Imagine this: A cleverly devised email evades your anti-spam filters and delivers a malicious link to several thousand state government email inboxes at 2 p.m. on a Saturday.
Or, a series of unexpected connections to South America are initiated from inside local government firewalls just after midnight on Sunday.
Or, several large file transfers to Asia containing gigabytes of sensitive data are flagged deep within your system logs at 9 p.m. one evening.
Now some questions: Assuming that your enterprise monitoring systems could learn about these events from key indicators, would the right technical staff be available to take action or start risk mitigation steps? How long would it take? Could your team react in time to stop security breaches from happening?
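The indicators in the scenarios above, worked into a small set of detection rules. This is an added example, not part of the original column or of any product it names: it covers the second and third scenarios (off-hours outbound connections to unexpected countries, and large aggregated outbound transfers) and the "how long would it take?" question, by computing how long an alert would wait for a team that is staffed only during business hours. The flow-log format, the sample lines, the expected-country list, the business hours and the byte threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (not from the column): where the agency expects traffic to go,
# when the team is at its desks, and what counts as a "large" outbound volume.
EXPECTED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time, Monday-Friday
LARGE_TRANSFER_BYTES = 1 * 1024 ** 3   # 1 GiB aggregated per (source host, country)

# Constructed flow-log lines: timestamp direction src dst dst_country bytes
# 2014-03-16 is a Sunday; 2014-03-18 is a Tuesday.
SAMPLE_FLOWS = """\
2014-03-14T10:15:02 outbound 10.2.0.15 93.184.216.34 US 4096
2014-03-16T00:07:41 outbound 10.1.4.22 198.51.100.7 BR 9200
2014-03-16T00:08:05 outbound 10.1.4.22 198.51.100.9 AR 7800
2014-03-16T00:09:30 outbound 10.1.4.22 198.51.100.12 BR 8100
2014-03-18T21:03:00 outbound 10.3.7.40 203.0.113.50 CN 900000000
2014-03-18T21:11:45 outbound 10.3.7.40 203.0.113.50 CN 950000000
2014-03-18T11:00:00 outbound 10.3.7.41 203.0.113.80 US 500000000
"""


@dataclass
class Flow:
    ts: datetime
    direction: str
    src: str
    dst: str
    country: str
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated constructed log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, dst, country, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), direction, src, dst, country, int(nbytes)))
    return flows


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS (the hours nobody is watching)."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_off_hours_unexpected_destinations(flows):
    """Scenario 2: outbound connections to unexpected countries outside business hours."""
    alerts = []
    for f in flows:
        if f.direction == "outbound" and f.country not in EXPECTED_COUNTRIES and off_hours(f.ts):
            alerts.append((f.ts.isoformat(), f.src, f.dst, f.country))
    return alerts


def detect_large_transfers(flows):
    """Scenario 3: aggregated outbound volume per (source host, country) over the threshold.
    Destination country is not filtered here: a large outbound transfer is worth a look
    regardless of where it goes."""
    totals = defaultdict(int)
    for f in flows:
        if f.direction == "outbound":
            totals[(f.src, f.country)] += f.nbytes
    return {key: total for key, total in totals.items() if total >= LARGE_TRANSFER_BYTES}


def minutes_until_staffed(ts_iso, staffed_24x7=False):
    """Minutes an alert raised at ts_iso waits before someone is on shift.
    A 24/7 SOC answers immediately; a business-hours team picks it up at the
    next weekday 07:00."""
    ts = datetime.fromisoformat(ts_iso)
    if staffed_24x7 or not off_hours(ts):
        return 0
    candidate = ts.replace(hour=BUSINESS_HOURS.start, minute=0, second=0, microsecond=0)
    if candidate <= ts:
        candidate += timedelta(days=1)
    while candidate.weekday() >= 5:
        candidate += timedelta(days=1)
    return int((candidate - ts).total_seconds() // 60)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in detect_off_hours_unexpected_destinations(flows):
        print("off-hours connection:", alert, "waits", minutes_until_staffed(alert[0]), "min")
    for (src, country), total in detect_large_transfers(flows).items():
        print(f"large transfer: {src} -> {country}: {total} bytes")
```

Run as a script, the Sunday-night connections to South America are flagged but, with a business-hours-only team, sit for more than thirty hours before anyone looks at them; the same alerts with `staffed_24x7=True` wait zero minutes. The thresholds and country list are the kind of tuning a real SOC does against its own baseline traffic, not fixed values.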
Cyberattacks keep coming. From spear-phishing emails to “drive-by” malware planted on websites to advanced persistent threats, cyberspace never sleeps. Technology organizations have for decades employed computer operators who work nights and weekends to back up mainframes, manage servers and monitor networks, but new security questions are now being asked in governments nationwide.
What can stop this new breed of time-sensitive cyberattacks? Do state and local governments have the skills and expertise (including people, processes and technology) to defend their data, critical infrastructure and systems every day? The bottom line: Does your government need a security operations center (SOC) that operates 24/7/365 to battle cyberattacks?
For a growing number of government executives and cybersecurity leaders, the answer is yes. States like Georgia are connecting their cybercenters with state fusion centers or general network operations.
What are the essential elements of a 21st-century SOC? While there are many detailed white papers on this topic, it’s essential to outline the mission, objectives, services and responsibilities. I like this mission statement from McAfee: “The SOC is responsible for monitoring, detecting and isolating incidents and the management of the organization’s security products, network devices, end-user devices and systems. This function is performed seven days a week, 24 hours per day. The SOC is the primary location of the staff and the systems dedicated for this function.”
Some services provided by a comprehensive SOC include: status monitoring and incident detection; initial diagnostics and incident isolation; problem correction; computing equipment and endpoint device monitoring; and work with third-party vendors.
The question facing government teams is how to realign against new cyberattack threats from adversaries that actively seek to penetrate your systems. Should new security capabilities be added to existing mainframe monitoring services, or should a new approach be taken?
Three basic options include: building your own SOC with government staff, outsourcing this function, or building a hybrid model with offerings from trusted partners and your team.
First, government enterprises must evaluate whether they have the in-house expertise to build an effective SOC, what types of training might be necessary, and whether they can recruit the right personnel. There are also integrators who can help establish the tools and processes required to maintain SOC operations.
Second, consider companies — like Symantec, McAfee, HP, IBM, AT&T and Unisys — that have been building worldwide SOCs for years across multiple business sectors. Some governments partner with an external company to run these functions, issuing RFPs for a managed SOC service.
Perhaps the most popular model is a hybrid of government and contractor staff in the SOC. Michigan is following this model as we build new 24/7 cybersecurity capabilities. The Multi-State Information Sharing and Analysis Center, U.S. Computer Emergency Readiness Team and the criminal justice community will also help us in offering security services.
A final thought: regardless of your SOC approach, you can never outsource government’s responsibility to protect citizen data. Public-sector security leaders will be held accountable, no matter which path you choose. My advice: Start thinking about a 24/7/365 SOC.