The Raytheon Missiles and Defense (RMD) Cyber Center is a nascent organization, founded in 2020 alongside the formation of the RMD group, the newest of Raytheon Technologies’ four business units. While RMD as a business unit is less than two years old, the organization already reports US$16B in annual revenue and has 30,000 employees in 28 countries. As one of the world’s preeminent threat detection and defense organizations, it is no surprise that RMD needed to build out a security operations center (SOC) alongside the technology used to prevent physical threats. As physical and logical security today are inextricably linked, RMD’s cybercapabilities must match the level of security required for physical assets.
RMD operates as a self-contained business unit under the Raytheon umbrella. The group maintains its own executive team, chain of command, budget and operating plan. The RMD Cyber Center (RCC), staffed by a fully remote team, was formed to fulfill the mission of becoming a fully functional cyberthreat management capability for RMD. The main goal of the cyber team is to predict, identify and understand threats—physical or digital—before they impact any business operations and/or the safety and security of RMD’s products, assets and systems.
RCC operates as an independent business entity, maintaining separate networks, data and end user requirements. RMD’s systems were divested from the Raytheon enterprise network and thus require different levels of protection and access, which is why RMD’s executive team decided to form its own cyber group rather than turn to the enterprise’s existing cyber team. Nonetheless, RMD’s operating plan warrants top-tier security and risk management, and shortly after the formation of the business unit, hiring for the RCC began.
Danielle Snyder was hired in 2020 to build the RCC. She and one other colleague were charged with developing a plan for the RCC and were given a budget and the necessary approvals to start. The pair quickly decided to form and hire for three main functions: cyberthreat intelligence (CTI), security operations (SecOps) and incident response (IR). Snyder and her colleague decided that the RCC would be staffed by the best team they could find, regardless of geographic location, and would be able to accommodate 24/7/365 security operations coverage. The three teams would focus on their individual areas of expertise while working collaboratively to support centralized visibility and management of operations and threats.
As of mid-2022, the RCC employs 15 people, including three managers (one for each cyberfunction), security analysts and subject matter experts (SMEs). The RCC supports 30,000 users and approximately 20,000 endpoints. It must consider and address the challenge of operational technology (OT), since antiquated security practices and procedures must be transformed to meet modern requirements for security coverage and management.
Challenges With Outdated Tech
The biggest challenge the RCC faces is that, despite being a new organization, RMD runs primarily legacy systems and operational technology. Though OT security has improved tremendously over the last decade, the systems RMD uses are proprietary to weapons and are thus more difficult to monitor and manage than commercially produced OT. As far as the legacy systems are concerned, there is no motivation to plan for a tech refresh, since any new implementations or migrations would be extremely costly and potentially disruptive. The charge for the RCC remains to secure and continuously monitor both OT and legacy systems (which are sometimes one and the same) with the most effective, modern capabilities.
Further, the RCC inherited disparate systems, tools and processes from several Raytheon business units when those business units merged, and the result is unreliable, decentralized management of security functions. The RCC must therefore centralize and improve existing capabilities to support a full-fledged SOC, including expert-level functionality for incident response and CTI. The scope of this effort should entail all unclassified, nonstandard systems that are not covered under the enterprise domain. The vision for the SOC program is to collect, coordinate and manage data from relevant endpoints (approximately 20,000), servers and networks, correlate the data into one common data schema that can be analyzed and used for threat hunting and threat management, and develop a picture that highlights areas of threat and risk. The team plans to rely heavily on automation so that it does not encounter many of the same SOC struggles that are so prevalent within enterprise SOCs: data and alert overload, limited triage ability, unreliable prioritization mechanisms and/or siloed data sets that cannot be used for remediation.
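The vision above (collect from disparate sources, correlate into one common schema, prioritize by risk) is the core of what a SIEM/SOAR pipeline does. The following is an added example, not code from RMD, the RCC or any vendor product named in this case study: it parses one constructed syslog-style line from a hypothetical OT gateway and one constructed JSON alert from a hypothetical endpoint agent into a single event schema, enriches each event with an assumed asset-criticality table (standing in for the inventory the text says is still manual), and ranks them so an analyst sees the highest-risk signal first. The hostnames, formats and scoring weights are assumptions.

```python
"""Added example (not RCC code): normalize two unrelated event formats into a
common schema and rank them by severity x asset criticality."""
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample inputs (hypothetical hosts and addresses).
SYSLOG_LINE = "2022-06-01T14:03:22Z plc-gw-07 auth: failed login for user operator from 10.20.30.9"
EDR_ALERT = '{"ts": 1654092300, "hostname": "WS-ENG-112", "detection": "credential_dumping", "severity": "high"}'

# Assumed asset criticality (1 low .. 5 high); a real deployment would pull
# this from the CMDB/asset inventory rather than a literal table.
ASSET_CRITICALITY = {"plc-gw-07": 5, "WS-ENG-112": 3}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Event:
    """The one common schema every source is mapped into."""
    timestamp: str   # ISO-8601 UTC, regardless of the source's native format
    host: str
    category: str    # coarse class used for correlation (authentication, malware, ...)
    severity: str    # normalized to low/medium/high/critical
    source: str      # which collector produced it
    detail: str      # original message or detection name, kept for the analyst


SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")


def parse_syslog(line):
    """Map a syslog-style line to the common schema; severity is inferred from the text."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognized syslog line: %r" % line)
    msg = m.group("msg")
    category = "authentication" if "login" in msg else "other"
    severity = "medium" if "failed" in msg else "low"
    return Event(m.group("ts"), m.group("host"), category, severity, "syslog", msg)


def parse_edr(text):
    """Map a JSON endpoint alert to the common schema; epoch seconds become ISO-8601 UTC."""
    d = json.loads(text)
    ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, d["hostname"], "malware", d["severity"].lower(), "edr", d["detection"])


def risk_score(event):
    """Severity weight multiplied by asset criticality; unknown hosts default to 1."""
    return SEVERITY_SCORE.get(event.severity, 1) * ASSET_CRITICALITY.get(event.host, 1)


def prioritize(events):
    """Highest-risk first, so triage starts with what matters most."""
    return sorted(events, key=risk_score, reverse=True)


def to_records(events):
    """Common-schema rows ready to be written to a single data store."""
    return [dict(asdict(e), risk=risk_score(e)) for e in events]


if __name__ == "__main__":
    for row in to_records(prioritize([parse_edr(EDR_ALERT), parse_syslog(SYSLOG_LINE)])):
        print(row)
```

The point of the example is the ordering: a medium-severity failed login on a criticality-5 OT gateway outranks a high-severity endpoint detection on a criticality-3 workstation, which is exactly the kind of impact-aware prioritization the text says the SOC is meant to automate instead of leaving to manual triage.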
However, this vision is predicated on a top-notch cyberthreat capability, which relies on the implementation and usage of the right tools and processes. And even though the RCC has existed for two years, at the time of this writing, it is still a ground-up effort that needs to start with identifying security needs, tools and platforms, and acquiring a highly talented staff to run the SOC. Given the COVID-19 pandemic, a hot job market and global supply chain issues, the RCC has encountered many obstacles that have limited its ability to put all the pieces in place in swift fashion. Time and opportunity have been major challenges, says Snyder. In addition, because the existing team is so new and the program has yet to implement some of the major technologies and plans that are in the queue, a lack of repeatable processes has hindered progress. The cyber team at RMD is still working on building better relationships with the enterprise teams, which would be a significant benefit. But because the RCC is separate from the enterprise’s cyber team, systems and priorities, the RCC is not always able to rely on them for support that would smooth the path to building the RMD SOC with all its requisite functionalities.
Contending With Insufficient Staff and the Impact of COVID-19
Staffing is another challenge. Despite the allocated budget and support for hiring, new hires were not equipped to select and implement products. Because of the way the staffing plan was written, the RCC could not hire engineers—only analysts. As a result, analysts had to learn how to engineer their own products, which was time consuming and not a best practice (although the analysts upskilled themselves and are now more valuable to the team and organization).
Nevertheless, Snyder thought future work would be more productive if talent with engineering experience and expertise were hired. Snyder worked with two RCC managers and convinced them to agree to hire engineers who would understand new products, top to bottom, as soon as they started at the organization. Two engineers were hired with mid-2023 start dates.
But another staffing challenge remained. The staff who were hired often did not have enough work to do. Because they were hired based on an aggressive start-up plan, Snyder and her team envisioned being able to select and deploy more security technology than they had implemented in the last two years. The pandemic significantly impacted the production and shipment of hardware, so the RCC staff educated themselves about processes, procedures and best practices in anticipation of the tools’ eventual arrival. Still, with the time delay, morale was low and staff were eager to get started on the operational aspects of the jobs for which they were hired.
In the meantime, as with every organization (especially one as high profile as Raytheon), and even without the best-in-class technology deployed, RMD has incidents and vulnerabilities to address—threat actors do not wait for a slow supply chain. In fact, they are likely taking full advantage of the chaos it is causing. So, even though the SOC has not yet been optimized to meet the RCC’s needs, staff are handling all incidents and vulnerabilities manually and sharing information across a remote network. This process is problematic for a variety of reasons, not least of which is that they do not have a way to verify fixed vulnerabilities. Finding system owners is time consuming. Without a configuration management database (CMDB) deployed, all the work of identifying assets and their owners is manual, slow and often out of date, creating more vulnerabilities.
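The two gaps named here, no authoritative owner for each asset and no way to confirm that a vulnerability is actually gone, are what a CMDB paired with scan reconciliation closes. The following is an added example, not code from RMD, the RCC or any CMDB or scanning product: it keeps a minimal asset register (hostname, accountable owner, criticality), ingests two constructed scan results, and only marks a finding "verified_fixed" when a later scan reached the host and no longer reported the vulnerability; a host the later scan did not reach stays "unverified" rather than being silently counted as fixed. All hostnames, owners and vulnerability identifiers are constructed placeholders, not values from this case study.

```python
"""Added example (not RCC code): asset-to-owner lookup plus scan reconciliation
that refuses to call a vulnerability fixed until a scan proves it gone."""
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    owner: str          # accountable system owner, the lookup the text says is manual today
    criticality: int    # 1 (low) .. 5 (high), used to order remediation


@dataclass
class Finding:
    hostname: str
    vuln_id: str
    first_seen: str
    last_seen: str
    status: str = "open"   # open | verified_fixed | unverified


# Constructed asset register (hypothetical hosts and owners).
ASSETS = {
    "srv-legacy-01": Asset("srv-legacy-01", "platform-team@example", 5),
    "ws-eng-112": Asset("ws-eng-112", "eng-it@example", 3),
    "plc-gw-07": Asset("plc-gw-07", "ot-ops@example", 5),
}

# Constructed scan results: (scan date, hosts the scanner actually reached,
# (host, vulnerability id) pairs still detected). Vulnerability ids are placeholders.
SCANS = [
    ("2022-05-01",
     {"srv-legacy-01", "ws-eng-112", "plc-gw-07"},
     {("srv-legacy-01", "VULN-EXAMPLE-001"), ("ws-eng-112", "VULN-EXAMPLE-002"),
      ("plc-gw-07", "VULN-EXAMPLE-004")}),
    ("2022-06-01",
     {"srv-legacy-01", "ws-eng-112"},          # plc-gw-07 was unreachable this time
     {("ws-eng-112", "VULN-EXAMPLE-002"), ("srv-legacy-01", "VULN-EXAMPLE-003")}),
]


def owner_of(hostname):
    """Owner lookup from the register; an unknown host is itself a finding to chase."""
    asset = ASSETS.get(hostname)
    return asset.owner if asset else "UNKNOWN-OWNER"


def reconcile(findings, scan_date, scanned_hosts, detected):
    """Fold one scan into the findings table.

    A finding becomes verified_fixed only if its host was scanned and the
    vulnerability was no longer reported. If the host was not reached, the
    finding is marked unverified instead of being assumed fixed."""
    for host, vuln in detected:
        key = (host, vuln)
        if key in findings:
            findings[key].last_seen = scan_date
            findings[key].status = "open"          # still present, reopen if needed
        else:
            findings[key] = Finding(host, vuln, scan_date, scan_date)
    for key, f in findings.items():
        if key in detected or f.status == "verified_fixed":
            continue
        f.status = "verified_fixed" if f.hostname in scanned_hosts else "unverified"
    return findings


def run_all(scans=SCANS):
    """Replay every scan in order and return the resulting findings table."""
    findings = {}
    for scan_date, hosts, detected in scans:
        reconcile(findings, scan_date, hosts, detected)
    return findings


def remediation_queue(findings):
    """Open findings, most critical asset first, each tagged with its owner."""
    open_findings = [f for f in findings.values() if f.status == "open"]
    open_findings.sort(
        key=lambda f: ASSETS.get(f.hostname, Asset(f.hostname, "?", 1)).criticality,
        reverse=True)
    return [(f.hostname, f.vuln_id, owner_of(f.hostname)) for f in open_findings]


if __name__ == "__main__":
    table = run_all()
    for key, f in table.items():
        print(key, f.status, "owner:", owner_of(f.hostname))
    print("queue:", remediation_queue(table))
```

The "unverified" state is the part worth copying: an analyst who closes tickets from a scan that silently skipped a host is in exactly the "no way to verify fixed vulnerabilities" position the text describes, and the register is what turns "find the system owner" from a manual search into a lookup.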
On top of the technical challenges, and despite the lack of automation in the SOC, the RCC is required to keep pace with compliance mandates, which are complex and take time to understand.
Much is riding on the delivery of the technologies the managers at RCC ordered months (and years) ago. While Snyder says she would ideally like to move more capabilities to the cloud and cloud-based systems, RMD was not set up for it from a compliance standpoint, so it must proceed with on-premises (on-prem) and virtual appliances for the short term.
One challenge that Snyder and her team did not have to face was a limited budget. Unlike so many teams, the RCC was fortunate to have the full support of the RMD executive team, including the chief information security officer (CISO) of RMD. Snyder says the executives have been extremely helpful in “knocking down walls” so that the RCC has what it needs to build a world-class SOC and threat management capability.
Solution
While the lack of technology in the RCC is not ideal, Snyder says the team has been fortunate that no major incidents have impacted the organization to date, and the team is working diligently to overcome challenges. It has received assistance from external parties and has established a dedicated mailbox for incident reporting so that signals are not lost in the plethora of data the analysts have to manually parse. A ticketing system for triage has recently been deployed.
From a forward-looking point of view, the RCC has already piloted security information and event management (SIEM) and security orchestration, automation and response (SOAR) platforms and is anxiously awaiting delivery. The specific platforms were chosen for event and incident response automation and their abilities to provide CTI management. A forensics tool was also purchased to assist with investigations.
To support the deployment and management of these technologies, the RCC has hired and onboarded analysts, SMEs and managers. The staff are building best-in-class processes, procedures and playbooks for when the SOC is operational to ensure that the SecOps, IT and CTI functions are properly prepared to hit the ground running as soon as the technologies are shipped and deployed. Snyder says such careful planning will be a major benefit to the team and the organization in the long run; most security and SecOps teams, by contrast, are overburdened with day-to-day tasks and alerts, and they often do not have the bandwidth to plan carefully. For each of these solutions, the RCC also purchased vendor support to ensure a smooth onboarding process and transition to the internal team for ongoing management. As soon as the hardware is delivered, the team will be fully prepared for rapid deployment.
Benefits
The benefits of launching an SOC and implementing digital transformation for the team are yet to be determined. However, Snyder and her colleagues anticipate significant improvements in their operation once the hardware is shipped and operational. The team anticipates:
- Increased efficiency and efficacy in identifying threat signals from the RMD environment and external sources
- An exponential reduction in manual effort and time required for SOC operations
- The ability to prioritize action based on risk and impact
- Orchestration of SOC data for improved decision-making
- A reduction in risk to RMD as a result of better CTI and vulnerability management
Results
The results of the SOC effort remain to be seen as of the time of this writing. Though all required and desired platforms have been thoroughly evaluated and tested against the organization’s needs and subsequently purchased, not all of the hardware has arrived yet. Implementation will happen immediately upon arrival and should be quick, given the amount of prep time the team has had. The team expected initial operating capacity in late 2022, with results soon to follow once all technologies and their modules were fully implemented in the RCC environment.
Snyder anticipates a data-driven approach to results and will rely heavily on metric improvements. This is the best way for the team to accurately demonstrate efficacy for operations, IR, and CTI, and build on those results to positively impact all RMD business units. Although Snyder is not entirely certain what measurements or metrics will be part of the results criteria, the team is currently accessing a demo environment for its SOAR product to learn the best methods of pulling business-relevant data from the environment and predetermining which data will be most useful for their individual SOC.
Author’s Note
The content in this case study is based on conversations and situations that occurred prior to this writing. It is important for the reader to know that the subject organization for this case study has been able to achieve many of its goals and implementations in the months between the content interview and the publication of this case study.
KATIE TEITLER is a senior product marketing manager at Axonius, where she is responsible for the company’s cybersecurity asset management product messaging. She is also a co-host on the popular podcast Enterprise Security Weekly. Prior to her current roles, Teitler was a senior analyst at a small cybersecurity analyst firm, advising security vendors and end-user organizations and authoring custom content. In previous roles, she managed, wrote and published content for various research firms, including MISTI (now part of the CyberRisk Alliance), a cybersecurity events company, and was the director of content at Edgewise Networks, now part of ZScaler.