Efficiency Through NOC/SOC Convergence
Under pressure to cut costs while raising service levels? Two SecureInfo executives say the pot of gold might lie in consolidating your network and security operations centers.
By Yong-Gon Chon and Bill Jaeger, SecureInfo
December 13, 2007 — CSO —
Network Operations Centers (NOCs) and Security Operations Centers (SOCs) are the critical IT nerve centers of public and private enterprises throughout the world. Historically, NOCs and SOCs have functioned as separate entities serving different missions.
The NOC's purpose has always been to ensure "power, ping, and pipe" to computing resources, and it is measured primarily on uptime Service Level Agreements (SLAs). The SOC's purpose, by contrast, has been to "protect, detect, react, and recover," and it is measured primarily on response-time SLAs. Together, these two operations serve as the central nervous system and the immune system that keep IT assets available and intact. A variety of all too common factors routinely put those assets at risk, ranging from staff attrition, skill erosion, and rising salaries to regulatory mandates, privacy compromises, and intellectual property leakage. Every day, NOCs and SOCs are challenged to do more with less as cost-center funding struggles to keep pace with business growth. Leveraging the characteristics NOCs and SOCs already have in common to build a single group responsible for both functions can make limited budget dollars go farther and yield operational efficiencies.
NOCs and SOCs tend to share a similar operational structure: both are staffed as tiered call centers with monitoring teams and event (or incident) response teams. Junior analysts form the backbone of Tier 1 and are responsible for work orders, real-time monitoring, call handling, and the initial identification and triage of detected and reported events. Events that cannot be resolved at Tier 1 are escalated to senior Tier 2 staff for more detailed review and resolution. Tier 3 subject matter experts serve as the final escalation point for the most complex issues. The two staffs also share a core body of knowledge: complying with SLAs, escalating events, internetworking fundamentals, organizational goals, and troubleshooting.
Likewise, there are commonalities in NOC and SOC infrastructure and operations. Both require analyst workstations, call routing and management systems, facilities, service level agreements, standard operating procedures, workflow, and trouble ticketing. Some monitoring technologies can serve both groups as well, such as network-based anomaly detection that warns of unusual network behavior, or recurring health checks that confirm critical devices are still reachable. Rounding out the list are dual-use technologies that NOCs and SOCs each feel they should exclusively own, such as firewall, DNS, proxy, remote access, and VPN servers.
Differences exist between NOCs and SOCs despite the similarities. Required staff skills diverge beyond Tier 1: senior NOC staff require proficiency in network engineering, while senior SOC staff require security engineering. The tools and techniques used for monitoring and event analysis also differ, as does the interpretation of tool output. For example, a NOC analyst may read an event indicating a device outage as a sign of hardware failure, while a SOC analyst may read that same event as a sign of a compromised device. In other cases, high bandwidth utilization from legitimate traffic may prompt the NOC to take immediate steps to preserve availability, whereas the SOC will first question whether the traffic spike is legitimate and only then close the ticket as a non-event. Converging the NOC and SOC lets two previously disparate organizations collaborate on these everyday operational decisions, cutting the time and cost of making them.
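The two interpretations above (an outage as hardware failure versus an outage as a possible compromise, and a bandwidth spike as a capacity problem versus a traffic-validity question) are what a converged desk has to reconcile at Tier 1. The following is an added illustration, not code from the article or from SecureInfo: a small triage routine that takes a shared monitoring event plus the recent event history for the same device and produces both the NOC view and the SOC view, along with a single routing decision. The event types, the 30-minute lookback, the approved change window, the authentication-failure threshold, the list of known bulk flows, and the sample events are all constructed assumptions for the example.

```python
"""Converged NOC/SOC triage over shared monitoring events (illustrative).

All thresholds, event kinds and sample data below are constructed for the
example; they are not values from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Event:
    ts: datetime
    kind: str                 # "device_down", "config_change", "auth_failure", "bandwidth_spike"
    device: str
    detail: Dict[str, str] = field(default_factory=dict)

# Assumed desk context (hypothetical values).
LOOKBACK = timedelta(minutes=30)          # how far back to look for corroborating events
CHANGE_WINDOW = (2, 5)                    # approved maintenance hours, 02:00-05:00 local
AUTH_FAILURE_THRESHOLD = 5                # failures before an outage that warrant SOC review
KNOWN_BULK_FLOWS = {("10.0.5.20", "10.0.9.10")}  # e.g. a scheduled backup job (assumed)

def _preceding(history: List[Event], event: Event) -> List[Event]:
    """Events on the same device inside the lookback window before `event`."""
    return [e for e in history
            if e.device == event.device and event.ts - LOOKBACK <= e.ts < event.ts]

def triage(event: Event, history: List[Event]) -> Dict[str, object]:
    """Return the NOC reading, the SOC reading and where the ticket goes."""
    prior = _preceding(history, event)
    if event.kind == "device_down":
        indicators = []
        for e in prior:
            # A change made outside the approved window right before an outage
            # is exactly the signal a NOC alone would not weigh.
            if e.kind == "config_change" and not (CHANGE_WINDOW[0] <= e.ts.hour < CHANGE_WINDOW[1]):
                indicators.append(f"config change by {e.detail.get('user', '?')} outside change window")
        failures = sum(1 for e in prior if e.kind == "auth_failure")
        if failures >= AUTH_FAILURE_THRESHOLD:
            indicators.append(f"{failures} authentication failures before outage")
        if indicators:
            return {"route": "SOC+NOC", "tier": 2,
                    "noc_view": "possible hardware/link failure; preserve device state before swapping",
                    "soc_view": "possible compromise: " + "; ".join(indicators)}
        return {"route": "NOC", "tier": 1,
                "noc_view": "hardware/link failure; restore within uptime SLA",
                "soc_view": "no corroborating indicators in lookback window"}
    if event.kind == "bandwidth_spike":
        flow = (event.detail.get("src"), event.detail.get("dst"))
        if flow in KNOWN_BULK_FLOWS:
            return {"route": "NOC", "tier": 1,
                    "noc_view": "legitimate bulk transfer; ensure capacity",
                    "soc_view": "known flow; close as non-event"}
        return {"route": "SOC+NOC", "tier": 2,
                "noc_view": "hold capacity changes until traffic is validated",
                "soc_view": f"unrecognised flow {flow[0]}->{flow[1]}; validate before NOC acts"}
    return {"route": "NOC", "tier": 1, "noc_view": "standard work order", "soc_view": "n/a"}

# Constructed sample events for four scenarios (not real data).
T0 = datetime(2007, 12, 13, 14, 0)
HISTORY = [
    Event(T0 - timedelta(minutes=20), "config_change", "edge-rtr-01", {"user": "svc_backup"}),
] + [Event(T0 - timedelta(minutes=m), "auth_failure", "edge-rtr-02") for m in range(6, 0, -1)]

def triage_examples() -> Dict[str, Dict[str, object]]:
    """Run the four scenarios discussed in the text and return their triage results."""
    return {
        "outage_after_odd_change": triage(Event(T0, "device_down", "edge-rtr-01"), HISTORY),
        "outage_after_auth_failures": triage(Event(T0, "device_down", "edge-rtr-02"), HISTORY),
        "outage_no_indicators": triage(Event(T0, "device_down", "core-sw-01"), HISTORY),
        "spike_known_flow": triage(Event(T0, "bandwidth_spike", "core-sw-01",
                                         {"src": "10.0.5.20", "dst": "10.0.9.10"}), HISTORY),
        "spike_unknown_flow": triage(Event(T0, "bandwidth_spike", "core-sw-01",
                                           {"src": "10.0.7.33", "dst": "198.51.100.9"}), HISTORY),
    }

if __name__ == "__main__":
    for name, result in triage_examples().items():
        print(f"{name}: route={result['route']} tier={result['tier']}")
        print(f"  NOC: {result['noc_view']}")
        print(f"  SOC: {result['soc_view']}")
```

The point of the routine is that neither reading is discarded: an outage with no corroborating indicators goes to NOC Tier 1 as a plain restore, while an outage preceded by an out-of-window change or a burst of authentication failures is held for joint Tier 2 review so the device is not wiped and swapped before the SOC has looked at it. The bandwidth rule encodes the order of operations the article describes, with the SOC validating the traffic before the NOC adds capacity, except when the flow is already known.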