To cut costs, optimize resources and improve the speed and effectiveness of incident response and related security functions, enterprises are taking steps to unify their network operations centers (NOCs) and security operations centers (SOCs).
SOC/NOC integration is easy to understand conceptually, but it can be difficult to implement. Brett Wahlin, CISO at Amazon Prime Video, who has held similar positions at HPE, McAfee, Sony and Staples, says he investigated SOC/NOC integration more than once over the course of his career but was stymied by the lack of common datasets and toolsets, a considerable skills gap, and a fundamental difference in mindsets between the two groups.
Network teams are focused on connectivity and uptime. They respond to trouble tickets, outages and performance degradation. SOC teams are driven by alerts, incident response, and analysis of cyberattacks. Network teams look at packet flows. SOC teams try to get into the mind of an attacker. As Wahlin puts it, “They use two different lenses on what looks like the same problem.”
“There are a lot of challenges to making this work,” adds Shamus McGillicuddy, senior analyst at Enterprise Management Associates (EMA). “The biggest one is that the two groups have fundamentally different goals. The network group is all about connecting people and creating a high-performance infrastructure. The security group is all about locking down assets and preventing people from connecting without the proper authorization. That’s the biggest stumbling block out of the gate.” Other challenges include lack of cross-team skills, lack of common toolsets, and even a reluctance to share data out of concern that it might be mishandled or misinterpreted, he says.
Despite these challenges, the advantages of breaking down silos between security and network teams are too enticing for companies to resist. “Integration of a NOC/SOC is starting to gain traction,” says SANS Institute researcher Nelson Hernandez in a recent report on the topic. “Integration of both groups at the frontlines of defense in many organizations could potentially be the best way to lower costs, increase efficiency and optimize resources,” he adds.