Security Operations Center as a Service (SOCaaS)

The Security Operations Center performs comprehensive 24/7 monitoring for advanced cyber threats across on-premises networks, cloud environments, SaaS applications and endpoints, and event logs. The SOC has an internal group of senior analysts who conduct threat hunting in logs to improve detection capabilities and find anomalies that are not automatically detected. The SOC monitors for tactics and techniques based on a leading cybersecurity framework. If an alert is generated based on the logs, an analyst examines the indicators of compromise. When an investigation cannot be ruled out as a false positive, the analyst sends Security Event Notifications to the affected organization.



  • High-level overview presentation 
  • Introductory meeting to SOCaaS 
  • Examination of the customer’s environment


  • Provide customer with system integration best practices
  • Consult with customer on prerequisites for configurations and installations
  • Validate customer integration


  • Comprehensive monitoring and detection of advanced cyber threats across multiple platforms 
Initial onboarding and configuration of customer’s environment. X X
Identification and prioritization of available log sources in customer’s environment. X X
Supports the customer in threat monitoring, detection and alerting as an extension of their Security Operations Center. X
Monitors logs and notifies the customer of events that require attention. Event notifications follow the Security Event Notification and Response Standard, SIMM 5335-A. X
Notifies the customer of any planned service outages or disruptions. X
Responsible for threat monitoring and detection. X
Responsible for Remediation and Incident Response. Incident response and forensics services are available separately through the California Cybersecurity Integration Center (Cal-CSIC). X
Ensures technical SMEs are available for onboarding tasks and configuration changes in their environment. X
Periodically reviews dashboards and ensures all necessary log sources are being ingested. X
Notifies CDT when new log sources are deployed to ensure the necessary configurations and detection rules are applied. X
Maintains a current list of contacts for CDT in the event a security threat/event is detected. X

Effective July 1, 2021, CDT received State of California General Funding to support essential CDT security services, including SOCaaS. At this time, there is no cost to State Departments for SOCaaS. 

  1. The customer submits the SOCaaS Intake Form to CDT.
  2. The Office of Information Security will review the Intake Form and schedule a meeting with the customer.

For technical questions, email the Security Solutions Administration team at

For Security Operations Center questions, email the SOC at To reach someone in the SOC by voice, call the SOC 24/7 hotline at 916-460-9954.

  1. What logs or data types can my organization send to the SOC?
      • Virtually any security related logs or data can be sent to the SOC; however, the SOC Engineering team will work with each organization to inventory, prioritize, and coordinate the ingestion of data. The SOC develops alerts based on the MITRE ATT&CK Framework, so the data types needed are largely determined by our implementation and usage of that framework.
  2. Regardless of log source or data type that our organization chooses to send, can you give us a commitment the logs will be retained for seven years, and we will have access to those logs in one method or another during an investigation regardless of whether or not we are still using this service?
      • Since most data requiring seven-year retention traverses the CDT network infrastructure, all CDT logs are automatically set to be retained for seven years. All organization indexes will also be set for seven years of retention unless otherwise requested. We maintain six months of data that is readily searchable and can pull data back from colder storage upon request.
  3. How will my organization know that you are receiving our logs or data?
      • Once the SOC has begun the ingest process, dashboards and alerts will be created to notify our administration team if there is any interruption in the flow of data.
  4. Does the Statewide SOC monitor our logs only during business hours or is there extended coverage?
      • The CDT SOC is staffed 24x7x365 and continuously monitors for hundreds of malicious tactics and techniques defined in the MITRE ATT&CK Framework.
  5. What type of activity is the SOC monitoring for and how will my organization be notified of suspicious activity?
      • The CDT SOC leverages the MITRE ATT&CK and Atomic Threat Coverage frameworks to continuously run hundreds of correlated searches across all indexes. Correlated searches that produce alerts are immediately fed into our case management system and picked up by an analyst for triage. If the alert is determined likely to be a “true positive”, a Security Event Notification (SEN) is sent via CalCSIRS. For after-hours events deemed critical, CDT SOC personnel will attempt to contact designated organizational management and/or staff by telephone. For less-than-critical alerts, the process listed earlier will be followed.
  6. If we need to run special queries or search our logs for troubleshooting purposes, can we be granted access to the SOC’s SIEM?
      • Customers are given full access to their log data for querying, reporting, and troubleshooting purposes.