
Commanding cyber defense centres and the needed talent pool

According to Gartner 2022, government IT spending in the MENA region is expected to surpass $13 billion this year, with a focus on increasing the resiliency of digital government platforms to avoid large scale cyberattacks

Ashraf Koheil, Director of Business Development in the Middle East Africa and Turkey, Group-IB

The Middle East’s threat landscape has been changing. This is not solely due to the increase in cyberattacks, but also to their sophistication and speed. As the regional digital environment becomes exponentially more complex, awareness of the impact of these threats, and preparedness for them, need to increase across the private and public sectors.

The first thing that usually comes to mind in this regard is a Security Operations Centre (SOC) – a hub within a company tasked with the assessment and continuous monitoring of the organisation’s security posture.

According to Gartner 2022, government IT spending in the MENA region is expected to surpass $13 billion this year, with a focus on increasing the resiliency of digital government platforms to avoid large-scale cyberattacks. The question we need to be asking is how to maximise these investments and increase the efficiency of security operations so that they can withstand an ever-evolving threat landscape.

Due to the changing cybersecurity environment, far more is expected of SOCs, as facing attackers has become increasingly challenging. This is where a Cyber Defence Centre (CDC) comes into play. The CDC is a modernised version of the SOC that makes the most of the collaboration between human intelligence and relevant technologies.

SOC vs. CDC: What’s the difference?

Amid the growing devastation of ransomware operations, it is clear that the cybersecurity game has levelled up. Threat actors are more diligent in their work than ever before as cyberattacks are no longer simply randomised. Rather, those behind them demonstrate more calculated behaviour, conducting research on their victims’ defences, the technologies they use, and the vulnerabilities that are disclosed by software vendors. Whether the attack is politically or financially motivated, or part of a wider “hacktivism” campaign, these groups are not your average attackers.

When implementing a CDC, CISOs must take a more complex approach into consideration. A few things differ from a SOC.

Skillsets

An average SOC consists of a few multi-taskers. A good SOC is composed of various cybersecurity experts, including analysts, threat hunters, red teamers and more. The CDC rethinks the way a cyber defence team comes together. A smart CDC is modelled with a different approach, in which each category of expert goes through personalised training.

Within the regional cybersecurity talent pool, the following challenges stem from the existing approach to skillset development:

Lack of practical knowledge

Cybersecurity is not a theoretical science. One of the most important elements of a training programme is simulation, in which skills are tested against a realistic, up-to-date and relevant cyber-attack scenario. This better reproduces the environment and experience of a real-time attack, making sure that the team knows how to handle different situations as they arise.

The main challenge in these situations is the experts’ response to a crisis. The anatomy of a cybersecurity professional is complex: they need to be calm yet attentive and disciplined at the same time. It’s a difficult balance to maintain, and each unique situation within a simulation requires a different approach. When modelling a CDC, it is important to have experts trained against realistic threats.

Vendor-biased training

Another challenge within the regional talent pool is the type of training provided. Not only is the training not tailored to different practice areas, it is also mostly vendor-dependent. With an evolving cyber-threat landscape, technology is bound to keep advancing, and knowing how to operate one tool is non-transferable once that tool becomes outdated.

Training needs to be software-independent and vendor-agnostic if we are to expect adaptability from cybersecurity professionals. The skillset development process must be impartial, as it might otherwise end up developing a bias towards a specific vendor.

Smart technology

Another distinction between a SOC and a CDC is the type of technology employed. For example, a SOC will have Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) to collect and correlate security events and to respond to incidents.

Due to the growing number of threats, expanding security perimeters, and rapid changes in the regional security environment, a SOC’s SIEM and SOAR are no longer able to deal with the flow and can execute only 80 percent of their function. At some point they require a larger workforce to deal with the overwhelming number of alerts, which in turn requires companies to invest more.

Managed Extended Detection and Response (XDR) capabilities can help the CDC become more intelligent. Managed XDR is a cybersecurity service that combines technology and human skills to perform threat detection, monitoring, and response. Its key advantage is that it allows for the quick identification and mitigation of threats without the need for extra personnel. A SIEM can only deal with the past, while Managed XDR can provide more accurate modelling of the future. Managed XDR also allows for knowledge aggregation, which enables threat analysts from around the world to share the latest cyber-threat trends with those in other regions and warn them of potential risks.

Optimising an organisation’s cyber defence strategy starts with evaluating the team behind it and the way they operate. Rather than spending exorbitant amounts on the technology used within a SOC, restructuring your team and adopting a CDC instead can prove to be a lot more efficient and effective. This, together with a larger focus on the training and development of the experts behind the cyber-defence programmes, is the key to successfully warding off cyber-attacks.

Ashraf Koheil is the director of business development in the Middle East, Africa, and Turkey at Group-IB.