The volume and scope of security data are far outstripping a SOC’s capacity. The very technologies that were deployed to stop the numerous threats all generate their own signals. The often quoted “every SOC averages 40-60 vendor products installed” illustrates this factor. For good reasons, SOCs have a lot of tooling, but because these devices were built to send alerts whenever something looks fishy, they both help the SOC meet its objectives and make meeting them harder.

And it isn’t just the volume that is the problem. Every new tool requires expertise to understand its output and to engineer its ongoing efficacy. With limited resources to become expert in all of those tools, some inevitably fall by the wayside. It’s no wonder that SOCs don’t want another alert.

This isn’t a new problem. SOCs have been fighting data overload since they were first built. In fact, the promise most associated with the now decades-old SIEM category, bequeathed to Security Analytics and now to machine learning products, is that technology will gather logs and data from security devices and contextual sources far and wide, correlate the results, and provide answers from this avalanche of data.

Unfortunately, the scale and variety of alerts and, of course, the shortage of people who can do the data science, engineering, and analysis put delivering on this promise out of reach for almost every SOC.

We see the gap widening due to exponential data growth and the scarcity of skilled security professionals who could use the data to be effective. The solution isn’t clear-cut, and we believe it demands that the industry rethink the current approach.

Mike Armistead

Mike has led several software companies from inception through high growth and to successful IPOs or acquisitions. Mike’s passion for technologies that change how people work is as intense today as it was earlier in his career when he was the first product manager for Pure Software, where he helped lead the company from an early-stage start-up to become a top 10 public software company. A keen interest in IT security in the early 2000s led Mike to co-found Fortify Software. Fortify defined application security and continues to be the market leader after its acquisition by HPE Security and now Micro Focus. At HPE Security, Mike was the VP and General Manager of the Fortify and ArcSight businesses until he left in 2016 to start Respond Software.
