Case Study

Launching a Next-Generation Autonomous Security Operations Center to serve citizens makes North Dakota a respected leader in protecting its enterprise-scale network

Palo Alto Networks solutions and Professional Services help the state modernize and strengthen security for its citizens and systems

In brief


State of North Dakota Information Technology




United States of America

Featured products

Technology and IT services for 800,000 citizens and state organizations

Organization Size


  • Secure and protect North Dakota’s citizens’ data and the state’s network and systems.
  • Plan and build a Next-Generation Autonomous Security Operations Center (SOC) to fortify the state’s security posture.
  • Build resilient security capabilities to detect and defend against cyberthreats.
  • Automate tasks and processes with AI and ML for added protection and efficiency.
  • Cortex® XSOAR
  • Cortex® XDR™
  • Cortex® Xpanse™
  • SecOps transformation services
Download PDF Share

Though the population of North Dakota, hovering at around 800,000, makes it among the least densely populated states in the US, it has outsized ambitions to provide information technology services for its citizens and has had noteworthy, practically unparalleled, success among public sector IT programs.

The vision that’s guided North Dakota Information Technology (NDIT) to become a leader amongst its peers and early adopter of ground-breaking new technologies can be credited, in large part, to three people: Governor Doug Burgum, a former tech company executive; Chief Information Officer Shawn Riley, who has provided thought leadership to global enterprises; and Chief Information Security Officer Michael Gregg, the author of more than 35 books on cybersecurity.

Unlike in most other states, where each municipality, down to the county and city levels, builds and manages its own internet connectivity, North Dakota information technology is federated and resides in NDIT, which serves the entire state—urban centers and remote rural regions alike. The scale and complexity of its network—the equivalent of a Fortune 30 company in the private sector—makes securing North Dakota’s IT a matter of persistent urgency and the highest priority.

NDIT relies on Palo Alto Networks in its continuous journey to ensure and strengthen cybersecurity across the state. Palo Alto Networks has been a trusted partner for over a decade, helping NDIT to better secure its network, data centers, and citizens statewide.


Our great people are our most important resource. But adding more people isn’t the answer to achieving exceptional results. You’ve also got to have good processes and the right technology.

— Michael Gregg, Chief Information Security Officer, North Dakota Information Technology


Defending the network against rising global cybercrime

In keeping with North Dakota’s mission of transformation through technology, and to optimize its network defenses, NDIT has responsibility for cybersecurity and the protection of citizens’ information and the state’s data and systems.

The challenges facing NDIT are significant—the same as those facing any large enterprise with hundreds of thousands of users, thousands of integrations and applications, and innumerable endpoints. These include defending the network against breaches, adhering to regulations and compliance, maintaining an enterprise security architecture framework, and protecting data and user privacy.

As data has become central to citizens’ lives and the operations of state agencies and all the entities served by NDIT, the value of the data, both to stakeholders and cybercriminals, has increased. The global cybersecurity threat continues to grow as state-sponsored actors, social hacktivists, and criminals seek opportunities to exploit individuals and organizations. In 2021, the average total cost of a data breach increased by 10 percent, costing the world an estimated total of $6 trillion.

Costs are even higher for organizations that lag in security. By 2025, the losses caused by cybercrooks might reach $10.5 trillion. Today, rising cybercrime has elevated the need to increase security to both an imperative—and an opportunity.

NDIT has not been immune to the imprecations of growing global cybercrime. In 2021, NDIT detected and prevented 4.5 billion different threats—double the 2019 number. As an example, supply chain attacks have become a major threat vector for the state. During an average month, NDIT now experiences over five million cyberattacks originating from all over the world.

A comprehensive, unified defense strategy became necessary for NDIT to integrate new technologies, tools, and security services to meet the increasing security needs of the state and modernize security operations. The answer was planning, designing, and building its own Next-Generation Autonomous Security Operations Center (SOC), a centralized unit that manages security issues on both organizational and technical levels to fortify the state’s security posture.

In addition to funding, the primary challenges to launching a SOC require understanding and working through complex and interrelated issues pertaining to people, processes, and technology: strengthening each one of them and making all three work together as a single, streamlined, and modernized whole.

