Efficiency Through NOC/SOC Convergence

Network Operation Centers (NOCs) and Security Operation Centers (SOCs) are the critical IT nerve centers of public and private enterprises throughout the world. Historically, NOCs and SOCs functioned as separate entities serving different missions.

The NOC’s purpose has always been to ensure “power, ping, and pipe” to computing resources and is critically measured on uptime Service Level Agreements (SLAs). Conversely, the SOC’s purpose has been to “protect, detect, react, and recover” and is critically measured on response time SLAs. Combined, these Operations serve as both central nervous and immune systems to ensure the availability and integrity of IT assets. A variety of all too common factors routinely put these IT assets at risk. Such factors run the gamut from staff attrition, skill deprecation, and rising salaries to regulatory mandates, privacy compromises, and intellectual property leakage. Every day, NOCs and SOCs are challenged to do more with less as cost center funding struggles to pace business growth. Leveraging common NOC and SOC characteristics to build a single group responsible for both functions can make limited budget dollars go farther and yield operational efficiencies.

NOCs and SOCs tend to share a similar operational structure, with both staffed using tiered call centers, monitoring and event or incident and response teams. Junior analysts form the backbone of Tier 1 and are responsible for work orders, real time monitoring, call handling, and initial identification and triage of detected and reported events. Events not capable of being triaged are escalated to senior, Tier 2 staff for more detailed review and resolution.  Tier 3 subject matter experts serve as the final escalation point for the most complex of issues. Core knowledge is also shared by the staff, such as complying with SLAs, event escalation, Internetworking fundamentals, organizational goals, and troubleshooting. 

Likewise, there are commonalities in NOC and SOC infrastructures and operations. NOCs and SOCs both require analyst workstations, call routing & management systems, facilities, service level agreements, standard operating procedures, workflow and trouble ticketing.  Some shared monitoring technologies may also be used, such as network-based anomaly detection, to warn of unusual network behavior, or recurring health checks to ensure that critical devices are available.  Rounding out the list are dual-use technologies that both NOCs and SOCs feel they should exclusively own – such as firewall, DNS, proxy, remote access, and VPN servers.

Differences exist between NOCs and SOCs despite the similarities. Required staff skills diverge beyond Tier 1.  Senior NOC staff requires proficiency in network engineering, while senior SOC staff requires security engineering. The tools and techniques used for monitoring and event analysis also differ, as does the interpretation of tool output. For example, a NOC analyst may interpret an event indicating a device outage as an indicator of hardware failure. A SOC analyst may interpret that same event as an indicator of a compromised device. In other cases, high bandwidth utilization due to legitimate traffic may cause the NOC to immediately take steps to ensure availability, whereas the SOC may first question the validity of the traffic spike, and then close the ticket as a non-event. The convergence of NOC and SOC enables two previously disparate organizations to now collaborate more effectively, cutting time and costs and improving efficiency in making these every day operational decisions

The combination of NOC and SOC can yield real benefit beyond the obvious annualized savings through elimination of redundant operational infrastructure and Tier 1 staff. Efficiency gains can be realized through the introduction of a single, integrated point-of-contact for all network and IT security events. Users will no longer question who they are going to call when there’s something strange in the neighborhood. Analysts will no longer need to cross reporting structures or navigate the political quagmire to investigate events that traverse network and/or security devices. Service levels can also benefit from a unified NOC/SOC through improved communication and increased situational awareness. Incident response time is reduced as a single group owns both the capability and responsibility for enacting mitigating measures. Additionally, staff attrition rates may also be reduced by supplying greater career paths across networking and security, thereby enabling your organization to retain critical tribal knowledge and maintain operational stability.

Convergence of NOC and SOC can be both practical and beneficial, combining the awareness and control of an enterprise’s nervous system with the defense and response of its immune system. Though not a panacea, integrated network and security monitoring, management, and response capabilities bring both self-aware and self-defending networks closer to reality.

Yong-Gon Chon and Bill Jaeger are executives at SecureInfo, a provider of information assurance solutions.