Security Operations Center as a Service (SOCaaS)

Description

The California Department of Technology (CDT), Office of Information Security (OIS), Security Operations Center (SOC) performs 24/7/365 comprehensive monitoring for advanced cyber threats across on-premises networks, cloud environments, SaaS applications, endpoints, and event logs. The SOC has an internal group of senior analysts who conduct threat hunting in logs to improve detection capabilities and find anomalies that are not automatically detected. The SOC monitors for tactics and techniques based on the MITRE ATT&CK framework. When an investigation cannot be ruled out as a false positive, the analyst sends a Security Event Notification (SEN) to the organization.

Included

Monitoring, Detection and Notification

  • 24/7/365 monitoring of logs for security related anomalies.
  • 24/7/365 customer notification when events are detected that require attention.
  • Event notifications follow the Security Event Notification and Response Standard, SIMM 5335-A.
  • SOCaaS is offered as a federated integration:
    • The customer maintains control of and manages the SIEM in their own environment.
    • OIS assists with initial deployment and configuration of SIEM.
    • Customer owns and manages SIEM data, log retention, and access control.
    • The customer provisions federated access to OIS for access to their SIEM.
    • OIS supports the customer in Monitoring, Detection, and Alerting.

Administration

Federated Architecture

The federated architecture keeps the customer in full control of their data; the customer administers system logging for endpoints, servers, network, and non-standard devices. Additionally, the customer manages their SIEM, including, but not limited to, patching, updating servers, managing agents, monitoring performance, log retention, licensing, and storage. The customer manages their routine technology refreshes, backups, restores, and user account administration. In partnership with OIS, the customer shares their SIEM via federated access, and OIS provides 24x7x365 monitoring and detection activities, deployment of threat queries, and alerting. OIS periodically provides recommendations on optimizing log sources.

Onboarding

Onboarding proceeds through three phases: Initiation, Planning, and Monitoring/Detection.

Initiation and Planning:
  • Introductory meeting to SOCaaS
  • High-level overview presentation
  • Examination of the customer’s environment
  • Provide customer with system integration best practices
  • Consult with customer on prerequisites for configurations and installations
  • Validate customer integration

Monitoring/Detection:
  • Comprehensive monitoring and detection of advanced cyber threats across multiple platforms

Roles & Responsibilities

Shared responsibilities (CDT and Customer):
  • Initial onboarding and configuration of customer’s environment.
  • Identification and prioritization of available log sources in customer’s environment.

CDT responsibilities:
  • Supports the customer in threat monitoring, detection, and alerting as an extension of their Security Operations Center.
  • Monitors logs and notifies the customer of events that require attention. Event notifications follow the Security Event Notification (SEN) and Response Standard, SIMM 5335-A.
  • Notifies the customer of any planned service outages or disruptions.
  • Responsible for threat monitoring and detection.

Customer responsibilities:
  • Responsible for remediation and incident response. Incident response and forensics services are available separately through the California Cybersecurity Integration Center (Cal-CSIC).
  • Ensures technical SMEs are available for onboarding tasks and configuration changes in their environment.
  • Periodically reviews dashboards and ensures all necessary log sources are being ingested.
  • Notifies CDT when new log sources are deployed to ensure the necessary configurations and detection rules are applied.
  • Maintains a current list of contacts for CDT in the event a security threat/event is detected.

 

Rates

Effective July 1, 2021, CDT received State of California General Funding to support essential CDT security services, including SOCaaS. Costs associated with SOCaaS, Log Ingestion, and Log Retention will be applied as shown in the chart below.

State Customers onboarded prior to June 1, 2023

Service | Customer Cost Incurred | CDT Cost Incurred
Log Ingestion (first year): X
Log Ingestion (after one (1) year): X
Log Retention: X
SOCaaS Monitoring and Detection: X

All Other Customers (include State, Cities, Counties, Education, and other Public Sector Entities)

Service | Customer Cost Incurred | CDT Cost Incurred
Log Ingestion: X
Log Retention: X
SOCaaS Monitoring and Detection: X

Request Service

Service Level Objectives

The priority of log types includes, but is not limited to, the list below. As more log sources become available for the SOC to deploy threat detections against, the MITRE ATT&CK coverage will increase.

 

MITRE ATT&CK Coverage by Log Type

Priority 1: Logs
  • IAM (Access Management): Single Sign On, MFA
  • Host-based Collection (e.g. Windows Servers)
  • Security Controls: IDS, IPS, Email Quarantine, Endpoint Detection Response (Anti-Virus, Anti-Malware), Data Loss Prevention, VPN, Firewalls
  • Network Infrastructure: Routers, Switches, Domain Controllers, Wireless Access Points
  • Application Servers
  • Databases
  • Intranet Applications

Priority 2: Logs (Non-Log Infrastructure Information)
  • Configuration
  • Locations
  • Owners
  • Network Maps
  • Vulnerability Reports
  • Software Inventory

Priority 3: Information (Non-Log Business Information)
  • Business Process Mapping
  • Points of Contact
  • Partner Information
  • Dependencies

  • MITRE coverage depends on the extent of logs available in the SIEM. The MITRE Coverage table lists the most common logs. The greater the telemetry, the greater the percentage of MITRE threat detections that can be monitored.
  • Availability of customer SMEs for technical working sessions as needed.
  • Availability of necessary licensing and infrastructure resources in the customer’s environment.
  • Full and complete information provided in the customer onboarding survey.
  • Timely response to CDT requests for additional information.

