
A SOC is cooking - with a sprinkle of Machine Learning and SRE

This week sees the start of an exciting new chapter in our ever-maturing InfoSec story, with our Group Security team forming a new Security Operations Centre (SOC).

It has been founded using key staff from our existing Network Information Security (NIS) and AppSec analyst capabilities, and I believe we are taking an interesting approach to its creation that sees us using our ASV (Approved Scanning Vendor), Surecloud, as our first internal SOC client:

The rationale is simple - Surecloud's consultants are tasked with poking and probing our applications, network and supporting infrastructure (all BAU as part of our PCI-DSS routines), and our SOC is challenged to be able to report back to the testers what it is they did.

To achieve this the new SOC team has been empowered (provided time, creative freedom, engineering resource access and budget) to architect whichever technical solution(s) they require to gain the required insight. A Red/Blue team dynamic is thereby born between 'them' and the 'outside'; a relationship that, through regular iteration, investment and evolution, will result in continual improvement and maturation into the best SOC capability our Group of brands will require.

Sounds easy but of course there are many key steps required to enable such insight, intelligence, alerting and reporting, and we are only at the start of this journey.

Whilst we have mature SIEM and other InfoSec solutions in place that are backed by external SOC centres, we felt that an in-house SOC capability would be an important new string to our Security bow. Having internal SOC staff able to directly converse and share their dashboards with our technicians, engineers and product owners, at a level that is both application-aware and 'trusted', breaks through the restriction that distance imposes on a third-party SOC. An internal SOC also offers faster remediation where human effort is required. However, our aim is for human intervention to be minimal and for automation to run the ship...which brings me on to the flip side of this coin...

Machine Learning (ML)

Our SOC - whilst modest in headcount - will initially be supported by a mature L1 NOC, brand teams of on-call Engineers, Operations Technicians and Incident Response procedures driven by Service Delivery Management.

Whilst not quite operating within the aspirational Google 'Site Reliability Engineering' (SRE) model of engineering, all of these supporting functions do a great job of keeping our brand's services available and responsive for our customers.

However - and paying attention to SRE's teachings - we wish to maintain a lean SOC team that is reliant on automation, and it is here that we believe ML will play a key role that can ensure we are able to remain lean but also be highly effective.

As you may imagine, a Group of our size generates an array of data that is rich food for a SOC that aims to be supported by an ML capability. The sheer data volumes dictate that signature-based and algorithmic detection alone won't offer sufficient protection and SOC insight. A SOC built upon the guiding principles of SRE and supported by ML (yes, I know I'm a keen user of acronyms) will ensure that SOC investment remains appropriate and service level objectives are met. Happy Tech. Happy Business. Happy Board.
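To make the "signatures plus something smarter" point concrete, here is an added example (my illustration, not code from the post or from the SOC described in it) of the kind of two-layer triage a SOC could run over web access logs to report back what an external tester did. Layer one is a pair of signature rules; layer two is a per-client statistical baseline (request count and 4xx ratio scored as z-scores against the other clients in the window), which stands in for the ML layer the post envisions without claiming to be it. The traffic is constructed: twelve ordinary shoppers and one noisy probing client, with a made-up scanner User-Agent string and sample probe paths. The log format is the common Apache/nginx combined format; the thresholds, rule names and field names are my own choices.

```python
import re
import statistics
from collections import defaultdict

# Combined-log-format parser (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Layer 1: signature rules as (name, log field, regex). The scanner
# User-Agent value is a constructed placeholder, not a real product string.
SIGNATURES = [
    ("path_traversal", "path", re.compile(r"\.\./|%2e%2e", re.IGNORECASE)),
    ("scanner_user_agent", "ua", re.compile(r"ExampleScanner", re.IGNORECASE)),
]

# Layer 2: statistical baseline. A client is flagged when one of its features
# sits more than Z_THRESHOLD population standard deviations above the mean
# of all clients seen in the window (threshold is an assumed tuning value).
Z_THRESHOLD = 2.5


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_hits(events):
    """Return {ip: set(rule_names)} for events matching a signature rule."""
    hits = defaultdict(set)
    for ev in events:
        for name, field, rx in SIGNATURES:
            if rx.search(ev[field]):
                hits[ev["ip"]].add(name)
    return dict(hits)


def client_features(events):
    """Per-client request count and 4xx ratio over the window."""
    counts = defaultdict(int)
    errors = defaultdict(int)
    for ev in events:
        counts[ev["ip"]] += 1
        if ev["status"].startswith("4"):
            errors[ev["ip"]] += 1
    return {ip: {"requests": counts[ip], "error_ratio": errors[ip] / counts[ip]}
            for ip in counts}


def baseline_outliers(features, threshold=Z_THRESHOLD):
    """Return {ip: set(feature_names)} for clients that are z-score outliers."""
    outliers = defaultdict(set)
    for feat in ("requests", "error_ratio"):
        values = [f[feat] for f in features.values()]
        if len(values) < 3:
            continue  # too few clients to form a baseline
        mean = statistics.fmean(values)
        sd = statistics.pstdev(values)
        if sd == 0:
            continue  # every client identical: nothing stands out
        for ip, f in features.items():
            if (f[feat] - mean) / sd > threshold:
                outliers[ip].add(feat)
    return dict(outliers)


def triage(lines):
    """Run both layers over raw log lines; malformed lines are skipped."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return {
        "signature": signature_hits(events),
        "baseline": baseline_outliers(client_features(events)),
    }


def build_sample_log():
    """Constructed sample traffic (not real data): twelve shoppers, one prober."""
    fmt = ('{ip} - - [01/Jun/2017:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" '
           '{status} 512 "-" "{ua}"')
    lines = []
    for i in range(12):
        ip = f"10.0.0.{i + 1}"
        n = 2 + i % 3  # each shopper makes 2 to 4 requests
        for j in range(n):
            # the 4-request shoppers each follow one stale bookmark (a single 404)
            status = 404 if (n == 4 and j == 3) else 200
            lines.append(fmt.format(ip=ip, s=j, path=f"/page{j}", status=status,
                                    ua="Mozilla/5.0"))
    probe = "192.0.2.10"
    lines.append(fmt.format(ip=probe, s=0, path="/robots.txt", status=200,
                            ua="ExampleScanner/1.0"))
    for k in range(12):
        lines.append(fmt.format(ip=probe, s=k + 1, path=f"/probe-{k}", status=404,
                                ua="Mozilla/5.0"))
    lines.append(fmt.format(ip=probe, s=13, path="/../../etc/passwd", status=404,
                            ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for layer, findings in triage(build_sample_log()).items():
        for ip, reasons in sorted(findings.items()):
            print(f"{layer:9s} {ip:12s} {', '.join(sorted(reasons))}")
```

On the constructed traffic the prober is caught twice over: the signature layer reports both rule names for it, and the baseline layer flags it on both features while every shopper stays well inside the threshold. The two layers answer different questions, which is the practical point: signatures say what a known tool did, the baseline says which client behaved unlike everyone else, and the second keeps working when the tester changes tool or User-Agent. A real deployment would baseline per endpoint and per time window rather than across one flat batch, and would treat the z-score as a feature for a model rather than the final verdict.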

So there's our vision - SOC aggregation of Group data with intelligence resulting from machine learning, fed into SRE-backed remediation practices.

Here's to making it a working practice.
