Security Déjà vu: from SIEM to SOAR to ASPM

The need to consolidate, and prioritize security data is as important as ever

Willy Leichter

February 15, 2024


When I think of the last 20+ years of cybersecurity, Yogi Berra’s famous quote comes to mind: “it feels like déjà vu, all over again.” In both security and baseball, it’s natural to feel like you’ve seen it all before, even while the game continuously evolves.

If you’ve been around cybersecurity for more than a few years, it often feels like we’re repeatedly trying to solve the same basic challenges, yet today’s actual attacks and defenses frequently bear little resemblance to those of the past.

Here’s what hasn’t changed: we’re still struggling to keep up. And the legitimate complaints of security professionals feel like déjà vu. There’s always too much security data producing too much noise and far too many false positives. Compounding that, there are never enough trained staff to follow up adequately, while front-line security analysts get frustrated and look for other jobs. And management is not satisfied that we have meaningfully reduced risk.

This problem does not come from lack of effort, smart security teams, or breakthrough technology. In fact, many of these problems have been solved in certain security domains, only to have them re-emerge in new ones. Some notable examples are:

  • SIEM (Security Incident and Event Management): in the early 2000s, responding to a flood of network security events, new tools emerged that successfully aggregated, consolidated, and normalized data from multiple network point solutions and reduced the burden of managing it. SIEMs were successful for a time, but they were built on outdated and expensive data models, used relatively primitive policy engines, and required extensive expertise to make them effective. They also didn’t anticipate the explosion of cloud applications and the fragmenting of security data.
  • TIP (Threat Intelligence Platforms): as threat research and intelligence evolved in the late aughts, many point solutions emerged with a range of threat detection techniques that were reasonably successful, until new attack patterns appeared. Once again, security analysts were faced with a flood of potential threat data from many sources, which became unmanageable. TIPs solved this problem for a time, aggregating, consolidating, and correlating threat intel and giving some guidance on how to prioritize it. While many large enterprises adopted TIPs, they often proved too expensive, too complex, and out of reach for smaller organizations.
  • SOAR (Security Orchestration, Automation and Response): in the mid-2010s, SOAR became the next hot technology, promising to make sense of SIEM and TIP data, orchestrate across many tools, and take the next important step: automating response. Often leveraging early machine learning models, SOARs promised better triaging of events and a dramatic reduction in the labor required for manual correlation, enrichment, and response. SOAR was effective in known use cases with somewhat hard-wired automation, but the technology was often clunky, inflexible, and difficult to use, and required extensive expertise and coding to make it effective.

It’s not that these technologies don’t work: they do, and they have provided numerous examples of dramatic time and cost savings. They remain widely in use and are foundational pieces of many SOCs (security operations centers). The dramatic reduction in data storage costs and improvements in AI/ML have improved many of these products, and these capabilities have been incorporated into larger platforms and commoditized.

What’s striking, however, is how the same language has been used to describe this series of security challenges over the years. The need to aggregate, consolidate, deduplicate, normalize, correlate, and prioritize security data has persisted even as generations of technology have promised to make these problems go away.

Shifting left, towards AppSec

Over the last decade, the front line of security has shifted upstream, or “left” in traditional network flow charts. The valid rationale is that rather than relying on finding and patching vulnerabilities in production code, we should try to prevent them in the first place. This requires better coding practices and more effective detection and remediation of software flaws, before vulnerabilities become codified in production code.

This has led to the development of a new wave of point solutions including SAST (static application security testing), DAST (dynamic application security testing), SCA (software composition analysis, which detects supply chain vulnerabilities), container security, bug bounties, and much more. Along with this, the concept of DevSecOps, with its ubiquitous infinite-loop diagrams, promised to integrate “shift left” security with infrastructure and runtime security tools, completing the virtuous loop of detection and remediation at all stages.

While the goals of DevSecOps are sound, in practice, we have a long way to go, and the explosion of AppSec tools has led us once again to déjà vu. With hundreds of point solutions across DevSecOps, there is again too much data and noise, too many false positives, and an inability to effectively prioritize what really matters to a specific organization, and what can wait. 

This has led to a new wave of technology designed to address today’s challenges of aggregation, correlation, normalization, prioritization, and remediation. 

Analyst firm Gartner, one of the world’s leading manufacturers of acronyms, has given us some new, somewhat awkward ones:

While the acronyms don’t exactly roll off the tongue, the pain is real. These three terms all significantly overlap and try to address the same challenges, from different starting points. The key capabilities of all of these are:

  • Consolidating data from a wide range of security tools into one unified platform
  • Deduplicating, correlating, and normalizing data to make it manageable
  • Providing consistent visibility and a single source of truth for different security groups
  • Prioritizing vulnerabilities and remediation: pinpointing the most critical security issues that are relevant to your business and must be addressed immediately.
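As an added illustration of the four capabilities just listed (not code from this post or from any vendor’s product), here is a small Python pipeline that takes constructed findings from three hypothetical tools (a SAST, an SCA and a DAST scanner, each with its own field names), normalizes them to one record, deduplicates on a (CWE, location) fingerprint, and ranks the survivors by severity plus assumed business context. All tool schemas, the asset context table and the sample findings are assumptions made for the example.

```python
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed raw findings: a SAST, an SCA and a DAST tool, each with its own schema.
RAW = [
    {"tool": "sast", "rule": "CWE-89", "path": "api/users.py", "line": 42, "sev": "HIGH"},
    {"tool": "sast", "rule": "CWE-89", "path": "api/users.py", "line": 42, "sev": "HIGH"},  # rerun
    {"tool": "sca", "cwe": 502, "package": "pyyaml", "file": "requirements.txt", "severity": 9.8, "fix": "6.0.1"},
    {"tool": "dast", "cwe_id": "CWE-89", "url": "/api/users", "source_file": "api/users.py", "risk": "Medium"},
    {"tool": "sca", "cwe": 400, "package": "urllib3", "file": "requirements.txt", "severity": 4.3, "fix": None},
]

# Assumed business context per asset: what the list above calls "relevant to your business".
ASSET_CONTEXT = {"api/users.py": {"internet_facing": True, "handles_pii": True},
                 "requirements.txt": {"internet_facing": True, "handles_pii": False}}

def cvss_to_label(score):
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"

def normalize(raw):
    # Map each tool's schema onto one common record: cwe, location, severity label, fix, tools.
    t = raw["tool"]
    if t == "sast":
        return dict(cwe=raw["rule"], location=raw["path"], severity=raw["sev"].lower(), fix=None, tools={t})
    if t == "sca":
        return dict(cwe=f"CWE-{raw['cwe']}", location=raw["file"], severity=cvss_to_label(raw["severity"]), fix=raw["fix"], tools={t})
    if t == "dast":
        return dict(cwe=raw["cwe_id"], location=raw["source_file"], severity=raw["risk"].lower(), fix=None, tools={t})
    raise ValueError(f"unknown tool {t}")

def consolidate(raws):
    # Deduplicate on (cwe, location); keep the worst severity and note which tools agree.
    merged = {}
    for rec in map(normalize, raws):
        m = merged.setdefault((rec["cwe"], rec["location"]), rec)
        if m is not rec:  # fingerprint already seen: merge instead of adding a duplicate
            m["severity"] = max(m["severity"], rec["severity"], key=SEVERITY.get)
            m["tools"] |= rec["tools"]
            m["fix"] = m["fix"] or rec["fix"]
    return list(merged.values())

def priority(rec):
    # Severity first, then exposure and data sensitivity, corroboration, and fix availability.
    ctx = ASSET_CONTEXT.get(rec["location"], {})
    score = SEVERITY[rec["severity"]] * 10
    score += 5 * bool(ctx.get("internet_facing")) + 5 * bool(ctx.get("handles_pii"))
    score += 3 * (len(rec["tools"]) - 1)  # DAST confirming a SAST hit is more likely real
    score += 2 if rec["fix"] else 0       # a known fix is cheaper to close out
    return score

def prioritized(raws):
    return sorted(consolidate(raws), key=priority, reverse=True)
```

Calling `prioritized(RAW)` collapses the five raw findings to three, with the SQL injection reported by both SAST and DAST merged into a single corroborated record ranked just below the critical dependency that already has a fix available.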

These new areas of security will certainly evolve, and the names may be consolidated, but the goals will remain the same. The feeling of déjà vu is valid, and sometimes frustrating, but that doesn’t mean we’re doing the wrong things. As we’ve tackled the manageability and consolidation of security data in the past, we need to apply the same principles to new areas of security, while demanding that more modern software help us keep up with exploding amounts of data and do a better job of prioritizing what matters most.