No one would dispute that Network Operation Centers (NOCs) and Security Operation Centers (SOCs) are the critical IT nerve centers of public and private enterprises throughout the world. Nor would anyone challenge the fact that historically, NOCs and SOCs functioned as separate entities serving different purposes. After all, “power, pipe and ping” are not related to “protect, detect, react and recover”…or are they?

Just like most technology, change and evolution occurs, and more often than not, it is for the better. We evaluate, improve, adapt, and adopt. The convergence of the NOC/SOC is no exception. As our dependency on networks becomes operationally mission-critical, the probability of experiencing a cybersecurity incident also exponentially increases. For networks to be agile and secure at the same time, the security piece can no longer be layered over like an unwieldy suit of armor. Security needs to be woven into all layers of the network.

The ideal NOC and SOC tech stack

I get asked about the ideal NOC and SOC tech stack quite a bit. My view is that if the SOC does not have the information to trigger direct host isolation at any time of its choosing, because it doesn't know the end users, the computer systems, the client business, and what should and should not be happening on those endpoints, then you are going to have delays – and delays not only cause operational disruption, they can significantly increase the depth and breadth of a cyber-attack.

Additionally, from an AI perspective, if you are looking at AI-curated events and telemetry data but don't have intimate knowledge of the technical controls that are in place, then data will be missed and misinterpreted, leading to operational inefficiencies and exploitation of security gaps.

Post-incident response

Let’s also look at a post-incident response scenario. What if you need 365 days of data for forensic incident response and compliance, but your SOAR or XDR only has access to the last 30 days? Where does that leave you and your organization? How can you evaluate, improve, and evolve if you don’t have access to the data that drives those changes?

It is for these reasons that NOC/SOC integration must happen, and the people who implement and maintain technical controls must have full real-time visibility into the entire set of converged telemetry. You must be able to look at the events that are happening and say "Hey, that should not be happening. I know that user, their apps, that client. That is not normal for them." And, even more critically, that same person must have full authority to trigger host isolation and then follow up.

For another take on this topic, take a listen to Jonathan Nguyen-Duy, Vice President, Global Field CISO at Fortinet, during his recent interview where he covers some very salient points related to the convergence of NOC/SOC. We also spent some time discussing this in more detail on our Breakfast Bytes podcast "Why converged NOC and SOC are so critical to security efficacy." For more information on our network security services, contact us today at 262-553-6510 or by visiting