- Service providers are starting to build their own IP and open source capabilities to provide better interoperability, richer features, faster rollout and market differentiation within their product capabilities.
- The market is changing from a defensive posture to one that can address security before, during and after an attack.
While 2017 has seen its fair share of security announcements across Asia-Pacific, with everything from the launch of a new SOC in one city (BT) to another portfolio refresh (CenturyLink), there have also been a few operators (e.g., NTT Group, Singtel and Vodafone) looking to consolidate and globalize their security capabilities. Some operators see a future not so much around filling out a portfolio with more and more products, but shifting focus from reselling to building their own ‘IP’ and using more open source at an accelerated pace. Two SPs with similar products leave little room for differentiation. Many businesses want to avoid vendor lock-in and demand interoperability. Providers, too, need better margins, as well as the ability to offer differentiation and wield more influence on roadmaps. Vendor roadmaps never seem to be fast enough in an era of DevOps.
Security has a special place in this context. While there are signs of improvement, vendors have not been very good at being open and interoperable. The buyer side is changing rapidly, too. Businesses are taking security more seriously and in general moving to an ‘assumption of breach.’ As such, there is now more focus on the need to have a plan for security before, during and after the inevitable cyberattack. The frustration for many customers is that vendors will offer more threat feeds, more SIEM modules and consulting to smooth over the other rough edges. The customer will often pay more without seeing improvements. If they cut back the security budget, then they may need to decide which types of attacks shall remain invisible. IT managers and CISOs also need to reduce ‘dwell times’ and ‘false positives.’ A security breach can happen within minutes, but can take months to discover. False positives can drain analyst resources and may even be a lure to cover a larger attack. Sometimes SIEM alarms go unanswered due to the volume of alerts and a lack of internal resources.
While no provider has the silver bullet, Telstra presented a unique position at Vantage 2017. The company is taking an open source route and implementing Apache Metron as a core strategy. It is working with partner Hortonworks and the Hadoop technology community to deploy the solution into its SOCs. This solution is hosted on Microsoft Azure, but can run on any cloud or on bare metal and/or commodity hardware. Telstra will build out its own SIEM capabilities and use data from its network plus external feeds for threat intelligence. The Cognevo acquisition improves its ability to move detection beyond signature-based attacks, using analytics to search for anomalies (the ‘unknown unknowns’) and react before an event occurs. Apache Metron offers ingest, correlation and a platform as its core, but the project is likely to move into other areas; speculatively, this could include threat hunting, forensics, reporting, auditing and compliance. This can be bigger than SIEM. The beauty of open source is that any provider can follow suit. Telstra appears to be calling out how it intends to be different in the emerging MSSP space and is willing to take chances.