Cyber security outlook 2020/2021

Cloud View

I am always keen to read what the industry believes the future holds for cyber security. The predictions might focus on threats, on advances in technology outside security, or even on geopolitics. I am starting to see posts about the oncoming capability of quantum computing, and it made me think it was time to pen some thoughts.

Many of the security roundups and predictions are published by vendors in the security industry, which means there is usually an angle, and a struggle for independence from the commercial purpose of that organisation. I am lucky not to have that concern, nor to have to get content past a marketing team with strong views on what should and shouldn’t be published.

Let us recap on what has been a quite unusual year to date. Many large companies (FTSE 250 size) were, and may still be, concerned with their journey to cloud. Cloud is still a loose concept, but it is settling to mean, in many cases, that the organisation plans to make more direct use of public cloud capability. Software-as-a-service is also exploding in growth, and I believe the adoption of both hosting models has been accelerated by the onset of the coronavirus. I also believe that many enterprises have had to make rapid decisions to adopt cloud technology, and that delivery may, of necessity, have been faster than they would have liked.

This leaves risk in two areas. First, risk assurance staff are spread more thinly: they need to bring overall IT and information security risk within acceptable levels across both on-premise and cloud estates, which in some circumstances leads to a lack of oversight and therefore a lack of treatment of new solution risk. Second, the opportunity to treat risk in cloud and SaaS solutions may be missed in the scramble to adopt. Who cannot remember the fun everyone had adopting Zoom and then realising what waiting rooms and passcodes were for?

In the industry there have been some mega shifts in market power. Symantec, now part of Broadcom, is not centre stage just now and seems to be waiting in the wings for something. At the same time Microsoft has taken the opportunity to strengthen its solutions around information protection and DLP. No coincidence there, I would wager. Acquisition has been a key factor in sweeping up already household names: Demisto -> Palo Alto Cortex XSOAR, PureSec -> part of Prisma, Portshift becoming part of Cisco and Sqrrl becoming part of AWS.

The threat landscape has continued to change, and the blending of previously separate intrusion techniques has multiplied both the number of ransomware attacks and the ways in which they take hold within an organisation. This plays on the existing fear of the unknown while the world is in lockdown. It translates to a desire to hold on to what we have; in this case, our data.

So what does this add up to? My personal view is that it is bringing about a realisation and a convergence of thought. Where before the weight of investment was on later-stage kill chain technology, which evolved towards the endpoint and planned response approaches, I see that investment has begun to tip. The majority of investment would now appear to be in cloud technology, and for the first time, perhaps, the legacy monolithic enterprise security applications may be a second thought when budgets are being formalised. A useful indicator is the job market (something I am familiar with at the moment). Demand for cloud security people is being commoditised, for engineering, architecture and operations personnel in particular.

Nothing new here, Phil; we already know that investment in cloud is high right now. Well, yes indeed, I am not suggesting people haven’t been putting time and money into cloud approaches. What I am suggesting is that the purpose of that investment is changing. I sense that people are becoming more confident in what cloud technology can offer, and in the possibility that executing business endeavours there is safer and requires fewer monolithic security solutions. Now the focus is on getting the guardrails in place (more of an IT function, but security defined), simplifying authentication and authorisation, and ensuring that the telemetry generated in cloud can be consumed appropriately.

What this means is that it is no longer only enterprise companies who can afford to keep their business secure. The scalability and per-unit pricing of cloud security now bring it within reach of all. A democratisation of security approaches can only be a good thing. The leaders may continue to lead, but the door is now open for genuine innovation in the security space, using native cloud building blocks to kickstart it. Remember how Dropbox made AWS S3 accessible?

While the security industry is still hyper-focussed on detection, there is a huge opportunity across other domains and disciplines such as information protection, quantum-safe encryption and identification. I believe the time is right for another go at identification in particular. Asset identification and classification have failed so many times; maybe now that software-defined and labelled environments are becoming more prevalent than traditional structured and unstructured data stores, we have the chance to put this one to bed.

I think we will see standardisation on simple productivity solutions, which will add further identity and authentication pressures; less innovation, more evolution here. Net new applications continue to be born in the cloud, and the complexity this gives rise to will result in a scramble to better understand and control cloud-to-cloud communications. Now that there are effectively infinite perimeters to manage, zero trust is no longer a target to reach for but the only sensible way to operate.

Perhaps, from up in the clouds, you really can see more.

The Declarative SOC

Declarative SOC

When our kids were growing up we were terrifically fond of the books by Julia Donaldson and Axel Scheffler. The phrases from the books have lived on and become part of our family vocabulary. What a lasting legacy they made with that simple pleasure of reading to your children.

One of my favourites was Room on the Broom and the phrase “The witch tapped the broomstick and whoosh! They were gone”. Wouldn’t it be cool if everything was as simple as tapping something and then, all of a sudden, you were off?

I am writing this post at 05:07 in the morning because I am compelled to consider how we can evolve the CSIRT or Security Operations Centre (SOC) team past the industry of the last 15 years, by leapfrogging many legacy solutions that cost time and energy for questionable value. I also feel that at the moment there are many SMEs who need to do something about being prepared to respond to a cyber incident, yet have neither the resources, the expertise nor the time to address it.

I was dreaming of a scripted solution that builds itself, is easy to maintain and provides an up-to-the-minute visualisation of the current state of security affairs. It assists with responding to incidents and supports documentation and metrics for continuous improvement. Most of all, these functions are implemented as interpreted code, and the resulting resources, save the storage, are ephemeral. A declarative SOC.

What would this Declarative SOC look like in practice though?

It would need to be deployable on public cloud, cheap enough to be affordable to small and medium enterprises, yet able to scale to whatever size was required.

It would need to be expressed as a self-updating solution that was tolerant of failure conditions and could be rebuilt with no loss of state.

It would need to meet a variety of compliance regimes, but achieve this by being built and managed in a way that had the hallmarks of prevention, so that compliance was a by-product. We are talking about a solution that is zero trust in use and administration.
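To make those three properties concrete, here is a small added example of my own; it is not code from the original post and does not represent any particular product. It is a toy declarative reconciler in Python: the SOC is declared as data, the reconciler diffs that declaration against a live in-memory "cloud", applies only the difference (so a second run is a no-op and hand edits are reverted as drift), and refuses to apply a declaration that breaks a preventive policy, which is how compliance becomes a by-product of the build. Compute resources are ephemeral and can be torn down and rebuilt; the storage holding incidents is kept separate and survives. The resource types, field names, the 90-day retention rule and the incident record are all hypothetical, as is the in-memory cloud standing in for a real infrastructure-as-code tool.

```python
"""Toy declarative reconciler for a SOC's cloud resources (added example).

A real implementation would sit on an infrastructure-as-code tool; here the
"cloud" is an in-memory dict so the example runs offline. Resource types,
field names and the policy threshold are hypothetical.
"""
from copy import deepcopy

# Hypothetical preventive policy: every log store must be encrypted and keep
# data at least this long. Enforced before anything is applied, so compliance
# is a by-product of the build rather than an audit finding afterwards.
MIN_RETENTION_DAYS = 90

# Constructed desired state: what the SOC should consist of, expressed as data.
DESIRED = {
    "soc-logs": {"type": "log_store", "encrypted": True, "retention_days": 365},
    "ingest": {"type": "function", "runtime": "python3.9", "handler": "ingest.py"},
    "failed-logins": {
        "type": "alert_rule",
        "query": "event == 'login' and outcome == 'failure'",
        "threshold": 10,
        "window_minutes": 5,
    },
    "dashboard": {"type": "dashboard", "panels": ["failed-logins"]},
}


def new_cloud():
    """Ephemeral resources and durable storage are kept apart on purpose."""
    return {"resources": {}, "storage": {"incidents": []}}


def validate(desired):
    """Return policy violations for a desired state; an empty list means compliant."""
    problems = []
    for name, res in desired.items():
        if res["type"] != "log_store":
            continue
        if not res.get("encrypted"):
            problems.append(f"{name}: log store is not encrypted")
        if res.get("retention_days", 0) < MIN_RETENTION_DAYS:
            problems.append(f"{name}: retention below {MIN_RETENTION_DAYS} days")
    return problems


def plan(desired, live):
    """Diff desired against live; return sorted (create, update, delete) name lists.

    Anything live that is not declared is drift and is deleted; anything declared
    whose live copy differs is drift and is reset to the declaration."""
    create = sorted(n for n in desired if n not in live)
    update = sorted(n for n in desired if n in live and live[n] != desired[n])
    delete = sorted(n for n in live if n not in desired)
    return create, update, delete


def reconcile(desired, cloud):
    """Validate, then apply the plan to cloud['resources']; return the plan applied.

    Running it twice in a row yields an empty plan the second time."""
    problems = validate(desired)
    if problems:
        raise ValueError("refusing to apply non-compliant state: " + "; ".join(problems))
    live = cloud["resources"]
    create, update, delete = plan(desired, live)
    for name in create + update:
        live[name] = deepcopy(desired[name])  # copy so later drift never touches DESIRED
    for name in delete:
        del live[name]
    return create, update, delete


def rebuild(desired, cloud):
    """Throw every ephemeral resource away and recreate it from the declaration.

    cloud['storage'] is never touched, so incidents and evidence survive."""
    cloud["resources"].clear()
    return reconcile(desired, cloud)


def demo():
    """Walk through first build, no-op re-run, drift correction and a full rebuild."""
    cloud = new_cloud()
    first = reconcile(DESIRED, cloud)
    second = reconcile(DESIRED, cloud)
    # Someone edits the alert rule by hand and leaves a stray bucket behind.
    cloud["resources"]["failed-logins"]["threshold"] = 100
    cloud["resources"]["shadow-bucket"] = {"type": "log_store", "encrypted": False}
    drift = reconcile(DESIRED, cloud)
    # An incident lands in durable storage, then the whole SOC is rebuilt around it.
    cloud["storage"]["incidents"].append({"id": "INC-1", "rule": "failed-logins"})
    rebuilt = rebuild(DESIRED, cloud)
    return first, second, drift, rebuilt, cloud


if __name__ == "__main__":
    for step, result in zip(("first", "second", "drift", "rebuilt"), demo()):
        print(step, result)
```

The three plans returned by `demo()` tell the story: the first run creates everything, the second plans nothing, the third resets the edited rule and removes the stray bucket, and the rebuild recreates all four resources while the incident in storage is untouched. Swapping `validate` for a real policy engine and the dict for a real provider is the part an actual declarative SOC would have to do.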