Showing posts with label SOC. Show all posts

Thursday, 25 January 2018

Google puts a SOC in it

Google X

So Google (or Alphabet as the parent is now called) has announced today that they are joining the SOC market with proactive security defence based on capture and analysis of events.

This has come out of their X projects division which aims to rapidly develop new breakthrough products.

What's Google Planning?

Presumably Google aims to provide Machine Learning based measures capitalising on the scale of its services and analysis across customer environments hosted on its GCS platforms. This should give it certain predictive advantages, enabling it to home in on certain types of attack.

What would be good to know is how Google will differentiate between poorly configured devices, failing devices and real attacks, as many APT-style infiltrations will mimic poor configuration and failures to disguise their intent. Also, what will they be doing around major incident management, remediation and forensics to provide a complete service?

Details are thin on the ground so far, and this is bound to spur me-too imitations from AWS and Azure.

SOC Fundamentals still Apply

However, as ever, the fundamentals for a working SOC will remain:

  • You need to know what assets you are managing and keep CMS/CMDB accurate, complete and up to date;
  • As far as is practicable, ensure that all assets are implemented with standard configurations, to avoid misconfiguration and creating the noise in which APT infiltration can hide;
  • Use automation and software as infrastructure to implement standardised asset configurations and maintain patching up to date;
  • Then deploy logging, automated monitoring and analysis;
  • Invest in remediation and incident management capability;
  • Use scenario planning and practice exercises to ensure that there are no gaps and you are prepared for problems.
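The first two points in the list above, an accurate asset inventory and standard configurations, are what make the later monitoring step useful: telemetry from a host that the CMDB does not know about, or that deviates from the standard build, is noise until it is explained. The script below is an added example, not code from the original post; it reconciles constructed telemetry lines against a constructed CMDB extract and a constructed baseline, and sorts each host into "unknown_asset", "drift" or "conforming" so that a SOC can ticket inventory gaps and build drift separately from genuine security events.

```python
"""Reconcile observed host telemetry against a CMDB inventory and a
standard-build baseline. All inventory, baseline and telemetry values
below are constructed for illustration."""

from dataclasses import dataclass, field

# Assumed standard build per asset class (constructed values).
BASELINE = {
    "web": {"os": "ubuntu-20.04", "agent": "3.2", "ssh_pw_auth": "no"},
    "db": {"os": "rhel-8", "agent": "3.2", "ssh_pw_auth": "no"},
}

# Assumed CMDB extract: hostname -> asset class (constructed).
CMDB = {"web-01": "web", "web-02": "web", "db-01": "db"}

# Constructed telemetry lines in a simple key=value format.
TELEMETRY = [
    "host=web-01 os=ubuntu-20.04 agent=3.2 ssh_pw_auth=no",
    "host=web-02 os=ubuntu-20.04 agent=3.1 ssh_pw_auth=yes",
    "host=db-01 os=rhel-8 agent=3.2 ssh_pw_auth=no",
    "host=lab-99 os=centos-7 agent=2.0 ssh_pw_auth=yes",
]


@dataclass
class Finding:
    host: str
    status: str  # "conforming", "drift" or "unknown_asset"
    drift: dict = field(default_factory=dict)  # field -> (expected, observed)


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    out = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            out[key] = value
    return out


def reconcile(line, cmdb=CMDB, baseline=BASELINE):
    """Classify one telemetry line against the inventory and baseline."""
    fields = parse_line(line)
    host = fields.get("host", "<missing>")
    asset_class = cmdb.get(host)
    if asset_class is None:
        # Not in the inventory: a CMDB gap or a device nobody owns.
        # Either way it is an operational ticket, not a security alert yet.
        return Finding(host, "unknown_asset")
    expected = baseline[asset_class]
    # Record every baseline field whose observed value differs.
    drift = {
        key: (want, fields.get(key))
        for key, want in expected.items()
        if fields.get(key) != want
    }
    return Finding(host, "drift" if drift else "conforming", drift)


def summarise(lines, cmdb=CMDB, baseline=BASELINE):
    """Return per-host findings plus a count per status."""
    findings = [reconcile(line, cmdb, baseline) for line in lines]
    counts = {}
    for finding in findings:
        counts[finding.status] = counts.get(finding.status, 0) + 1
    return findings, counts


if __name__ == "__main__":
    results, totals = summarise(TELEMETRY)
    for finding in results:
        print(finding.host, finding.status, finding.drift)
    print(totals)
```

Run on the constructed data, two hosts conform, web-02 shows agent and SSH drift, and lab-99 is flagged as an unknown asset. Splitting the output this way keeps inventory and build hygiene work out of the alert queue, which is exactly where the false-positive load the later report describes tends to come from.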

What Else is Google Doing?

The SOC services are only part of the offering. The new business unit called Chronicle will also be offering threat intelligence and products from its VirusTotal acquisition.

Tuesday, 9 January 2018

Does Your SOC Need Darning?

Microfocus (the new owner of much of HPE's former software division) has released the 2017 State of Security Operations Report.

This analyses Maturity Model levels of practice in enterprise Security Operating Centres or SOCs. For those who are uninitiated, SOCs are a relatively new organisational construct within IT and are responsible for assuring that there is ongoing monitoring and analysis of an organisation's IT operations, so that vulnerabilities are detected, intrusions are caught and problems are rectified, although there does seem to be a great deal of diversity in people's interpretation of the exact scope of this remit.

Maturity Models (see CMMI) typically categorise maturity in 5 levels which address process and practice standardisation as well as feedback loop control via metrics and optimisation: 1 is ad hoc, 2 is repeatable, 3 is uniformly standardised, and so on. So most organisations will aspire to level 5 as an acceptable level of conformity, though the actual scope of coverage is important too.

Many enterprises have adopted SOCs to help deal with the ongoing climate of cyber threats arising from things such as simple viruses, spear phishing, ransomware and Denial of Service attacks.

The report is quite sobering. Close to a quarter of the assessed organisations failed to achieve a score of even 1, only a fifth appear to be making headway, and the overall average score is less than 2.

The report finds that much SOC effort is wasted dealing with false positives arising from little standardisation and poor configuration of equipment. This underlines the operational hygiene issues of having accurate CMS data and consistency in build and installation. Knowing what you have and standardising as much as is practicable does not just make it easier to operate an IT estate, but also to protect it by detecting anomalies and other problems. These are practices which not just ITIL but DevOps considers essential to robust operations and change management.

The report also shows problems with working out the right blend of insourcing and outsourcing as well as skills retention.

Overall there are signs within the report of slow but gradual maturing of approaches as well as better pooling of knowledge within organisations. But it is understandable, given the scale of issues that people face, that Splunk for instance promotes the adoption of a Lean SOC approach and gradual incremental implementation of SOC capabilities to address business priorities, one at a time.

Tuesday, 12 December 2017

The Way of DAU - The best a business can be

Just to let you know, The Way of DAU is now available from Amazon as a paperback. (click on Amazon to see) and the e-version should be available soon. 

This is a deliberately simple book on the quite complex subject of how to adopt a sustainable digital business model. It was inspired by my personal frustration with incomplete models and advice available for Digital Business.

Digital operations have now replaced traditional Business As Usual business models. The Way of DAU promotes 10 basic principles, an iterative Framework (the DAF or Digital Adoption Framework), and positive cultural values to achieve the behaviours needed in successful digital businesses.



The book is based on a mixture of personal experience (in an organisation struggling to reinvent itself) as well as collected best practices. The current edition represents an MVP version. I hope to collect constructive feedback via a LinkedIn Group to drive future releases of the book. (see: The Way of DAU Group ).




Monday, 17 July 2017

Digital Adoption Framework

A lot gets talked about Digital, but there are few comprehensive approaches to adoption available for reference.

This is why I was interested when I came across Vadrim's DAF diagram, reproduced below. Enjoy!



Wednesday, 31 May 2017

Post Digital Outsourcing - Going for Value

One of the things which always has frustrated me when dealing with traditional outsourcing companies has been the huge gulf between the Sales Proposition and the Reality of Day-to-Day Service.

Companies usually think they are going to buy the best skills in the market and get access to superlative service from a transformational partner who delivers agility and control, so they can forget about the complexities of running IT. In reality they get bland, slow moving and unimaginative bottom-up services which are slow and expensive to change. Where people have looked for partnership, this has usually failed to materialise as relationships descend into "Robust User-Supplier Conflict" (or RUSC). In fact the traditional model has been an anti-pattern to progressiveness, and this has only been made worse by offshoring to Asia, where extreme differences in culture and expectations compound the problem.

As I mentioned in a previous blog, The Death of Outsourcing, this model is no longer sustainable in the light of all things digital. So what can a Post Digital Service Provider offer now that XaaS threatens to steal outsourcing's breakfast?

The reality is that, whilst XaaS does a lot to free an enterprise from the Tyranny of Infrastructure, XaaS introduces new complications as the overall technical environment is much more complex; Digital also means that enterprises need to learn to move quicker with disciplined lean practices that enable continuous change. New IoT-based models also bring new challenges of scale.

So the new breed of Digital Service Partner needs to position itself to avoid RUSC and focus on Assured Value, Integration and Speed. Where: 
  • Assurance covers secure and consistent delivery of change and operations;
  • Value focuses on user and customer experience, insight and the right quality at an affordable price;
  • Integration deals with the complexity of identity and integrating multiple sources of XaaS services as well as working with multiple SI partners and in-house development teams to deliver joined up services;
  • Speed addresses agility, continuous change, innovation and responsiveness to changing business and technical opportunities and risks.
Such services are likely to include 3 key elements:

  1. a Foundational Use of IT Access Service - everything needed to deliver a user device centric service, e.g. smart phone, pad, laptop and supporting network, gateway, office automation software, storage, print, peripherals and anti-malware based services.
  2. a Service Integration And Application Management Service (SIAM) - which integrates and delivers services on a Hybrid Cloud basis. This is likely to include Architecture Management (AMO), Programme Management (PMO), Service Delivery (SMO), and Security Operations (SOC and Security Operational Processes), as well as Activity Based Costing (along TBM or OBASHI lines).
  3. a Lean System Integration Service - which can provide specialist development and implementation skills, but also embraces partnering with internal and 3rd party partners and provides support for the full range of Agile and DevOps processes needed to deliver continuous change.

Naturally there will be other more specialist services which may come too, e.g. computer forensics and advanced threat intelligence, Fleet Management for IoT devices, or managing innovation communities as innovation goes social. But these will be value adds building on a core foundation.


Friday, 19 May 2017

Splunk - Digital Automation for CyberPunks

Last week I went to Splunk's event held at the InterContinental next to the O2 tent in Greenwich. 

This was a very well attended event and I got the impression that Splunk has now emerged to be a dominant player in the DevOps area around the automation of Operational Monitoring and Fault Analysis.

What I had not realised before going to the event, although I had coincidentally been discussing the potential the week before with a former colleague at Google's event, is that Splunk now provides a credible Security Event Management toolset for use in Security Operating Centre (SOC) activities, as well as a user activity analysis tool. In fact there were some interesting case studies focusing on building Lean SOCs incrementally. N.B. Gartner now positions Splunk as the leading vendor in its magic quadrant for SOCs.

It was also interesting to hear that Splunk now has a full scale partnering programme with other technology vendors, enabling integration with both new sources of data for exploitation within Splunk as well as value adds to Splunk, thus offering greater levels of automation.

Splunk was a little vague about future directions for the toolset. However, there does appear to be an opportunity around Application Cost Management and hooks into general Application Portfolio Management. This arises because, to use Splunk effectively, you have to build a model of each application monitored which covers all the infrastructure (physical or virtual) elements used within an application, in a similar manner to the models used in OBASHI or TBM (which are 2 similar but competing approaches to cost management) or in architectural tools such as Troux (now Planview) and alfabet used for application portfolio management.

This would enable a more integrated approach to some aspects of managing an application estate, gathering technical condition and cost information together to support continuous portfolio management.

Sunday, 5 June 2016

The End of Outsourcing?

Most of us who have been in the trenches dealing with Outsourcing Partners in the last few years are puzzling over where it all is going. 3 major forces are changing the current model as we know it:

(A) Exhaustion of the Indian (or Off-Shore Labour Arbitrage) Value Proposition;
(B) The move to Everything as a Service (XaaS) as new players offer different types of service;
(C) The death of Monolithic Service contracts, as enterprises pursue increasingly complex Multi-sourcing models.

The original attraction of the Indian model was access to a large pool of well qualified talent which was artificially cheap as a consequence of exchange rate differences. As the offshoring model was pursued, the "Unseen Hand of the Market" has moved to erode the price benefits through year-on-year wage inflation and adverse currency movements. Additionally, as demand has risen, the talent has "followed the money" impatiently pursuing promotions, increased status and the opportunity to only work with the latest technology. This has led to unfettered job hopping, resulting in the loss of knowledge and the failure of individuals to develop deep experience. This has eroded the value proposition around talent. On top of this long distance relationships carry a heavy overhead in building them up and maintaining them, and the off shore players have developed business models and practices which assume that demand will continue to build at the same aggressive rate as previously. Many enterprises are actively taking things back on shore or in house.

The move to XaaS means that many of the traditional "box shifting and box running" services which were foundational to classic outsourcing are redundant. The traditional outsourcing players are losing the core "economy of scale" type services which they used to provide to IaaS and PaaS providers. Furthermore, the opportunities around traditional application based services are being eroded by SaaS providers. So although there are some niche opportunities where things like European data protection legislation or defence contracting requirements offer some opportunities, most of the market is moving to platforms such as those offered by Amazon and Microsoft.

The continuous move to multi-sourcing started in the late 90s and has gradually built up steam over the last 20 years, especially as XaaS is now becoming the norm. This should also offer opportunity to move up the food chain to offer more value added services around Service Integration. Yet there is little evidence that any of the main outsourcing giants understand Service Integration or that there is appetite within customers to pay for it.

When I look at it, even in the area of Cyber where Security Operating Centre (SOC) services are in increasing demand, it seems that new entrants from the Aerospace and Defence industry have recognised and pursued the opportunities more aggressively, building both technical capability and market credibility.

So if you are looking at your service and sourcing strategy, it's time to think about what your model is, what kind of suppliers you need and to quiz them on their vision and direction. Otherwise you may be lumbered with a failing partner.