The Strategic Value of Modular, App-centric Security Operations Platform

Gorka Sadowski
8 min readOct 25, 2022


Security is a big data problem. More precisely, it is a right data problem. Solving the challenge facing security operations starts with the realization that organizations need to manage a staggering complexity of the right data points with big data characteristics in terms of volume, variety, and velocity. Then they must perform analytics to generate insights and present them so they can be consumed by many different stakeholders in the organization.

Is it efficient for each and every security operations tool to collect, index, and parse big data; implement analytics engines; and provide reporting/dashboarding capabilities? No, of course not, and many organizations’ failures executing threat detection, investigation, and response (TDIR) is a direct result of these inefficiencies.

What can security vendors do to help with this situation? Is it simply about offering a wide portfolio of tools loosely integrated via a paper-thin management wrapper? No, the answer must be the architecture — a single data platform with applications that leverage common data sets and components, using a modular and efficient approach that is security-centric and designed to support multiple use cases.

This is the Exabeam strategy: to design and develop a modular platform for security operations excellence. I am happy to announce that we launched the first phase of the Exabeam Security Operations Platform last week. It was a formidable effort and a strategic investment that yielded a platform that can scale to new levels, and that can power an infinite number of apps. Leveraging our expertise in user and entity behavior analytics (UEBA); security orchestration, automation, and response (SOAR); security information and event management (SIEM); and TDIR; we also have delivered an initial set of apps that solve customers’ TDIR needs regardless of their existing investments and where they are on their security operations journey. And it’s all built on the most advanced cloud-native technologies available: the all new Exabeam Security Log Management.

Here, I’ll discuss why we created the Exabeam Security Operations Platform, and specifically the benefits to:

  • Our customers
  • Our partners
  • Exabeam and our development teams

What is a security operations platform?

A security operations platform is a centralized architecture that powers several apps to solve multiple security operations use cases, and is defined by the following characteristics and attributes.

Build once and use many. The platform needs to offer several structural components that can be reused across multiple apps, essentially implementing a “build once and use many” approach. Common components are built once inside the platform, rather than rebuilt for every app supported by the platform. This allows the development team to spend time on the quality of these core components in terms of efficiency, performance, scalability, and attack surface security. Examples of these common components include:

  • Data collection engine
  • Data indexing engine
  • Data parsing engine
  • Analytics engine
  • Reporting and dashboarding engine
  • Set of APIs (Application Programming Interface) that individual apps can access to benefit from these components

Collect once and use many. The platform needs to intelligently reuse available data to power several apps that solve multiple security operations problems, essentially implementing a “collect once, use many” approach. As an example, performing different types of analytics on identity logs — in conjunction with other logs and other context enrichment information — can be used to:

  • Detect compromised credential-based attacks
  • Inform on the posture of an organization’s Active Directory and/or Lightweight Directory Access Protocol (LDAP)
  • Deliver on risk management and compliance use cases

One platform for many apps. A robust platform will be able to power many different apps that efficiently take advantage of common data sets and shared capabilities. Examples of such security operations apps that can benefit from this approach include:

  • TDIR-focused — Security log management, SIEM, security analytics, security investigations, cloud workload protection platform (CWPP)
  • Cloud security posture management (CSPM)-focused — Cloud service provider (CSP), CSPM, DevSecOps
  • Risk management-focused — Business intelligence for security and compliance
  • Fraud-focused — Insider threat, consumer fraud, vertical fraud solutions
  • And more

What it took to build the Exabeam Security Operations Platform?

The bar is extremely high for any vendor to deliver an efficient cloud-native, multi-tenant platform (of any kind) and a series of apps that solve complex and relevant problems for any use case, including cybersecurity. In the case of Exabeam, this has been a strategic priority — a Herculean effort based on a vision and strategy that the whole organization rallied behind.

Building such a platform requires a thorough understanding of and subject-matter expertise in:

  1. Security operations

· Security operations challenges

· People, process, and technologies (PPT) for security operations best practices

· Content centered on threats, use cases, and outcomes

2. Cloud-native software engineering

· Platform architecture

· Cloud-native development and tooling

· DevSecOps and continuous integration/continuous delivery (CI/CD)

3. Enterprise data management

· Data collection and transport

· Data preparation and availability

· Data storage

4. Data science, advanced analytics, and visualization

· Analytics in depth frameworks

· Data science and analysis

· Visualization best practices

Examples of technology platform providers

There are very few successful platform vendors, and this is very telling; it is difficult to bring a new platform and apps to market. The security industry is particularly fragmented, and many mega vendors have tried to solve this by acquiring point solutions. We see these security mega vendors often rationalizing their inefficient portfolios with a flimsy management casing. We’ve yet to see good examples of this working for both the vendor and their customers. Current platform vendors include:

  • Salesforce
  • Workday
  • ServiceNow
  • Exabeam

What is not a security operations platform

Simply calling yourself a platform doesn’t mean that you are a platform. Regardless of their posturing and marketing, few vendors claiming to be “platform vendors” actually are platform vendors. They may have a broad portfolio of tools with a shiny covering, but this is typically nothing more than a veneer that offers minor benefits.

