It’s been 17 years and counting since Nemertes first wrote about the logic of integrating event response in the enterprise: bringing together the security operations center (SOC) and network operations center (NOC) at the organizational, operational, and technological levels. Needless to say, this has not happened at most organizations, although there has been a promising trend toward convergence in the monitoring and data management side of things. It’s worth revisiting the issue.
The arguments for convergence remain pretty compelling:
- Both the NOC and SOC are focused on keeping an eye on the systems and services comprising the IT environment; spotting and understanding anomalies; and spotting and responding to events and incidents that could affect or are affecting services to the business.
- Both are focused on minimizing the effects of events and incidents on the business.
- The streams of data they watch overlap hugely.
- They often use the same systems (e.g. Splunk) in managing and exploring that data.
- Both are focused on root-cause analysis based on those data streams.
- Both adopt a tiered response approach, with first-line responders for “business as usual” operations and occurrences, and anywhere from one to three tiers of escalation to more senior engineers, architects, and analysts.
- Most crucially: When something unusual happens in or to the environment (that router is acting funny), it can be very hard to know up front whether it is fundamentally a network issue (that router is acting funny – it has been misconfigured) or a security issue (that router is acting funny – it has been compromised) or both (that router is acting funny – it has been misconfigured and is now a serious vulnerability). Having fully separate NOC and SOC can mean duplicative work as both teams pick something up and examine it. It can mean ping-ponging incidents that bounce from one to the other, or incidents that neither picks up, thinking the other has or will.
At the very least, the lower tiers of separate NOC and SOC operations should be converged, so that there is neither duplication nor a game of hot potato as staff try to figure out what a problem actually is, and whether the response will be network focused, security focused, or both. Maintaining separate or semi-separate escalation paths is supportable given that lower-level convergence.