Security Operations Center (SOC) Security Experts

TechNix LLC
MN, United States
Full-time

Position : Security Operations Center (SOC) Security Experts

Duration : 1 Year

Location : Minnesota (Remote)

Deliverable Project

Job Description :

The modernized SOC needs to complete and maintain documentation related to Incident Response Management in the form of an Incident Response Plan with enclosed playbooks.

The modernized SOC will use and maintain a philosophy of continuous process improvement. MNIT is seeking a vendor to initiate development of a glossary and assess, develop, gather approval for, and implement relevant policies and procedures.

Current SOC Overview

MNIT's current Security Operations Center (SOC) consists of the Information Security Incident Response Team (ISIRT) and Cyber Navigators (CN) within the Information Standards and Security Risk Management (ISRM) Division.

  • The current SOC is responsible for: planning, developing, and delivering incident response services; logging and monitoring; alert triage and investigation; threat response; remediation and recovery; and root-cause analysis across the executive branch and external governmental partners pertaining to the State of Minnesota's Whole-of-State mission and vision.

MNIT currently serves departments, agencies, boards, councils, and other pseudo state agencies, and governmental partners including counties, cities, tribal nations, and K-12 schools, protecting the data of 5.5 million Minnesotans and providing IT security for state employees, including MNIT staff. MNIT has more than 2,080 supported applications, 10,000 network devices, and 300+ hosted websites.

The SOC currently monitors approximately 50,000 endpoints for the executive branch and additional endpoints for governments throughout Minnesota.

The current SOC's services include :

  • Security Monitoring: log collection and analysis for entities / services participating in SOC services.
  • Security Incident Response: incident handling and response capabilities to assist with active cyber incidents impacting MNET networks or customers.
  • Intrusion Detection and Prevention: intrusion sensor monitoring for all activity between MNET resources and the Internet. Intrusion Prevention services are also available for entities on the MNIT Exec VRF.
  • NetFlow Monitoring: NetFlow monitoring and detection for all MNET networks.
  • Daily Security Brief: provided every weekday to update State and local partners on current cyber threats detected within and throughout the MN Government cyber network. Daily updates include attack indicators and malicious site / email information to allow partners to quickly identify and prevent potential threats within their environments.
  • Security Collaboration Group: the Minnesota Information Security Council is open to state and local cybersecurity partners and meets bi-monthly, with urgent updates on cyber issues shared by email.
  • Baseline Security Policies: State security policies shared and available for adoption by local agencies.
  • Web Content Filtering
  • Endpoint Protection / Endpoint Detection and Response

MNIT's environment overview :

Endpoint Detection and Response :

Tool : Endpoint detection and response (EDR) is a cybersecurity tool that uses behavioral analytics to automatically identify suspicious activity and provide real-time responses.

Process :

  • Reveal attackers.
  • Integrate with threat intelligence.
  • Isolate endpoints.
  • Record events and activities.
  • Provide real-time visibility into endpoints.
  • Speed up investigations.
  • Enable quick and decisive remediation.

Security Information and Event Management :

Tool : SIEM (Security Information and Event Management) is an on-premises solution that analyzes network activity and log events to provide visibility across a security environment.

It offers security intelligence capabilities such as threat hunting, security content, and advanced threat detection.

Process :

  • Advanced threat detection
  • Threat hunting
  • Ransomware
  • Compliance

MN Impact and utilization :

  • MNIT SOC processes up to 80 events per second and sends roughly 4 terabytes of data per day to the data lake.
  • MNIT SOC currently utilizes an on-premises SIEM solution.

Security Orchestration, Automation, and Response :

Tool : MNIT SOAR is a hybrid, cloud-based and on-premises security orchestration, automation, and response (SOAR) platform that helps manage security alerts and incidents.

SOAR centralizes security operations activities, automates response processes, and standardizes notifications to help mitigate risk and speed up resolution.

Process :

SOAR manages and automates the response to security alerts and incidents identified by existing monitoring and detection systems.

MNIT SOAR standardizes response and notification processes to mitigate risk, speed resolution and streamline communications through a purpose-built SecOps management dashboard.

A single interface enables the consolidation and visualization of threat intelligence and provides access to cases, reports, dashboards and metrics for individuals and teams.

  • Automation
  • Orchestration
  • Collecting and centralizing relevant event data.
  • Presenting consolidated incident response context
  • Initiating actions on third-party systems.
  • Case management
  • Reporting and Analytics

Deliverables :

Phase 1 Assessment and Roadmap

Perform a comprehensive assessment of current SOC capabilities and gaps, and build future-state recommendations on the work already done by MNIT and SOC teams. The vendor should :

  • Build on MNIT's current state assessment of the SOC workforce, infrastructure, processes, and capabilities.
  • Analyze existing technologies, tools, and methodologies utilized within the SOC.
  • Identify gaps, weaknesses, and areas for improvement in the current SOC environment.
  • Provide a holistic assessment based on the current state work already done and provide future state recommendations.
  • Benchmark MNIT against other large organizations similar in size and capabilities.

Provide an assessment report / strategic plan to MNIT with an implementation roadmap that includes at a minimum :

  • Recommended data management technical architecture, platform and management tools including identification of existing assets for reuse, modification and / or new assets to be acquired.
  • Recommendations for new or updates to existing standards, processes, and governance frameworks for managing the data platform.
  • Recommendations for organizing SOC's talent and skills to increase maturity, innovation, and support broadening the data analytic capabilities across the business.
  • Recommended migration plan for current data stores to be moved into a new data platform.
  • Risk Analysis and Mitigation Plan for the implementation of the recommended solution.
  • Opportunities to accelerate execution.
  • Critical technology investments required.
  • Critical success factors that balance speed of execution with long term approach to the architecture of the data platform and associated data.
  • Presentation of roadmap to key stakeholders

The implementation roadmap should be structured to allow for early and continual successes while maintaining movement toward a more robust analytics capability aligned with financial and resource availability.

Phase 2 Implementation and Transition (optional at State's discretion)

Technology evaluation and selection documentation, including vendor proposals and implementation plans :

  • Assist the State in evaluating modern cybersecurity technologies, including SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), XDR, threat intelligence platforms, and advanced analytics solutions.
  • Help ensure Generative AI is incorporated into future tool stack to enhance automation and productivity.
  • Assist the State in selecting appropriate technologies based on organizational requirements, budget constraints, and scalability considerations.
  • Help ensure compatibility and integration capabilities with existing IT infrastructure and security tools.
  • Provide appropriate documentation.

Security Operations & Incident Response Process Improvement :

  • Help the State improve incident response processes, including triage, investigation, containment, and remediation.
  • Conduct tabletop exercises and simulations to test and refine incident response procedures.
  • Provide appropriate documentation.

Proactive Threat Management

  • Assist in integrating threat intelligence feeds into the SOC environment to provide real-time information on emerging threats and vulnerabilities.
  • Assist in automating the ingestion and analysis of threat intelligence to improve incident detection and response.

Security Automation

  • Implementing automation (AI) and orchestration capabilities to streamline repetitive tasks and response actions.
  • Developing playbooks.
  • Developing workflows for common security incidents to enable faster response times.
  • Finalizing / documenting the Incident Response Plan.

Vendor Qualifications

MNIT is seeking a vendor who has :

  • Extensive experience in providing independent assessments.
  • Proven history of creating roadmaps for complex organizations.
  • Extensive access to industry related research and ability to conduct independent research.
  • Demonstrated knowledge of and proven success in the security operations industry.