When it comes to network security solutions, the prevailing industry wisdom may be leading well-intentioned SOCs astray.
On the surface, an “incremental stacking” approach to correlative analysis platforms like SIEM, XDR and UEBA is logical. Organizations can overcome some of the inherent limitations present in their security solutions by adding a network traffic analysis (NTA), for example. Industry analysts have been touting this approach for some time now as necessary for full coverage enterprise security.
What’s Wrong with Stacking Correlative Analysis Platforms?
Today, the cost to operate a SOC has dramatically increased, thanks in large part to the additive nature of popular security solutions, each of which carries a hefty operational price tag to deploy, run, and keep these systems in tune.
Vendors tend to gloss over a glaring foundational issue related to stacking platforms on top of other platforms in order to achieve a singular goal: how to work within and across multiple siloes of proprietary data.
Vendors position their SIEM platforms in a way that requires customers to aggregate and format data into the vendor’s exclusive, proprietary format. This is the only way to obtain the data the SIEM needs to compare against historical data to detect anomalies.
Not to worry – vendors are ready and eager to suggest yet another layer of correlative analysis, often SOAR (Security Orchestration, Automation and Response) software, to normalize the siloed data into a common format.
This idea, that by creating multiple silos of information, each with their own aggregate level of summarized information and analytics, and then tying them together with yet another correlative analysis platform for triage is a fundamentally flawed perspective. SOCs would be hard pressed to come up with even anecdotal evidence that this is an effective approach, functionally or economically.
How Did We Get Here?
In truth, we can look back over the past 20 years and see that the incremental stacking approach to network security has proven ineffective. Not only are we not seeing a return on investment when it comes to the basic measurement of resolution meantime, but SOCs have had to make significant, often unplanned, investments into human capital (and then investments into overcoming inherent human limitations).
To stay ahead of the bad actors who have been evolving their techniques right alongside the market, companies find themselves making nearly continual technology and resource investments into security solutions and processes.
For some organizations, the result is a patchwork of incompatible, often redundant, tools. These “additive solutions” focus on essential security goals focused on system oversight. For example:
- Tapping into historical data efficiently.
- Aggregating and analyzing network events captured by endpoints and machine-generated data sources.
- Log collection.
To get to the point where SOCs can have access to these basic security functions, organizations invest heavily in add-on solutions. Despite the investment, these teams remain vulnerable to a long and growing list of internal and external threats.
The current state of the SOC is an add-on solution cycle, where providing adequate cybersecurity requires a whack-a-mole approach, with a new issue popping up immediately to take the place of a resolved issue. Here’s an example of how this scenario tends to play out:
- Invest in a new SIEM to correlate, search, and investigate historical log data.
- Add an NTA platform.
- Deploy a UBA vendor for internal threat detection lacking in the SIEM and NTA.
- Invest in a costly third party SOAR platform that promises to make all these moving parts work together.
- Consult with an XDR vendor and get ready to make yet another additive purchase that may or may not deliver on overall network security goals.
- And so on.
There’s no jumping off this cycle once it begins, if every “solution” is just a band-aid or a new source for new problems and another contract to justify to the CFO.
Get Off the Merry-Go-Round
Sick of the cycle? MixMode is different. By providing real-time threat analysis powered by authentic, self-learning AI, our clients stop the madness, gaining control over complex network challenges with a unified solution. No more add-ons. No more lengthy vendor negotiations centered on accessing and using your own data.
MixMode establishes a baseline of expected network behavior and adjusts to fluctuating network conditions as they occur. The result is fewer false positives, less overhead and less babysitting. SOC teams can focus on true threats. Learn more about how MixMode can help your team jump off the cycle of incremental stacking and set up a demo today.