Why network and security operations should not be separate

Dec 20, 2005 · 3 mins
Data Center

* Converge network and security operations centers to focus on the business

Network operations and security operations share a single goal: maintaining business availability and protecting business information. Often, however, network operations centers (NOC) and security operations centers (SOC) do not share the same tools or organizational structure. With IT complexity rising, converging operations across the network and security domains is becoming essential.

Very often operators are uncertain about the nature of a problem – is it a security event or just a network failure? To determine what type of problem they are facing, they must first collect more information. Monitoring systems pick up on the symptoms of a problem, but cannot tell if the underlying cause is security- or network-related (or something else altogether). In essence, the initial event is neither security- nor network-related – operators must perform some basic triage to make that determination.

If security operations and network operations are in discrete “silos,” then it becomes difficult to jointly resolve a problem, which may have mixed causes (a security event triggers a network failure) or mixed effects (a network event causes a security exposure). If the monitoring, alerting and ticketing systems are also in separate silos, this hinders collaboration and makes it harder to re-classify events after the initial scrutiny. For example, if operators in the NOC discover a problem and later realize it is the result of a security breach, they may have no tool to seamlessly transfer the information collected to their colleagues in the SOC.

Organizationally, most companies have a tiered response to events – basic analysis and resolution at Level 1; escalation to senior engineers for more serious problems at Level 2; and the most experienced team at Level 3 for global or very serious incidents. If the NOC and SOC organizations are separate, this creates two primary tiers (NOC Level 1 and SOC Level 1) and four escalation tiers. This can lead to parallel responses on the same event (in which alerts are triggered in both NOC and SOC) and confusion at Level 1 about the nature of the problem.

Consider a real-world parallel: Imagine if 911 emergency response was segmented by specialty – for electrical fires call 911, for chemical fires call 912, for residential fires 913, etc. This would create an impossible situation in which the initial fire department response could be completely inappropriate for the fire. If you smell smoke, you have to first figure out what type of fire it is before you trigger a response, just to make sure you get the right response. In the real world, fortunately, there is a single point of contact, and the first responders are able to deal with many different types of fires. If the fire requires a more specialized response (HAZMAT or chemical units), the first responders can request backup.

A similar approach should be used in company operations centers. We recommend that Level 1 operations be consolidated, merging Level 1 NOC and SOC resources into a Level 1 group that combines skills from both disciplines. Converged Level 1 operations staff would be responsible for “triage”: determining whether an event is network- or security-related.

By converging Level 1 operational resources, companies can ensure there is an immediate response regardless of the underlying cause. At the end of the day, the underlying cause of an event should not be the basis of organizational structures – instead the focus should be on the common goal of getting the business back on track by addressing the problems quickly and effectively.