
Is Your NOC Bullying Your SOC?

Without question there are marked similarities between the Network Operation Center (NOC) and the Security Operation Center (SOC). Unfortunately, these similarities often lead to the misconception that the duties of each role are interchangeable. Couple this with the widespread opinion that having a NOC in place negates the need for a formal SOC and you’ve got a scenario fraught with tension, resentment and, oftentimes, downright bullying. In reality, the NOC and SOC both provide unique value to the organization, but only if they are able to work together cohesively.

Key Differences

The first step in marrying the NOC and SOC in a harmonious relationship involves recognizing and understanding the key, fundamental differences between both roles. Yes, both teams may be responsible to some degree for identifying, evaluating, resolving and/or escalating issues; however, it is the type of issues and their subsequent impact that ultimately separates these two groups. For example, the NOC is typically tasked with handling incidents that affect availability and/or performance, while the SOC focuses mainly on incidents that could potentially impact the security of assets. Both are working toward a shared goal of managing risk; however, how they approach and achieve that goal varies greatly.

Measuring Performance

NOCs and SOCs are also measured differently in terms of performance. The job of the Network Operations Center is to manage, maintain and meet service level agreements (SLAs) as well as handle incidents in such a way that limits any potential downtime as much as possible. In other words, NOC technicians are measured on how well they optimize system availability and performance. The Security Operations Center, on the other hand, is measured primarily on how well they protect sensitive data, hence the “security” title.

Both of these tasks are of critical importance to the success and ongoing profitability of an organization and should therefore be handled as separate but equal functions. Unfortunately, many organizations fall into the trap of believing that both can be combined into one universal operation. This can spell disaster, not necessarily because either is incapable of handling the other’s duties, but rather because of the stark contrast with which each approaches their role.

Separate But Together

Another key reason the NOC and SOC should be operated individually but in conjunction with one another is because of the specific skillsets technicians of each specialty possess. For example, a NOC analyst must possess proficiency in network, systems and application engineering. This extensive experience and educational requirement has occasionally led to the mistaken opinion that NOC team members are somehow smarter or more skilled.

In reality, SOC analysts must exhibit similarly complex skillsets specific to security engineering, thereby debunking the notion that NOC representatives are somehow superior. Driving home these distinct yet equally important differences can help mend fences and create a more cohesive interdepartmental relationship based on mutual respect and understanding.

Further complicating the situation is the very nature of the adversaries each group must deal with on a daily basis. The NOC focuses on naturally occurring system events while the SOC faces vastly different “intelligent adversaries,” such as hackers and other cyber-criminals. As such, the solutions and strategies each group must develop, implement and maintain will also vary significantly. Expecting one group to adapt to the other’s policies, processes and priorities is a recipe for disaster.

Greater Demands = Higher Turnover

Lastly, there is the reality of the many demands and pressures placed on each of these groups and the subsequent way they respond. Security Operation Centers tend to have a much higher turnover rate than NOCs, with the average length of employment of a level 1 SOC analyst topping out around 2 years or less. This is due in large part to the volatile and ever-changing nature of security operations. The tenure of NOC representatives tends to be significantly longer. It would therefore only stand to reason that expecting a NOC analyst to also take on the duties of a SOC would result in greater attrition and subsequently higher turnover rates across the board. It’s a costly price to pay for most businesses.

A Match Made in Heaven

Ultimately, the ideal solution to avoiding issues between the NOC and SOC is to recognize, understand and respect the subtle yet fundamental differences and find a way to foster collaboration and cooperation between the two. One way to accomplish this goal is to employ technological tools, such as automation, to connect both teams, promote the sharing of data and systems and facilitate a close working relationship through which each department complements the other. The SOC can focus on identifying and analyzing security incidents and use the data they gather to propose fixes to the NOC, which can then evaluate and implement those fixes accordingly, improving operations as a whole.

Get started with automation for your NOC, SOC or both by downloading your free trial of eyeShare today.









Why Your SOC and NOC Should Run Together but Separately

The similarities between the role of the Network Operation Center (NOC) and Security Operation Center (SOC) often lead to the mistaken idea that one can easily handle the other’s duties. Furthermore, once a company’s security information and event management system is in place, it can seem pointless to spend money on a SOC. So why can’t the NOC just handle both functions? Why should each work separately but in conjunction with one another? Let’s take a look at a few reasons below.

