Risk is risk, regardless of whether the incident that causes the network to crash is a router failing because of a power outage, a malicious hacker or somebody running off with physical assets. Ultimately, the impact will have some level of consequence on the business. The management of these consequences can be improved when NOCs and SOCs collaborate, and this can be accomplished through both proactive management and incident response.
PROACTIVE MANAGEMENT
Most of us would rather fly on an airplane that had safety and security measures integrated from the outset than accept the risk of flying on an airplane that was designed with the singular focus of speed. Similarly, most organizations would probably say that they would rather operate in environments designed with security in mind. Unfortunately, for many years this wasn’t the case. Security was an afterthought and would typically only be addressed when time (something that any network engineer will tell you is never in surplus) permitted or a security incident forced the issue.
REFOCUSING INCIDENT PREVENTION
By working together on planning the architecture, choosing vendors and configuring assets, the NOC’s and SOC’s missions can be addressed synergistically. This creates an environment where the NOC and SOC can establish shared best practices and have a greater sense of ownership. It reduces costs associated with unnecessarily redundant capital investments and yields a more efficient use of employees by reducing overlap. Benefits also extend to cooperatively addressing regulatory compliance and managing the environment against a set of metrics that embodies both disciplines – i.e., the NOC is also measured on security and the SOC is also measured on network operations.
INCIDENT RESPONSE
Scientists look for things they’ve been trained to see; network and security executives are no different. At the onset of an incident it is hard to distinguish a network fault from a security incident. Regardless of which group addresses it first, that group will commonly retreat to its comfort zone to initially classify the issue: the NOC may lean towards a networking issue while the SOC thinks it’s a security problem. Operating in a silo can lead to a comedy of errors where time is wasted and the wrong resources are overtaxed while the issue is allowed to persist.
EFFICIENT, EFFECTIVE ROOT-CAUSE ANALYSIS
By working together to investigate an incident, collaborating through a shared case management system and finally responding to the incident in tandem, the pitfalls outlined above can be mitigated. Because time and resources are spared, more effort can be dedicated to incident prevention and detection rather than to analysis and response.
SIDEBAR: Collaboration Has Top ROI
Working together is the best strategy. Network operation centers and security operation centers are, after all, made up of people first and foremost, according to article author Brian T. Contos, CISSP, CSO.
There is no substitute for quality engineers. But even great engineers without well-defined processes to follow can yield sporadic results. To bring people and process together as transparently as possible, technology can be leveraged. The end goal of the technology is to enable IT to shift its focus from just security and operational bits to enhancing and enabling the business mission. Solutions that help with this goal are commonly associated with network configuration management, network response management, security event management and log management.
These are all pieces of the technology puzzle that have to come together for NOC/SOC collaboration to be effective in saving time and money and in allowing logical and physical security resources to operate more strategically. NOC/SOC collaboration is already being realized in government and commercial organizations, with improved security postures, reduced risk and operational efficiency gains.