Approaches to Enhanced NOC/SOC Collaboration
Park Place Hardware Maintenance
The lines between the network operations center (NOC) and security operations center (SOC) are blurring, even breaking down. We are seeing this from two directions.
- Most large enterprises with a dedicated SOC (80%) also have a NOC.[1] They are discovering the shortcomings of running two separate facilities.
- On the other end of the spectrum are organizations lacking the resources to create a SOC. These companies are finding that current regulatory requirements, such as the General Data Protection Regulation (GDPR), make procuring equivalent security capabilities essential but challenging.
Fortunately, the emerging solutions for the SOC “haves” and “have-nots” lie in a similar direction—a coordinated, often outsourced NOC/SOC combination, which delivers greater agility, efficiency, and security than the structures that went before.
The Problem with the Isolated SOC
SOCs have historically stood alone, because security is a unique specialty. Whereas the NOC attends to performance and downtime issues, generally of non-human origin, the SOC concerns itself with data loss and operational interference, typically of the criminal variety. These are truly separate but equal functions.
Operating the NOC and SOC in isolation, however, means having two incident response teams. This can double staffing expense and add complexity, much like sending in two disconnected groups of firefighters to save a house. The teams may lose valuable time duplicating efforts and struggling to communicate. Different assessments can also lead to disjoint technical solutions.
For these reasons, SOC personnel are being encouraged to leave their isolated war rooms and mingle, if not merge with, their network operations counterparts.
Many Ways to Securely Skin a Cat
As the SOC emerges from behind closed doors, IT organizations are pursuing differing structures to reflect the increasing centrality of security considerations. Common choices include:
Multifunctional NOC/SOC
Some enterprises combine the NOC and SOC under a single umbrella, the integrated operations center (IOC). The logic is clear. Both NOC and SOC analyze anomalies, triage issues, and plan and execute a response, as well as recommend changes to reduce future risk. To combine them obeys much the same instinct driving SecOps and DevSecOps—addressing security concerns as a fundamental component of IT decision-making.
Organizations often prioritize Tier 1 integration, unifying alert monitoring and response functions. Tier 2 and Tier 3 may also be combined or proceed independently under the auspices of dedicated network or security specialists.
Coordinated but Not Combined
Some IT organizations stop short of full integration. They stress the differences, rather than similarities, between NOC and SOC, along with the dangers of subsuming network design, engineering, and administration under cybersecurity or vice versa.
To retain the NOC/SOC distinction, some companies are content to enhance communication. Roles and responsibilities for network and security events are defined, and the groups train to respond rapidly and in a coordinated fashion. Investing in a security information and event management (SIEM) platform that integrates with NOC tools can facilitate the cross-functional transparency and cooperation companies are seeking.
Managed SOC
If full or partial NOC/SOC integration sounds overwhelming, the good news is that managed SOC—delivered by a managed security service provider (MSSP)—is a viable alternative or complement to in-house capabilities.
The fact is, managed service providers (MSPs) already help many organizations keep the digital lights on. Regardless of where the company facilities are situated, these partners deliver service levels, maintain data center assets, and ensure networks are running optimally and—here is the important point—securely. MSPs’ understanding of customers’ business needs, technology environment, network operations, and security challenges positions them well to take on SOC-centric responsibilities.
MSPs can help enterprises coordinate separate NOCs and SOCs, or they can provide comparable functions as a service. IT organizations currently working with an MSP gain the opportunity to leverage existing investments. Remote monitoring and management (RMM) systems and ticketing workflows, for instance, will already be in place. Expanding the MSP’s purview more explicitly into security monitoring and response can minimize the investment in SOC-oriented personnel, facilities, and tooling while guaranteeing NOC/SOC integration from the outset. That such a solution will also link with backup and disaster recovery (BDR) and other services only adds value.
Tapping MSSPs also addresses the staffing issue. Today’s security experts are in short supply, command top salaries, and commit to shorter tenures than most other IT pros. Appropriately focused MSPs can attract and retain a level of talent typically available only to the largest enterprises, as well as deploy such personnel efficiently. This enables MSPs to deliver top-level security expertise at a cost most organizations can afford.
The Bottom Line
Security experts now recognize that network operations cannot stand apart from their own field of influence. Whether led from the C-suite or driving change from the ground up, security professionals are helping to adapt organizational structures and tools and involve new partners to deliver more integrated, efficient operations, in which security is, at last, a foundational element.