North Dakota CISO Michael Gregg assists government agency customers through his state’s security operations center.

Jan 31 2023

Security Operations Centers and Related Services Augment Slim Government Staff

State and local agencies engage bundled SOCaaS or individual services, such as security information and event management or security orchestration, automation and response.

A security operations center, or SOC, can be the nerve center of a strong state and local cybersecurity effort. SOC teams are charged with detecting, preventing, investigating and responding to cyberthreats, ideally with round-the-clock monitoring of an organization’s network.

That’s a lot for any state office or agency to take on. That’s why North Dakota CISO Michael Gregg runs the state’s SOC delivered as a service.

“We support the cities, the counties, the schools. We’ve said to them, why should you run separate tools? Why should you try to staff and manage your own SOC?” he says. “When they allow us to do that for them, we can achieve economies of scale and reduce the costs.”

While North Dakota’s SOC is a centralized service, others choose to acquire SOC as a Service (SOCaaS) from a vendor that handles all the monitoring and reporting. And even North Dakota turns to a cloud service provider to augment its SOC. In either case, analysts say, SOC as a Service can help bolster cybersecurity by alleviating the strain on overworked IT teams and by broadening the defenders’ view of the network.

“SOCaaS systems gather data from various other systems,” says Aarti Dhapte, a senior analyst at market analysis company Market Research Future. “Teams have access to various security points of intelligence and data feeds, which can be further used for strategic initiatives.”

Click the banner below to receive featured content and tech solutions by becoming an Insider.

Finding the Right Security Operations Tools for Your Agency

A robust SOC will have a range of tools for ensuring network health. These may include log collection and management tools that gather the information needed to drive effective security analyses. Such tools, in turn, support security information and event management (SIEM), which aggregates log data, looks for signs of attack and issues alerts.

The SOC may make use of endpoint detection and response tools, which aim to detect and contain threats to endpoints or hosts. Some may also use technologies such as user and entity behavior analytics, a machine learning approach to identifying variations from normal user behavior.

In North Dakota, Gregg adds to this a security orchestration, automation and response tool from Palo Alto Networks. SOAR makes it possible to coordinate, execute and automate tasks, all within a single platform.

Armed with these tools, a SOC team can perform a range of key functions. It will do proactive monitoring, including log file analysis and threat monitoring. The SOC will also coordinate the response to a cyber incident and can help ensure that government is meeting its compliance obligations in regard to cybersecurity.

The “as a service” model helps to make all this more readily available to Gregg’s agency customers.

Michael Gregg
Why should you try to staff and manage your own SOC?”

Michael Gregg CISO, North Dakota

Utilizing SOCaaS Strategies for Enhanced Network Monitoring

Commercial SOCaaS appealed to Jeshirl Brice, IT director for Monroe, La., who needed a way to manage her SOC operations with a limited staff. To that end, the city opted to purchase SOCaaS from Arctic Wolf.

“We have a very small IT team. It consists of about nine people — seven full-time and two college interns — and we provide IT support for over 600 users in various departments. We just don’t have the capability to do all the monitoring,” Brice says.

Arctic Wolf’s SOCaaS offering gives her 24/7 network monitoring, along with a concierge service staffed by experts who alert the IT team to potential problems and help it work through remediations.

“They have a managed detection and response option. They have a managed risk capability. They monitor our cloud resources, and they also have a managed security awareness program that we can use to train our employees,” Brice says.

EXPLORE: Employing asset management for successful continuous monitoring.

Brice was attracted to the SOCaaS offering partly because the Arctic Wolf solutions could augment, rather than replace, her existing cyber controls.

“Working for city government, we don’t have the funds to just keep buying different things. We were happy with what we had, and they were able to integrate with that,” she says.

With an outside entity effectively running the SOC, Brice can free up her staff to do more than just routine blocking and tackling, and she has better information in hand to help guide her efforts.

“This gives us increased visibility across our network,” she says. “It has an excellent reporting platform for upper management if they want to see what exactly is going on with the city. It gives us a security score: It lets us know how many open tickets we have, as well as our vulnerabilities, if we have any. I get a report every Monday morning, and I look at it with my team to see what we need to work on.”

North Dakota CISO Is Ramping Up Security Measures

In North Dakota, Gregg does much the same thing as he delivers his SOC operation as a service to a range of agencies and other stakeholders in state government.

In addition to the SOAR tool, he has equipped his SOC with technologies that include a SIEM solution, as well as endpoint detection and response, vulnerability analysis tools and threat hunting capabilities.

By centralizing the SOC and offering its services to participating agencies, Gregg helps the state deliver robust cyberdefense at a time when IT staffing is a challenge for governments.

DISCOVER: 5 ways for teleworkers to improve cyberdefenses.

“It’s hard for agencies to attract staff. There are not enough qualified people inside the state if each individual entity were to staff and run its own security services,” Gregg says. “We take that burden away from them.”

There’s a financial benefit as well: Through a deal with the North Dakota Insurance Reserve Fund, agencies that use the SOC service get a four percent reduction in their insurance costs.

“With the price of cyber insurance doubling or tripling over just the past year or two, our delivering the SOC capabilities allows these entities not only to get our expertise and tools for free but also to reduce their insurance costs and to lower their overall costs over time,” Gregg says.


The percentage of state CISOs reporting confidence in the cybersecurity services of private sector vendors

Source:, “Cybersecurity Survey of State CISOs Identifies Many Positive Trends,” Oct. 11, 2022
Photography by Robert Seale

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.