Integration of SOC and NOC
➡ The Network Operations Center (NOC) and the Security Operations Center (SOC) are two critical pillars of any organization. Both teams continuously monitor logs and events from different tools to ensure that the network stays up and running and remains protected against cybersecurity attacks. Typically, the NOC team handles issues of network performance and availability, while the SOC team handles information security threats. You can find more details about SOC and NOC in my previous article, Differences of SOC and NOC.
In today’s article, I will continue by writing about how efficiently we can handle the incident handling process by integrating the SOC and NOC teams. My article is based on the paper Integration of SOC and NOC published by the SANS Institute.
➡ Challenges of a Separated NOC and SOC
Even though many network and security tools exist for SOC and NOC teams, each team typically generates its own incidents and doesn’t share information. This lack of interoperability and inability to share event data results in inefficiencies, lack of agility, limited visibility, and eventually a poor organizational security posture.
➡ Integration of SOC and NOC
The paper describes SOC/NOC integration as convergence at three levels:
🔹 Organizational Level – including triaging, which means analyzing complex security alerts within the security alert queue, and cross-correlation, which means combining event logs from both teams to obtain effective security context and reduce false positives;
🔹 System Level – service level agreements, standard operating procedures, and integrated processes and structures that allow operators to communicate and coordinate seamlessly;
🔹 Asset Level – utilizing a common information aggregator that collects all the required data and then distributes it through integrated tools and dashboards.
➡ SOC teams are organized into tiers. Tier 1 SOC Analysts perform alert analysis and continuously monitor the alert queue; triage security alerts; monitor the health of security sensors and endpoints; and collect the data and context necessary to initiate Tier 2 work. Similarly, Tier 1 NOC Analysts keep their eyes on the network infrastructure and perform proactive alarm monitoring 24×7, just as Tier 1 SOC Analysts do. At the first tier, SOC and NOC engineers share similar responsibilities. As we move up the tiers, the differences in skillset become apparent, with Tier 2 and Tier 3 analysts being experts in their respective fields. NOC analysts may use SNMP/Syslog-based alerting systems such as Nagios, NetXMS, Netcool, HP OpenView, Monolith and Zabbix for event correlation. SOC teams receive alerts from a more advanced SIEM built on security logs from tools such as Sourcefire/Snort IDS, RSA Security Analytics and Splunk Enterprise Security consoles and dashboards. Additionally, both NOC and SOC analysts need visibility into the systems involved in Fault Management, Configuration Management, Accounting (Administration), Performance Management and Security Management. For an easier understanding of SOC and NOC integration, please refer to the Joint SLA to Business figure.
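As an added example that is not part of the article or the SANS paper, here is the cross-correlation and common aggregator idea from the three levels above in Python: constructed Nagios-style NOC alarms and Snort-style SOC alerts are normalized into one schema, and each security alert is enriched with the availability alarms the NOC saw on the same host within a time window. The hostnames, signature labels and line layout are constructed for the example, not taken from any real tool.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feeds (not from the article): a Nagios-style NOC alarm
# stream and a Snort-style SOC IDS alert stream covering the same minutes.
NOC_ALARMS = [
    "2024-03-01 09:58:10 NAGIOS host=web01 CRITICAL eth0 utilisation 98%",
    "2024-03-01 10:01:05 NAGIOS host=db02 WARNING disk /var 91% full",
    "2024-03-01 10:04:40 NAGIOS host=web01 CRITICAL ping loss 100%",
    "2024-03-01 10:40:00 NAGIOS host=web01 OK ping recovered",
]
SOC_ALERTS = [
    "2024-03-01 10:00:30 SNORT host=web01 HIGH [constructed-sig-1] unusual outbound connection burst",
    "2024-03-01 10:02:15 SNORT host=db02 MEDIUM [constructed-sig-2] inbound scan tcp/3306",
    "2024-03-01 10:30:00 SNORT host=mail01 LOW [constructed-sig-3] policy: cleartext login",
]

# Both feeds use the same constructed layout: "<date> <time> <tool> host=<h> <severity> <message>"
LINE = re.compile(r"^(\S+ \S+) (\w+) host=(\S+) (\w+) (.*)$")

def parse(line):
    """Normalise one alarm/alert line into the common aggregator schema."""
    ts, tool, host, sev, msg = LINE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "tool": tool, "host": host, "severity": sev, "msg": msg}

def correlate(noc_lines, soc_lines, window_minutes=5):
    """Attach NOC availability context to each SOC alert on the same host
    within +/- window_minutes, and rank the joint incident accordingly."""
    noc = [parse(l) for l in noc_lines]
    window = timedelta(minutes=window_minutes)
    incidents = []
    for alert in (parse(l) for l in soc_lines):
        ctx = [a for a in noc if a["host"] == alert["host"]
               and abs(a["ts"] - alert["ts"]) <= window]
        if any(a["severity"] == "CRITICAL" for a in ctx):
            priority = "high"      # security alert coincides with an outage
        elif ctx:
            priority = "medium"    # degradation on the same host, investigate
        else:
            priority = "low"       # no availability impact seen by the NOC
        incidents.append({"host": alert["host"], "alert": alert["msg"],
                          "priority": priority,
                          "noc_context": [a["msg"] for a in ctx]})
    return incidents

if __name__ == "__main__":
    for inc in correlate(NOC_ALARMS, SOC_ALERTS):
        print(inc["priority"].upper(), inc["host"], inc["alert"], inc["noc_context"])
```

The same joint record is what an integrated dashboard would show both tiers: a NOC outage with no security alert stays an availability ticket, while a SOC alert with a concurrent outage is escalated first.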
➡ Concerns about Relationship of SOC and NOC
According to the Relationship of SOC and NOC survey, 12% work together and are technically integrated, and 21% work together in emergency cases. 43% report that there is no relationship: even where both a NOC and a SOC exist there is little direct communication, or they have no NOC at all. The survey illustrates that there are still concerns and misunderstandings about how to fully utilize and capitalize on an integrated NOC/SOC. Please refer to the Relationship of NOC and SOC figure.
The SANS paper recommends that the CTO, CIO and CISO would be well served by comparing the lessons learned and after-action reviews of a separated NOC and SOC with the efficient and effective results achieved by an integrated NOC and SOC, and should then consider exploring NOC/SOC integration in their organization.
At NEX4 SI, we provide a better solution for implementing SOC and NOC operations with our skilled professionals. Moreover, NEX4 also provides User and Admin Awareness Trainings for an easier understanding of how to implement this technology.