At a high level, the SOC will employ Intrusion Protection Systems (IPS) and Intrusion Detection Systems (IDS) to guard three egress and ingress points on the CGEN network.
"The idea is we can block bad traffic if it's known previously and we can also detect across this traffic to determine if there's evil going on within the environment, and then, accordingly, provide rules," said Peter Liebert, the state's chief information security officer, during a Department of Technology customer forum last week.
Liebert summarized the solutions the SOC is standing up:
1. The correlation engine, he said, is going to be Splunk. "The correlation engine will be ingesting all the traffic or alerts from the IPS and IDS, and then allowing our analysts in the SOC to go through and see what's going on — and conduct investigations based on that traffic," Liebert said.
2. They're in the process of procuring a workflow engine, and well as determining an IDS vendor. The workflow engine will enable analysts to send tickets through the enterprise in order to take action.
3. Third-party intelligence also will be piped into the SOC, Liebert said, and they're still determining what platform that will be. They're also considering a pilot of an email platform for security.
4. The SOC is staffing up now, and the state of California is looking at partnering with the Military Department to bring in some state active-duty personnel to round out the personnel at the SOC, Liebert said. In fiscal year 2017-18, there's potential for a managed security service provider (MSSP) contract to provide an "overwatch" capacity for the SOC, as well as some additional contractor expertise to augment the SOC on an as-needed basis.
5. Liebert said there has been another bid on the street recently for a contractor to help build out the processes, procedures and playbook for the SOC and its operations. That agreement could be wrapped up at the end of May, he said.
Liebert added that California will be standing up an "IPS Governance Group" again to gather input from state agencies and departments. The reason: If you block something at the edge, it affects everyone, so they'll decide what they will and won't block at an enterprise level.
Here's an overview of the SOC from Liebert's presentation:
