Part 1 – Defining operational excellence in cybersecurity
This is the first in a three-part blog series from Bitdefender on how we have built principles of operational excellence (OE) into our managed detection and response (MDR) service, why it is important, and how others can do the same.
This first blog post focuses on how principles of operational excellence can enable greater scalability, automation and resiliency in cybersecurity.
Navigating the nebulous world of MDR services
As cybersecurity threats continue to grow, enterprise security teams are struggling to keep pace. The average security operations center (SOC) handles more than 10,000 alerts per day. It’s so overwhelming that most triage less than half of incoming alerts and often do not have time to conduct a full analysis when incidents do occur, leading to inaccurate reports and an incomplete understanding of attacks. Because of these challenges, organizations are increasingly turning to managed detection and response (MDR) services to help them hunt down, mitigate and contain cyber threats. According to Gartner, 50% of organizations will be using MDR services by 2025 .
Unfortunately, too often these services turn into “alert factories” that further overwhelm security teams and provide little value, leaving CISOs dissatisfied with their investments and their organizations no better protected than before.
A large part of the challenge surrounding MDR services stems from a lack of industry standardization around what actually constitutes MDR, how these services should be carried out, and how to measure their success. There is little agreement across the industry as to what exactly counts as threat hunting, what constitutes a response and what metrics should be used to judge the effectiveness of the service.
For example, some providers simply alert customers to an incident and consider that a response, leaving the customer to handle it on their own. Others try to demonstrate the value of their MDR service by measuring the number of incidents identified – but this merely measures quantity, not quality. It doesn’t help the customer understand what is happening in their environment, why they are having so many incidents, or what they can do to become more resilient against future threats. Even fewer MDR providers have operationalized processes in place for evaluating the lessons learned from each incident and carrying forward that knowledge so it can be applied to future events.
This lack of standardization throughout the industry makes it extremely difficult for organizations to accurately compare the MDR services offered by different vendors. It even makes it difficult for analysts to accurately assess MDR services in industry reports because approaches are so different, it’s impossible to make an apples-to-apples comparison.
But no CISO should be paying for an MDR service and getting an alert factory instead. They need to be sure they’re getting what they paid for. They need the ability to measure the value and effectiveness of the MDR service, and most importantly, know that they are more secure as a result.
That is why Bitdefender designed and built our MDR service from the ground-up with principles of operational excellence (OE) in mind, and why we use these principles to create a cycle of continuous improvement. With OE principles woven throughout every aspect of our MDR service, we’re able to ensure that our customers not only enjoy strong security around-the-clock but can also measure the value and effectiveness of the service.
Defining operational excellence
There is no universal definition of operational excellence. This is because every organization differs in their mission, focus areas, operations and strategic goals. However, most definitions of operational excellence include common themes. In general, OE is a business philosophy focused on problem-solving and continuously improving processes, technologies and procedures in order to achieve dramatic improvements in the business. These improvements could be increased efficiency, sustained competitive advantage, advances in innovation, or greater cyber resiliency. When done right, OE is more than just a workplace motto; it becomes a culture and mentality that is deeply engrained throughout every function in the business.
Traditionally, OE principles have typically been seen in large-scale operations in industries such as manufacturing and supply chain. They were developed in these industries as a way to make organizations more streamlined, improve performance, reduce mistakes, speed processes and more. Examples of popular OE models include Six Sigma, Lean Manufacturing, the Shingo Model, OKAPI method, the Baldridge Excellence Framework, and many others.
Applying operational excellence to MDR
Few, if any, organizations outside of Bitdefender have taken OE principles and applied them to something as dynamic and fast-paced as cybersecurity operations. By using OE principles as the foundation upon which we built our MDR services from the beginning, we were obligated to think strategically about the processes and metrics that make up our service: what we measure, how we define success, what should be the outcomes of a successful threat hunt, how we work with customers, how we will carry forward lessons learned, and more. We designed our MDR services to be very specific in the way we defined these metrics and how we would use them to improve procedures and create a cycle of continuous improvement – something that most MDR services in the industry are missing.
The benefits of applying OE to an MDR service are numerous. OE principles enable a security operations center (SOC) – whether in-house or as part of a third-party MDR provider – to achieve scale, enable greater automation, become more efficient, respond to threats faster and become more cyber resilient for the future. They do this by creating consistency and repeatability of security processes and outcomes. In short, OE principles make cybersecurity operations more effective, more resilient, and able to achieve more with leaner operations.
How OE enables scalability and automation in security operations
Time is of the essence in cybersecurity. When an attack happens, a SOC must be able to immediately detect and respond. For this reason, cybersecurity operations are increasingly turning to automation solutions like security orchestration, automation and response (SOAR) platforms. But simply deploying the latest and greatest automation technologies will not make an organization more secure.
For automation tools to be effective, a cybersecurity program must have highly mature processes in place, driven by accurate data. If the data going into SOAR systems or other security tools is flawed, the outcomes will be worthless. This is why applying OE principles for continuous improvement of processes is so important. It is the best way for a cybersecurity program to ensure accuracy, repeatability and reliability of data, processes, and decision-making in order to ensure faster responses in the face of an attack. And, it is the only way for an MDR service or in-house SOC to effectively scale in the face of increasing threats and a global workforce shortage.
Take, for example, the way most MDR service providers structure their operational model. Most use what is commonly called the “Squad Model,” where team members specialize in narrow roles – one team member is a threat hunter, another is a security analyst monitoring alerts, still another may specialize in a particular vertical industry. However, this approach is not scalable. As the MDR service grows, the provider would need to hire an entire new team of several people each time a customer threshold is reached. In an industry facing a worker shortage of more than 3 million people, this is simply not feasible as the MDR provider takes on hundreds, or thousands, of new customers.
In contrast, because we at Bitdefender designed our MDR operations with OE principles in mind from the beginning, we developed a different approach, one that leverages a cross-functional team of cybersecurity experts, where everyone is able to perform every role and is invested in the outcomes of their colleagues’ work. This enables far greater scalability because as the service grows, individuals can be added to the cross-functional team rather than needing to hire and train an entire new squad of people.
Coming up in part 2
A highly mature, high-quality MDR service is a combination of people, technologies and repeatable, well-defined processes, all driven by actionable threat intelligence. In part 2 of this blog series, we’ll detail how Bitdefender applied OE principles in the development of its MDR program. In part 3 we’ll discuss how OE impacts the day-to-day cybersecurity operations to drive continuous improvements.
Learn more about the MDR market and its dynamics with the 2021 Gartner Market Guide for Managed Detection and Response Services complimentary report.
 Gartner “2020 Market Guide for Managed Detection and Response Services.” https://www.gartner.com/en/documents/3989507/market-guide-for-managed-detection-and-response-services