“Our great people are our most important resource,” said Michael Gregg, Chief Information Security Officer with North Dakota Information Technology. “But I would make the argument that people alone will never get you there. Adding more people isn’t the answer to achieving exceptional results. You’ve also got to have good processes and the right technology.”


Building a SOC from the ground up to strengthen security

NDIT’s carefully considered requirements list for its SOC illustrates determination to address the extraordinary difficulties of protecting and defending a massive network and its users at a time when, if cybercrime were a country, it would have the third-largest economy in the world.

The NDIT SOC needed to protect users against theft, damage, or destruction of data; lost productivity; disruption of the network; reputational harm; and many other related insults and injuries.

NDIT established key priorities for the SOC to build resilient security capabilities and detect and defend against cyberthreats, today and in the future: security awareness, endpoint protection, risk management, vulnerability analysis and management, and training for continuous improvements.

Leadership identified the need for enhanced cyber awareness, data sharing, and cyber skills development, also responding to stakeholders’ requests for dashboards for insights on their respective vulnerabilities and environments.

In addition, the SOC had to:

  • Provide the means to automate, with AI and ML, tasks and processes for added protection and efficiency to free up NDIT engineers and analysts to focus on the most urgent threats with a risk-based response.
  • Provide the means to automate, with AI and ML, tasks and processes for added protection and efficiency to free up NDIT engineers and analysts to focus on the most urgent threats with a risk-based response.
  • Resolve a backlog of thousands of items in security operations and introduce tools for keeping abreast of emerging threats.
  • Meet KPIs to provide measurable results, both before and after the SOC was operational.


A partnership and the tools to make the plan work

NDIT leadership and its teams engaged with Palo Alto Networks Professional Services on a three-year journey defined by the "Elements of Security Operations” framework, consisting of six phases and 84 elements.

The Palo Alto Networks SOC Transformation Services program identifies and puts into action the pieces needed to build a security organization for 24x7x365 visibility and response to meet the goals of any business.

Its phases are:

  1. Assess and Organize
  2. Roles, Responsibilities, and Interfaces
  3. Operational Enablement
  4. Proactive Visibility
  5. Autonomous Security Operations
  6. Continuous Improvement


Security is a marathon, not a sprint. Working closely with Palo Alto Networks Professional Services on our SOC, we’ve made gains that allow us to breathe easier and do more.

— Christopher Gergen, Cyber Analysis and Response Lead, North Dakota Information Technology

“From the beginning, we did a ‘Build-a-SOC’ workshop with Palo Alto Networks Professional Services,” recalls Lucas Pippenger, Active Defense Team Lead with NDIT. “We had many discussions, and that process established the baseline for what our team structure would look like. And through collaboration with the consultants, we developed our vision for the SOC—what we were aiming for and all we wanted to achieve.”

Beginning in the second phase, Palo Alto Networks consultants and automation specialists helped the NDIT team deploy Cortex® XSOAR, and Cortex XDR®. The Cortex XSOAR (Security Orchestration Automation and Response) solution integrates with other Palo Alto Networks tools already in use by NDIT—Cortex XDR Pro and Prevent, Cortex XDR Forensics, Cortex® XpanseTM, AutoFocusTM, and Managed Threat Hunting service—as well as with hundreds of the most effective security applications on the market today.

Offering a comprehensive endpoint security strategy, Cortex XDR was among the first solutions of its kind and is widely regarded as the most complete Endpoint Security Software as a Service for threat prevention, detection, and access controls spanning endpoint, IoT, network, and cloud apps.

A reorganization of the NDIT team established specialized teams—for example, a cyber infrastructure group, an automation engineering team, a threat intelligence team, and Red and Blue teams. The Red team plays offense and systematically looks for vulnerabilities that breach the SOC’s security defense through real-world attack techniques. The Blue team is on defense, working as incident response consultants and providing guidance on where to make improvements to stop sophisticated cyberattacks and threats.

“Security is a marathon, not a sprint,” acknowledges Christopher Gergen, Cyber Analysis and Response Lead with NDIT. “Before we were often in a firefighting mode. Working closely with Palo Alto Networks Professional Services on our SOC, we’ve made gains that allow us to breathe easier and do more. We’ll never have zero security incidents in our queue. What I preach to my team is that our goal should be to have only unique security incidents. Every time we have an incident of a certain type, we should be asking ourselves, How do we prevent this from occurring again? How can we detect it earlier or automate the process to respond to it?”

