How will SASE, SOAR, Zero Trust and SIEM technologies shake out?
If you have been reading this blog regularly, read our note on, or visited Microsoft, Cisco etc. conferences, you will be aware of the terms Zero Trust, SASE, SOAR and SIEM. In this blog we explain (in summary, trying not to fall asleep) what these acronyms mean and their history, and try to predict what will happen in the market going forwards.
Patronising is not our style, so if you already know what we are going on about, please skip over it. Teaching your elderly relatives how to suck eggs is not our business.
Setting the scene – briefly
Way, way back many centuries ago, Enterprise security and SME business security were predicated on a ‘Castle and Moat’ philosophy, with internal assets being protected from the outside world by Firewalls, more Firewalls, Anti-Virus, Proxies, more Proxies, DNS and DDoS solutions, the whole bit.
Remote users accessed internal systems using VPN technology (based on IPSEC and SSL). Users even accessed the Internet indirectly via internal controls in order that traffic could be inspected and controlled.
Then along came ‘Bring Your Own Device’ initiatives, an absolute nightmare for security types, spreading like wildfire via, for instance, executive golf course selling (why haven’t I got one of those things?).
Massive businesses reselling datacenter capacity as ‘the cloud’ emerged, the initial promise being that companies could easily move workloads between cloud providers having automatically brokered CPU/Storage costs. This of course did not come to pass.
Like a small snowball rolling down Everest, the uptake of cloud gathered pace with AWS, Google and Microsoft being the major players. Of course, the individual functional technology of each cloud solution made them sticky to a customer, even unmovable.
With Total Cost Of Ownership models looking attractive, especially in a Capex versus Opex world, the cloud rush began in earnest and many businesses embarked upon the crusade.
Along comes Covid, and work from anywhere, not just work from home, becomes an essential requirement; a new security management model is required.
SIEM – Security Incident and Event Management
As disparate security platforms generated more and more logs, operations teams (at the time, the early 2000s, there were very few dedicated Security Operations teams other than in Governments and the Military) found it increasingly difficult to identify real attacks through all the noise, often described as looking for a needle in a haystack.
In order to facilitate the mass gathering of logs from different systems, along came SIEM systems, which ingested logs, ran them against built-in and programmed rules and generated alerts that would be triaged by a SOC team, with remedial action recommended and then implemented.
Examples of early SIEM systems were Protego, sold to Cisco, who released Cisco MARS (Monitoring, Analysis and Response System) in 2004, and ArcSight, released in 2000 and still on sale today from Micro Focus.
The trouble with these systems was a large number of false positives, very little value in terms of actually finding bad stuff, and cost: they were massively expensive, often charging by the number of logs ingested, which obviously increased as new technologies (IPS, say) came around.
Of course, since these systems were predominantly alert-only, protection against attack relied upon rapid response to alerts, and it was often difficult to have the appropriate support staff to hand to remediate (Wintel, Linux, Network Teams etc.).
SOAR – Security Orchestration Automation and Response
In order to respond better to attacks that had been triaged, manually or automatically, to a high degree of probability, Security Orchestration Automation and Response systems were developed, often initially as scripts triggered by SIEM activity but later developed into standalone or integrated platforms, a situation that continues to this day.
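As an added illustration of the two mechanisms described above (example code written for this post, not Tiberium's service or any vendor's product): a toy SIEM that ingests constructed login records, runs a noisy single-event rule beside a correlated brute-force rule, and hands only the correlated alerts to a SOAR-style playbook. The log format, thresholds and action names are all invented here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines: timestamp, event, user, source IP.
SAMPLE_LOGS = """2024-01-10T09:00:01 LOGIN_FAIL alice 203.0.113.7
2024-01-10T09:00:03 LOGIN_FAIL alice 203.0.113.7
2024-01-10T09:00:04 LOGIN_FAIL alice 203.0.113.7
2024-01-10T09:00:09 LOGIN_OK alice 203.0.113.7
2024-01-10T09:15:00 LOGIN_FAIL bob 198.51.100.2
2024-01-10T09:15:30 LOGIN_OK bob 198.51.100.2
"""

def parse_line(line):
    """SIEM ingest step: normalise one raw line into an event dict with a parsed timestamp."""
    ts, kind, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, "src": src}

def rule_any_failure(events):
    """Early-SIEM style rule: one alert per failed login. Fires constantly, hence the noise."""
    return [{"rule": "any_failure", "user": e["user"], "src": e["src"]}
            for e in events if e["kind"] == "LOGIN_FAIL"]

def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlated rule: >= threshold failures from one source, then a success within window."""
    alerts, failures = [], defaultdict(list)  # src -> failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "LOGIN_FAIL":
            failures[e["src"]].append(e["ts"])
        elif e["kind"] == "LOGIN_OK":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                               "src": e["src"], "failures": len(recent)})
            failures[e["src"]].clear()  # a success resets the counter for that source
    return alerts

# SOAR playbook: alert rule -> ordered response actions (placeholder action names, not a real API).
PLAYBOOK = {"bruteforce_then_success": ["disable_account", "block_source_ip", "open_ticket"]}

def run_playbook(alerts):
    """Return the actions a SOAR platform would queue for each alert; nothing is executed here."""
    return [{"action": act, "target": a["user"] if act == "disable_account" else a["src"]}
            for a in alerts for act in PLAYBOOK.get(a["rule"], ["open_ticket"])]

def pipeline(raw=SAMPLE_LOGS):
    events = [parse_line(l) for l in raw.splitlines()]
    correlated = rule_bruteforce_then_success(events)
    return {"noisy_alerts": len(rule_any_failure(events)),
            "correlated_alerts": correlated, "actions": run_playbook(correlated)}
```

On the sample data the single-event rule raises four alerts while the correlated rule raises one, for the source that failed three times and then got in; only that one reaches the playbook.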
SASE (Gartner coined)
“The Secure Access Service Edge (SASE, pronounced sassy) is a networking model first described by Gartner in 2019. It marks the necessary merger of traditional WAN management and security capabilities into a unified whole, one that is built, implemented and managed using cloud-native architectures.”
The promise of SASE was, and to a degree still is, to have the capability of managing, monitoring and controlling devices accessing your applications and data no matter where they are in terms of the perimeter.
Spooky, isn’t it, that after Gartner coined SASE, along came COVID-19, the Global workforce (at least the majority) was forced to work outside of the office, and the big software outfits started talking about ‘the hybrid model’, which they predicated upon a very much older paradigm – Zero Trust? Read all about it in a previous Tiberium blog.
So where does all this leave the modern security team?
The rush to the cloud moves on apace; work from anywhere, anytime – the new hybrid model – is now the norm, and much investment in on-premises security tooling is not adding value.
At Tiberium, we have built services that absolutely support the new paradigm. While we are currently tightly built on and integrated with the Microsoft stack, we are investigating the integration of SASE solutions such as Netskope, which can offer rich enough logs to drive useful use cases and automated remediations.
Microsoft is pressing both Zero Trust and SASE and we are right with them. It is the right time for the right idea and will reduce your threat landscape significantly. There will be consolidation in this marketplace and we eagerly await the news.
We have designed and built our service ‘cloud first’ and ‘automation driven’. We are sure you would be impressed were you to take the time to see them. Please contact us.
Automation is necessary to combat automated threats such as Ransomware in a timely and useful fashion, rather than waiting for a phone call from your legacy SOC. Our team recently (we are very proud) won the runners-up spot in the Hackathon at the Security South Coast Summit this weekend.
We have a seminar on our MYTHIC hybrid SOC service on November 17th. Sign up for it here and see the future.
Now the tune. Games Without Frontiers was released by Peter Gabriel in 1980. It includes the words:
In games without frontiers-war without tears
Games without frontiers-war without tears
Jeux sans frontieres
Jeux sans frontieres
Jeux sans frontieres
Andre has a red flag, Chiang Ching’s is blue
They all have hills to fly them on except for Lin Tai Yu
Cyber War is here. Not quite no tears, just fewer than in 1980.
Get yourselves modernised. Drop us a line.