise needs. These restrictions are often artifacts of vendor support, outsized infrastructure requirements, or (more depressingly) cost.
These artificial constraints are unacceptable for an organization whose mission is risk mitigation. Tectonic shifts in the threat space occur regularly (if not predictably). Each new high-impact vulnerability could require retooling infrastructure, analytics, and procedures to provide an effective countermeasure. This can even be considered an implicit third function for the enterprise SOC - an agile strategic response capability that can adapt to shifts in technology, attack techniques, and even the hard lessons learned in a compromise.
Furthermore, SIEM platforms will burrow deep into the systems they monitor and expand in scope over time, which can increase displacement costs. These include:
Image: Chris Wimbush - ShareAlike 2.0
Let me tell you about the law of holes: If you find yourself in a hole, stop digging - The Banker’s Magazine, 1964
Just thinking about a SIEM replacement often requires an examination of every enterprise system, no matter how large or small. The cognitive load alone can shut down any serious deliberation. This architectural inertia can become a strategic vulnerability over time if not kept in check.
ThetaPoint has time and again encountered these challenges in the Fortune 500 and Public Sectors, and we’ve developed an architectural remedy that we feel so strongly about that we’re giving it away. ThetaPoint has developed the ThetaPoint Security Reference Architecture, a battle-tested design for SOCs based on open standards and our SOC services expertise.
ThetaPoint's Security Reference Architecture provides prescriptive guidance for the People, Process, and Technology needed for you to build a modern SOC that can
The ThetaPoint Security Reference Architecture provides guidance for staffing your SOC with qualified practitioners. First, we articulate the analytical and operational functions required to staff a future-proof SOC from talent pools available on the open market. We also provide the minimum qualifications you would need to select talent from available candidates. Finally, we provide guidance for skills development tracks in each position, along with measurable expectations for both achievement and performance.
The ThetaPoint Security Reference Architecture builds processes that create consistent analytical outcomes and provide repeatability as you adapt to new data, technologies, and threats. We establish clear Mission goals for strategic guidance, a policy framework that establishes authorities and governance, and modular workflows that are easily adapted to your requirements.
The ThetaPoint Security Reference Architecture establishes a highly performant and scalable Baseline Infrastructure that evolves at your own pace. The Baseline Infrastructure extracts commodity workload out of the SIEM and onto a utility infrastructure that can be reused for data distribution, filtering, aggregation, enrichment, custom analytics, and workflow automation. Once established, the Baseline Infrastructure lowers future migration cost and transition risk. This lets you execute on less disruptive transformations, either through addition, incremental displacement, or outright replacement of existing technology solutions.
Over the coming weeks, we will be publishing the framework in more detail on our blog. We hope to engage you in a collaborative discussion of the challenges we have encountered and the solutions we have developed.
In addition, if you’d like to engage directly, ThetaPoint can partner with your organization to develop tailored solutions to meet your unique needs in the following areas: