This is part IV of a series exploring the concepts and potential of Federated Security.
Introduction
The cybersecurity landscape is undergoing a fundamental transformation. Security organizations are becoming responsible for securing larger footprints across public cloud, SaaS, and private cloud or hybrid workloads. With this new responsibility comes a new currency: data, and a lot of it. If some statistics are to be believed, that data is growing at nearly a 30% Compound Annual Growth Rate (CAGR). In scientific terms: that’s a lot of data!
Traditional approaches to data aggregation, like centralizing everything into a SIEM or log management tool, have proven to be unsustainable financially and operationally. Security professionals now face a new imperative: adapt to a federated model that meets the demands of real-time threat detection, scalable analytics, and composable architectures. The modern security data architecture is federated.
Federated Search is a paradigm shift that offers unparalleled flexibility and efficiency by allowing security operators, everyone from analysts to detection engineers to threat hunters, to search and utilize data at the source. In this blog you will learn more about Federated Search as the cornerstone of your modern cyber data architecture, culminating in a full Federated Security stack. You will learn why the old model of centralization and latency is not working for Security Data Operations (SecDataOps) teams. Finally, you will learn about the key capabilities and use cases unlocked with Federated Security, and how these improve security outcomes.
Why the Old Model is Breaking
The traditional centralized security model has reached a breaking point. Built around the concept of centralizing data into a singular SIEM or log repository, this architecture made sense when infrastructures were simpler and data volumes were modest. Now the data volumes are anything but modest – in fact, they’ve far outstripped expectations. The cost and complexity of centralization are unsustainable. The indirect costs of compliance, governance, operations, and privacy are taking their toll. Modern security teams need more than just their SIEM or log management partners; whole cottage industries have sprung up just to move data and then write detections on it. Economically and operationally, this is unsustainable.
Data ingestion pipelines are brittle and expensive, whether they’re from a commercial so-called Security Data Management (SDM) tool or a homebuilt solution. Security teams struggle with latency, as data must travel from edge systems to central repositories before it can be searched or utilized, not to mention the extra latency associated with enrichment and transformation. This pipeline-centric approach to centralization introduces unacceptable delays in detection and response.
Migrating from one platform to another, whether from a legacy SIEM to a modern data lake or data warehouse, is a major project, often requiring a complete rearchitecture of detection logic, query languages, and access controls. And it may not even be worth it. Eventually, any efficiencies you gained from storage or compute charges will meet your previous expenditure or quickly overtake it as you must maintain multiple pipelines and sources to stay above water.
Vendor lock-in compounds these challenges. Centralized systems typically enforce proprietary data formats and query languages, forcing organizations to become co-dependent on specialized vendors, not only for data movement, but also for writing and managing detections. As we mentioned, entire cottage industries have sprung up just to move your data from a SIEM to another “modern” source, which is still centralized. Then you need another tool just to effectively author detection content, another to author any automation or response, and the list goes on. You centralized again, this time with fivefold the technology and spend, with the same size teams. This severely limits the ability to adapt to new threats or business needs, let alone maintain the status quo.
Worse yet, centralized architectures are misaligned with modern compliance and governance demands. Data sovereignty laws, such as GDPR and emerging regional mandates, increasingly require that data remain within specific geographies. Centralized ingestion and replication strategies frequently run afoul of these mandates, forcing teams to choose between compliance and capability. If you make the choice that so many do, running geographically-constrained deployments of the same technology, you will likely have to make do with the same size workforce.
Latency, vendor dependence, regulatory constraints, and operational inflexibility have rendered this old and slow centralization model obsolete for modern security teams looking to keep pace with their threat environment. Federated Search represents the shift to a new model, one that embraces decentralization, modularity, and openness. It brings the search and utility to the data, rather than the data to the search, enabling a new era of speed, scale, and freedom in security operations with Federated Security.
Federated Search as the Bedrock
Federated Search is not merely a component of Cybersecurity Mesh Architecture (CSMA), it is the forge in which modern, decentralized security architectures are built. While CSMA provides a strategic blueprint for a modular and interoperable security ecosystem, Federated Search is the operational engine that brings this vision to life. It goes beyond integration and composability; it fundamentally redefines how data is accessed, searched, and operationalized in real time.
In this “post-centralization era”, security teams no longer have the luxury, or feasibility, of funneling petabytes of telemetry into a single nexus, be it a SIEM or otherwise. Federated Search breaks this paradigm by enabling direct, secure, and normalized queries across SaaS platforms, data lakes, cloud environments, and even legacy systems without requiring data movement. This means no more waiting on ingestion pipelines, no more query rewrites across platforms, no more porting detection content per migration, and no more duplicative storage.
With all of these capabilities built upon Federated Search, you now have a Federated Security stack where you can bring your analytics, machine learning, artificial intelligence, reporting, and detection engineering efforts to the data you own. If you wish to move your data to a best-of-breed platform for a specific use case, you maintain full visibility and retain full utility with Federated Security. With a single utilitarian view against the data you care about, you also gain a single place in which compliance, governance, operations, and privacy controls can be applied.
The above is just a snapshot of the “what” of Federated Security in the context of building a modern cyber data architecture. Some of the use cases, the “so what”, that it unlocks are as follows:
- It gives detection engineers agility; they can iterate on detection logic directly against live data sources without rebuilding the data pipeline or waiting for their data lake to hydrate. Detection engineers can use one lingua franca – powered by Query Federated Search and OCSF – to describe their detection intent and apply it against hundreds of sources in parallel.
- It gives analysts context; they can correlate identity, cloud, endpoint, and application signals across domains, reducing time-to-triage and false positives. Instead of waiting for costly joins in your security data lakehouse or increasing latency from your pipelines by adding slow, serialized context and IOC enrichment to records, analysts of any skill level can immediately collate and analyze hundreds of terabytes for exactly what they want. All context included, no assembly required.
- It gives architects choice; freeing them from vendor lock-in and letting them adapt their stack without operational overhauls. Instead of being limited to whatever destinations an SDM or Detection-as-Code tool constrains you to, Federated Search offers the most freedom of choice to unlock freedom of data navigation. Sail the Seven Data Seas without fear of being overtaken by privateers from the security cottage industries demanding a “tax” just to maybe use your own data.
- It gives CISOs control; offering a scalable model that aligns with both cost optimization and regulatory compliance. No longer will CISOs need to hamstring themselves by using a specific antiquated model or a specific vendor. With architects, analysts, hunters, and engineers unlocked, the security team will operate far more efficiently with their own data.
Federated Security empowers organizations to unlock visibility and actionability across the entire threat lifecycle without compromising data sovereignty, agility, or innovation. It doesn’t just enable CSMA, it transcends it, becoming the definitive interface between fragmented data ecosystems and unified security outcomes.
Unlocking the Full Federated Security Stack
Once Federated Search is in place, it activates the broader capabilities of a modern cyber data architecture. These capabilities are not bolt-on features; they are integral to enabling security operations that are adaptive, resilient, and intelligence-driven.
Analytics
For threat hunters, detection engineers, and security analysts, data is only as valuable as your ability to quickly and accurately analyze it. Federated Analytics, a term coined by Splunk, allows teams to perform real-time statistical analysis, behavioral profiling, and/or AI-driven triage directly on live, decentralized data.
In the past, analytics programs would require help from other data engineering and data science assets who did not understand the domain. While security organizations are moving towards domain integration and “all source” analysts and engineers in their SecDataOps teams, this is still a fledgling construct for security teams. In the centralization model, you would still need to build additional data infrastructure to plumb data out of APIs, SIEMs, and data lakes.
You would need to store that data in a central repository, often with more normalization and transformation rigor. You would have to slowly plan around what features to extract, what fields to aggregate, and what products to build. This was a slow, expensive, and static process. Federated Analytics peels back much of the complexity related to mobility and ETL, and instead makes all data available in a centralized fashion without having to centralize (and pay for) the data itself.
- This enables security leaders to prioritize security analytics projects based on current and full telemetry that matters to counter or detect salient threats.
- This enables Security Data Scientists and security researchers to run advanced models without needing to centralize massive datasets, and to extract features from datasets that are already normalized.
- This enables Security Operations to benefit from high-fidelity algorithms and statistical analysis to improve triage and containment outcomes.
This approach shifts analytics from being a periodic task to a continuous, responsive capability, one that aligns perfectly with the “always-on” nature of your threat environment. No longer is a security analytics program a very narrow-scoped “pie in the sky” aspiration, with Federated Security in your modern security data architecture, it is all but guaranteed.
Detections
Detection engineering is no longer limited to static rules within a SIEM, or reliant on first-party detections from EDR, XDR, or CNAPP tools. With Federated Detections, detections-as-code can be deployed and executed at the edge, on whatever platform hosts the relevant telemetry. This brings powerful benefits to a myriad of personnel in your Security Operations (SecOps) organization.
- Detection engineers are enabled to write, test, and optimize detections without waiting for ingestion cycles, dealing with false positives due to long latency, or being precluded from reaching important contextual and enrichment sources.
- SOC managers are able to correlate across control points in real-time and reduce noise for their analysts and escalation teams.
- Threat intel teams can quickly author recommendations and initiate their own hunts of all relevant sources relative to emerging Indicators of Compromise (IOCs) and their own Priority Intelligence Requirements (PIRs).
Federated Detections are an essential part of the shift from reactive alerting to proactive threat management. They empower teams to detect earlier in the kill chain and tailor detections to their unique environment, and ultimately collapse the entire kill chain.
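To make the “one lingua franca, many sources in parallel” idea from the use-case list and the Detections section concrete, here is a constructed Python example, added here and not Query’s code or any vendor’s real API: two hypothetical sources keep their native schemas, each adapter pushes the query predicate down and maps its hits into a few OCSF-style fields, and a single detection is written once against those fields and correlated across sources. The source names, schemas, sample records, and field mapping are all assumptions.

```python
"""Toy federated detection: one OCSF-style rule fanned out to several sources in
parallel. Sources, schemas and records are constructed for illustration; this is
not Query's implementation or any vendor's API."""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable

# Constructed telemetry that stays in each source's native schema (no data movement).
EDR_EVENTS = [  # hypothetical EDR schema
    {"host": "wks-01", "user": "alice", "proc": "powershell.exe", "cmdline": "-enc AAAA"},
    {"host": "wks-02", "user": "bob", "proc": "notepad.exe", "cmdline": ""},
]
IDP_EVENTS = [  # hypothetical identity-provider schema
    {"principal": "alice", "result": "FAILURE", "ip": "203.0.113.7"},
    {"principal": "alice", "result": "FAILURE", "ip": "203.0.113.7"},
    {"principal": "alice", "result": "SUCCESS", "ip": "203.0.113.7"},
]

# Per-source adapters: push the predicate down in the source's own field name, then map
# hits into a partial OCSF-like shape (actor.user.name, process.*, status, src_endpoint.ip).
def edr_adapter(user: str) -> list[dict]:
    return [{"source": "edr", "actor": {"user": {"name": e["user"]}},
             "device": {"hostname": e["host"]},
             "process": {"name": e["proc"], "cmd_line": e["cmdline"]}}
            for e in EDR_EVENTS if e["user"] == user]

def idp_adapter(user: str) -> list[dict]:
    return [{"source": "idp", "actor": {"user": {"name": e["principal"]}},
             "status": "Failure" if e["result"] == "FAILURE" else "Success",
             "src_endpoint": {"ip": e["ip"]}}
            for e in IDP_EVENTS if e["principal"] == user]

ADAPTERS: dict[str, Callable[[str], list[dict]]] = {"edr": edr_adapter, "idp": idp_adapter}

def federated_search(user: str, adapters: dict = ADAPTERS) -> list[dict]:
    """Run the same normalized query against every source in parallel and merge the
    already-normalized results; nothing is staged in a central store."""
    with ThreadPoolExecutor(max_workers=len(adapters)) as pool:
        result_sets = pool.map(lambda fn: fn(user), adapters.values())
    return [event for rs in result_sets for event in rs]

def detect_failed_logins_then_encoded_ps(user: str, threshold: int = 2) -> bool:
    """Detection written once in OCSF terms: at least `threshold` authentication
    failures for the user (IdP) plus an encoded PowerShell launch by the same
    user (EDR). Cross-source correlation happens here, not in a pipeline."""
    events = federated_search(user)
    failures = sum(1 for e in events if e.get("status") == "Failure")
    encoded_ps = any(
        e.get("process", {}).get("name", "").lower() == "powershell.exe"
        and "-enc" in e["process"].get("cmd_line", "")
        for e in events)
    return failures >= threshold and encoded_ps
```

Adding a third source means writing one more adapter; the detection itself does not change, which is the point the section makes about porting detection content.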
Data Mobility
In a modern security architecture, data should move only when, and if, it needs to. Federated Security supports this by enabling on-demand access, transformation, and integration of security data across environments. It allows you to use this model to pull data from the sources and push it anywhere you want, to unlock long-term archival or more dedicated analytics research & development efforts.
- Security architects have the power to optimize infrastructure without reengineering costly pipelines. The same searches and utilization that power Federated Analytics or Federated Detections can be used to move the data to a more persistent location.
- CISOs have the flexibility to evolve backend technologies without incurring technical debt or vendor lock-in.
- Security Data Operations (SecDataOps) Engineers can take advantage of the already normalized datasets to reduce reliance on potentially costly Extraction, Transformation, and Loading (ETL) infrastructure and immediately start to utilize the data.
With federated data mobility, your data architecture becomes modular and future-proof, capable of supporting growth, consolidation, or platform migration as needed.
Together, these federated capabilities define the modern cyber data architecture. They replace the fragile, costly, and rigid infrastructure of the past with a dynamic system that meets the operational, analytical, and compliance needs of today’s security teams.
Modern Cybersecurity Starts with the Right Data Architecture
The reality is clear: the modern cybersecurity stack demands a modern data strategy, and that strategy starts with Federated Security. This isn’t a single feature or a temporary integration layer. Federated Search is the architectural cornerstone that enables composable, scalable, and interoperable security programs. It not only fulfills the vision of Cybersecurity Mesh Architecture, it delivers it.
By operating from a singular federated security data mesh, organizations dramatically reduce the cost and complexity associated with duplicative data storage, brittle ingestion pipelines, and monolithic query engines. Federated architectures avoid the high capital expenditures of centralized infrastructure and the operational overhead of constant data movement. They also sidestep the opportunity costs of being locked into vendor-specific formats or pipelines that don’t scale and introduce the inherent risk of brittleness into your infrastructure.
More importantly, Federated Security brings unmatched velocity and simplicity. Detection content can be deployed and iterated faster. Analytics can be executed in real-time, in-place, and in-context. Governance and compliance are built-in, not bolted on. This enables an environment where CISOs gain control over costs, detection engineers gain speed, analysts gain clarity, and organizations gain agility. For a majority of first-line tools, you can onboard them in Query Federated Search in 15 minutes or less. That means full visibility across CrowdStrike Falcon, MDE, Carbon Black, Google Workspace, Entra ID, Microsoft Intune, and dozens more first-line sources in a single day.
With Federated Analytics, Federated Detections, and Federated Data Mobility as pillars of Federated Security, what emerges is not just a better way to operate, it’s an entirely new operational paradigm. One that’s built for cloud, for hybrid, for multi-vendor, for compliance, and above all, for scale and effectiveness of your Security Operations. While many segments have promised “sensor fusion” and increased operational and situational awareness, Federated Security delivers that and more for the benefit of your organization, your stakeholders, your shareholders, and your customers.
This is the modern cyber data architecture. It’s decentralized. It’s adaptive. And above all, it’s federated.
Conclusion
This blog has walked you through why centralized security architectures are no longer tenable in a modern security organization: centralization is a silent killer of effectiveness and cost management. We’ve examined how analytics, detections, and data mobility, as pillars of Federated Security, compose the foundational elements of a modern cyber data architecture. You’ve seen how this federated model enables cost savings, simplifies compliance, accelerates detection velocity, and unlocks operational scale that monolithic approaches simply can’t deliver.
Now is the time to evaluate whether your security data architecture is future-ready. Are your teams burdened by data movement, lagging detections, and tool fragmentation? Are you locked into a platform that can’t evolve at the pace of your threat environment? Are your analysts missing important context and enrichment capabilities that can make a difference? Are your threat hunters and escalation analysts hindered by the lack of data access? Are your advanced security programs such as analytics and machine learning dying on the vine?
If the answer is yes, now is the time to act, and act aggressively. Federated Security isn’t just a new way to search data, it’s a new way to architect. It empowers your team to build a security program that is agile, scalable, and resilient by design. Don’t wait for the next platform migration or budget cycle to force a change. Start charting your path to a Federated Security data mesh today, and unlock the future of cyber defense.
To become part of the future of Security Operations, see Query Federated Security in action here.
Stay Dangerous