For State entities, SEN response timeframes are outlined in the Security Event Notification and Response Standard (SIMM 5335-A). Please refer to the policy for detailed SEN response timeframes and escalation protocols.

SEN Level | SEN Acknowledgement Response | True/False Confirmation
Critical  | 1 clock hour                 | 2 clock hours
High      | 2 business hours             | 4 business hours
Medium    | 2 business hours             | 4 business hours
Low       | 8 business hours             | 16 business hours

A level is assigned to each Security Event Notification (SEN) by a SOC analyst to communicate the importance of the SEN, NOT incident severity/impact. The assigned level helps the recipient entity understand how fast they need to respond to the SEN. The levels are Critical (Red), High (Orange), and Medium (Yellow). The table below provides the criteria used to assign levels and examples for each:

Event Level | Criteria Used to Assign Level and Examples

Critical (Red): Exceptional events observed with 100% level of confidence of inbound and outbound attack traffic, traffic beaconing out, exfiltration of data, malicious payload, detonation of payload, ransomware.
  Example: Early signs of ransomware events, such as an asset observed trying to reach a Domain Controller and/or file shares, or lateral movements associated with establishing elevated privileges.

High (Orange): Indicators of compromise (IOCs) observed with a very high level of confidence, such as inbound attack traffic typically associated with malicious and successful attacks, but the SOC is unable to determine whether the entity has its own line of defense in place to block or stop the attack.
  Example: An active Distributed Denial of Service (DDoS) attack, where the SOC is unaware of the entity’s layered defense.

Medium (Yellow): Observed vulnerabilities with imminent threat and a very high level of confidence that they can and will be exploited if not remediated. Inbound attack traffic is not yet seen.
  Example: Meltdown, Spectre, or Emotet vulnerabilities.

Compliance

Continuous Security Monitoring Policy References

There are 4 policy sections in the State Administrative Manual (SAM), Section 5300, that specify the high-level requirements each State organization must satisfy for continuous security monitoring. Entities that cannot meet these requirements internally are expected to seek services that will help them comply and ultimately provide the critical visibility into their environments that these policies are intended to facilitate. The policy areas are as follows:

SAM 5335

Policy: Each state entity is responsible for continuous monitoring of its networks and other information assets for signs of attack, anomalies, and suspicious or inappropriate activities. Each state entity shall ensure:

1. An event logging and monitoring strategy, which provides for audit trails and auditability of events and appropriate segregation and separation of duties;
2. Event logging and log monitoring are performed with sufficient regularity that signs of attack, anomalies, and suspicious or inappropriate activities are identified and acted upon in a timely manner;
3. Sensors, agents, and security monitoring software are placed at strategic locations throughout the network;
4. Situational awareness information from security monitoring and event correlation tools is monitored to identify events that require investigation and response;
5. Potential security events are reported immediately to the security incident response team;
6. Response to security event notifications from OIS and other third parties complies with the Security Event Notification and Response Protocols, SIMM 5335-A.

     

SAM 5335.1

Introduction: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support state entity risk management decisions.

Policy: Each state entity shall develop a continuous monitoring strategy and implement a continuous monitoring program.

SAM 5335.2

Introduction: Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the right level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes of events. Each state entity may determine that information systems must have the capability to log every file access, both successful and unsuccessful, but not activate that capability except for specific circumstances due to the extreme burden on system performance.

Policy: Each state entity shall ensure that information systems are capable of being audited and that the events necessary to reconstruct transactions and support after-the-fact investigations are maintained. This includes the auditing necessary to cover related events, such as the various steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions in service-oriented architectures.

SAM 4983.1

Policy: Enrollment in CDT’s Security Operations Center (SOC) monitoring services for all IaaS and PaaS cloud services is required unless the entity has an approved CDT SOC exemption. Cybersecurity risks increase as state technology assets are moved from state-owned environments to vendor-hosted environments (Cloud). State entities moving technology assets to a vendor-hosted cloud environment must verify they meet the SAM Section 5335 policy requirements or enroll in CDT’s SOCaaS. The exemption process is used for entities to verify their compliance with SAM 5335.

Continuous Security Monitoring in Cal-Secure

Continuous security monitoring is a key strategic cybersecurity capability defined in Cal-Secure, the state’s multi-year cybersecurity roadmap. Cal-Secure calls for collaboration between CDT’s SOC, the California Cybersecurity Integration Center (Cal-CSIC), and all state entities to address threats across the state. These entities shall provide continuous security monitoring of all potential threats and ensure prompt response capabilities exist. This also means state entities must share vital threat intelligence with the Cal-CSIC in real time.

Cal-Secure Cybersecurity Key Initiatives: Create a portfolio of cybersecurity as-a-service offerings. Outcome: Implement common cybersecurity-as-a-service capabilities such as anti-phishing, security awareness and privacy training, and endpoint detection and response.

