Security Operations Center as a Service (SOCaaS)
The California Department of Technology (CDT), Office of Information Security (OIS), Security Operations Center (SOC) performs 24/7/365 monitoring for advanced cyber threats across on-premises networks, cloud environments, SaaS applications, endpoints, and event logs. The SOC has an internal group of senior analysts who conduct threat hunting in logs to improve detection capabilities and to find anomalies that automated detections miss. The SOC monitors for adversary tactics and techniques as catalogued in the MITRE ATT&CK framework. When an investigation cannot be ruled out as a false positive, the analyst sends a Security Event Notification (SEN) to the affected organization.
Monitoring, Detection and Notification
- 24/7/365 monitoring of logs for security related anomalies.
- 24/7/365 customer notification when events are detected that require attention.
- Event notifications follow the Security Event Notification and Response Standard, SIMM 5335-A.
- SOCaaS is offered as a federated integration:
  - The customer maintains control of and manages the SIEM in their own environment.
  - OIS assists with initial deployment and configuration of the SIEM.
  - The customer owns and manages SIEM data, log retention, and access control.
  - The customer provisions federated access to OIS for access to their SIEM.
  - OIS supports the customer in monitoring, detection, and alerting.
The federated architecture keeps the customer in full control of their data: the customer administers system logging for endpoints, servers, network devices, and non-standard devices. The customer also manages their SIEM, including but not limited to patching, updating servers, managing agents, monitoring performance, log retention, licensing, and storage, and handles routine technology refreshes, backups, restores, and user account administration. In partnership with OIS, the customer shares their SIEM via federated access, and OIS provides 24/7/365 monitoring and detection, deployment of threat queries, and alerting. OIS periodically provides recommendations on optimizing log sources.
Comprehensive monitoring and detection of advanced cyber threats across multiple platforms

| Role | CDT | Customer |
|---|---|---|
| Initial onboarding and configuration of customer's environment. | X | X |
| Identification and prioritization of available log sources in customer's environment. | X | X |
| Supports the customer in threat monitoring, detection, and alerting as an extension of their Security Operations Center. | X | |
| Monitors logs and notifies the customer of events that require attention. Event notifications follow the Security Event Notification (SEN) and Response Standard, SIMM 5335-A. | X | |
| Notifies the customer of any planned service outages or disruptions. | X | |
| Responsible for threat monitoring and detection. | X | |
| Responsible for remediation and incident response. Incident response and forensics services are available separately through the California Cybersecurity Integration Center (Cal-CSIC). | | X |
| Ensures technical SMEs are available for onboarding tasks and configuration changes in their environment. | | X |
| Periodically reviews dashboards and ensures all necessary log sources are being ingested. | | X |
| Notifies CDT when new log sources are deployed to ensure the necessary configurations and detection rules are applied. | | X |
| Maintains a current list of contacts for CDT in the event a security threat/event is detected. | | X |
Effective July 1, 2021, CDT received State of California General Funding to support essential CDT security services, including SOCaaS. Costs associated with SOCaaS, log ingestion, and log retention are applied as shown in the tables below.
State Customers onboarded prior to June 1, 2023

| Service | Customer Cost Incurred | CDT Cost Incurred |
|---|---|---|
| Log Ingestion (first year) | | X |
| Log Ingestion (after one (1) year) | X | |
| Log Retention | X | |
| SOCaaS Monitoring and Detection | | X |

All Other Customers (including State, Cities, Counties, Education, and other Public Sector Entities)

