How DTCC Upgraded their SOC into a Cyber Threat Fusion Center

By Shawn Baird, Associate Director, Offensive Security and Tactics, DTCC
Based on a session given at PenteraCon 2024

When the speed and complexity of cyber threats outpace traditional security measures, it’s time for a fundamental change. At The Depository Trust & Clearing Corporation (DTCC), we faced this challenge head-on by evolving our Security Operations Center (SOC) into a Cyber Threat Fusion Center. This transformation has significantly enhanced our ability to detect, respond to, and mitigate cyber threats. In this article, I’ll unpack the driving forces behind this shift and the tangible benefits we’ve realized.

Why a Traditional SOC Isn’t Enough

Before jumping into why we transitioned to a Cyber Threat Fusion Center, it’s crucial to understand where traditional SOCs struggle.

At DTCC, we realized that while our traditional SOC was doing its job, it wasn’t built to handle the complexity of today’s threats. The siloed operations—where threat intelligence, incident response, and hunting all functioned separately—meant slower, less coordinated responses. This fragmentation created gaps that sophisticated attackers could exploit.

The sheer volume of data was another challenge. With endless streams of information coming in, it became harder to focus on what really mattered, leading to slower decision-making.

And when it came to response time, our SOC could detect threats but wasn’t fast enough in mitigating them. When seconds matter, we needed something faster and more integrated.

Lastly, collaboration between departments—like legal and marketing—wasn’t happening in real-time. We needed to break down these barriers to better coordinate during critical incidents.

These limitations pushed us to evolve, leading to the creation of the Cyber Threat Fusion Center.

The Stakes for DTCC’s Cybersecurity

DTCC is the premier post-trade market infrastructure in the industry, processing over $2.7 quadrillion in financial transactions annually. With every stock trade, bank transaction, and credit card swipe needing to go through a clearing and settling phase, we are responsible for processing more zeros than I can comfortably count. This immense responsibility demands the highest level of cybersecurity, which led us to rethink and revolutionize our approach.

What Exactly is a Cyber Threat Fusion Center?

If you consider a traditional SOC as a series of independent gears, each running its own function at its own pace— imagine combining these gears into a single, powerful engine. In our case we wanted to combine cyber threat intel, threat defense operations, incident response, attack surface enumeration, threat hunting, and government compliance— their cohesive integration was the essence of our Cyber Threat Fusion Center. The aim was not only to speed up our response times but also make us more efficient overall in handling incidents.

Overcoming the Challenges We Faced

Transitioning to a Cyber Threat Fusion Center came with its own set of challenges:

• Integration Challenges: Integrating security tools and technologies to work together can prove difficult. There may be compatibility issues between existing systems and potential for disruptions during the integration process. With a slew of different security tools in use, centralizing all the data can be tough.
• Skilled Personnel: Finding skilled personnel, especially outside major tech hubs, was another hurdle. In regions like New York, DC, and Virginia, skilled engineering labor is relatively accessible. However, in other areas, such as Tampa, Florida, it can be challenging to find and retain the necessary talent.
• Privacy Concerns: Unifying operations and facilitating information sharing naturally means opening access to a lot of sensitive company data. This raises the stakes because there’s potential for misuse or mishandling. When you have that many players in one room, you want to make sure that all of your secrets are being contained.

To overcome these challenges, we focused on creating a centralized command center modeled after the ICS4ICS structure, notably used in The Federal Emergency Management Agency (FEMA) response. By establishing a command hub with predefined roles, communication channels, procedures, and resources for everyone to use when processing incidents, we’ve been able to improve efficiency in our response.

We also emphasized cross-department collaboration. During an incident, it’s not enough for only the SOC team to be involved. We had the threat intelligence team brought in to provide context on the threat landscape, legal teams to handle compliance and potential legal ramifications, and marketing to manage communications. This cross-department collaboration ensures that every aspect of the response is covered, and all teams are on the same page.

The Results We’ve Seen So Far

Despite these challenges, the benefits have been substantial. Centralized monitoring provided a comprehensive view of our entire environment, enhancing our ability to detect and respond to threats. Another huge benefit was resource optimization. By making sure our best people were focused on the right tasks, they could work better. For example, we used level three analysts and engineers for high-level analysis instead of writing emails, maximizing our efficiency.

The results speak for themselves. We turned every test into a purple team exercise, fostering real-time collaboration between red and blue teams. This approach improved our mean time to respond and contain incidents by 30-50% over the past two years.

“We turned every test into a purple team exercise, fostering real-time collaboration between red and blue teams. This approach improved our mean time to respond and contain incidents by 30-50% over the past two years.”

We also moved beyond traditional tabletop exercises to live fire exercises. Instead of just discussing potential scenarios, we performed real malicious activities in the environment without informing the blue team beforehand. This included having them contain threats, coordinate with marketing to manage fake data leaks, and consult with legal on response strategies. After the exercise, we’d inform the team that it was a drill and evaluate their performance. For these blue/red team exercises, we use Pentera’s platform, which allows us to validate our security in real-time. Pentera makes it easy to repeat these tests, enabling even less experienced team members to conduct thorough assessments and improve their threat mitigation skills.

Evolving our SOC has also empowered us to engage in content validation and creation in real time. We now develop content based on activity rather than just predefined threat signatures, thanks to performance amplifiers like Pentera’s platform, which make processes easily repeatable and highly cost-effective. We no longer need to pay a tester with thirty years of experience to run routine NMAP scans across a network. Someone with much less experience can now run the same tests reliably on an ad hoc basis.

Where We Go From Here

Our journey to a Cyber Threat Fusion Center has been transformative. It’s cost-effective, improves our skilled labor, and eliminates needless processes by automating repetitive tasks. For those of you considering this transition, my advice is to start small, integrate gradually, and focus on collaboration across all teams.

Ensure your SOC is always on-guard. Start with a demo to see how well your SOC detects and responds to attacks.

Please note that all information below is solely the opinions of Shawn Baird and do not represent the beliefs or opinions of DTCC and its subsidiaries.