First, their roles are subtly but fundamentally different. While it’s certainly true that both groups are responsible for identifying, investigating, prioritizing and escalating/resolving issues, the types of issues and the impact they have are considerably different. Specifically, the NOC is responsible for handling incidents that affect performance or availability while the SOC handles those incidents that affect the security of information assets. The goal of each is to manage risk, however, the way they accomplish this goal is markedly different.

The NOC’s job is to meet service level agreements (SLAs) and manage incidents in a way that reduces downtime – in other words, a focus on availability and performance. The SOC is measured on their ability to protect intellectual property and sensitive customer data – a focus on security. While both of these things are critically important to the success of an organization, having one handle the other’s duties can spell disaster, mainly because their approaches are so different.

Another reason the NOC and SOC should not be combined is because the skillset required for members of each group is vastly different. A NOC analyst must be proficient in network, application and systems engineering, while SOC analysts require security engineering skills. Furthermore, the very nature of the adversaries that each group battles differs, with the SOC focusing on “intelligent adversaries” and the NOC dealing with naturally occurring system events. These completely different directions result in contrasting solutions which can be extremely difficult for each group to adapt to.

Lastly, the turnover rate in a SOC is much higher than that of a NOC. Perhaps it’s the very nature of the role, but the average employment time for a level 1 SOC analyst is around 2 years or less. Tenure of a NOC analyst is much longer. It only stands to reason, then, that asking a NOC analyst to handle their own duties and also take on those of the SOC will likely result in a much higher attrition rate overall.

The best solution is to respect the subtle yet fundamental differences between these two groups and leverage a quality automation product to link the two, allowing them to collaborate for optimum results. The ideal system is one where the NOC has access to the SIEM, so they can work in close collaboration with the SOC and each can complement the other’s duties. The SOC identifies and analyzes issues, then recommends fixes to the NOC, who analyzes the impact those fixes will have on the organization and then modifies and implements accordingly.





eBook: 5 Reasons You Should Automate Cyber Security Incident Response




Ayehu Security Incident Response Automation Software Mentioned in Latest Gartner Research Report


Ayehu Software Technologies Ltd., industry leader in developing and marketing enterprise-grade IT process automation software, is pleased to announce its inclusion in another Gartner research report.

In this most recent publication, Ayehu was mentioned as a trusted provider of security incident response automation solutions.

The report, entitled The Five Characteristics of an Intelligence-Driven Security Operations Center, addresses security leaders and provides a comprehensive overview of how intelligence-driven security operation centers (SOCs) will need to use tools, processes and strategies to protect their organizations against modern threats. Among the topics covered, the report delves into key challenges SOCs face today and provides expert recommendations for a successful evolution from a traditional to an intelligence-driven SOC (ISOC).

Throughout the report, a common theme emerges which demonstrates the need for security leaders to go beyond traditional threat-detection methodology and preventative technologies and adopt more advanced and sophisticated policies. The main component of these newer, intelligence-driven SOCs is automation. To that end, Security Incident Response Platforms (SIRPs) and Security Operations Automation Platforms (SOAPs) are mentioned, the latter of which includes Ayehu as an example.

“The driving force behind all the work we do at Ayehu is the desire to help businesses of every size and industry better protect themselves against the ever-increasing threat of cyber-attacks,” comments Co-Founder and CEO of Ayehu, Gabby Nizri. “Our passion, hard work and tireless determination to develop a superior IT Process Automation solution are beginning to pay off. We couldn’t be more pleased to be recognized by Gartner, such a respected authority in the IT realm.”

To learn more about how automation can fortify your cyber security incident response policy and help your SOC develop into a more intelligence-driven model, check out Ayehu’s extensive library of eBooks or download and try the eyeShare product free for 30 days.

About Gartner

Gartner, Inc. is the world’s leading information technology research and advisory company. They specialize in conducting, compiling and delivering technology-related insight to help IT professionals and business leaders make sound decisions. Gartner is headquartered in Stamford, CT and currently employs 6,600 associates, including more than 1,500 consultants, research analysts and clients in 85 countries. For more information, please visit www.gartner.com.

About Ayehu

Ayehu provides Security Incident Response Automation solutions for IT & Security professionals to identify and resolve critical incidents, simplify complex workflows, and maintain greater control over IT infrastructure through automation. Ayehu solutions have been deployed by major enterprises worldwide, and currently support thousands of IT processes across the globe. The company has offices in New York and Tel Aviv, Israel. For more information please visit www.ayehu.com.