Cal-Secure Cybersecurity Key Initiatives: Provide all state entities with security operations services. Outcome: Create a constellation of existing state SOCs which act together as a network to share threat information and coordinate response activities.

Cal-Secure Cybersecurity Phase 2 Capabilities: Security Continuous Monitoring 24×7 and Cloud Security Monitoring.

Cal-Secure Technology Goal: Provide all state entities with security operations services.

CDT SOCaaS Integration Efforts

CDT’s SOCaaS program leverages a hierarchical approach that lets customers maintain control of their data within a local instance of a SIEM while still providing detection and response capabilities to CDT. The CDT SOC deploys customized detection rules into those local instances for 24×7 monitoring and response to potentially malicious activity. CDT continues to test and evaluate available application programming interfaces (APIs), but most do not allow the level of integration we require. The integration issues we typically encounter include:

• Detection rules that meet the level of MITRE ATT&CK Framework coverage we require, which varies based on the specific technical aspects and log sources of a given entity’s environment.
• Ability to deploy our detection rules in other SIEM environments.
• Ability to send and receive query results.
• Ability to perform detailed triage of alerts.

CDT’s Security Operations Engineering team continues to work with multiple SIEM vendors and integration partners to ensure state entities continue to mature their SOC capabilities and achieve the State’s requisite outcomes documented in Cal-Secure.

Cybersecurity remains a top priority for California, and the state continues to invest in important services and programs to ensure we preserve public trust by protecting critical state services and resident data. CDT continues to lead the state in these important endeavors with innovative services and collaboration opportunities intended to increase the state’s cybersecurity capabilities as referenced in Cal-Secure, the state’s multi-year cybersecurity roadmap.
     

CDT SOCaaS Compliance Benefits

Participation in SOCaaS helps State entities comply with the following statewide policies.

• SAM 4983.1: Cloud Computing Policy
• SAM 5335: Information Security Monitoring
• SAM 5335.1: Continuous Monitoring
• SAM 5335.2: Auditable Events
• SIMM 5315-B: Cloud Security Standard
• SIMM 5335-A: Security Event Notification and Response Standard

Participation in SOCaaS helps State entities support the following NIST Cybersecurity Framework objectives. These items are audited by the CDT Office of Information Security.

• CM-01: Networks and network services are monitored to find potentially adverse events
• AE-03: Information is correlated from multiple sources
• DP-1: Roles and responsibilities for detection are well defined to ensure accountability
• DP-3: Detection processes are tested
• DP-4: Event detection information is communicated

Participation in SOCaaS helps entities meet the Entity Log Generation and Retention objectives in the California Military Department ISA.

State entities that participate in SOCaaS typically see an improvement in their Cybersecurity Maturity Metric (CMM) score.

FAQs

1. If an organization is onboarded to SOCaaS, do they no longer need to monitor their own environment for malicious activity and security threats?

SOCaaS is a supplemental service designed to enhance the customer’s existing internal security operations, policies, and procedures. Customers are still responsible for following all applicable security best practices in their own environment.

2. If a customer receives a Security Event Notification (SEN) from CDT, does SOCaaS provide incident response, mitigation assistance, and post-incident forensic analysis?

SOCaaS does not include incident response, mitigation, or forensics. In the event of an incident, CDT will provide the customer all log artifacts relevant to the customer’s internal investigation. Incident response and forensics services are available separately through the California Cybersecurity Integration Center (Cal-CSIC).

3. What does the Federated model mean?

The Federated model gives customers control and ownership of their logs, and provides a faster, smoother onboarding process. The SIEM is deployed in the customer’s environment and the OIS SOC gets visibility into that environment.

4. What logs or data types can my organization send to CDT?

No logs are sent to CDT. All logs stay with the customer in their own environment.

5. How long are logs retained, and will we have access to those logs during an investigation regardless of whether we are still using this service?

Non-state customers manage their own log retention policies and control all access to their own data. State customers’ data will be retained for 90 days of searchable data (hot) and 91-180 days of warm storage. Data archiving is available to export logs to cold storage for retention up to 7 years. Thawing data from cold to hot may require additional processing time or costs depending on the nature of the request.

6. How will my organization know that you are receiving our logs or data?

Logs will populate in the customer’s SIEM and be viewable by the customer. CDT will validate that the appropriate provisioning is in place for the CDT SOC to see the logs that the customer has onboarded.

7. Does the CDT SOC monitor our logs only during business hours, or is there extended coverage?

The CDT SOC is staffed 24/7/365 and continuously monitors for hundreds of malicious tactics and techniques defined in the MITRE ATT&CK Framework.

8. What type of activity is the SOC monitoring for, and how will my organization be notified of suspicious activity?

The CDT SOC leverages the MITRE ATT&CK framework to look for malicious activity. If the alert is determined to have the likelihood of being a “true positive,” a Security Event Notification (SEN) is sent via a case management system. For after-hours events deemed critical, CDT SOC personnel will attempt to contact designated organizational management and/or staff by telephone.