Transforming a Security Operations Centre (SOC) and building a Target Operating Model
A global financial services organisation faced challenges with their Security Operations Centre (SOC) operating model which increased their vulnerability to cyber-attacks.
The organisation was outsourcing monitoring and triage activities (Level 1) to a Managed Security Services Provider (MSSP) and therefore lacked visibility into, and the ability to customise, the detection use cases that had been implemented. They faced a significant false positive ratio, which meant the teams needlessly managed a high volume of tickets and lacked time to focus on value-adding tasks.
The client thus took the strategic decision to fully insource the SOC whilst improving its effectiveness by implementing a follow-the-sun model and a virtual one-team mentality, improving the accuracy of use cases, and leveraging automation to enable the teams to focus on value-adding tasks.
How did Wavestone help?
Wavestone commenced the project by conducting a maturity assessment based on SOC-CMM to establish a baseline against which improvements could be measured and to identify key areas to focus on. The team then conducted remote interactive workshops using Wavestone’s digital collaboration tools to bring globally disparate teams together to develop the SOC strategy and define the target operating model.
Wavestone followed this by developing an implementation roadmap and governance structure for the client to execute the change. Wavestone also supported them in defining their legal and regulatory requirements.
The relationship with our Client
The core Wavestone team – supported by subject matter experts – worked with the client team day-to-day, conducting workshops, analysing documentation, and building deliverables. Wavestone focused on building an operating model that was tailored to the client, and therefore progressed iteratively through the journey, gathering feedback continuously. The team engaged multiple non-cybersecurity teams from the client to support on various topics (e.g. HR, Recruitment, Legal), and worked with Wavestone SMEs globally to challenge the deliverables and compare the client to its industry peers.
The results
Through this engagement, Wavestone enabled the client to initiate a transformation programme by providing assurance on their strategy and objectives, securing buy-in from relevant stakeholders and arming them with a robust roadmap to implement the target operating model.
This target operating model will make the client’s security operation more effective by:
- Increasing SOC coverage with a 24×7 follow-the-sun model
- Defining a virtual one-team mentality within the SOC function, allowing more collaboration and alignment between threat intelligence, threat hunting, and incident detection and response capabilities
- Increasing business alignment and building resilience, i.e. making sure that detection use cases are implemented on critical assets to protect what really matters
- Increasing the accuracy and flexibility of detection use cases, thus reducing false positives