| Service | Customer Cost Incurred | CDT Cost Incurred |
|---|---|---|
| Log Ingestion | X | |
| Log Retention | X | |
| SOCaaS Monitoring and Detection | | X |
The priority of log types includes, but is not limited to, the list below. As more log sources become available for the SOC to deploy threat detections against, MITRE ATT&CK coverage increases.
MITRE ATT&CK Coverage by Log Type
- IAM (Access Management)
- Non-Log Infrastructure Information
- Non-Log Business Information
- MITRE ATT&CK coverage depends on the extent of logs available in the SIEM. The coverage table lists the most common log types; the more telemetry the SIEM ingests, the greater the percentage of MITRE ATT&CK techniques the SOC can monitor for.
- Availability of customer SMEs for technical working sessions as needed.
- Availability of necessary licensing and infrastructure resources in customer’s environment.
- Full and complete information provided in the customer onboarding survey.
- Timely response to CDT requests for additional information.
State customers should refer to SIMM 5335-A for reporting requirements.
| SEN Level | SEN Acknowledgement | Response True/False Confirmation |
|---|---|---|
| Critical | 1 hour | 2 hours |
| High | 2 hours | 4 hours |
| Medium | 2 hours | 4 hours |
A level is assigned to each Security Event Notification (SEN) by a SOC analyst to communicate the importance of the SEN, NOT the severity or impact of the underlying incident. The assigned level tells the recipient entity how quickly it needs to respond to the SEN. The levels are Critical (Red), High (Orange), and Medium (Yellow). The table below gives the criteria used to assign each level, with examples:

| Event Level | Criteria Used to Assign Level and Examples |
|---|---|
| Critical (Red) | Exceptional events observed with 100% confidence: inbound and outbound attack traffic, traffic beaconing out, exfiltration of data, malicious payload, detonation of a payload, ransomware. Example: early signs of a ransomware event, such as an asset observed trying to reach a Domain Controller and/or file shares, or lateral movement associated with establishing elevated privileges. |
| High (Orange) | Indicators of compromise (IOCs) observed with a very high level of confidence, such as inbound attack traffic typically associated with malicious and successful attacks, but the SOC is unable to determine whether the entity has its own line of defense in place to block or stop the attack. Example: an active Distributed Denial of Service (DDoS) attack where the SOC is unaware of the entity's layered defenses. |
| Medium (Yellow) | Observed vulnerabilities with an imminent threat and a very high level of confidence that they can and will be exploited if not remediated; no inbound attack traffic has yet been seen. Example: the Meltdown/Spectre vulnerabilities, or Emotet. |
If an organization is onboarded to SOCaaS, do they no longer need to monitor their own environment for malicious activity and security threats?
SOCaaS is a supplemental service designed to enhance the customer’s existing internal security operations, policies, and procedures. Customers are still responsible for following all applicable security best practices in their own environment.
If a customer receives a Security Event Notification (SEN) from CDT, does SOCaaS provide incident response, mitigation assistance, and post-incident forensic analysis?
SOCaaS does not include incident response, mitigation, or forensics. In the event of an incident, CDT will provide the customer all log artifacts relevant to the customer’s internal investigation. Incident response and forensics services are available separately through the California Cybersecurity Integration Center (Cal-CSIC).
What does Federated model mean?
The Federated model gives customers control and ownership of their logs, and provides a faster, smoother onboarding process. The SIEM is deployed in the customer’s environment and the OIS SOC gets visibility into that environment.
What logs or data types can my organization send to CDT?
No logs are sent to CDT. All logs stay with the customer in their own environment.
How long are logs retained, and will we have access to those logs during an investigation regardless of whether we are still using this service?
Non-state customers manage their own log retention policies and control all access to their own data. State customers' data is retained for 90 days in searchable (hot) storage and from day 91 to day 180 in warm storage. Data archiving is available to export logs to cold storage for retention of up to 7 years. Thawing data from cold to hot may require additional processing time or cost depending on the nature of the request.
How will my organization know that you are receiving our logs or data?
Logs will populate in the customer’s SIEM and be viewable by the customer. CDT will validate that the appropriate provisioning is in place for the CDT SOC to see the logs that the customer has onboarded.
Does the CDT SOC monitor our logs only during business hours or is there extended coverage?
The CDT SOC is staffed 24/7/365 and continuously monitors for hundreds of malicious tactics and techniques defined in the MITRE ATT&CK Framework.
What type of activity is the SOC monitoring for and how will my organization be notified of suspicious activity?
The CDT SOC uses the MITRE ATT&CK framework to look for malicious activity. If an alert is judged likely to be a true positive, a Security Event Notification (SEN) is sent via a case management system. For after-hours events deemed critical, CDT SOC personnel will attempt to contact designated organizational management and/or staff by telephone.