A platform is not a disjointed portfolio that offers a management wrapper to make it look like it’s a well-thought-out approach. A platform vendor is not one that opportunistically acquired other vendors to fill holes in their functional coverage. Add to this, how many of these “platform” vendor portfolio acquisitions involve top-ranking or proven products? Do these acquisitions involve commodity capabilities or differentiated ones? How many are struggling, potentially venture-backed companies that might be running out of cash? Interoperability requires complex and specialized development work; are the acquiring companies investing in making these integrations enterprise-grade?

What are the benefits of the Exabeam Security Operations Platform for our customers?

The primary beneficiaries of an ultra-modern security operations platform are its end-customers. There are several ways that a customer benefits from the Exabeam approach — robust architecture, high-performance platform, and powerful apps.

Robust architecture means faster iteration and improvement. Properly architecting a portfolio around a solid platform and a suite of apps allows a clean layering of functionality, proper reusability, and an ability to improve or add individual components without having to rewrite the whole stack.

Using advanced development techniques and cloud-native approaches, development teams can build solutions with iterative and short-cycled improvements, rather than using a periodic release of big bang changes that overwhelm customers at upgrade.

A high-performance platform — more scalable and more secure. Because core components such as data pipeline, analytics, and reporting and dashboarding engines are built once, it makes sense for the development team to invest in the best quality components for maximum performance, scalability, and security. Do it for all; do it well. These are shared components that are worth the investment.

Cost-effective solutions. Because core components only need to be designed and developed once in the platform, and apps are relatively lightweight compared to fully self-contained apps, it is more efficient to develop using a platform + apps approach. This efficiency allows for solutions that are more cost-effective compared to their monolithic equivalents. These benefits transfer over to the customer operating expense.

Less overlap between apps. When providers have a portfolio of point solutions, there is a fair amount of overlap that is expensive and cumbersome to deploy and use, and prone to exploits because of an expanded attack surface.

This is especially true for security operations domains because solutions are based on big data analytics. For legacy approaches, each point solution needs its own way to collect data, needs its own data pipeline, needs its own analytics engine, etc. For example, collecting the same piece of data and delivering it to multiple point solutions is a problem that creates overlaps that hamper the deployment and operationalization of these solutions.

A robust platform + apps approach does not suffer from these problems, and can minimize overlap between the different apps.

What are the benefits of this platform for our — and our partners’ — development teams?

A robust platform is a development team’s dream come true because of two main benefits:

Faster time-to-market, and more cost-effective apps. Because many of the core components of apps are already developed, tested, and available in the platform, app development teams can focus their development efforts on the specificity of the apps. This allows for a faster time to market and more cost-effective apps.

More innovation. Too many times, innovative solutions never see the light of day because the sheer complexity of developing the underlying big data foundation drowned the development teams. Now, development teams can focus on the IP (Intellectual Property) that makes a solution unique, unleashing innovation.

What’s coming in the future?

We hope that you will join us in this journey to the future. We have one of the best security operations platforms and app portfolios in the world because we are committed to innovation, and we will continue to evolve and execute on our vision.

This is what you can expect from Exabeam:

Improvements in the platform. We will continually improve our platform, making it ever smarter, faster, and more cost effective. We will keep delivering more core components for more apps in the future, and implement more APIs for better exchange of functionality and intelligence.

Many more apps. In addition to improvements to the security operations platform foundation, you can expect more apps that will solve more use cases in security operations. Security operations is a broad domain; there is lots of room to grow.


We’ve come a long way since pioneering UEBA in 2014 by augmenting legacy SIEM tools. While our UEBA is still the best in the industry, that’s only one area of development. The Exabeam Security Operations Platform is supported by three pillars:

  1. Cloud-scale security log management
    The industry’s most advanced cloud-native solution to ingest, parse, store, and search log data at scale, to enable solving any cybersecurity topic based on big data analytics — for example, expanding our leading UEBA beyond detections to add intelligence to the TDIR workflow.
  2. Powerful behavioral analytics
    Modern, granular threat detection designed for the most utilized and elusive threat vector: compromised credentials. Behavioral analytics baselines the normal behavior of users and devices with histograms to detect, prioritize, and respond to anomalies based on risk.
  3. Automated investigation experience
    We have taken automation and orchestration to new levels with the ability to automate and modernize the entire TDIR workflow to gain a complete picture of a threat, reduce manual routines, and simplify complex work — including the investigation of advanced threats.

Exabeam delivers an ultramodern security operations platform built for security people by security people. We are thrilled to not only be a leader in security operations, but also to be one of the reference security operations platform providers.



Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.