Too many security tools in your SOC, and none of them talk to each other, but new vendor-supported open-source projects might lead to greater interoperability.

Anecdotal evidence of security operations center (SOC) tool overload is overwhelming — at CSO we hear complaints from industry sources about this problem all the time — but the 2019 SANS SOC Survey attempted to quantify the problem. For most survey respondents, there were roughly as many SOC analysts as there were full-time employees tasked with maintaining the SOC security tools. That’s on top of the expense of purchasing those security tools in the first place.

To solve this problem, IBM and McAfee launched the Open Cybersecurity Alliance (OCA) in October 2019. Together they have released two open-source projects meant to improve interoperability among enterprise security tools. One, STIX Shifter, enables federated search for indicators of compromise (IoCs) across different security tools. The other, OpenDXL, is an open messaging format that lets tools share information, notifications and commands in a standardized way.

Market forces at work

The OCA talks a good open-source game and seems quite serious about building a truly open standard under the auspices of OASIS (Organization for the Advancement of Structured Information Standards), the well-respected open standards group in which no single member — even a founding member like IBM — can dominate.

The OCA’s motives, they say, are purely economic: Enterprise buyers, frustrated by tools that can’t talk to each other and require substantial time and money to integrate fully in their SOCs, are demanding more interoperability.
At the same time, a growing suite of open-source security tools, like the Security Onion stack and TheHive, together offer a free, fully interoperable “SOC in a box.” That might have the big players looking over their shoulders at the free alternatives to their bloated six-figure-per-seat licenses.

The Security Onion stack is open-source, interoperable, and customizable at a license cost of zero dollars, forever. It’s only going to keep getting better. Enterprise security solutions that want to compete with “pretty good” and “free” need not only to offer a superior solution, but also to plug and play nicely in the modern SOC.

OCA’s open-source projects

Since October, 25 organizations have joined the OCA, and the alliance hopes to continue to grow to encompass all of today’s major cybersecurity vendors. Other members include Indegy, CrowdStrike, Fortinet and ReversingLabs.

“What we’re trying to do as an industry, if we can align around a common data model and a common set of APIs, then that problem [a lack of interoperable security tools] becomes a much smaller problem than it is today,” Chris Smith, principal engineer at McAfee, tells CSO.

STIX (Structured Threat Information eXpression) is useful “if you’re threat hunting and you want to query all your other tools for evidence of a certain artifact: use STIXShifter to ask that question in a vendor-neutral, platform-agnostic language,” the GitHub repo said.

“STIXShifter would be the technology that enables a company to search for an indicator of compromise across multiple tools, data repositories,” Jason Keirstead, chief architect, IBM Security Threat Management, tells CSO. (IBM contributed STIXShifter to the project.)
“If that search turns up a compromised device, OpenDXL Ontology would be the mechanism that would be used to issue alerts/notifications across other tools in order to begin remediation.”

The other project, OpenDXL (the Open Data Exchange Layer), contributed by McAfee, enables “security devices to share intelligence and orchestrate security operations in real time,” the OpenDXL web page said. “OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time, accurate security decisions. OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilize, and delivers a simple, open path for integrating security technologies regardless of vendor.”

Open source: Coming to a SOC near you?

The market may have hit a high-water mark in terms of expensive, overhyped enterprise security solutions. Buyers are realizing the latest AI thingamajigger isn’t a magic wand after all. They are looking to trim their supplier list and consolidate and integrate what they keep. That makes interoperability a key selling point. This may be one of the few occasions when economic incentives move the needle toward stronger cybersecurity.
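To make the federated IoC search described above concrete, here is an added illustrative example, not STIX Shifter's own code or API: a toy translator that takes one vendor-neutral STIX 2 pattern and renders it in the native query syntax of two hypothetical backends, "siem_a" and "edr_b", whose names, query dialects and field maps are all constructed for this example.

```python
import re

# Illustrative field maps: STIX object path -> native field name, one per
# hypothetical backend. Both backends and all field names are constructed.
FIELD_MAPS = {
    "siem_a": {"ipv4-addr:value": "src_ip", "domain-name:value": "query",
               "file:hashes.'SHA-256'": "file_hash_sha256"},
    "edr_b": {"ipv4-addr:value": "remote.ip", "domain-name:value": "dns.name"},
}

# One STIX comparison: <object-type>:<property> (=|!=) '<value>'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*(=|!=)\s*'([^']*)'")

def parse_pattern(pattern):
    """Split a single-observation STIX pattern into comparisons and operators."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed STIX observation expression")
    parts = re.split(r"\s+(AND|OR)\s+", body[1:-1].strip())
    comps = []
    for text in parts[0::2]:          # comparisons sit at even positions
        m = COMPARISON.fullmatch(text.strip())
        if m is None:
            raise ValueError(f"unsupported comparison: {text!r}")
        comps.append(m.groups())
    return comps, parts[1::2]         # operators sit at odd positions

def translate(pattern, backend):
    """Render the STIX pattern in one backend's native query syntax."""
    comps, ops = parse_pattern(pattern)
    fmap = FIELD_MAPS[backend]
    clauses = []
    for path, op, value in comps:
        if path not in fmap:
            raise KeyError(f"{backend} cannot search {path}")
        if backend == "siem_a":       # siem_a dialect: field="value"
            clauses.append(f'{fmap[path]}{op}"{value}"')
        else:                         # edr_b dialect: field == "value"
            clauses.append(f'{fmap[path]} {"==" if op == "=" else "!="} "{value}"')
    tokens = [clauses[0]]
    for op, clause in zip(ops, clauses[1:]):
        tokens += [op, clause]
    return " ".join(tokens)

def federated_queries(pattern):
    """Fan one STIX pattern out to every backend whose field map can answer it."""
    result = {}
    for backend in FIELD_MAPS:
        try:
            result[backend] = translate(pattern, backend)
        except KeyError:
            pass  # backend lacks a mapping for some path: skip it, don't fail
    return result
```

The analyst writes the indicator once, in STIX; each tool receives it in its own dialect, and a tool that cannot express part of the pattern is left out of the fan-out rather than breaking the hunt.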