NVTC is inviting members and industry leaders to serve as guest bloggers, sharing insights and information on trends or business issues relevant to other members. This week, Sean Applegate, Director, Technology Strategy & Advanced Solutions at Riverbed explains how companies can foster collaboration between the Network Operations Center (NOC) and Security Operations Center (SOC).
One of the largest untapped resources for gaining understanding and insight into an organization’s cyber operations is the network infrastructure and network operations team. They have the broadest span of control across an organization’s IT infrastructure. However, this strategic asset isn’t leveraged efficiently when network teams and security teams fail to share critical resources, collaborate with one another and streamline joint operational processes.
Bridging the chasm between the Network Operations Center (NOC) and Security Operations Center (SOC) isn’t a technology challenge – it’s an organizational challenge. Below are three tips to help foster this collaboration.
Maximize Insight and Investments
The first step in overcoming this organizational hurdle is to acknowledge the value of the network team in cyber operations. They have visibility into, and access to, forensic data that simply doesn't exist in other parts of an organization. Once leadership acknowledges this, it's a matter of putting the tools and processes in place to integrate the network resources into security processes. It sounds simple, but a thorough understanding of what normal traffic looks like on your agency's network is a critical factor in detecting and stopping potentially harmful activity: the flows and sessions that depart from that baseline are where analysts should look first.
Security teams should leverage the network team's existing investments in packet capture agents, packet analyzers, NetFlow sources and deep-packet-inspection performance monitoring. Often these can be tightly integrated into a Security Information and Event Management (SIEM) system for high-fidelity visibility and quick pivots from an alert into the underlying forensic data, such as the flow records or captured packets for the hosts involved.
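As an added example (not code from this post or from Riverbed), the Python sketch below shows the "understanding of normal" idea from the first tip applied to NetFlow-style records of the kind the network team already collects: it learns a per-host baseline from a constructed week of hourly flow summaries, then flags hosts in a current hour whose outbound volume or destination ports depart from that baseline. The host addresses, byte counts, port sets, record layout and the z = 3 threshold are all assumptions for illustration.

```python
"""Baseline-and-deviation check over NetFlow-style records.

Added example for this post, not code from the original article or from
Riverbed. Hosts, byte counts, ports, the flow record layout and the
z-score threshold are all assumptions for illustration; in practice the
learning set would come from the NOC's existing flow collector and the
alerts would be forwarded to the SIEM as the pivot point into packet data.
"""
import statistics
from collections import defaultdict


def constructed_baseline_flows():
    """Constructed week (168 hours) of outbound flow summaries per host.

    Each host has a typical hourly byte volume plus deterministic jitter so
    the learned standard deviation is non-zero, and a small set of
    destination ports it normally talks to.
    """
    hosts = {
        "10.0.1.5": (50_000, [53, 443]),       # workstation: DNS and HTTPS
        "10.0.2.10": (800_000, [443, 1433]),   # app server: HTTPS and MSSQL
    }
    flows = []
    for src, (typical, ports) in hosts.items():
        for hour in range(168):
            jitter = (hour * 7919) % (typical // 10)   # up to ~10% above typical
            flows.append({
                "hour": hour,
                "src": src,
                "dst": "192.0.2.1",
                "dport": ports[hour % len(ports)],
                "bytes": typical + jitter,
            })
    return flows


def build_baseline(flows):
    """Learn per-source mean/stdev of hourly bytes and the set of ports used."""
    hourly = defaultdict(lambda: defaultdict(int))   # src -> hour -> bytes
    ports = defaultdict(set)                          # src -> {dport, ...}
    for f in flows:
        hourly[f["src"]][f["hour"]] += f["bytes"]
        ports[f["src"]].add(f["dport"])
    baseline = {}
    for src, per_hour in hourly.items():
        totals = list(per_hour.values())
        baseline[src] = {
            "mean": statistics.fmean(totals),
            "stdev": statistics.pstdev(totals) if len(totals) > 1 else 0.0,
            "ports": ports[src],
        }
    return baseline


def find_deviations(baseline, current_flows, z=3.0):
    """Flag hosts whose current-hour behaviour departs from their baseline.

    Three conditions are checked: no baseline exists for the source at all,
    outbound volume exceeds mean + z * stdev, or a destination port appears
    that the host has never used. Returns a list of alert dicts.
    """
    totals = defaultdict(int)
    seen_ports = defaultdict(set)
    for f in current_flows:
        totals[f["src"]] += f["bytes"]
        seen_ports[f["src"]].add(f["dport"])

    alerts = []
    for src in sorted(totals):
        b = baseline.get(src)
        if b is None:
            alerts.append({"src": src, "reason": "no_baseline"})
            continue
        # Floor the stdev at 1 byte so a perfectly flat baseline still
        # yields a usable threshold instead of alerting on any change.
        threshold = b["mean"] + z * max(b["stdev"], 1.0)
        if totals[src] > threshold:
            alerts.append({"src": src, "reason": "volume",
                           "bytes": totals[src], "threshold": round(threshold)})
        new_ports = seen_ports[src] - b["ports"]
        if new_ports:
            alerts.append({"src": src, "reason": "new_dport",
                           "ports": sorted(new_ports)})
    return alerts


# Constructed "current hour" to run against the learned baseline.
CURRENT_HOUR_FLOWS = [
    {"hour": 168, "src": "10.0.1.5", "dst": "198.51.100.7", "dport": 443, "bytes": 49_000},     # normal
    {"hour": 168, "src": "10.0.1.5", "dst": "198.51.100.9", "dport": 22, "bytes": 1_000},       # first ever outbound SSH
    {"hour": 168, "src": "10.0.2.10", "dst": "203.0.113.44", "dport": 443, "bytes": 6_000_000}, # ~7x usual egress
    {"hour": 168, "src": "10.0.3.77", "dst": "192.0.2.1", "dport": 443, "bytes": 1_000},        # host never baselined
]


if __name__ == "__main__":
    baseline = build_baseline(constructed_baseline_flows())
    for alert in find_deviations(baseline, CURRENT_HOUR_FLOWS):
        print(alert)
```

Two caveats a practitioner would add before wiring something like this into a SIEM. First, a baseline learned while an intrusion is already under way encodes the attacker's traffic as "normal", so the learning window should be reviewed, and ideally bucketed by hour-of-day and day-of-week rather than flattened as above, so that diurnal patterns do not inflate the standard deviation. Second, these alerts are pivot points, not verdicts: the value of the NOC's tooling is that a flagged host and hour can be followed straight into the corresponding packet capture.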
Change the Culture
To foster collaboration, define clear roles and responsibilities across the NOC and SOC teams, supported by well-defined hand-offs. Documenting them isn't enough: you have to use them, analyze their key weaknesses and continuously improve them. Joint emergency response teams enable broader insight, deeper shared knowledge, faster artifact gathering, well-rounded analysis and ultimately a stronger cyber posture.
Transferring people between the two teams is another great way to build teamwork. Equally crucial is a strong leader who can rally the troops and mold them into a cohesive team that is passionate about continuous improvement, not just compliance.
Accelerate Capabilities
With a strong base to build upon, an organization should turn its focus to accelerating velocity and improving capabilities. To optimize overall operations, borrow techniques from established continuous-improvement strategies such as the Theory of Constraints, Lean, or lessons learned from the DevOps movement. For instance:
- Invest in training and skill development so your people are effective and empowered
- Break work down into smaller chunks so it flows more smoothly
- Automate as much as possible so you gain operational efficiencies
- Measure not just risk, but performance and quality of operations
- Never be satisfied with the status quo, continuously experiment and learn
The reality is that threats are getting increasingly harder to discover, and attackers are more brazen than ever. By maximizing your insight and investments, improving your processes and culture, and accelerating your capabilities once you have a strong foundation, you can prioritize your resources and work toward minimizing overall risk.