Statewide approach to cybersecurity monitoring in California brings better visibility, faster threat detection

Chief Information Security Officer Peter Liebert reveals how California is rethinking its strategy with the launch of its new Security Operations Center.

An upgrade is coming for the cybersecurity operation in the state that spends the most money on technology annually.

In July, California officially launched its Security Operations Center — a 24-hour-a-day unit tasked with monitoring threats from the state’s dozens of departments, agencies and offices. While the center had been in the works for the past several months, the SOC is now entering its second of four phases of growth, Chief Information Security Officer Peter Liebert told StateScoop.

The former FireEye senior product manager joined the state in 2016, and he describes the massive endeavor as a critical milestone as California braces for a continuing onslaught of new threats, malware, ransomware, viruses and phishing attacks. The first phase involved the installation of new cybersecurity equipment, while the second will expand protections and defenses. The third and fourth stages will provide a platform for the state to pilot new cybersecurity platforms and connect additional state organizations to the SOC defense systems.

“To use an analogy, launching the SOC is almost like creating a sports team,” Liebert told StateScoop. “We just hired the team, we brought all of our players in and we stood it up in July. So now we have to train with the team and we have to make sure that they’re working as a team.”


In the following interview with StateScoop, which has been edited for clarity, Liebert dives into further details about what the SOC represents for the state and next steps going forward:

StateScoop: What is unique about California’s Security Operations Center?

Peter Liebert: It is the first Security Operations Center looking at statewide traffic — and what I mean by that is state “.gov domains” — about 138 different departments and agencies and commissions and boards and the executive branch. This is the first one that is addressing it from across that scope. The statewide network, known as the California Government Enterprise Network (CGEN), handles about 70 to 80 percent of state web traffic, and so, it was a natural fit for the California Department of Technology to provide some protection and analysis so that any department or agency that is on CGEN is able to benefit from that.

StateScoop: Months after the launch of the center, where is the state now in terms of development?

Peter Liebert: [Now], in phase two, we’re rolling in endpoint detection data into the SOC as well as a log management component — that’s for the California Department of Technology (CDT) only. So for the CDT, we have the statewide data center as well as the statewide area network which we manage. The statewide data center has a ton of different customers and we have multiple different platforms in there. We’re actually in the midst right now of testing a couple of different endpoint solutions, and we’re going to be rolling out an endpoint detection suite on anyone having data within the managed services environment. 


Of course, in that data center as well there are a lot of different logs from the different appliances and there are network firewalls, and we’re pulling all those logs back — which provides us a really good contextual analysis of bad things happening. So, if we do see something trigger at the edge or if we see something on the endpoint itself — like a user’s laptop gets infected — we’re able to actually stitch together exactly what happened from that point in that data to our SOC. 

One of the other things we’re doing in phase two is we’re actually making machine-to-machine connections with our partners at the California Cybersecurity Integration Sharing Center (Cal-CSIC) and that’s run by the California Office of Emergency Services (OES). We’re partnering them with directly to have a machine-to-machine connection. They act like the coordinating SOC for the state because they’re not just worried about state .gov domains, but they also have to worry about things like the education folks, and the city and municipalities’ critical infrastructure. We act as a primary gateway for .gov domains and by linking our systems together, they’re about to get a really good comprehensive threat intelligence view of all the .gov domains across the state.

StateScoop: How do you envision the pilot with other state agencies outside of CDT working?

Peter Liebert: As we move into like phase 3 — which is toward the end of the fiscal year — we’re going to start linking in the other platforms that are out there. That’s a key component of establishing visibility across multiple departments and agencies and getting a complete view of the entire state. We have a couple of government entities that have already volunteered for that, and we’re looking forward to being able to stitch their systems and our systems together so that we can share threat information.

StateScoop: Looking at the big picture, what are some of the main challenges the state faces with cybersecurity?


Peter Liebert: We’re just scratching the surface in terms of visibility. I have a stretch goal that within the next three years I really want to try to achieve 100 percent network and endpoint visibility across the state. That doesn’t mean that we’re literally sitting there on the box and watching people do stuff, that means there is like an endpoint anti-virus trigger so we can get a certain metadata back and we’re able to correlate that with network alerts. 

But getting that visibility is very difficult. We’ve got 138 entities that we deal with just in the executive branch — what that means is it really is like 138 different security solutions. So, to have all those play along in a traditionally siloed environment is very difficult. That’s why we’re giving ourselves three years to really try to achieve that. It’s a long-haul effort.

To use an analogy, launching the SOC is almost like creating a sports team. We just hired the team, we brought all of our players in and we stood it up in July. So now we have to train with the team and we have to make sure that they’re working as a team. We’re getting everyone to communicate, we’re able to make sure that everyone is able to pass the ball, that they’re doing what they need to do just like a sports team does. And that’s something that will continually evolve as we move forward. The most difficult part was getting that team together and now the long haul effort is getting them to work together and really train that team up to a level where we’re able to provide the best possible security we can for the state.

StateScoop: So to close it out, how will the SOC help improve cybersecurity in the state?

The biggest return on investment we’re seeing right now is twofold. One, as I mentioned, for the first time you have statewide protection, detection and analysis. And so now we have really top-tier technology sitting on the edge of CGEN, which is the Internet ingress and egress points. By the end of the month we’re looking to be 24-by-seven. So we’ll have people watching all time. This was a challenge before. It was usually eight by five — which is great if you can tell the attacker, “Hey we’re going home now can you go ahead and stop attacking.” 


Now that we’re able to do a 24-by-7 perspective, soon we are able to provide continuous monitoring and prevention. We’re covering the gate, and the departments and agencies now have to focus inward and try to get their houses in order. But they don’t have to worry about that gate as much since we’ve got that covered. 

This is also a big deal because it means they don’t have to have their own separate security suite at the edge. They can get the benefit. I think the other key thing that we’re seeing is that partnering with Cal-CSIC, we’re able to provide a threat intelligence sharing platform across all .gov domains and really get a tailored intelligence for just specific state entities. That’s really critical, because that now allows us to act like an immune system. Whereas before, we had 138 or so different bodies and if one person got infected they could probably infect everyone else. We wouldn’t know until it was too late. But now that you’re actually able to bring those folks together and share information and get a machine-to-machine connection, we’ll be able to act as one immune system, so that if one person gets hit, we’re able to immediately be inoculated against that across the board.

Editor’s Note: This article was updated October 19 to add clarifying comments regarding the new state SOC’s interaction with Cal-CISC.

This story was featured in StateScoop Special Report: Cybersecurity: 2017 - A StateScoop Special Report

Latest Podcasts