Touring the DMV Security Operations Center

At a secure location within an unidentified building, a team of analysts is using state-of-the-art tools to track Internet security logs and Web traffic; eradicate phishing campaigns; protect servers and critical infrastructure; and defend against other attack and intrusion vectors. The DMV calls the room the “SOC.”

The computer systems at California DMV contain what could be the biggest collection of personally identifiable information — names, addresses, credit card information, Social Security numbers — in all of state government. The DMV processes nearly 26 million drivers’ licenses, about 7 million ID cards, and 34 million registrations for vehicles and vessels.

It’s no wonder, then, that this trove of sensitive data and the DMV’s website can be a tempting target for malicious hackers and other nefarious actors. For instance, in 2013 the DMV was notified of a suspected attack on its credit processing infrastructure. Although DMV officials later asserted after a forensic investigation that no breach occurred, the incident convinced the department’s leadership to bolster its cyberpreparedness and response capabilities.

The result was the creation of DMV’s Security Operations Center, a new facility where the overarching goals are to actively manage security threats, vulnerabilities and incidents; reduce the impact of security incidents; and increase the department’s overall security posture.

With its low-slung fluorescent lights and rows of desks and cubicles, the center looks like a typical government office — except for the big-screen monitors mounted on one wall. The screens display real-time data from a variety of sources and systems, some of which DMV had at its disposal before the SOC went live in late 2015. Putting the tools all in one place, for the first time, is already paying dividends, officials say, because it now allows the security team to react more quickly, act proactively and find issues they wouldn’t otherwise.

The analysts sometimes stand up from their desks and gather around one of the screens to collaborate and study what could be a new threat. Some of the analysts — the team will eventually grow to 16 people (their identities aren’t readily public) — work during the day, others at night and some on swing shifts. The facility will be staffed around the clock, 24/7. In the SOC room, all of them access intelligence-based tools (the DMV will not disclose them publicly, either) that have been used in other settings, but rarely in government. The center’s centralized view of the DMV’s security landscape could be the first of its kind in California state government, the department says.

The state budget is funding the facility for the next two years. The DMV says its analysts already have rooted out cyberincidents at the SOC that are saving the department money or avoiding costs. So from purely a dollars-and-cents view, there likely will be at least some return on investment. But they concede it’s difficult to put an exact value on enhancing the DMV’s security posture as a whole. Officials say that it might make sense someday, if the SOC proves to have staying power, to bring in other state agencies and departments as customers, creating what could become a center of excellence.

From a wider perspective, the DMV says its Security Operations Center uses well-established standards, practices and guidelines from the National Institute of Standards and Technology, Department of Homeland Security, and the White House, similar to how other SOCs have been formed around the country. The department also believes the SOC aligns with the executive order Gov. Jerry Brown issued last year to strengthen the state of California’s cybersecurity coordination, as well as the federal Comprehensive National Cybersecurity Initiative.

“Moreover, we believe that we are positioning the SOC to integrate across the state government space as other facilities come online. Our goal is to function as a component of a statewide effort, sharing information, communicating real-time intelligence and working collaboratively to meet the threat against all state information assets and resources,” the DMV said in a statement.



This story is published in the fall 2016 issue of Techwire magazine.

 



Matt Williams was Managing Editor of Techwire from June 2014 through May 2017.