Why it makes sense to converge the NOC and SOC
It’s been 17 years and counting since Nemertes first wrote about the logic of integrating event response in the enterprise: bringing together the security operations center (SOC) and network operations center (NOC) at the organizational, operational, and technological levels. Needless to say, this has not happened at most organizations, although there has been a promising trend toward convergence in the monitoring and data management side of things. It’s worth revisiting the issue.
Why converge?
The arguments for convergence remain pretty compelling:
- Both the NOC and SOC are focused on keeping an eye on the systems and services comprising the IT environment; spotting and understanding anomalies; and spotting and responding to events and incidents that could affect or are affecting services to the business.
- Both are focused on minimizing the effects of events and incidents on the business.
- The streams of data they watch overlap hugely.
- They often use the same systems (e.g. Splunk) in managing and exploring that data.
- Both are focused on root-cause analysis based on those data streams.
- Both adopt a tiered response approach, with first-line responders for “business as usual” operations and occurrences, and anywhere from one to three tiers of escalation to more senior engineers, architects, and analysts.
- Most crucially: When something unusual happens in or to the environment (that router is acting funny), it can be very hard to know up front whether it is fundamentally a network issue (that router is acting funny – it has been misconfigured) or a security issue (that router is acting funny – it has been compromised) or both (that router is acting funny – it has been misconfigured and is now a serious vulnerability). Having fully separate NOC and SOC can mean duplicative work as both teams pick something up and examine it. It can mean ping-ponging incidents that bounce from one to the other, or incidents that neither picks up, thinking the other has or will.
At the very least, the lower tiers of separate NOC and SOC operations should be converged, so that there is neither duplication nor a game of hot potato as staff try to figure out what a problem actually is, and whether the response will be network focused, security focused, or both. Maintaining separate or semi-separate escalation paths is supportable given that lower-level convergence.
Why we don’t converge
The obstacles to fuller convergence are pretty persistent:
- The network team and the security team are rarely the same team in any large organization, and usually do not report to the same person. There may be two or three hops up an org chart to get to a point of convergence. So, leadership differences come into play, as do differing agendas, strategies, goals, and budget pools.
- Organizations have often, and for years, outsourced the NOC and insourced the SOC, or vice versa, or outsourced both – but to different providers, and on different lifecycles. This makes it harder to come together on responsibilities, harder to integrate teams, harder to integrate platforms and data streams and views of the data.
- SOC staff are used to operating in an environment focused on retaining evidence of a crime, establishing chain of custody of that evidence, and so on; network teams, far less so.
Why are we talking about this right now?
The time is right to revisit this topic because network and security operational concerns are getting ever more intertwined, in part because network and security infrastructures are converging. In the 17 years (and two months) since I first wrote about this, we have seen among other things the rise of software-defined networking – especially SD-WAN – and of zero trust network architecture (ZTNA), and the advent of SASE and of security devices being the network. We’ve also come to live in an age of adaptive persistent threats, multi-threaded attacks, botnets as a service, spear phishing, and rapidly propagating ransomware.
In an environment where any part of the network might be a key component of the security infrastructure, and any anomalous event could require a comprehensive network AND security response, the convergence of the NOC and the SOC makes more sense than ever.
Next read this: