Redefining Security Intelligence with NOC and SOC

Friday, March 09, 2012

Rafal Los


Redefining Security Intelligence by Integrating the NOC and SOC (Part 1)

Over the past decade, an ever-growing divide has been forming between the network operations and security operations teams. 

In many organizations these two teams sit on different floors, report through different lines of management, and work with completely different tool sets.  That separation into silos perpetuates what amounts to blind spots on the radar. 

When IT operates in silos, no one ever gets the full picture - so to that end I'm opening up a short series on how holistic enterprise service management can provide the critical visibility security teams need to better defend the enterprise.

Let's start by thinking about the way the Network Operations Center (NOC) functions.  The role of network operations is to keep the network running smoothly: to make sure traffic flows between servers, services and consumers so that on-network devices can reach what they need, when they need it. 

They generally operate under the Chief Technology Officer (CTO) whose job it is to make sure the IT organization is performing to agreed-upon service levels and that the systems, applications and network are available and functional.  Their tools include network probes, logging from routers, switches and sensors and other network-related devices which generally feed some type of console to provide that "big picture" dashboard of network performance. 

If there is an MPLS failure between sites, a fiber cut, or a router generating more errors than usual and causing latency and service degradation, they know about it and can typically pinpoint the issue quickly.  The lingo typically heard around network operations teams includes "packet loss," "latency," and "link saturation," and their dashboards are likely tri-colored: red, yellow, green.

The Security Operations Center (SOC), on the other hand, is the other side of the coin.  This team generally looks at output from security devices to determine the threat posture in as near to real time as possible.  Analysis of port scans, detected malware, and signature matches on the IPS and WAF, along with countless other inputs, combine to determine whether the enterprise is actively under attack or has already been compromised. 

Unfortunately, while the goal is visibility, the result is often either an over-saturation of incident data, which causes the SOC to lose focus on what is truly dangerous, or a serious lag behind the near-real-time expectation, which lets attackers slip in and do their dirty work minutes, hours or days before they're detected. 

Security dashboards are archaic, and security operations teams often have a half-dozen or more of them to provide visual confirmation of current happenings.  In well-run SOC organizations, a SIEM or a newer-school SIRM can provide context and close the real-time analysis gap a little further... but this isn't enough.

Both teams are working against downtime, a business disrupter, from different angles and with seemingly different objectives.  What often doesn't become apparent until a really big incident is either missed or becomes painful to diagnose is that these two organizations can and should be cooperating and collaborating to fight downtime and business disruption. 

With the goal of helping the business perform better, network and security operations teams should be collaborating across their silos to enable better visibility and more accurate detection of incidents.  This is, as you may have guessed, a lot easier said than done.

Imagine if you could link a spike in the CPU of one of your data center routers to a spike in CPU utilization on an edge switch, and on to an application that just became unavailable to your users... all while your IPS tells you that you're under a very specific DoS attack that exploits a vulnerability in an Apache server, forcing dummy responses from the app server and effectively rendering it unavailable.  Of course, this type of incident may never present itself so obviously... 

A seemingly innocuous port scan across your external IP addresses, combined with a rare spike in CPU utilization on one of your older routers, may indicate that your outdated Cisco IOS has just been compromised... but if the attack is previously unknown, your IPS has no signature for it and may never see it. 

This last example is a security incident that would otherwise never touch the SOC's radar screen!  Combining the collective intelligence of the NOC and the SOC leads to a better ability to detect malicious activity and to perform smarter, faster root-cause analysis.  So how do you make this happen in your Operations Center right now?
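One concrete way to start is to join the two silos' data on the only thing they already share: the device name and the clock. The following Python sketch is an added example, not code from the original post or from any product it alludes to. It runs NOC-style CPU samples through a per-device baseline, then looks back a short window for SOC alerts on the same device, sorting every event into "correlated", "NOC-only" or "SOC-only". The device names, thresholds, time window and all of the telemetry are constructed for the example; the scenario it reproduces is the one above, a port scan followed by a rare CPU spike on an edge router that neither team would escalate on its own.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample telemetry (not captured from a real network).
# NOC side: router CPU samples as a poller would record them.
# SOC side: alerts as an IPS/firewall would raise them.
# The device name is the join key between the two silos.
NOC_CPU_SAMPLES = [
    # (timestamp, device, cpu_percent)
    ("2012-03-09 10:00:00", "edge-rtr-01", 12),
    ("2012-03-09 10:05:00", "edge-rtr-01", 14),
    ("2012-03-09 10:10:00", "edge-rtr-01", 13),
    ("2012-03-09 10:15:00", "edge-rtr-01", 12),
    ("2012-03-09 10:20:00", "edge-rtr-01", 15),
    ("2012-03-09 10:25:00", "edge-rtr-01", 13),
    ("2012-03-09 10:30:00", "edge-rtr-01", 14),
    ("2012-03-09 10:35:00", "edge-rtr-01", 79),  # spike shortly after a scan
    ("2012-03-09 10:00:00", "edge-rtr-02", 21),
    ("2012-03-09 10:05:00", "edge-rtr-02", 22),
    ("2012-03-09 10:10:00", "edge-rtr-02", 20),
    ("2012-03-09 10:15:00", "edge-rtr-02", 23),
    ("2012-03-09 10:20:00", "edge-rtr-02", 21),
    ("2012-03-09 10:25:00", "edge-rtr-02", 22),
    ("2012-03-09 10:00:00", "core-rtr-01", 30),
    ("2012-03-09 10:05:00", "core-rtr-01", 31),
    ("2012-03-09 10:10:00", "core-rtr-01", 29),
    ("2012-03-09 10:15:00", "core-rtr-01", 30),
    ("2012-03-09 10:20:00", "core-rtr-01", 88),  # spike with no preceding alert
    ("2012-03-09 10:25:00", "core-rtr-01", 31),
]

SOC_ALERTS = [
    # (timestamp, device, alert_type, source_ip)
    ("2012-03-09 10:02:00", "edge-rtr-02", "portscan", "203.0.113.5"),
    ("2012-03-09 10:31:00", "edge-rtr-01", "portscan", "198.51.100.77"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def cpu_anomalies(samples, min_history=4, z_threshold=3.0, std_floor=1.0):
    """Flag CPU samples far above the device's own history.

    The baseline for each candidate is the mean/pstdev of the samples seen
    before it, so a spike cannot pollute its own baseline. std_floor keeps a
    router with perfectly flat load from turning a 1% wobble into an alert.
    """
    by_device = {}
    for ts, device, cpu in samples:
        by_device.setdefault(device, []).append((parse_ts(ts), cpu))
    anomalies = []
    for device, history in by_device.items():
        history.sort()
        for i in range(min_history, len(history)):
            prior = [cpu for _, cpu in history[:i]]
            baseline = mean(prior)
            spread = max(pstdev(prior), std_floor)
            ts, cpu = history[i]
            if (cpu - baseline) / spread > z_threshold:
                anomalies.append({"device": device, "ts": ts, "cpu": cpu,
                                  "baseline": round(baseline, 1)})
    return anomalies


def triage(samples, alerts, window=timedelta(minutes=15)):
    """Join NOC anomalies with SOC alerts on the same device inside `window`.

    Returns three buckets: 'correlated' (alert followed by an anomaly on the
    same device, escalate as a possible compromise), 'noc_only' (anomaly with
    no security context, likely a performance issue) and 'soc_only' (alert
    with no observed impact, low priority).
    """
    parsed = [(parse_ts(ts), dev, kind, src) for ts, dev, kind, src in alerts]
    matched = set()
    correlated, noc_only = [], []
    for a in cpu_anomalies(samples):
        hits = [al for al in parsed
                if al[1] == a["device"] and a["ts"] - window <= al[0] <= a["ts"]]
        if hits:
            matched.update(hits)
            correlated.append({**a, "alerts": hits})
        else:
            noc_only.append(a)
    soc_only = [al for al in parsed if al not in matched]
    return {"correlated": correlated, "noc_only": noc_only, "soc_only": soc_only}


if __name__ == "__main__":
    for bucket, events in triage(NOC_CPU_SAMPLES, SOC_ALERTS).items():
        print(bucket)
        for event in events:
            print("   ", event)
```

With the constructed data, the edge-rtr-01 spike at 10:35 lands in "correlated" because of the 10:31 port scan, the core-rtr-01 spike stays NOC-only, and the scan against edge-rtr-02 stays SOC-only. In a real SIEM the join key would usually be a management IP or asset ID rather than a hostname, and the window and z-score would be tuned per device class, but the shape of the logic is the same.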

Stay tuned... I'll be introducing you to some very cool technology shortly.

Cross-posted from Following the White Rabbit
