Security operations center (SOC) and network operations center (NOC) teams take on different roles in the effort to keep an organization functioning securely and reliably. The NOC is focused on system availability and connecting people, while the SOC monitors cybersecurity and defends against attackers. To do its job, the SOC must lock down assets and scrutinize connections and identities, which sometimes slows down well-intentioned NOC projects.
Despite having interests that can bump up against each other, there are major advantages to SOC-NOC integration. That’s because both teams need to intervene quickly in the event of an incident, and work together on vulnerability patching and other activities. A lack of visibility, communication, and action hurts both groups, so security leaders are trying to break down data siloes and bridge workflow gaps—with SOAR integrations and playbooks often playing an important role.
Gartner’s research report, When Should a SOC Include NOC Functions and Responsibilities?[i], does a good job of exploring SOC/NOC integration, and mentions SOAR as a helpful solution. You can access the report here, courtesy of D3 Security.
There have always been links between SOC and NOC activities, as the authors acknowledge in their report. If you work in an SMB, you’re probably thinking that having separate SOC and NOC teams would be quite a luxury. Even in an enterprise with completely segregated teams, there are many areas of overlap.
Both teams process alerts from log sources, utilize a ticketing system for inter- and intrateam collaboration, set and enforce policies in their respective domains, and use incident response plans to investigate alerts and resolve threats. Security events can result in network performance and availability issues, putting some events under the jurisdiction of both teams. SOC teams also rely on the NOC for certain security tasks, such as patching vulnerabilities or updating firewall rules.
With these areas of overlap, it makes perfect sense that Gartner identifies Tier 1 event monitoring as a likely first use case for SOC/NOC convergence, because the function is similar for both teams.
The authors of the report say that SOAR, along with SIEM, should be evaluated not only for its security capabilities, but also to expand beyond security, whether right away or in the future. This expansion could include “supporting the objectives of the IT operations team or the NOC.”
Gartner is already seeing some organizations using SOAR as their single platform for configuration, ticketing, workflow, and security operations. Because SOAR can handle IT operations use cases, such as “infrastructure monitoring, application performance monitoring and troubleshooting,” it is uniquely suited to bridging the gap between the SOC and the NOC.
For organizations that want to increase the integration between their SOC and NOC, the authors of Gartner’s report recommend starting by identifying common use cases and tools that can bridge the gap in incident workflows and then developing common processes from there. NOC events such as downtime or lagging performance can be indicators of security incidents, making them potential common use cases.
Increased SOC/NOC convergence might also require both teams to rethink the way they do things. Working separately, the SOC and NOC have different focuses and priorities, so they’ll need to make sure that they are aligned on definitions and processes when working together. Automated workflows will also naturally cross between the SOC and NOC, so organizations should involve both teams when establishing how tools like SOAR are used.
The benefits of SOC/NOC integration cited by Gartner’s authors include:
However, they also acknowledge that many companies choose not to integrate their SOC and NOC. They list some possible reasons for this, including:
There are a few different models for SOC/NOC integration. D3 SOAR is designed to go beyond security use cases to support your entire incident management operations from end to end, no matter which model of integration you choose.
If you have a fully combined SOC and NOC team, D3 can help by integrating with your security and IT tools to become a centralized hub for alerts, analysis, and response. D3’s playbooks provide end-to-end support, even when incidents blur the lines between security and IT. D3’s native data visualization and support for third-party dashboards enable the visibility needed to coordinate a fully converged team.
If your SOC and NOC are coordinated, but not fully combined, D3 can be safely used by both teams for incident management, with access controls that appropriately limit access to parts of the system and data that the NOC team should not be able to reach. Integrations and playbooks can codify processes that both teams can follow, with support for ITOps incidents. D3 can integrate with ITSM to send tickets to the NOC if both teams are not using D3.
For many organizations, it makes the most sense to outsource some or all of their SOC and NOC responsibilities to a managed service provider. In these cases, D3 can help MSSPs to deliver Tier 1, 2, and 3 security and IT services, as well as managed IT services. This is because of D3’s combination of security and IT integrations, plus strong access controls, and multitenancy support, including individualized playbooks and reports for each client. MSSPs that use D3 provide value to their clients by detecting, validating, and remediating security incidents and performance issues quickly through automation-powered workflows.
Whether you have internal SOC and NOC teams, or utilize service providers for some activities, SOC/NOC integration is worth considering. To learn more, you can speak directly to a D3 product expert and also be sure to read Gartner’s complete report When Should a SOC Include NOC Functions and Responsibilities? for their expert analysis.
[i] When Should a SOC Include NOC Functions and Responsibilities?, Schneider, Corbett & Shoard, November 17, 2020.