Bridging the Gap Between Network and Security Operations


Managing today’s increasingly distributed and complex networks is taxing even the best-funded IT teams. The ongoing requirement to adapt the network to the demands of the new digital marketplace has engineers who traditionally focused on managing the core network now developing virtualized environments, architecting cloud infrastructures, and managing growing volumes of endpoint and IoT devices connecting to the network. And as the network becomes more distributed and fragmented, providing consistent security across it is also becoming increasingly difficult.

One of the key challenges is the growing cyber skills gap. Both security and IT teams are being challenged by resource constraints even as workloads and the rate of cyber threats continue to rise in scope and complexity. According to a recent Global Information Security Workforce Study, the cybersecurity workforce gap is expected to reach 1.8 million by 2022, with 66% of the respondents reporting not having enough workers to address current threats.

With resources being constrained right in the middle of one of the most dramatic transformations of the network, the traditional approach of throwing more technology at the problem isn’t viable. But that is exactly what is happening. That’s because network projects are increasingly being siloed. In many organizations, distributed data centers, cloud architectures, IT/OT convergence, rapid consumer and employee application development, and massive IoT implementations are being run as separate projects, and often with their own set of network and security technologies being deployed as part of the solution. In such an environment, visibility and control are far too often traded for expediency.

NOCs and SOCs

Because organizations understand that they are unlikely to get more of the kind of resources they need to expand their team or scale to meet shifting needs, most start by thinking about process improvement, doubling down on skills and expertise where possible while hoping to make up for areas of deficiency with solutions like a centralized NOC and/or SOC.

NOCs tend to focus on operational efficiency, allowing IT teams to better coordinate and automate operations and manage things such as assets and versioning, users and privileges, connectivity and access, and auditing and compliance. SOCs, on the other hand, are used to discover, identify, correlate, and defend against threats more quickly. They focus on attacks and vulnerabilities, compromised users and servers, incident response and remediation, and risk management and mitigation.

The challenge with this siloed approach is that the teams running these solutions tend to focus on only half of the equation. The gaps between these approaches, and specifically the data the two teams don’t share, can leave gaps in the knowledge needed to do either job as effectively as needed. Far too often the result is either crippled network performance, caused by security bottlenecks that don’t take operational efficiencies or requirements into account, or network designs that leave critical resources vulnerable and exposed.

As IT increasingly needs to support and secure complex applications and workflows spread across a variety of systems, often in multiple locations, from endpoint devices to distributed data centers to the multi-cloud, these increasingly complex and distributed environments demand a new approach that brings visibility and control into the NOC, and workflow and response automation into the SOC.

Such a NOC-SOC approach would combine the management and configuration of appliances with the aggregation of cyber events into a single, integrated solution with a unified dashboard and workflows. This would allow organizations to focus on the bigger picture of “secure throughput,” allowing operations to be streamlined while critical security insights are simultaneously uncovered.

Bridging the Gap Between Silos

By coalescing the operational context of the NOC with the security insights of the SOC, organizations will be able to achieve a greater level of visibility, control, and operational management. This integrated management and automation approach also needs to cross traditionally siloed functions, allowing each IT team to operate with the benefit of the other’s perspective.

This intersection and overlap in operations and security is essential for establishing the sort of defensive posture and risk management solution required by today’s dynamic business environments. The features and capabilities required by integrated NOC-SOC functionality should include:

  • Centralized NOC-SOC Management: Organizations need to be able to incorporate all data, analysis, control, and orchestration from both operational and security perspectives into as close to a single pane-of-glass view of NOC-SOC operations as possible.
  • Comprehensive Security and Operations Visibility: Technologies such as SIEM solutions need to be leveraged to bring together the operational context of a full configuration management database (CMDB) – including accurate, up-to-the-minute status on all connected assets – while proactively searching for and adding new assets as they come online. Maintaining a consolidated view of operations and security enables meaningful detection and intervention, helps refine automation, and enables security teams to act more quickly and efficiently.
  • Measurable Security Posture Assessments: An integrated view of both network and security assets needs to include a continuous evaluation of the network’s security posture. This allows administrators to quickly quantify the implementation of security best practices and assess ways to improve operational efficiency without compromising security. Tracking posture assessments over time also helps to indicate trends, demonstrate a return on investment, and provide a baseline for comparing your security posture with those of your industry peers.
  • Cross-silo Automation: The most critical goal of a NOC-SOC solution is to span technical or institutional operational silos. Detected security incidents combined with detailed evidence and forensics not only allow security and network engineers to determine how to resolve an incident, but events can also trigger automatic changes to both network and security device configurations, thereby closing the loop on attack mitigation by simultaneously bridging the efforts of the security and operations teams.

It’s time to rethink how the NOC and SOC work together. With an integrated security and operations management and policy orchestration approach, organizations can better close the gaps between these traditionally isolated strategies to automatically address today’s sophisticated threats, regardless of where in the network they occur.

Learn more about Fortinet’s latest NOC-SOC solution.


Copyright © 2018 IDG Communications, Inc.