Anecdotal evidence of security operations centre (SOC) tool overload is overwhelming — at CSO we hear complaints from industry sources about this problem all the time — but the 2019 SANS SOC Survey attempted to quantify the problem.
For most survey respondents, there were roughly as many full-time employees tasked with maintaining the SOC's security tools as there were SOC analysts. That's on top of the expense of purchasing those security tools in the first place.
To solve this problem, IBM and McAfee launched the Open Cybersecurity Alliance (OCA) in October 2019. Together they have released two open source projects meant to improve interoperability among enterprise security tools.
One, STIX Shifter, enables federated search for indicators of compromise (IoCs) across different security tools. The other, OpenDXL, is an open messaging format so that tools can share information, notifications and commands in a standardised way.
Market forces at work
The OCA talks a good open source game and seems quite serious about building a truly open standard under the auspices of OASIS (Organization for the Advancement of Structured Information Standards), the well-respected open standards group in which no single member — even a founding member like IBM — can dominate.
The OCA's motives, they say, are purely economic: Enterprise buyers, frustrated by tools that can't talk to each other and require substantial time and money to integrate fully in their SOCs, are demanding more interoperability.
At the same time, a growing suite of open-source security tools, like the Security Onion stack and TheHive, together offer a free, fully interoperable "SOC in a box." That might have the big players looking over their shoulders at the free alternatives to their bloated six-figure-per-seat licenses.
The Security Onion stack is open source, interoperable, and customisable at a license cost of zero dollars, forever. It's only going to keep getting better. Enterprise security solutions that want to compete with "pretty good" and "free" need not only to offer a superior solution but also to plug and play nicely in the modern SOC.
OCA's open source projects
Since October, 25 organisations have joined the OCA, and the alliance hopes to continue to grow to encompass all the major cyber security vendors today. Other members include Indegy, CrowdStrike, Fortinet and ReversingLabs.
"What we're trying to do as an industry, if we can align around a common data model and a common set of APIs, then that problem [a lack of interoperable security tools] becomes a much smaller problem than it is today," Chris Smith, senior sales engineer at McAfee, tells CSO.
STIX Shifter, contributed by IBM and built on STIX (Structured Threat Information eXpression) patterns, is useful "if you're threat hunting and you want to query all your other tools for evidence of a certain artefact use STIXShifter to ask that question in a vendor-neutral platform agnostic language," the GitHub repo said.
"STIX Shifter would be the technology that enables a company to search for an indicator of compromise across multiple tools, data repositories," Jason Keirstead, chief architect, IBM Security Threat Management, tells CSO. "If that search turns up a compromised device, OpenDXL Ontology would be the mechanism that would be used to issue alerts/notifications across other tools in order to begin remediation."
The other project, OpenDXL (the Open Data Exchange Layer), contributed by McAfee, enables "security devices to share intelligence and orchestrate security operations in real time," the OpenDXL web page said. "OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time, accurate security decisions.
"OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilise, and delivers a simple, open path for integrating security technologies regardless of vendor."
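The search-then-notify flow that Keirstead describes above (a vendor-neutral IoC query fanned out to several tools, then a notification issued on a shared messaging layer) is easier to see in code. The Python below is an added illustration written for this article; it is not STIX Shifter's or OpenDXL's own code and does not use either project's API. It parses a small subset of STIX 2.1 patterning, translates one pattern into two constructed backend dialects ("kv_search" and "sql_store", with assumed field names), runs it over constructed sample records, normalises the hits back to STIX `object:property` terms, and publishes confirmed matches on a topic via an in-memory stand-in for a DXL-style fabric. The topic name `/soc/ioc/match` and all sample data are assumptions.

```python
import re
from typing import Dict, List

# 1. Parse a STIX 2.1 pattern (one bracketed observation, comparisons joined by AND).
#    Only string/integer = and != are handled here; real STIX patterning is far larger.
OBSERVATION_RE = re.compile(r"^\[(.+)\]$")
COMPARISON_RE = re.compile(r"^\s*([a-z0-9-]+):([a-z0-9_.]+)\s*(=|!=)\s*(?:'([^']*)'|(\d+))\s*$")

def parse_stix_pattern(pattern: str) -> List[tuple]:
    # Returns a list of (object_type, property, operator, value) tuples.
    m = OBSERVATION_RE.match(pattern.strip())
    if not m:
        raise ValueError("expected a single bracketed STIX observation expression")
    comparisons = []
    for part in m.group(1).split(" AND "):
        cm = COMPARISON_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported comparison: {part!r}")
        obj, prop, op, s_val, i_val = cm.groups()
        comparisons.append((obj, prop, op, s_val if s_val is not None else int(i_val)))
    return comparisons

# 2. Translate to each backend's native query. "kv_search" and "sql_store" are constructed
#    stand-ins for two products with different schemas; the field names are assumptions.
FIELD_MAPS = {
    "kv_search": {("ipv4-addr", "value"): "src_ip", ("network-traffic", "dst_port"): "dest_port"},
    "sql_store": {("ipv4-addr", "value"): "src_addr", ("network-traffic", "dst_port"): "dst_port"},
}

def _kv_clause(field, op, value):
    literal = f'"{value}"' if isinstance(value, str) else str(value)
    return f"{field}{'=' if op == '=' else '!='}{literal}"

def _sql_clause(field, op, value):
    literal = "'" + value.replace("'", "''") + "'" if isinstance(value, str) else str(value)
    return f"{field} {'=' if op == '=' else '<>'} {literal}"

DIALECTS = {  # (clause builder, query renderer) per backend
    "kv_search": (_kv_clause, lambda cs: " AND ".join(cs)),
    "sql_store": (_sql_clause, lambda cs: "SELECT * FROM flows WHERE " + " AND ".join(cs)),
}

def translate(pattern: str, backend: str) -> str:
    clause_fn, render = DIALECTS[backend]
    clauses = []
    for obj, prop, op, value in parse_stix_pattern(pattern):
        field = FIELD_MAPS[backend].get((obj, prop))
        if field is None:
            raise ValueError(f"{backend} has no field for {obj}:{prop}")
        clauses.append(clause_fn(field, op, value))
    return render(clauses)

# 3. Run the search against every backend and normalise hits back to STIX terms.
#    Constructed sample records in each backend's own schema (RFC 5737 test addresses).
DATA = {
    "kv_search": [{"src_ip": "198.51.100.5", "dest_port": 4444, "host": "ws-101"},
                  {"src_ip": "203.0.113.9", "dest_port": 443, "host": "ws-102"}],
    "sql_store": [{"src_addr": "198.51.100.5", "dst_port": 4444, "asset": "srv-07"},
                  {"src_addr": "198.51.100.5", "dst_port": 80, "asset": "srv-08"}],
}

def _matches(record: dict, fmap: dict, comparisons) -> bool:
    for obj, prop, op, value in comparisons:
        actual = record.get(fmap[(obj, prop)])
        if (actual == value) != (op == "="):
            return False
    return True

def federated_search(pattern: str) -> List[dict]:
    comparisons = parse_stix_pattern(pattern)
    hits = []
    for backend, records in DATA.items():
        fmap = FIELD_MAPS[backend]
        native = translate(pattern, backend)  # what a real backend would be sent
        for rec in records:
            if _matches(rec, fmap, comparisons):
                hit = {f"{o}:{p}": rec[fmap[(o, p)]] for o, p, _, _ in comparisons}
                hits.append({**hit, "backend": backend, "native_query": native})
    return hits

# 4. Publish confirmed matches on a topic so other tools can react: an in-memory
#    stand-in for a DXL-style messaging fabric, not the OpenDXL client itself.
class TopicBus:
    def __init__(self) -> None:
        self.subscribers: Dict[str, list] = {}

    def subscribe(self, topic: str, handler) -> None:
        self.subscribers.setdefault(topic, []).append(handler)

    def publish(self, topic: str, message: dict) -> int:
        handlers = self.subscribers.get(topic, [])
        for handler in handlers:
            handler(message)
        return len(handlers)  # number of tools that received the notification

def hunt_and_notify(pattern: str, bus: TopicBus, topic: str = "/soc/ioc/match") -> List[dict]:
    hits = federated_search(pattern)
    if hits:  # no hits, no noise on the fabric
        bus.publish(topic, {"pattern": pattern, "hits": hits})
    return hits
```

The point of the split between `translate` and `federated_search` is the one the OCA projects make: the hunter writes the question once, in STIX terms, and each tool's adapter owns the mapping to its own schema and syntax, so adding a new product means adding one dialect entry rather than rewriting every hunt. Notifications only go out on a confirmed match, which keeps a subscribed ticketing or response tool from being flooded by empty searches.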
Open source: Coming to a SOC near you?
The market may have hit a high-water mark in terms of expensive, overhyped enterprise security solutions. Buyers are realising the latest AI thingamajigger isn't a magic wand after all. They are looking to trim their supplier list and consolidate and integrate what they keep. That makes interoperability a key selling point.
This may be one of the few occasions when economic incentives move the needle toward stronger cyber security.