Open source options offer increased SOC tool interoperability
12 March 2020
Anecdotal evidence of security operations centre (SOC) tool overload is overwhelming – CSO said it hears complaints from industry sources to that effect all the time – but the 2019 SANS SOC Survey attempted to quantify the problem. For most survey respondents, there were roughly equal numbers of SOC analysts as there were full-time employees tasked with maintaining the SOC security tools. That is on top of the expense of purchasing those security tools in the first place.
To solve this problem, IBM and McAfee launched the Open Cybersecurity Alliance (OCA) in October 2019. Together, they released two open-source projects meant to improve interoperability among enterprise security tools. One, STIX Shifter, enables federated search for indicators of compromise (IoC) across different security tools. The other, OpenDXL, is an open messaging format so that tools can share information, notifications and commands in a standardised way.
Market forces at work
The OCA talks a good open-source game and seems quite serious about building a truly open standard under the auspices of the Organisation for the Advancement of Structured Information Standards (OASIS), the well-respected open standards group in which no single member – even a founding member like IBM – can dominate.
The OCA’s motives appear to be economic: Enterprise buyers, frustrated by tools that cannot talk to each other and require substantial time and money to integrate fully in their SOCs, are demanding more interoperability.
At the same time, a growing suite of open-source security tools, like the Security Onion stack and The Hive, together offer a free, fully interoperable ‘SOC in a box.’ That might have the big players looking over their shoulders at the free alternatives to their bloated six-figure-per-seat licenses.
The Security Onion stack is open-source, interoperable, and customisable at a license cost of zero dollars, forever. It is only going to keep getting better. Enterprise security solutions that want to compete with “pretty good” and “free” need to not only offer a superior solution, but need also to plug-and-play nicely in the modern SOC.
OCA’s open source projects
Since October, 25 organisations have joined the OCA, and the alliance hopes to continue to grow to encompass all the major cybersecurity vendors today. Other members include Indegy, CrowdStrike, Fortinet and ReversingLabs.
“What we’re trying to do as an industry, if we can align around a common data model and a common set of APIs, then that problem [a lack of interoperable security tools] becomes a much smaller problem than it is today,” Chris Smith, principal engineer at McAfee, tells CSO.
STIX (Structured Threat Information eXpression) is useful “if you’re threat hunting and you want to query all your other tools for evidence of a certain artefact, use STIXShifter to ask that question in a vendor-neutral, platform-agnostic language,” the GitHub rep said.
“STIXShifter would be the technology that enables a company to search for an indicator of compromise across multiple tools, data repositories,” Jason Keirstead, chief architect, IBM Security Threat Management, tells CSO. (IBM contributed STIX Shifter to the project.) “If that search turns up a compromised device, OpenDXL Ontology would be the mechanism that would be used to issue alerts/notifications across other tools in order to begin remediation.”
The other project, OpenDXL (the Open Data Exchange Layer), contributed by McAfee, enables “security devices to share intelligence and orchestrate security operations in real time,” the OpenDXL web page said. “OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time, accurate security decisions. OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilise, and delivers a simple, open path for integrating security technologies regardless of vendor.”
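To make the federated-search idea behind STIX Shifter concrete, here is an added toy illustration (not code from the stix-shifter project, and the two tool "dialects", field maps and sample records are all constructed): one vendor-neutral STIX pattern naming an IP and a domain is translated into each tool's native query form and evaluated against each tool's own records.

```python
import re

# Constructed illustration of the STIX Shifter idea: one STIX pattern, many tool dialects.
# Supported grammar (deliberately small): [ type:path = 'value' ( OR type:path = 'value' )* ]
COMPARISON = re.compile(r"([\w-]+):([\w.]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

# Hypothetical per-tool data models: STIX object path -> that tool's native field name.
FIELD_MAPS = {
    "sql_tool": {("ipv4-addr", "value"): "src_ip", ("domain-name", "value"): "query_name"},
    "kv_tool": {("ipv4-addr", "value"): "SourceIp", ("domain-name", "value"): "DnsName"},
}

def parse_pattern(pattern):
    """Return [(stix_type, path, value)] for one bracketed OR-only observation expression."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed STIX observation expression")
    terms = COMPARISON.findall(body[1:-1])
    if not terms:
        raise ValueError("no comparisons found in pattern")
    return [(t, p, v.replace("\\'", "'")) for t, p, v in terms]

def to_sql(terms):
    """Parameterised SQL: the IoC value is bound as a parameter, never spliced into the query."""
    fields = [FIELD_MAPS["sql_tool"][(t, p)] for t, p, _ in terms]
    return " OR ".join(f"{f} = ?" for f in fields), [v for _, _, v in terms]

def to_kv(terms):
    """Key="value" search dialect; embedded double quotes are backslash-escaped."""
    parts = []
    for t, p, v in terms:
        escaped = v.replace('"', '\\"')
        parts.append(f'{FIELD_MAPS["kv_tool"][(t, p)]}="{escaped}"')
    return " OR ".join(parts)

def federated_search(pattern, records_by_tool):
    """Evaluate one pattern against every tool's records using that tool's own field names."""
    terms = parse_pattern(pattern)
    hits = {}
    for tool, records in records_by_tool.items():
        wanted = {(FIELD_MAPS[tool][(t, p)], v) for t, p, v in terms}
        hits[tool] = [r for r in records if any(r.get(f) == v for f, v in wanted)]
    return hits

# Constructed sample records as two different tools would store them.
SAMPLE = {
    "sql_tool": [{"src_ip": "203.0.113.5", "event": "flow"}, {"src_ip": "198.51.100.9", "event": "flow"}],
    "kv_tool": [{"DnsName": "example.test", "host": "ws01"}, {"DnsName": "ok.example", "host": "ws02"}],
}
PATTERN = "[ipv4-addr:value = '203.0.113.5' OR domain-name:value = 'example.test']"
```

The same pattern yields `src_ip = ? OR query_name = ?` with bound parameters for one tool and `SourceIp="203.0.113.5" OR DnsName="example.test"` for the other, which is the translation layer a real connector has to supply per product.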
Open source: Coming to a SOC near you?
The market may have hit a high-water mark in terms of expensive, over-hyped enterprise security solutions. Buyers are realising the latest AI ‘thingamajigger’ is not a magic wand after all. They are looking to trim their supplier list and consolidate and integrate what they keep. That makes interoperability a key selling point.
This may be one of the few occasions when economic incentives move the needle toward stronger cybersecurity.
IDG News Service