Dec 03 2021

What Are Security Operations Centers and How Is Their Role Evolving in State Governments?

SOCs help state agencies manage a wide range of cybersecurity threats.

Earlier this fall at the annual conference of the National Association of State Chief Information Officers (NASCIO) in Seattle, CrowdStrike Executive Strategist Debbi Blyth, formerly Colorado CISO, extolled the value of machine learning, automation and threat intelligence in state government cybersecurity.

“The security operations center must evolve to incorporate all of those things,” Blyth said. That’s especially true in SOCs with small staffs, some of whom might be tempted to leave for the private sector.

Automation can help free up time for SOC staff to perform higher-level work. “There are better things for analysts to be doing with their time than looking at their monitors,” she said.

Although security operations centers have been a staple of state government cybersecurity efforts for years, they are evolving to meet an increasingly complex threat landscape.

What Does a Security Operations Center Do for Government Agencies?

Traditionally, a SOC has been thought of as a “facility where security information is housed, monitored and analyzed to protect data from cybersecurity threats,” as a U.S. General Services Administration blog post notes.

California launched a new SOC in 2017 to help the state stay ahead of threats. As a NASCIO report on the SOC notes, the center is colocated with the California Department of Technology’s statewide data center and “provides network protection and detection for all 100+ state entities utilizing the state’s wide area network as well as IT resources managed by CDT.”

As McAfee notes, a SOC serves as “the hub or central command post, taking in telemetry from across an organization’s IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside.”

As cybersecurity threats have evolved, government agencies have needed to collect additional context. “Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored,” McAfee notes. “For each of these events, the SOC must decide how they will be managed and acted upon.”


What Are the Components of a Security Operations Center?

SOCs are made up of both people and technology designed to monitor and block security threats to the government agency or a statewide enterprise.

“Depending on the enterprise, SOCs may also include team members with specific skills in forensic analysis, cryptanalysis, malware reverse engineering, and more,” a blog post from BMC notes.

“The team then has actual tasks, like monitoring and analyzing activity across servers and networks, endpoints, databases, applications, websites, and more — always looking to identify anomalies in activity which may indicate a security event occurred or may soon occur,” the post adds. “These tasks can be automated to certain degrees, too.”

A major and common component of a SOC is a security information and event management (SIEM) system, which helps analysts identify security threats and gives them greater visibility into the environment. SIEM platforms collect data from multiple sources, match events against known threat patterns, flag specific areas of concern and then trigger specific actions.

As BMC notes, a SIEM system “can include dozens of tools and processes to track and maintain security,” including data correlation from network discovery, firewalls and anti-virus detection, threat intelligence, intrusion detection and prevention systems, log management and more.

There are different ways to structure a SOC, depending on the agency’s objectives, according to the BMC post:

  • Control: This involves testing for weaknesses and ensuring compliance
  • Monitoring: This focuses on events and responding to them with log monitoring, SIEM administration and incident response
  • Operational: This approach focuses on identity and access management and security operations such as firewall administration


What Is the Difference Between a NOC and a SOC?

A SOC and a Network Operations Center (NOC) are related entities for government agencies but are distinct.

According to a blog post from Check Point, the NOC team is responsible for ensuring that the enterprise network infrastructure is capable of meeting the needs of the organization.

“Every organization uses the corporate network for certain purposes, and the NOC optimizes and troubleshoots the corporate network to ensure that it is capable of meeting the needs” of the organization, the post notes.

There are some key differences between a NOC and a SOC, the post notes. Those include a difference in objectives. While the SOC is focused purely on protecting the network and assets from threats, the NOC’s objective is to ensure “that the network is capable of meeting [service level agreements] during normal operations and addressing natural disruptions, such as service outages, natural disasters, etc.”

The NOC and the SOC are also monitoring against different adversaries, according to Check Point. “The NOC is primarily focused on preventing network interference by natural or not human-driven events,” according to the post. “This includes power outages, Internet outages, natural disasters, etc. SOC analysts, on the other hand, protect against human-driven disruptions. Their role is to identify, triage, and respond to cyberattacks that can disrupt operations or otherwise cause harm to the business.”

NOC and SOC analysts require similar skill sets, according to the post, including the ability to monitor the network and identify issues.

However, while NOC analysts focus on diagnosing and correcting “natural” issues within their infrastructure and optimizing network infrastructure, according to the post, SOC analysts are “tasked with protecting the organization against human actors and human-driven threats.” SOC analysts need to know how cyberattacks work and how to remediate infections.


How Are States Evolving Their Use of SOCs?

Recently, some states have taken steps to evolve their approach to SOCs. In October, Arizona Gov. Doug Ducey announced a new Cyber Command Center, which will serve as the state’s main hub for coordinating statewide cybersecurity operations, according to a press release.

“The center will be a central location for cybersecurity professionals and local, state and federal agencies to prevent and respond to cyberattacks,” the release states. “It will provide an ideal location to enhance public-private partnerships to protect Arizonans against cyberthreats.”

The changes in Arizona reflect a desire to better coordinate cybersecurity responses across the state. As StateScoop reports:

The new command center, officials said Monday, is meant to increase threat information sharing between state agencies, as well as their federal and local counterparts. Ducey’s announcement also rebranded a service known as the Arizona Cyber Information Program as the Arizona Information Sharing and Analysis Center, or AZ-ISAC.

Meanwhile, in neighboring California, the state earlier this year abandoned a model that previously required state agencies, departments and other government entities to “absorb the cost of mandated security services,” a state blog post notes. As of July 1, the state stopped billing for SOC services.

And in Texas, a new law earlier this year created a pilot program to test a regional security operations center on the campus of a state university, StateScoop reports. That law also created a new entity to verify the security of cloud services, dubbed TexRAMP.

“Cybersecurity has long been a priority here in Texas,” Texas CIO Amanda Crawford tells StateScoop. “This demonstrates a commitment the legislature and Gov. Abbott have that it remains a priority and becomes a reality. It’s a big bill and we’re excited to get it in action.”
