The mission of IT-CNP’s Security Operations Center (SOC) is to protect against, detect, respond to, and recover from information security threats to federal, state, local government, and university information systems. Our SOC operates 24 hours a day, 7 days a week, 365 days a year (24x7x365) to monitor and protect the customers’ information systems and infrastructure. IT-CNP provides the following SOC operations services as part of its defense-in-depth service delivery:
Monitoring and Analysis Support
We investigate and positively identify anomalous events that are detected by security devices or reported to the SOC by external entities, system administrators, and the user community. Our SOC monitoring team actively reviews all SOC data feeds, analytical systems, sensor platforms, and output from other SOC tools, and provides written or oral findings reports to the customers’ designated officials for further investigation or action. Our SOC personnel monitor system status, escalate and report potential incidents, create and update SOC incident cases, and perform risk assessment analysis. We develop and fine-tune custom detection content, and tune the Security Information and Event Management (SIEM) system and IDS/IPS rules so that true positives are isolated and false positives are minimized.
Vulnerability Assessment Support
Our SOC vulnerability assessment analysts provide remote vulnerability assessment capabilities as a sustained, full-time program independent of incident detection, recovery, or reporting activities. Activities include full-knowledge, open-security assessment of customers’ web sites, enclaves, and systems. Our SOC works with system owners and system administrators to holistically examine the security architecture and vulnerabilities of their systems through security scans, examination of system configuration, review of system design documentation, and interviews. Our analysts use network and vulnerability scanning tools, as well as more intrusive techniques that interrogate systems directly for configuration and status.
Cyber Intelligence Support
IT-CNP SOC analyzes threat intelligence feeds from multiple sources that provide information and indicators on cyber threat activity, adversaries, and recommended mitigations. We analyze the threat information, determine the risk to customers’ information systems, and develop countermeasures to mitigate or disrupt the threat. Possible countermeasures include logical or physical isolation of involved systems, firewall blocks, DNS black holes, IP blocks, patch deployment, or account deactivation. Our SOC analysts apply their knowledge of adversary capabilities, intentions, tactics, and procedures to compile and distribute cyber intelligence reporting, fuse cyber intelligence data (indicators) into SOC monitoring systems, and provide situational awareness to other members of the SOC.
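As an added illustration of what fusing indicators into monitoring systems looks like in practice, the following Python script is example code written for this page, not IT-CNP’s tooling: it loads a small constructed indicator feed, normalizes it, matches constructed proxy, DNS and endpoint events against it, and groups the hits by the recommended countermeasure. The feed entries, event records, host names and the field-to-matcher mapping are all assumptions made for the example; the IP ranges are documentation addresses and the hash is made up.

```python
import ipaddress

# Constructed threat-intelligence feed for the example (documentation address ranges and a
# made-up hash, not real indicators). Each entry carries the countermeasure recommended for it.
THREAT_FEED = [
    {"type": "ipv4", "value": "203.0.113.0/24", "countermeasure": "firewall block"},
    {"type": "ipv4", "value": "198.51.100.77", "countermeasure": "IP block"},
    {"type": "domain", "value": "Bad-Example.test.", "countermeasure": "DNS black hole"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "countermeasure": "logical isolation"},
]


def load_feed(feed):
    """Normalize indicators once so matching is exact, case-insensitive and CIDR-aware."""
    networks, domains, hashes = [], {}, {}
    for entry in feed:
        kind, value, action = entry["type"], entry["value"].strip(), entry["countermeasure"]
        if kind == "ipv4":
            # strict=False tolerates host bits set in a range; a bare address becomes a /32
            networks.append((ipaddress.ip_network(value, strict=False), action))
        elif kind == "domain":
            domains[value.lower().rstrip(".")] = action
        elif kind == "sha256":
            hashes[value.lower()] = action
        else:
            raise ValueError(f"unsupported indicator type {kind!r}")
    return {"networks": networks, "domains": domains, "hashes": hashes}


def match_ip(ind, addr):
    """Return (indicator, countermeasure) if addr falls inside any listed network."""
    ip = ipaddress.ip_address(addr)
    for net, action in ind["networks"]:
        if ip in net:
            return str(net), action
    return None


def match_domain(ind, name):
    """Match the name or any parent label, so cdn.bad-example.test hits bad-example.test."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ind["domains"]:
            return candidate, ind["domains"][candidate]
    return None


def match_hash(ind, digest):
    action = ind["hashes"].get(digest.lower())
    return (digest.lower(), action) if action else None


# Assumed mapping of sensor event fields to the indicator type they are checked against.
FIELD_MATCHERS = {"dst_ip": match_ip, "query": match_domain, "sha256": match_hash}


def fuse_events(ind, events):
    """Run every event field through its matcher; emit one alert per matching field."""
    alerts = []
    for event in events:
        for field, matcher in FIELD_MATCHERS.items():
            if field in event:
                hit = matcher(ind, event[field])
                if hit:
                    alerts.append({"host": event["host"], "field": field, "observed": event[field],
                                   "indicator": hit[0], "countermeasure": hit[1]})
    return alerts


def countermeasure_plan(alerts):
    """Group affected hosts by recommended countermeasure for the response ticket."""
    plan = {}
    for alert in alerts:
        plan.setdefault(alert["countermeasure"], set()).add(alert["host"])
    return plan


# Constructed sensor events (proxy/firewall, DNS, endpoint) for the example.
SAMPLE_EVENTS = [
    {"host": "ws-014", "dst_ip": "203.0.113.45"},
    {"host": "ws-014", "query": "cdn.bad-example.test."},
    {"host": "srv-db1", "dst_ip": "192.0.2.10"},
    {"host": "ws-022", "query": "intranet.example.test"},
    {"host": "ws-022", "sha256": "0123456789abcdef" * 4},
    {"host": "ws-031", "dst_ip": "198.51.100.77"},
]

if __name__ == "__main__":
    indicators = load_feed(THREAT_FEED)
    hits = fuse_events(indicators, SAMPLE_EVENTS)
    for alert in hits:
        print(alert)
    print(countermeasure_plan(hits))
```

The normalization step is where most real-world indicator matching goes wrong: trailing dots and mixed case in domains, host bits set in CIDR ranges, and upper-case hex digests all produce silent misses unless they are canonicalized before comparison. Indicator feeds also age; in production the loaded set should carry a source and expiry so that a stale block does not outlive the threat it was meant to disrupt.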
Incident Assessment and Response Support
IT-CNP’s SOC coordinates with each customer’s Computer Security Incident Response Center (CSIRC), employees, contractors, and other pertinent parties as part of cyber incident impact assessment and recovery. Our incident response team is typically capable of deployment to a customer site within twelve (12) hours. In the rare instances where on-site deployment is not possible, support is delivered by phone and email or through remote system access. This service is provided in coordination with external service providers, system owners, administrators, and security personnel as appropriate. Our response team members maintain a set of portable vulnerability assessment, digital media analysis, and malware analysis tools to support high-impact critical incident response efforts.
Insider Threat Hunting Support
IT-CNP supports the detection, prevention, and response to threats posed by malicious, negligent, or compromised insiders by maintaining in-depth visibility into the customer’s information systems and a means of filtering and prioritizing threat data into concise, actionable intelligence. We provide advanced analysis and adversary hunting support to proactively uncover evidence of adversary presence on customers’ networks and individual computer systems. Our SOC analysts establish a baseline of normal user behavior, detect significant deviations from it, and are trained to recognize key insider threat technical indicators such as unauthorized privileged access attempts against sensitive data or an unauthorized network configuration change. Our SOC also provides a variety of add-on services, including Continuity of Operations Coordination, Intrusion Defense Chain Support, Penetration Testing Support, and Digital Media Forensic Analysis Support.
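To make the baseline-and-deviation approach concrete, the following Python script is an added example written for this page, not IT-CNP’s detection content. It builds a per-user profile (hosts used, active hours, peak daily volume) from a constructed audit log, then assesses later events for the two hard indicators named above (privileged access to sensitive data by an unauthorized user, and a network configuration change by a non-network account) as well as for deviations from the baseline (new host, off-hours activity, volume well above the baseline peak). The audit events, user and host names, sensitive path prefixes and the authorization tables are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime


def ev(ts, user, host, action, target, privileged=False):
    """Build one constructed audit record for the example."""
    return {"ts": ts, "user": user, "host": host, "action": action,
            "target": target, "privileged": privileged}


# Constructed baseline period: two quiet days establishing "normal" for each user.
BASELINE_LOG = [
    ev("2024-03-01T09:05:00", "jdoe", "ws-014", "read", "/home/jdoe/notes.txt"),
    ev("2024-03-01T14:20:00", "jdoe", "ws-014", "read", "/data/reports/feb.xlsx"),
    ev("2024-03-02T10:30:00", "jdoe", "ws-014", "write", "/home/jdoe/draft.docx"),
    ev("2024-03-02T14:45:00", "jdoe", "ws-014", "read", "/data/reports/feb.xlsx"),
    ev("2024-03-01T10:00:00", "dba1", "srv-db1", "read", "/data/finance/ledger.db", True),
    ev("2024-03-02T10:10:00", "dba1", "srv-db1", "write", "/data/finance/ledger.db", True),
]

# Constructed events the SOC is asked to assess against that baseline.
REVIEW_LOG = [
    ev("2024-03-04T10:15:00", "jdoe", "ws-014", "read", "/data/reports/q1.xlsx"),
    ev("2024-03-04T23:40:00", "jdoe", "ws-014", "read", "/data/pii/customers.csv", True),
    ev("2024-03-05T14:00:00", "jdoe", "ws-099", "netconfig_change", "fw-edge-01"),
    ev("2024-03-04T10:05:00", "dba1", "srv-db1", "read", "/data/finance/ledger.db", True),
    ev("2024-03-04T10:20:00", "tmp-admin", "srv-db1", "read", "/data/finance/ledger.db", True),
] + [ev(f"2024-03-06T14:{m:02d}:00", "jdoe", "ws-014", "read", "/data/reports/q1.xlsx")
     for m in range(0, 50, 10)]  # five reads in one day, well above jdoe's baseline volume

# Hypothetical authorization data: sensitive areas, who may use privileged access to which
# area, and which accounts are allowed to change network configuration.
SENSITIVE_PREFIXES = ("/data/pii/", "/data/finance/")
PRIVILEGED_AUTHORIZED = {"dba1": ("/data/finance/",)}
NETOPS_ACCOUNTS = {"netops1"}


def build_baseline(events):
    """Per-user profile of hosts, active hours and peak daily volume seen during the baseline."""
    profile = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        p = profile.setdefault(e["user"], {"hosts": set(), "hours": set(), "daily": defaultdict(int)})
        p["hosts"].add(e["host"])
        p["hours"].add(ts.hour)
        p["daily"][ts.date()] += 1
    for p in profile.values():
        p["max_daily"] = max(p["daily"].values())
    return profile


def assess(events, profile, volume_factor=2):
    """Return findings: hard insider-threat indicators plus deviations from the baseline."""
    findings = []
    day_counts = defaultdict(int)
    volume_flagged = set()  # flag a user's daily volume once, not on every further event
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, day = e["user"], ts.date()
        day_counts[(user, day)] += 1
        reasons = []
        # Hard indicator: privileged access to a sensitive area this user is not authorized for.
        # str.startswith(()) is False, so a user with no entry is always flagged.
        if e["privileged"] and e["target"].startswith(SENSITIVE_PREFIXES):
            if not e["target"].startswith(PRIVILEGED_AUTHORIZED.get(user, ())):
                reasons.append("unauthorized privileged access to sensitive data")
        # Hard indicator: network configuration change by an account outside network operations.
        if e["action"] == "netconfig_change" and user not in NETOPS_ACCOUNTS:
            reasons.append("unauthorized network configuration change")
        # Behavioral deviations from the user's own baseline.
        p = profile.get(user)
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["host"] not in p["hosts"]:
                reasons.append(f"new host {e['host']}")
            if ts.hour not in p["hours"]:
                reasons.append(f"off-baseline hour {ts.hour:02d}")
            if (day_counts[(user, day)] > volume_factor * p["max_daily"]
                    and (user, day) not in volume_flagged):
                volume_flagged.add((user, day))
                reasons.append("daily activity volume exceeds baseline")
        if reasons:
            findings.append({"ts": e["ts"], "user": user, "host": e["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(finding)
```

Two points the example is built to show: the hard indicators fire regardless of baseline (an account with no history at all is still flagged for privileged access to a sensitive area), and the behavioral checks are only as good as the baseline window, so a baseline that is too short will generate "new host" and "off-hours" noise for ordinary users and needs tuning before it is trusted.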