Industry View

Operation Combination

Looking for cost savings and better security? Merging your network operations center (NOC) and security operation center (SOC) could deliver.

By Yong-Gon Chon and Bill Jaeger, SecureInfo

March 03, 2008, CSO

Network operation centers (NOCs) and security operation centers (SOCs) are the critical IT nerve centers of public and private enterprises throughout the world. Historically, NOCs and SOCs functioned as separate entities serving different missions. The NOC’s purpose has always been to ensure “power, ping and pipe” to computing resources and is critically measured on uptime service-level agreements (SLAs). Conversely, the SOC’s purpose has been to “protect, detect, react and recover” and is critically measured on response time SLAs. Combined, these operations serve as both central nervous and immune systems to ensure the availability and integrity of IT assets. A variety of factors routinely put these IT assets at risk, from staff attrition, skill deprecation and rising salaries to regulatory mandates, privacy compromises and intellectual property leakage. NOCs and SOCs are challenged to do more with less as cost-center funding struggles to pace business growth. Leveraging common NOC and SOC characteristics to build a single group responsible for both functions can make limited budget dollars go farther and yield operational efficiencies.

NOCs and SOCs tend to have a similar operational structure, with both staffed using tiered call centers, monitoring and response teams. Junior analysts form the backbone of tier 1 and are responsible for work orders, real-time monitoring, call handling and initial identification and triage of detected and reported events. Events that can’t be triaged are escalated to senior, tier 2 staff for more detailed review and resolution. Tier 3 subject-matter experts serve as the final escalation point for the most complex of issues. Core knowledge is also shared by the staff, such as complying with SLAs, event escalation, internetworking fundamentals and troubleshooting.

NOC and SOC infrastructures and operations also share some common features. Both require analyst workstations, call routing and management systems, facilities, service-level agreements, standard operating procedures, workflow and trouble ticketing. Some shared monitoring technologies may also be used, such as network-based anomaly detection, to warn of unusual network behavior, or recurring health checks to ensure that critical devices are available. Rounding out the list are dual-use technologies that both NOCs and SOCs feel they should exclusively own—such as firewall, DNS, proxy, remote access and VPN (virtual private network) servers.

There are differences too. Required staff skills diverge beyond tier 1. Senior NOC staff require proficiency in network engineering, while senior SOC staff require security engineering. The tools and techniques used for monitoring and event analysis differ. For example, a NOC analyst may interpret an event indicating a device outage as an indicator of hardware failure. A SOC analyst may interpret that same event as an indicator of a compromised device. In other cases, high bandwidth utilization due to legitimate traffic may cause the NOC to immediately take steps to ensure availability, whereas the SOC may first question the validity of the traffic spike, then close the ticket as a nonevent. The convergence of NOC and SOC enables two previously disparate organizations to collaborate more effectively in making these everyday operational decisions.