3 Things Every Security Operations Center (SOC) Should Be Automating Now

By now most security operations centers (SOCs) are aware of the value of automation. Not only does this technology reduce errors and improve efficiency and effectiveness, but it also frees up IT personnel, allowing them to focus their talents on high-level tasks and workflows that cannot be automated. For those just starting out with security operations center automation, it can be challenging to figure out where to begin. Let’s take a look at 3 key areas where SOCs can and should start automating today.

Identifying False Positives

SOCs spend far too much time sifting through incoming alerts to determine whether they are truly threats. This massive task is not only prone to costly error (when real threats slip through the cracks), but it’s a tremendous drain on resources. One of the most effective ways to handle this monumental yet time-consuming necessity is to leverage security operations center automation. All incoming alerts can be instantly assessed, verified, prioritized and assigned without the need for human input, thereby eliminating the false positive dilemma.

Help Desk Tickets

Believe it or not, many companies still have highly skilled IT professionals copying and pasting responses to incoming support tickets. Imagine paying a senior staff member to do such a simple task when his or her time could be much better spent elsewhere. Security operations center automation can help you maximize your staffing budget by allowing technology to handle this simple, repetitive task. As an added benefit, your top level personnel can then focus their energy on things like mitigating threats and training entry-level workers.

Generating Reports

Tracking and analyzing metrics is an important part of a SOC’s job, but the act of manually gathering all this information and converting it into reports can be daunting. The good news is, SOC automation can help take this time-consuming yet business-critical task off the plates of security operations center staff. CIOs and other powers-that-be will still be able to review, evaluate and confirm the department’s efficiency levels while IT personnel can shift their efforts to more important activities.

Of course, these are just three of the many different tasks and workflows that can be streamlined by security operations center automation, but they’re a great place to start for a company that’s just hopping on the automation bandwagon.

Still need convincing? Here are 5 compelling reasons you should start automating your security operations center today.









The Importance of Maturity in Security Incident Response Automation

With cyber-attacks on the rise and becoming more and more sophisticated, the need for quality security incident response automation products is also increasing. As with any other technology product, there are a wide variety of vendors offering this type of solution, with many new players emerging at a rapid pace. It’s important to note, however, that not all automation products are created equal. Let’s consider the importance of choosing a mature, established IT Process Automation (ITPA) product and the risks associated with electing a newer option.

The lure of newer products typically stems from budgetary needs. An emerging software provider may offer an ITPA solution at a discounted rate to attract more business. The problem with this is, as the old adage states, you get what you pay for. While not all newer products are necessarily bad, there is an inherent risk involved with choosing a product based on price and ending up with something that isn’t quite up to par. The result is often a solution that doesn’t quite meet the needs of the business or cannot perform at the level desired.

The fact is, security incident response is one of the most important tasks for businesses today. Regardless of size or industry, every company in the world is at risk of having their sensitive data compromised, and the implications can be nothing short of devastating. Whether it’s an incident that causes widespread outages or costly system downtime or a serious security breach in which confidential information ends up in the wrong hands, businesses can end up on the brink of losing everything.

For something so critical, it’s equally important that the product chosen to prevent such a catastrophic event be of the highest quality. The most effective way to ensure this is by carefully selecting a security IT Process Automation provider that has years of experience in IT Process Automation and can back their product up with real numbers and proof of performance.

One area in which maturity becomes even more crucial is that of integration. Most companies already have security information and event management (SIEM) tools in place to monitor incoming threats. To maximize security and create a more closed-loop, end-to-end process, the right ITPA product can be easily integrated with the existing monitoring tools. Newer products often lack this ability, or they are not developed and honed enough to integrate seamlessly. This leaves the business at a greater risk, defeating the purpose of the investment in IT Process Automation.

Ayehu has nearly a decade of experience in IT Process Automation and we are continuously exploring ways to bring that knowledge and experience into the SOC world. We have made some excellent progress with clients who run their SIEM tools with our eyeShare solution for SIM-SOC to automate the alert response, incorporate data enrichment into the SIM tools, as well as manage automated containment and risk mitigation. The image below demonstrates the process more clearly.

[Image: The Importance of Maturity in Security Incident Response Automation]

You care about the security of your business. Don’t settle for less than a robust product from an experienced, mature IT Process Automation partner.
