Ensuring Customers Achieve Full Value from their Security Data Lake


This paper discusses the market trends as it pertains to gaining greater data source visibility retained for longer, and how HOOP can support customers successfully adopt a security lake as part of their overall cyber security strategy.


Whilst the market has broadly adopted SIEM for cyber security management, it is universally recognised that this approach is not only expensive and difficult to search, but also has limited data visibility for only a short period of time.

We appreciate that security breaches are complex, involving multiple sources and breaches are typically 3 months+ in nature, therefore the market is openly looking at a new approach.

With is in mind, the industry is fast moving towards the concept of a Security Lake.

The Market

Currently HOOP are seeing three major customer trends in the market today:

  • Large SIEM environments that need to be optimised from both a cost and visibility perspective.
  • A desire to migrate away from the existing SIEM environment over the next 12-24 months with a view to building a next generation cyber security management platform.

  • A lake and SIEM co-exist strategy, providing a richer and more holistic and scalable search capability, whilst retaining the incident alerting and visualisation capability of the SIEM, as well as the SecOps policy integration.

In order to achieve the full potential of the Security Lake, HOOP provides a complementary Proof of Concept programme (including our partners) and provides the following components:

  • HOOPJam to agree required items and outline requirements
  • PoC architecture approach and agreed success criteria measures (eg. Normalisation, compression targets, use case, search targets etc)
  • Stream processor provisioned and Security Lake instantiation configured with agreed pre-PoC criteria
  • 7-Day Data Collection
  • Use Case Driven Search against agreed pre-PoC criteria
  • Measures and business case, including filter effectiveness, lake compression, ingest costs, storage costs, license cost reduction
  • Go/no go Customer Decision
  • Provision and Build Map Model and Search Architecture and subsequent logic.
  • HOOP PoC project management, including daily standup

As part of the PoC engagement, the following pre-PoC information is typically required for a successful outcome, which usually takes no more than 2 hours to achieve:

  • An up-to-date DSA (anything completed in last 12 months that should be sufficient) – this has the specific aim of determining what, where and how we filter
  • Consideration for provisioning services, eg. Terraform, CloudFormation and user permissions etc
  • Consideration for stream processing into the lake – HOOP will advise on a consistent OCSF map, which provides consistency, categorisation, compression, and allows for multiple downstream access etc.
  • Consideration for data storage and access – what is accessed from the lake / retained by the SIEM and how / what is retained in long term storage, and other automatic 3rd party reporting considerations, eg. GRC
  • Consideration for search – how and where do we search in a more scalable and optimised fashion.
  • Consideration for use case – HOOP will advise on the development of an advanced threat hunting capability using the agreed search tool of choice.

To find out more about how HOOP Cyber can support you on your Amazon Security Lake journey, contact us via .

Download a copy of this paper here.