Beyond the XDR Model

The Convergence of SOC and NOC for Enhanced Cybersecurity in the Hospitality Industry

Executive Summary

This white paper examines the limitations of traditional cybersecurity frameworks like Managed Detection and Response (MDR) and Extended Detection and Response (XDR) in the hospitality industry. It proposes an integrated model that combines Security Operations Centers (SOC) and Network Operations Centers (NOC), highlighting the need for a unified approach to address the complex, multi-vector threats this sector faces. This paper draws upon recent cyber incidents, including the well-documented Marriott breach, to underscore the urgency of enhancing cybersecurity measures within the industry.

Introduction

The hospitality industry's vulnerability to cyber threats is significantly heightened by its heavy reliance on interconnected digital systems. Check-in kiosks, digital keycards, automated lighting, temperature sensors and connected minibars are all essential to, and at the core of, the industry's operations. This extensive customer engagement framework clearly enhances service delivery, but it also drastically expands the attack surface and the cyber security risk that hoteliers need to manage. Furthermore, because the industry processes vast amounts of sensitive personal information such as credit card numbers, addresses and personal identifiers, it is a prime target for cyber threats.

The average cost of a hospitality data breach in 2023 was $3.36 million, up from $2.94 million in 2022. That’s a 14% increase in the space of a year. A recent report from Trustwave found that almost a third (31%) of hospitality organizations have reported a data breach in their lifetime. Of those, 89% had been affected more than once in a year. (Trustwave 2023 Hospitality Report)

The complexity of the current threat landscape in the hospitality industry calls for sophisticated defenses that go beyond the conventional paradigm of siloed cybersecurity measures, which, while important, often fall short of a unified defense strategy. At Nexplay Secure, we believe that the integration of SOC and NOC functions into a unified cybersecurity framework represents a significant advancement in the approach to cyber defense. Such integration streamlines threat detection, response and mitigation processes, enhancing overall security posture and resilience against evolving cyber threats.

Current Cyber Risks in the Hospitality Industry

Recent years have seen a significant increase in cyber threats targeting the hospitality sector. Notable incidents at major hotel chains, including Marriott, MGM, Caesars and Omni in just the last two years, have resulted in extensive data breaches and significant reputational damage, as well as combined costs north of $150M.

The hospitality industry faces a range of complex cybersecurity challenges: the absence of fundamental best practices, high staff turnover leading to untrained personnel, and poorly architected franchise models that cause inconsistencies in policy enforcement and result in insecure networks. The risks associated with these challenges have never been greater, and they are perfectly exemplified by the Marriott 2018 breach, which illustrates the culmination of all these factors.

The Marriott 2018 Breach - Case Study

The Marriott breach of 2018 is not just a footnote in the history of cybersecurity incidents; it serves as a critical learning point for the hospitality industry and beyond. This breach exposed the personal data of up to 500 million guests and is particularly notable not only for its scale but also for the length of time the attackers remained undetected within the network.

· Initial Access and Prolonged Presence

The attackers first gained access to the Starwood network in 2014, two years before Marriott acquired Starwood. The initial entry point is believed to have been phishing emails or the exploitation of network vulnerabilities. Once inside, the attackers were able to conduct extensive reconnaissance and map internal resources because monitoring and network controls were insufficient.

· Lack of Network Segmentation and Lateral Movement

A critical flaw in the Starwood network was the lack of proper segmentation. Network segmentation is a simple yet vital security measure that divides a network into multiple segments or subnets, each acting as a separate network and policed by strict firewall rules and inspection. The failure to implement this basic network principle allowed the attackers to pivot undetected inside the network and target the customer database.

· Persistence and Data Exfiltration

The attackers maintained their presence in the network for four years, during which they had ample time to explore the network, identify valuable data, and exfiltrate it methodically. The prolonged presence of the attackers highlights severe deficiencies in threat detection, threat hunting, and response strategies at the most fundamental level. Their ability to remain undetected allowed them to gather personally identifiable information (PII), including names, addresses, phone numbers, email addresses, passport numbers, and more.

· Implications and Lessons Learned

The Marriott breach highlights the critical importance of adhering to strict network security guidelines, alongside ongoing advanced network and endpoint threat detection capabilities. Proper network segmentation could have greatly reduced the impact of the breach by restricting the attackers' ability to pivot inside the network after initial access. Additionally, while not necessarily preventing the breach, monitoring for lateral movement and conducting thorough threat hunting at the network level could have significantly improved the outcome by drastically shortening the undetected dwell time and limiting the attackers' ability to explore and map network resources.
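As an added illustration, not taken from the paper or from Nexplay Secure, the following Python script models the two controls discussed above: a segmentation allow-list between hypothetical hotel network segments, and a check over exported flow records that flags any cross-segment connection the policy does not permit, which is the kind of lateral movement the text says went unnoticed. The segment ranges, ports and flow records are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed segment plan for a single hotel property (illustrative only).
SEGMENTS = {
    "guest_kiosks": ipaddress.ip_network("10.10.0.0/24"),
    "room_iot":     ipaddress.ip_network("10.20.0.0/24"),  # locks, thermostats, minibars
    "corp_staff":   ipaddress.ip_network("10.30.0.0/24"),
    "pms_db":       ipaddress.ip_network("10.40.0.0/24"),  # property management / guest PII
}

# Allow-list of (source segment, destination segment, destination port).
# Any other flow that crosses a segment boundary is treated as a policy violation.
ALLOWED = {
    ("guest_kiosks", "pms_db", 443),   # kiosks reach the booking API only over HTTPS
    ("corp_staff", "pms_db", 443),
    ("corp_staff", "room_iot", 8883),  # staff tooling manages IoT over MQTT/TLS
}

Flow = namedtuple("Flow", "src dst dport")

def segment_of(ip):
    """Map an address to its segment name, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(flow):
    """Intra-segment traffic is not a boundary crossing; everything else needs an allow-list hit."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False
    if src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, flow.dport) in ALLOWED

def find_lateral_movement(flows):
    """Return the flows that violate segmentation policy, i.e. candidates for SOC triage."""
    return [f for f in flows if not is_allowed(f)]

# Constructed flow records, shaped like a firewall or NetFlow export.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "10.40.0.5", 443),    # kiosk -> PMS API: permitted
    Flow("10.10.0.15", "10.40.0.5", 1433),   # kiosk -> database port directly: violation
    Flow("10.20.0.8",  "10.30.0.22", 445),   # thermostat -> staff SMB: violation
    Flow("10.30.0.22", "10.30.0.23", 3389),  # staff -> staff: same segment, not a crossing
    Flow("10.40.0.5",  "10.10.0.15", 443),   # PMS segment initiating to kiosks: violation
]

if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_FLOWS):
        print(f"VIOLATION {segment_of(f.src)} -> {segment_of(f.dst)}:{f.dport} ({f.src} -> {f.dst})")
```

Run against real flow exports, the same check becomes a detection rule: each hit is either a misconfigured device or a pivot attempt, and both belong on the SOC's queue.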

The Marriott 2018 breach is a stark reminder of what can go wrong when cyber security is not taken seriously. It illustrates the critical need for staff training and advanced endpoint threat detection (MDR/XDR) combined with rigorous network security to avoid similar incidents in the future. For the hospitality industry, and more broadly any industry where customer trust is paramount, ensuring the security of personal data is not just a regulatory requirement such as PCI, but a fundamental business necessity.

Gaps in Current Cybersecurity Offerings

Although MDR and XDR services are now widely accessible, there is a notable gap in their coverage, especially regarding network security and incident response. Small and medium-sized enterprises in the hospitality sector, and SMBs and SMEs in general, often face a dilemma. Despite contracting MDR or XDR services as required by their cyber security insurance policy, they still need solutions for managing their firewalls and network nodes, both operationally and during incident response. This often leads hoteliers to engage additional providers, resulting in fragmented defense strategies that are less effective, more complex and more costly to manage.

The Need for a Unified Cybersecurity Provider

At Nexplay Secure, it is our core belief that there is a pressing market need for a comprehensive cybersecurity provider that combines XDR capabilities with thorough network security and operations management. The inefficiencies of juggling multiple security service providers can lead to significant gaps in a company's cybersecurity posture. A unified approach provides streamlined, integrated security services, reducing complexity and enhancing the effectiveness of threat detection and response.

Benefits of Converging NOC and SOC Operations

· Enhanced Visibility and Rapid Response

The integration of Network Operations Center (NOC) and Security Operations Center (SOC) functions results in significantly enhanced visibility across the network and IT infrastructure. The NOC focuses on maintaining the secure configuration and patching of network nodes, the SOC is dedicated to security monitoring, and both work jointly on incident response. This dual visibility ensures that signs of security anomalies are detected more rapidly, allowing quicker responses to potential threats.

· Streamlined Operations and Reduced Complexity

Having a single provider manage both NOC and SOC simplifies the IT operations landscape considerably. Organizations often face challenges in managing multiple vendors that may have overlapping or disjointed responsibilities. This can lead to inefficiencies and gaps in both network management and security defenses. A unified provider eliminates these issues by offering a cohesive strategy that aligns network management with security protocols, leading to more streamlined and effective operations and incident response.

· Cost Efficiency and Resource Optimization

The convergence of NOC and SOC under a single provider also leads to better resource utilization and cost efficiency. Managing two separate operations requires more staff, tools, and separate management oversight, which can be cost-prohibitive, especially for small and medium-sized enterprises. By consolidating these services, companies can optimize their spending, leveraging shared resources like technology tools, expertise, and administrative overhead, which in turn can lead to significant cost savings.

· Improved Incident Management and Reduced Downtime

Integrating NOC and SOC services enhances the capability to manage incidents effectively. With combined resources, incident response can be both swifter and more comprehensive, addressing not only the security aspects of an incident but also its operational impact. For instance, when a network anomaly is detected, the integrated team can assess whether it is a security threat or a performance issue and address it accordingly. This reduces downtime and ensures business continuity, which is critical in the hospitality industry, where service availability directly impacts customer satisfaction and revenue.

· Proactive Security and Enhanced Threat Intelligence

A converged NOC and SOC can proactively enhance security measures by leveraging shared threat intelligence and coordinated security practices. The combined insights gathered from both network performance data and security data provide a richer context for making informed decisions about threat mitigation strategies, patch management, and other security practices.

Conclusion

The convergence of NOC and SOC functions into a unified framework offers numerous benefits, including enhanced visibility, streamlined operations, cost efficiency, improved incident management, proactive security measures, and the ability to provide customized, scalable solutions.

Nexplay Secure is leading this transformation in cybersecurity by delivering an all-encompassing solution tailored for the hospitality industry and broader SME and SMB. Our approach not only addresses today's challenges but also enhances accessibility—operationally and financially—by optimizing the total cost of cyber defense and facilitating reductions in cyber insurance premiums.

We invite industry leaders and IT executives to engage with Nexplay Secure to discover how our converged solutions can be tailored to meet specific organizational needs, providing enhanced protection and peace of mind in the face of the ever-evolving landscape of cyber threats.