Warakorn - Fotolia


Benefits of the Cisco OpenSOC security analytics framework

Cisco's open source security analytics framework aims to help enterprises address visibility and incident management challenges. Expert Kevin Beaver discusses OpenSOC and what to consider when integrating it into an enterprise security strategy.

Given all the active threats and vulnerabilities being exploited every waking moment -- often, right before our eyes -- many people in charge of enterprise information security are realizing the value in good, old-fashioned threat intelligence and incident response.

However, there are a few roadblocks.

First, everyone's security budget is limited. Also, everyone struggles to sell security to management and end users -- and keep them interested over the long haul. And perhaps worst of all, studies are showing that organizations today are struggling to implement just the security basics.

Whatever the reasoning may be, it's not going to matter once a breach occurs; what matters is how quickly enterprises are able to respond and take the appropriate actions to stop the bleeding.

How Cisco's OpenSOC can help

OpenSOC has some lofty goals, but after all, it's Cisco's answer to an industry in need of some lofty ideas.

In an increasingly crowded threat intelligence and security analytics market, Cisco recently released its OpenSOC big data security analytics framework to help address some of the visibility and incident management challenges enterprises are experiencing today.

OpenSOC -- short for Open Security Operations Center -- has been available since September 2014 and was in development a year prior to that. Rather than taking an "everything new from the ground up" approach, Cisco integrated well-known tools familiar to most people (namely the Apache projects of Hadoop, Hive, HBase, Flume, Kafka and Storm), and combined them with the open source ElasticSearch search and analytics product. This combination created an enterprise-ready security analytics platform that can be hosted in the cloud or on-premises.

OpenSOC has some lofty goals, but after all, it's Cisco's answer to an industry in need of some lofty ideas. According to the Cisco OpenSOC website, the framework hopes to hit the mark by providing "a collaborative open source community" that identifies deficiencies and key feature enhancements for "an extensible and scalable advanced security analytics tool."

Digging deeper into OpenSOC's enterprise security capabilities via a passive network tap and dual network capture cards, it can monitor any source (i.e., raw network streams, NetFlow, syslog, etc.), detect anomalies, provide real-time alerts, retain and index evidence, and correlate and report on the findings. OpenSOC can even be extended out to existing enterprise analytics tools via ODBC and JDBC connections.

When managing security threats and risks, enterprises will want to minimize their maximum regret.

For example, enterprises may already be using Tableau, R or some other enterprise analytics program. Imagine being able to pull in threat intelligence from the enterprise network environment and integrating it with existing business decision-making processes. The real-time capabilities of OpenSOC are a key differentiator here. Implemented and managed properly, this big data view of security may not only have a tremendous impact on risk management processes, but its actionable (and real-time) evidence of the enterprise's security posture could help bring security front and center among business executives.

Using Cisco OpenSOC in the enterprise

With existing threat intelligence and management technologies -- such as traditional security information and event management systems -- as well as other frameworks, including CyboX, OpenIOC and even Facebook's ThreatData, potentially already in place, what do enterprises need to be thinking about in terms of standardizing on one approach or integrating a new framework into a current strategy? Here are three things that must be taken into consideration:

  1. How will such a framework/platform integrate with existing network security controls? Is open source the best route? What worked for Cisco and what fits well for many other enterprises may not be good for the general public in terms of visibility, control and, most importantly, manageability.
  2. Are the internal resources required to properly implement and manage such a system available? Any new system or task that's taken on means that something else has to go. Unless, that is, dedicated staff can be hired to oversee such a function. Many organizations might be better off outsourcing such services. Perhaps the time, money and effort required to make such a project successful would be better spent towards fixing the basic security vulnerabilities that are present across the enterprise network today.
  3. Can existing security standards, policies and procedures be updated to accommodate a new threat intelligence platform? It's also important to consider existing contracts and SLAs on the legal side. As a recent MIT study shows, there can be unintended consequences of mining data and gathering analytics that legal counsel and management need to be aware of.

In the end, when managing security threats and risks, enterprises will want to minimize their maximum regret. It's safe to say that most organizations' maximum regret is having a network environment that is so out of control that it ends up facilitating a serious incident or data breach.

We know we cannot stop breaches altogether. Therefore, what enterprise security managers must do is minimize the impact of the security events that are eventually carried out. Doing so requires good information and quick decision making; security analytics frameworks such as Cisco's OpenSOC can do just that if enterprises are willing and able to do it right.

About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio booksand blog providing security learning for IT professionals on the go. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.

Next Steps

Don't miss SearchSecurity's guide to security analytics

Learn how security analytics helps boost APT defense

Dig Deeper on Security analytics and automation

Enterprise Desktop
Cloud Computing