Integrated NOC and SOC Operations: Is it the Way Forward?
Every organization has seen a marked proliferation of connected devices – from traditional personal computers and mobile devices to the more recent connected devices driven by the adoption of Internet of Things (IoT) and related technologies. While the rate of this growth was relatively slow in the first half of the decade, the 2020 “State of the Connected World” report from the World Economic Forum predicts over 41 billion devices by 2025. Because of this trend, enterprise network topologies are becoming increasingly complex, a phenomenon that is exacerbated by an increasingly mobile and remote workforce. At such an inflection point, it is natural for IT leaders to rethink the organization of their traditional Network Operations Center (NOC) and Security Operations Center (SOC).
The NOC evolved from an era when organizations predominantly maintained on-premises hardware. Its primary responsibilities started off with monitoring the enterprise network for outages originating from internal as well as external sources. In addition, the NOC looked after server, network, and device management, including installing software, applying patches, and ensuring distribution to all enterprise devices. As networks became more sophisticated over time, the NOC’s remit broadened to security monitoring and threat analysis using various tools, working closely with the Security Operations Center (SOC).
“The lines between them (SOC-NOC) are becoming increasingly unclear as more advanced cyberattacks tend to freely jump between attack surfaces of different IT equipment.”
The perpetual push to make the world more elastic and flexible has dramatically increased the complexity of the enterprise IT landscape. From developing adaptable virtual environments and architecting multi-cloud infrastructure to managing a growing number of endpoints, the operational pressure on the NOC has never been greater.
It is not just the NOC that has been overwhelmed by increasing complexity. The Security Operations Center (SOC), the nerve center responsible for securing the enterprise digital estate, has experienced a similar rise in workload with the proliferation of digital endpoints and infrastructure complexity. Performing comprehensive, real-time monitoring of endpoints, networks, and multi-cloud infrastructure to identify and deter threats before they can impact business as usual is a demanding ask. It does not stop there: the remit goes on to include real-time monitoring, threat analysis, investigation of sources, and reporting on vulnerabilities with forward-looking risk mitigation plans. In short, SOCs are dealing with problems in real time while constantly devising plans to improve the enterprise digital estate, at a scale unimagined until recently.
Organizations have historically drawn a hard line between the NOC and SOC, often to their detriment. While both groups are responsible for identifying, thwarting, and investigating issues, the types of problems each deals with, and their potential impacts, are considerably different. Specifically, the NOC is responsible for handling incidents that affect performance and availability, while the SOC works on incidents that affect the security of information assets. The goal of each is to manage risk; however, the way they accomplish this goal is markedly different.
Case for convergence to an Integrated NOC/SOC
While these two groups ultimately serve different functions for an enterprise, significant overlaps do exist, and SOCs and NOCs will typically need to collaborate in the event of an incident or emergency. Both NOCs and SOCs have incident response teams, call centers, and monitoring. Both centers work hard to assure the integrity and availability of enterprise IT assets. Yet, despite this somewhat symbiotic relationship, only a small percentage of enterprises truly integrate these functions. Recent trends in the responsibilities handled by these seemingly disparate entities point to a convergence of the two groups. Let us examine a few.
Unified Cross-Domain Visibility
Unified operations allow NOC and SOC administrators to have visibility of both domains simultaneously, often getting a composite view of issues that would not have been possible in a siloed arrangement. This allows analysts to deep-dive into either security or network issues from one interface and to explore cross-domain incidents that involve both. Response times are lower when the entire operation is orchestrated and acts as a single entity.
AIOps and Automation
With an increasing amount of data at their disposal, automation and artificial intelligence can play an ever-increasing role in managing security and network efficiency. With efficiently captured, cleansed data, training threat-detection and predictive network-outage models becomes easier, giving additional reinforcement to NOC and SOC teams that are continually pressed for resources.
Reduced Costs, Increased Resources, and Faster Response
Bad actors and networks have one thing in common: they operate around the clock. This means businesses need to have separate network and security facilities, tools, infrastructure, and people available 24/7 to ensure their networks and business remain safe and functional. By unifying security and network functions, duplicate costs are eliminated and overlapping expenses are consolidated. A unified operations center also eliminates redundant tasks, such as coordinating disparate functions and maintaining independent reporting, budgeting, and compliance.
Realization
In theory, the argument for converging the NOC and SOC is compelling. However, how do organizations carry out the actual implementation and ensure they accrue the promised benefits? To do this, organizations should look at such an integration on three different levels.
At the organizational level, a combined setup would prioritize cross-correlation of data, helping organizations identify threat and disruption patterns from shared NOC/SOC monitoring tools. Such contextually rich data would enable triage and collaboration across the entire NOC/SOC operation and increase the combined efficacy of the merged operation.
Secondly, the integration must work at the systems level. This means that previously drafted standard operating procedures (SOPs) and service level agreements (SLAs) must now reflect the joint responsibility of the NOC/SOC operation. A crucial part of this integration is process reengineering that streamlines legacy processes to reduce redundancies rather than eliminating them, and that designs an audit schedule for these processes.
“Integration of both (security and network) groups at the frontlines of defense in many organizations could potentially be the best way to lower costs, increase efficiency and optimize resources.”
Thirdly, the integration must be distributed through integrated tools and dashboards. The unified team should carry no baggage from the legacy demarcation between NOC and SOC, and the best way to ensure that is to assign accountability for each key performance indicator (KPI) in each area.
The most significant efficiency gains from creating an integrated NOC/SOC are typically felt in Tier 1 operations. This gain is amplified when automation is strategically applied to highly repetitive processes, and IT leaders can use this to prioritize the convergence process.
A word of caution
Organizations and IT leaders must recognize that reorganizing the NOC and SOC into a single entity is neither a silver bullet for running a secure and reliable IT operation nor a trivial exercise. Security and network boundaries must be established to avoid creating new overlaps or introducing new blind spots that go unattended by either team.
Especially crucial are the cross-domain procedures that must be created or updated to drive workflows aligned with the new operational architecture. Visibility and the ability to react depend on best-in-class tools, which need to be evaluated and adopted with agreed KPIs and lines of accountability. At the same time, the essential tools used for security and network operations should be integrated into the unified platform to simplify access and use and to maximize their adoption value. Cross-training and knowledge exchange between network and security experts should be institutionalized and monitored on a continuous basis. Finally, as with every decision, timing is crucial. Deciding exactly when to migrate to a unified operations center is a complex decision, and all necessary considerations must be weighed while planning the strategic shift.