by Neal Weinberg

4 key benefits of NOC/SOC integration and tips for making it work

Feature
14 May 2020 | 8 mins
Network Security, Security, Security Infrastructure

Companies that have started the SOC/NOC integration process report improved security and operational efficiencies, but had to overcome technical and cultural challenges.

Conceptual image of a team reviewing data/alerts/solutions via a futuristic interface.
Credit: Metamorworks / Getty Images

To cut costs, optimize resources and improve the speed and effectiveness of incident response and related security functions, enterprises are taking steps to unify their network operations centers (NOCs) and security operations centers (SOCs).

SOC/NOC integration is easy to understand conceptually, but it can be difficult to implement. Brett Wahlin, CISO at Amazon Prime Video, who has held similar positions at HPE, McAfee, Sony and Staples, says he investigated SOC/NOC integration more than once over the course of his career but was stymied by the lack of common datasets and toolsets, a considerable skills gap, and a fundamental difference in mindsets between the two groups.

Network teams are focused on connectivity and uptime. They respond to trouble tickets, outages and performance degradation. SOC teams are driven by alerts, incident response, and analysis of cyberattacks. Network teams look at packet flows. SOC teams try to get into the mind of an attacker. As Wahlin puts it, “They use two different lenses on what looks like the same problem.”

“There are a lot of challenges to making this work,” adds Shamus McGillicuddy, senior analyst at Enterprise Management Associates (EMA). “The biggest one is that the two groups have fundamentally different goals. The network group is all about connecting people and creating a high-performance infrastructure. The security group is all about locking down assets and preventing people from connecting without the proper authorization. That’s the biggest stumbling block out of the gate.” Other challenges include lack of cross-team skills, lack of common toolsets, and even a reluctance to share data out of concern that it might be mishandled or misinterpreted, he says.

Despite these challenges, the advantages of breaking down siloes between security and network teams are too enticing for companies to resist. “Integration of a NOC/SOC is starting to gain traction,” says SANS Institute researcher Nelson Hernandez in a recent report on the topic. “Integration of both groups at the frontlines of defense in many organizations could potentially be the best way to lower costs, increase efficiency and optimize resources,” he adds.

SOC/NOC integration benefits

The four key benefits of SOC/NOC integration are:

Better security: Networking teams often receive alerts related to performance problems that on further investigation turn out to be a security-related issue, such as a denial of service attack. When the teams work together, it strengthens the organization’s security posture.

Improved network performance: The flip side of that equation is that security-related issues can sometimes be the root cause of performance problems on the network – for example a new firewall rule that inadvertently ends up blocking legitimate traffic. By working together, the teams can get to the bottom of a network performance problem and fix it quickly. 

Improved response time: In an integrated SOC/NOC scenario, the combined teams can reduce the time that it takes for security practitioners to respond to an incident or attack. When it comes to stopping the bleeding during an emergency, faster response time translates into reducing the financial impact of a breach. 

Improved operational and cost efficiency: SOC/NOC collaboration can eliminate redundancy in the use of toolsets, which cuts costs. Operational efficiency cuts the time spent on routine processes, freeing up security practitioners to engage in more strategic activities. 

According to an EMA survey of 350 IT professionals, enterprises have gotten the message. Nearly 90% of enterprises reported increased collaboration between security and operations teams over the past two years, and 63% of enterprises have formalized collaboration between networking and security teams, rather than having it occur in an ad hoc manner.

McGillicuddy defines formal collaboration as either sharing or integrating tools, establishing collaborative processes, and sharing best practices. EMA’s Network Management Megatrends 2020 Study also revealed that organizations that have established strong collaboration between the two groups are more successful in their overall security and networking efforts.

SOC/NOC integration is a journey 

SOC/NOC integration is a process that can range from something as simple as creating a Slack channel to share information all the way up to full integration, which less than a third of enterprises in North America have achieved, according to McGillicuddy.

The results from the EMA survey are similar to a recent report from the SANS Institute, which found that 12% of respondents had an integrated SOC/NOC with integrated dashboards, APIs and workflows. Another 20% said the NOC team is an integral part of detection and response, but the collaboration is more ad hoc. On the other hand, 12% said the SOC and NOC have very little communication and another 21% said the teams only work together in an emergency.

At one end of the spectrum is Michael Cantor, CIO at Park Place Technologies, who says his networking team feeds event data to the security team’s SIEM system, but full integration is not on his agenda. “My goal is just getting the two groups to talk together more.”

At the other end is Neustar, an information services and technology company that has successfully integrated its NOC and SOC into what Matt Wilson, senior director of product management, describes as a “fusion center.”

Wilson says that less than a year ago the company’s NOC and its security arm were completely separate, but under the strong leadership of the former CIO, the two teams came together. “Pretty much everything goes into one center that is responsible for managing everything we do from the network perspective, the corporate network, the services that are available, the corporate data centers, including security, they are all managed and run through one group with a ton of different toolsets.”

Wilson says the move was part of a larger, companywide push to create a new culture of collaboration, cutting down on red tape and collapsing different groups together to reduce redundancy and improve efficiency. For example, the teams discovered that they were both paying for a Splunk license.

By eliminating overlap in toolsets, Neustar was able to reduce licensing costs, but a more important benefit was getting both teams to change their ingrained thought processes and work together to make sure every security decision took into account the networking aspect and vice-versa.

The SOC/NOC integration effort was driven by “a desire to improve the overall security landscape,” as well as to avoid miscommunication and finger pointing between groups.

In terms of lessons learned during the process, Wilson says, “First and foremost you have to tackle the culture and get everybody bought into the concept. It can’t be siloed. This needs to be a collaborative effort with cross-functional teams working toward a common goal. Historically, that’s been somewhat challenging.”

Wilson equates the merger of security and networking teams with the trend toward integrating application developers and operations groups into DevOps. “If you want to work efficiently and react quickly to new threats and new issues that are going to pop up, you’ve got to take a similar kind of collapsed approach.”

He adds that he has noticed a significant improvement in the speed and efficiency of the combined team when it comes to responding to trouble tickets, alerts or security-related incidents. The teams use a Slack channel to drive real-time communication, so that when the network team, for example, is faced with a tricky problem, they can refer it to a shared SOC/NOC room where the teams can share data and insights back and forth.

Wilson says the journey has no end. “It’s an ongoing process. I don’t see an end state on this where you say we’re done. New threats are going to come along that will drive the need for new and different toolsets and collaboration.”

When to integrate security and network operations 

In the case of Neustar, there was a top-down directive to increase collaboration and break down siloes between teams. At many companies, a change in IT strategy or a refresh cycle could trigger SOC/NOC integration.

For example, if the company has decided to build a private cloud and the network team now needs to reconfigure traffic flows to accommodate this new approach, that’s the perfect time to bring in the security team to figure out the best way to protect virtual machines. Maybe it’s time to deploy distributed firewalls or to adopt micro-segmentation. Maybe it’s time to start a conversation around the zero-trust model.

SOC/NOC integration doesn’t stop at the trouble ticket/incident response level. By bringing the teams together early in the process, they can collaborate on product procurement, on ways to purchase tools that both teams can use together. Then, when the tools are implemented, the teams can begin collaborating on managing and monitoring.

Hernandez sums it up this way: “CTO/CIO and chief information security officers will be well served in understanding what a potential collaborative, efficient effort integration brings versus having two separate siloed teams with very little crossing of paths except for at a lessons-learned/after-action meeting. The exploration of integrating a NOC/SOC is something every organization should consider.”