Security Operations Center as a Service (SOCaaS)

The Security Operations Center performs 24/7 comprehensive monitoring for advanced cyber threats across on-premise networks, cloud environments, SaaS applications and endpoints, and event logs. The SOC has an internal group of senior analysts that conduct threat hunting in logs to improve detection capabilities and find anomalies that are not automatically detected. The SOC will be monitoring for the tactics and techniques based on a leading Cybersecurity framework. If an alert is generated based on the logs, an analyst examines the indicators of compromise. When an investigation cannot be ruled out as a false positive, the analyst sends Security Event Notifications to the affected organization. 

 

Initiation

  • High-level overview presentation 
  • Introductory meeting to SOCaaS 
  • Examination of the customer’s environment
k

Planning

  • Provide customer with system integration best practices
  • Consult with customer on prerequisite for configurations and installations
  • Validate customer integration

Monitoring/Detection

  • Comprehensive monitoring and detection of advanced cyber threats across multiple platforms 
CDT will:
Ingest security related network and endpoint logs
Notify customer of any detected security threats or events that require additional attention

 

Customers are expected to:
Comply with system requirements and prerequisites provided by CDT
Maintain a current list of contacts for CDT in the event a security threat/event is detected

Effective July 1, 2021, CDT received State of California General Funding to support essential CDT security services, including SOCaaS. At this time, there is no cost to State Departments for SOCaaS. 

  1. The customer submits the SOCaaS Case/Request to CDT.
  2. The Office of Information Security will review the Case/Request and schedule an intake meeting with the customer and process the Case/Request.

Direct questions related to submitting a case to your Account Lead.

For technical questions, email the Security Solutions Administration team at ciosecuritysolutions@state.ca.gov.

For Security Operations Center questions, email the SOC at CDTSOCNotify@state.ca.gov. To reach someone in the SOC by voice, call the SOC 24/7 hotline at 916-460-9954.

  1. What logs or data types can my organization send to the SOC?
      • Virtually any security related logs or data can be sent to the SOC; however, the SOC Engineering team will work with each organization to inventory, prioritize, and coordinate the ingestion of data. The SOC develops alerts based on the MITRE ATT&CK Framework, so the data types needed are largely determined by our implementation and usage of that framework.
  2. Regardless of log source or data type that our organization chooses to send, can you give us a commitment the logs will be retained for seven years, and we will have access to those logs in one method or another during an investigation regardless of whether or not we are still using this service?
      • Since most data requiring seven-year retention traverses the CDT network infrastructure, all CDT logs are automatically set to be retained for seven years. All organization indexes will also be set for seven years of retention unless otherwise requested. We maintain six months of data that is readily searchable and can pull data back from colder storage upon request.
  3.  How will my organization know that you are receiving our logs or data?
      • Once the SOC has begun the ingest process, dashboards and alerts will be created to notify our administration team if there is any interruption in the flow of data.
  4. Does the Statewide SOC monitor our logs only during business hours or is there extended coverage?
      • The CDT SOC is manned 24x7x365 and continuously monitors for hundreds of malicious tactics and techniques defined in the Mitre ATT&CK Framework.
  5. What type of activity is the SOC monitoring for and how will my organization be notified of suspicious activity?
      • The CDT SOC leverages the Mitre ATT&CK and Atomic Threat Coverage frameworks to continuously run hundreds of correlated searches across all indexes.  Correlated Searches that produce alerts are immediately fed into our case management system and picked up by an analyst for triage.  If the alert is determined to have the likelihood of being a “true positive”, a Security Event Notification (SEN) is sent via CalCSIRS.  For after-hours events deemed critical, CDT SOC personnel will attempt to contact designated organizational management and/or staff telephonically.  For less than critical alerts, the process listed earlier will be followed.
  6. If we need to run special queries or search our logs for troubleshooting purposes, can we be granted access to the SOC’s SIEM?
      • The CDT SOC can grant access for up to four staff.  CDT requires that these staff submit evidence of completion of the Splunk Fundamentals I online course.