New Security Reference Stack For Modern Enterprise

January 31st, 2022

The security stack is a crucial part of any company’s IT infrastructure. However, security teams increasingly report that traditional SIEM approaches are “costly, complex, and resource-consuming,” according to a recent ESG survey. Fortunately, there has been significant innovation in how firms approach cybersecurity: new cloud-native technology stacks let them break free from vendor lock-in and gain flexibility, cost advantages, and future-proofing. The following is one such reference stack that enterprises can consider for achieving significant savings and flexibility.

  1. Observability pipeline fabric: The observability pipeline fabric is a key component of any company’s security architecture. It can natively ingest a wide variety of log/event data from endpoints such as firewalls, IDS systems, VPN systems, IAM tools, networks, and hosts, or through ITOM tools, at a very high rate and low latency using multiple protocols/interfaces. Once data is ingested, the fabric can correlate, reduce, shape, mask, and route it to the destination of choice. Destinations are typically log analytics tools for real-time threat detection and low-cost storage systems for long-term retention, trend analysis, and compliance needs. Some of the players that offer a hybrid cloud data fabric are CloudFabrix Software, Cribl.io, Edge Delta, StreamSets, etc.
  2. Log storage/indexing: Traditional approaches involved a SIEM solution providing both indexing and analytics, but these have become very costly and complex when dealing with large quantities of security data. Cloud-born analytics vendors like Snowflake and Google BigQuery offer highly scalable solutions at lower cost, with an open architecture approach and API-based access.
  3. XDR: Open XDR solutions with advanced AI/ML capabilities on top of generic indexing platforms like Snowflake can be both cheaper and faster at detecting threats, using pattern recognition instead of rules. This open approach is becoming best practice for security operations, reducing vendor lock-in while preparing the security program for the multi-cloud, petabyte-scale security challenges of the future. Vendors like Hunters, Securonix, etc. can be a good choice for this.
  4. Incident response automation: When an enterprise detects a security incident, it needs to be able to resolve the situation quickly, and ideally to automate the process. Here you have a few options: first, a pure-play SOAR system like Tines, and second, an integrated SOAR system like Splunk Phoenix. However, with the latter approach there will be a lot of overlap with XDR systems, making it a costly combination with narrow use-case support.

    There is a third alternative that could be even more cost-effective: using an AIOps solution that integrates well with XDR systems. AIOps tools like CloudFabrix Software Inc, BigPanda, etc. can take input from XDR systems and, through integration with ticketing systems like ServiceNow and automation tools like Ansible and Terraform, orchestrate the remediation flow derived from the knowledge base or with human assistance. AIOps systems can also be used for NOC incident handling, asset lifecycle analytics, and predictive analytics, providing a much broader benefit than a SOAR and XDR combination can achieve.
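To make the reduce, mask and route steps of the observability pipeline fabric (item 1 above) concrete, here is a small added example in Python. It is not code from any vendor named in this post; the event fields, the e-mail masking rule and the severity threshold for the analytics destination are assumptions, and the sample events are constructed.

```python
import re
from collections import Counter

# Constructed sample events from a few of the source types the post lists.
SAMPLE_EVENTS = [
    {"src": "firewall", "severity": 7, "msg": "DENY tcp 203.0.113.9 -> 10.0.0.5:22"},
    {"src": "firewall", "severity": 7, "msg": "DENY tcp 203.0.113.9 -> 10.0.0.5:22"},
    {"src": "vpn", "severity": 3, "msg": "login ok user=alice@example.com ip=198.51.100.4"},
    {"src": "iam", "severity": 8, "msg": "privilege escalation user=bob@example.com role=admin"},
    {"src": "host", "severity": 1, "msg": "heartbeat ok"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
ANALYTICS_MIN_SEVERITY = 5  # assumed threshold: only these reach real-time detection

def mask(event):
    """Mask e-mail addresses before the event leaves the pipeline (PII minimisation)."""
    return {**event, "msg": EMAIL_RE.sub("<email>", event["msg"])}

def reduce_events(events):
    """Collapse exact duplicates into one event carrying a count and drop
    zero-value heartbeat noise: the 'reduce' step that cuts SIEM ingest volume."""
    counts = Counter((e["src"], e["severity"], e["msg"]) for e in events)
    reduced = []
    for (src, sev, msg), n in counts.items():
        if msg == "heartbeat ok":
            continue
        reduced.append({"src": src, "severity": sev, "msg": msg, "count": n})
    return reduced

def route(events):
    """Send every event to long-term storage and only higher-severity events to
    the analytics destination; returns {destination: [events]}."""
    destinations = {"analytics": [], "archive": []}
    for event in events:
        destinations["archive"].append(event)
        if event["severity"] >= ANALYTICS_MIN_SEVERITY:
            destinations["analytics"].append(event)
    return destinations

def run_pipeline(events):
    """Ingest -> reduce -> mask -> route, the order a pipeline fabric applies."""
    return route([mask(e) for e in reduce_events(events)])

if __name__ == "__main__":
    out = run_pipeline(SAMPLE_EVENTS)
    for dest, evs in out.items():
        print(dest, len(evs), [e["msg"] for e in evs])
```

With the sample input, the archive destination receives three reduced events (the two identical firewall denies merged into one with count 2) and only the two events at severity 5 or above go to analytics.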

The right solution approach can save you time and money. Implementing a tech stack with best-of-breed technologies can help enterprises achieve 2 to 5X savings, from both lower license costs and broader use-case support.