Vermont plans to launch a new cybersecurity operations center, or SOC, by the spring of 2019, an investment the state hopes will give it greater resources to monitor for threats.
In the last legislative session, Gov. Phil Scott’s administration proposed and the state legislature approved the creation of the SOC, which will be developed and coordinated by the state’s Agency of Digital Services (ADS) to mitigate cybersecurity risks. Vermont is opening the SOC through a public-private partnership with Norwich University, which will help educate students and provide hands-on job experience with real threats and cutting-edge technology products, according to a press release. The partnership is expected to create job opportunities in Vermont.
The goal is to boost Vermont’s cybersecurity posture by providing the state with 24/7 threat monitoring capabilities. Currently, threats are monitored only during normal business hours, according to Vermont CIO John Quinn.
Vermont Partners with Norwich to Bolster Cybersecurity
The purpose of a SOC is to have a facility or functional area that monitors, assesses and defends enterprise information systems like websites, databases, networks and servers, according to a state implementation plan for the center.
“Compromises of networks often happen in minutes and the State is not structured to identify and respond in our current configuration,” the plan notes. “A SOC contains the people, processes, and technologies to provide situational awareness of threats to information systems.”
The SOC will also serve as “the coordination point for any incident response involving information systems, using tactics, techniques, and procedures (TTP) to monitor for cyber security events, establishing if the threat is an actual incident, and determining the severity of the incident along with potential business impacts.”
Currently, cybersecurity operations consist of analysts who work on tasks such as security system configuration, VPN changes, compliance assistance, intrusion detection monitoring at the internet boundary and vulnerability scanning. Services provided as needed include incident response, IT project security reviews, security design and policy input.
However, Vermont does not perform active, 24/7 event and log correlation monitoring, and does not collect logs and audit results in a centralized location. As a result, the state plan notes, incident response “is often slow while information is gathered and business unit impacts are determined before remediation can occur.”
Norwich University has a widely respected cybersecurity program. In 2017 the university was named a Center of Academic Excellence in Cyber Defense Education by the National Security Agency and Department of Homeland Security through 2022. Also, the Defense Department’s Cyber Crime Center certified Norwich as a National Center for Digital Forensic Academic Excellence.
According to the implementation plan, Norwich “will create the physical facilities, host the monitoring systems and software, and staff the monitoring with a mixture of full-time professional security analysts and students from its Cyber Security Program.”
The university is “uniquely qualified” for this mission, the state plan notes, due to its proximity to Montpelier, its cybersecurity apprenticeship program and other ongoing initiatives with the state, such as internship programs and network assessment exercises.
Vermont will provide network security sensor logs and other log data to Norwich and will have trained personnel to respond to any events identified through Norwich’s monitoring facility.
Vermont to Take Phased Approach to SOC Setup
The SOC is being implemented in phases. ADS is using the current phase, which runs through the end of the year, to order the network security sensor equipment and incident response gear. Staff training is also expected to start during this phase “to ensure personnel have the proper training and are ready to support the initiation of the VTSOC.” The SOC analyst and ADS leadership will collaborate with Norwich to provide guidance on systems and structure.
During the next phase, which will run through March 2019, Norwich will establish the physical center at the university and commence initial operations. Activities during this phase will include recruitment of full-time staff and students to fulfill critical threat analyst roles in the VTSOC.
ADS staff will participate in coordinated training events to build a cohesive team with the Norwich staff. ADS will provide input to the standard operating procedures and will collaborate and assist Norwich with establishing the national partnerships. Also during this phase, ADS will coordinate with MS-ISAC to incorporate its member services, further extending the state’s capability in cyber incident response and forensics investigation.
Between April and June 2019, Norwich and ADS will establish full operational capacity of the SOC, meaning it will be fully staffed with trained cybersecurity professionals delivering services and threat warnings.
Quinn told Government Technology that Gov. Scott has been “very supportive of the new agency and cybersecurity funding.”
“We were able to increase the budget last year. But he’s also expecting us to think outside of the box and come up with solutions,” Quinn said. “Creativity doesn’t necessarily cost money, often.”
Quinn said that the state has been happy with the interns Norwich has been sending, who are getting real-world experience.
“Right now, we’re still kind of going through the playbooks of how exactly it’s going to work,” Quinn said of the SOC. “But we’re excited about it, because it’s been, historically, an 8 to 5 security shop. Now we’re going to be a 24/7 shop.”