By Charlie Thomas, CEO, Deepwatch
The ever-increasing volume of security data is becoming unmanageable through conventional data analysis, security tools and management techniques. Security teams are deluged with logs, events, and alerts from traditional sources including firewalls, intrusion detection systems, and endpoint security solutions, as well as SaaS, cloud, and many other data sources. The avalanche of data isn’t just impacting analysts, it is overloading the very infrastructure that supports this cybersecurity data, leading to runaway data management costs, let alone the workload thrust upon analysts and their SOC peers.
Security Information and Event Management (SIEM) systems have been the cornerstone of this infrastructure for some time, and the security and economic challenges have been growing. The cost of getting all relevant security data to a single SIEM has been increasing as IT sprawl hits cloud, and now multi-cloud environments. Existing strategies to address this have been limited to choosing between spending for more capacity in SIEM licensing, data transit costs, and data processing capacity or choosing to discontinue sending some cybersecurity-relevant data to the SIEM. This leads either to unsustainable security operations costs, or a reduction in security visibility within the environment – neither is acceptable in the Cyber Resilient enterprise.
The solution is to more effectively utilize cybersecurity data where it lives. Cloud infrastructure solutions are starting to offer security data lake solutions, and we historically have not sent endpoint OS logs directly into a SIEM because those logs are already accessible inside of a quality EDR solution. Some cloud offerings include some level of SIEM functionality built into their environment which is focused on their particular cloud logs.
Indeed, if we could better utilize this fantastic data where it exists, instead of routing it all to a centralized SIEM located in some other environment, we could achieve a valuable cost savings without sacrificing visibility. And we can accomplish it without the need for “swivel chair” actions by our SOC resources (logging into multiple interfaces to interact with all the relevant data).
At Deepwatch, we’ve christened this solution the Open Security Data Architecture. Via this architecture, Deepwatch is expanding our footprint to allow customers to do more with cybersecurity data that is not consolidated in a singular SIEM. And not only analysis of data, but using that architecture to execute fast response actions within the security tools that are generating the data. Correlated, validated data may not have originated from a particular tool.
Indeed, the ability to utilize new technologies like hyperautomation to power the flexibility to interact with data where it lives, in a timely fashion, without relying on people to manually correlate data between systems, is opening up a new paradigm for security operations.
Open Security Data Architecture is a multi-technology solution – which is why you won’t see Deepwatch putting a logo on it and reselling it as a software license any time soon. We aren’t abandoning the best-of-breed technologies that have fueled our capabilities to date, but we are utilizing Open Security Data Architecture to expand our reach to solutions like Microsoft Sentinel, increase our interoperability with CrowdStrike’s ever-broadening portfolio, and many, many others.
About the Author
Charlie Thomas is the CEO of Deepwatch and is responsible for overall corporate strategy and execution. He has led and grown four different startups to market values from $25 million to over $1 Billion with four exits and an IPO. Charlie has been responsible for growth, expanding markets globally, and quickly adapting to industry dynamics at technology and software companies. He has led in all facets of growth including capitalization, branding, product, sales, channels, marketing, team recruitment, and corporate strategy. Charlie has served as a Board Member or Investor at fourteen (14) cybersecurity, software and technology companies. He holds a B.A. from the University of Virginia.
Charlie can be reached online at linkedin.com/in/charliethomasdc and at our company website www.deepwatch.com.