Across the engagement, Palo Alto Networks Professional Services, including Extended Experts (EEs), worked closely onsite with NDIT teams, advising on best practices and ways to implement the technology for comprehensive security, across detection, analysis, and response. The consultants also helped to develop a library of new playbooks with associated scripts.

Along the way, Palo Alto Networks identified numerous opportunities to introduce automations, significantly reducing manual tasks and the Mean Time to Respond (MTTR) to a wide range of threats. Most enterprises see more than 10,000 alerts per day and one-third of enterprise security teams see more than one million alerts per day. Automations allowed NDIT to streamline operations while increasing security.

With weekly table-top exercises run by Palo Alto Networks EEs, NDIT’s SecOps team was upskilled to respond to various threat scenarios and developed hands-on expertise in the new technologies and processes. By the time NDIT took over operations of the SOC, its teams had thorough training and could rely on clear and easy-to-follow documentation provided by Palo Alto Networks, including recommendations for continuous improvements.


We’re operating with about half the resources as a similarly sized Fortune 30 company, which allows the SOC team to focus on high-priority tasks that add value to the business.

— Michael Gregg, Chief Information Security Officer, North Dakota Information Technology


Automations and measurable improvements

The North Dakota SOC is now operating with a unified framework for cybersecurity to reinforce NDIT’s security operations and enable the state’s digital workforce. It has seen a significant and measurable improvement in the strength of its security posture and threat-hunting capability.

Many of the automations currently in place, including models in XSOAR, leverage AI and ML; this is the first SOC in the US to apply these advanced technologies, freeing up the SecOps team so they can be proactive rather than reactive.

NDIT now has a more transparent organizational structure, mapping to National Institute of Standards and Technology (NIST) frameworks and activities, which enable NDIT to apply the principles and best practices of risk management to improving the security and resilience of North Dakota’s critical cyber infrastructure.

Continuous improvements to serve and regional expansion

Using the entire Palo Alto Networks platform, NDIT is continuing to grow and adapt, with all the necessary resources of people, processes, and technology in proper alignment and balance to protect and defend against an ever-changing cyberthreat landscape.

“Palo Alto Networks’s Extended Experts and consultants helped us establish what a traditional SOC looks like,” says Travis Rossow, Security Analyst with NDIT. “We benefited from the recommendations and needed to let it run for a while. Then we talked to Palo Alto Networks about our unique situation and shifted some things, evolving the SOC to what it is today.”

Palo Alto Networks Professional Services continues to provide ongoing operational guidance, empowering NDIT teams to pursue a program of continuous improvement. NDIT is writing new automations and maturing its processes, including developing an onboarding plan for new analysts. It will be advancing to a new Purple Team organization, with members of the Red and Blue teams working together to share information and insights to improve the organization’s overall security.

NDIT continues to expand and improve its network and security services to greater numbers of North Dakota citizens and more underserved communities. The Mandan, Hidatsa, and Arikara (MHA) Nation, located on the Fort Berthold Indian Reservation in central North Dakota, was recently onboarded and is now receiving services.

In the future, NDIT plans to expand its SOC to provide services to a handful of other states in its US region. This initiative kicked off in June 2022 with a multi-state table-top exercise.

“My goal is always to deliver the most efficient services that we can to the state,” says Gregg. “We’ve gotten to operating with about half the resources as a similarly sized Fortune 30 company, which allows the SOC team to focus on high-priority tasks that add value to the business. That’s come through automation and revising code with machine learning. We’ve also benefited by applying the principle of the ‘Gemba Walk,’ a process used in lean management to empower everyone on the team, analysts and engineers alike, to make suggestions on how we can make continuous improvements and reduce the amount of time it takes to resolve an incident.”

Already a model IT organization, recognized and emulated by other states, NDIT underwent a massive transformation, adding a state-of-the-art SOC to its capabilities and functions. Palo Alto Networks Professional Services provided the design for the SOC, a road map for how to implement and operate it, and training for the NDIT team to become self-sufficient. Now, in continuing partnership with Palo Alto Networks, North Dakota Information Technology is able to do even more for the citizens of its state.

Find out more about how Palo Alto Networks’s best-in-class security solutions and Professional Services can help accelerate opportunities for your organization. Additional information is here .