Know yourself, know your enemy.
That’s the guidance behind the City of Los Angeles’ shiny new integrated security operations center (ISOC), which is part of the city’s Cyber Intrusion Command Center (CICC) created by executive order by Mayor Eric Garcetti in 2013.
Tim Lee, CISO at the City of Los Angeles, took to the stage at the FireEye Cyber Defense Summit 2015 to outline the challenges that the metropolis faced in maintaining an optimized security posture.
“LA is the second-largest city in the nation,” he explained. “So it’s difficult to secure our assets. The CICC mandated that we coordinate our cybersecurity efforts city-wide, and coordinate any response to incidents.”
With 100,000+ devices generating information and security events at the rate of 20-50 events per second across 40 departments, that’s a tall order. And making things even more difficult was the fact that the city’s security infrastructure was siloed and not set up for information-sharing.
The city has four key departments—water and power, LA airport, the Port of Los Angeles and the IT Agency (ITA) – and they each have their own networks and security operations centers (SOCs). There was no centralized incident management platform and no integrated threat intelligence.
“We were faced with siloed SOCs, limited situational awareness and a lack of operational metrics,” Lee said. “Plus, we had an imbalance in response capability. Each team has a different skill level.”
That’s where the ISOC came into the picture, focused on providing centralized situational awareness and threat intelligence across each of the four key departments.
The project, which was a $1.86 million grant project, which the city was able to implement in just six months, has four major components. The framework design and implementation itself is the main pillar; based on FireEye technology, this carries out data collection and supports a threat intelligence portal that carries out another key component: threat intelligence sharing and analysis. The ISOC has eight analysts in addition to automated reporting.
Also, the project includes incident management and systems integration, and the ISOC facility design and installation.
The four key departments’ incident platforms feed into the ISOC, along FBI information, information from the Multi State Information Sharing and Analysis Center (MS-ISAC) and feeds from third-party independent vendors. Once the information is collated and analyzed, it’s fed back to the same stakeholders via dashboards for situational awareness and actionable threat intelligence.
“ISOC is not just about information collection,” Lee said. “We needed a system that allows our internal and external stakeholders to extract the information from ISOC directly with near-real-time, read-only dashboards that show the current security posture city-wide.”
He added, “Know yourself, know your enemy. We had two very simple and clear objectives—objectives that we’ve now successfully implemented.”