Looking for cost savings and better security? Merging your network operations center (NOC) and security operations center (SOC) could deliver.

Network operations centers (NOCs) and security operations centers (SOCs) are the critical IT nerve centers of public and private enterprises throughout the world. Historically, NOCs and SOCs functioned as separate entities serving different missions. The NOC’s purpose has always been to ensure “power, ping and pipe” to computing resources, and it is critically measured on uptime service-level agreements (SLAs). Conversely, the SOC’s purpose has been to “protect, detect, react and recover,” and it is critically measured on response-time SLAs. Combined, these operations serve as both the central nervous system and the immune system that ensure the availability and integrity of IT assets.

A variety of factors routinely put these IT assets at risk, from staff attrition, skill deprecation and rising salaries to regulatory mandates, privacy compromises and intellectual property leakage. NOCs and SOCs are challenged to do more with less as cost-center funding struggles to keep pace with business growth. Leveraging common NOC and SOC characteristics to build a single group responsible for both functions can make limited budget dollars go farther and yield operational efficiencies.

NOCs and SOCs tend to have a similar operational structure, with both staffed using tiered call center, monitoring and response teams. Junior analysts form the backbone of tier 1 and are responsible for work orders, real-time monitoring, call handling, and initial identification and triage of detected and reported events. Events that can’t be triaged are escalated to senior, tier 2 staff for more detailed review and resolution. Tier 3 subject-matter experts serve as the final escalation point for the most complex issues. Core knowledge is also shared by the staff, such as complying with SLAs, event escalation, internetworking fundamentals and troubleshooting.
NOC and SOC infrastructures and operations also share some common features. Both require analyst workstations, call routing and management systems, facilities, service-level agreements, standard operating procedures, workflow and trouble ticketing. Some shared monitoring technologies may also be used, such as network-based anomaly detection to warn of unusual network behavior, or recurring health checks to ensure that critical devices are available. Rounding out the list are dual-use technologies that both NOCs and SOCs feel they should exclusively own—such as firewall, DNS, proxy, remote access and VPN (virtual private network) servers.

There are differences too. Required staff skills diverge beyond tier 1. Senior NOC staff require proficiency in network engineering, while senior SOC staff require security engineering. The tools and techniques used for monitoring and event analysis differ. For example, a NOC analyst may interpret an event indicating a device outage as an indicator of hardware failure. A SOC analyst may interpret that same event as an indicator of a compromised device. In other cases, high bandwidth utilization due to legitimate traffic may cause the NOC to immediately take steps to ensure availability, whereas the SOC may first question the validity of the traffic spike, then close the ticket as a nonevent.

The convergence of NOC and SOC enables two previously disparate organizations to collaborate more effectively in making these everyday operational decisions. Beyond the obvious annualized savings through elimination of redundant operational infrastructure and tier 1 staff, the introduction of a single, integrated point of contact for all network and IT security events can provide cost efficiencies. Users will no longer question whom to call when there’s something strange in the neighborhood.
Analysts will no longer need to cross reporting structures or navigate the political quagmire to investigate events that traverse network and/or security devices. Service levels can also benefit from a unified NOC/SOC through improved communication and increased situational awareness. Incident response time is reduced, as a single group owns both the capability and the responsibility for enacting mitigating measures. Additionally, staff attrition rates may be reduced by supplying broader career paths across networking and security, thereby enabling your organization to retain critical tribal knowledge and maintain operational stability.

Though not a panacea, integrated network and security monitoring, management and response capabilities bring both self-aware and self-defending networks closer to reality.

Yong-Gon Chon and Bill Jaeger are executives at information assurance company SecureInfo.