Without question, there are marked similarities between the Network Operations Center (NOC) and the Security Operations Center (SOC). Unfortunately, these similarities often lead to the misconception that the duties of each role are interchangeable. Couple this with the widespread opinion that having a NOC in place negates the need for a formal SOC and you’ve got a scenario fraught with tension, resentment and, oftentimes, downright bullying. In reality, the NOC and SOC both provide unique value to the organization, but only if they are able to work together cohesively.
The first step in marrying the NOC and SOC in a harmonious relationship involves recognizing and understanding the key, fundamental differences between the two roles. Yes, both teams may be responsible to some degree for identifying, evaluating, resolving and/or escalating issues; however, it is the type of issues and their subsequent impact that ultimately separate these two groups. For example, the NOC is typically tasked with handling incidents that affect availability and/or performance, while the SOC focuses mainly on incidents that could potentially impact the security of assets. Both are working toward a shared goal of managing risk; however, how they approach and achieve that goal varies greatly.
NOCs and SOCs are also measured differently in terms of performance. The job of the Network Operations Center is to manage, maintain and meet service level agreements (SLAs) as well as handle incidents in such a way that limits any potential downtime as much as possible. In other words, NOC technicians are measured on how well they optimize system availability and performance. The Security Operations Center, on the other hand, is measured primarily on how well they protect sensitive data, hence the “security” title.
Both of these tasks are of critical importance to the success and ongoing profitability of an organization and should therefore be handled as separate but equal functions. Unfortunately, many organizations fall into the trap of believing that both can be combined into one universal operation. This can spell disaster, not necessarily because either is incapable of handling the other’s duties, but rather because of the stark contrast in how each approaches its role.
Separate But Together
Another key reason the NOC and SOC should be operated individually but in conjunction with one another is the specific skillsets technicians of each specialty possess. For example, a NOC analyst must possess proficiency in network, systems and application engineering. This extensive experience and educational requirement has occasionally led to the mistaken opinion that NOC team members are somehow smarter or more skilled.
In reality, SOC analysts must exhibit a similarly complex skillset specific to security engineering, thereby debunking the notion that NOC representatives are somehow superior. Driving home these distinct yet equally important differences can help mend fences and create a more cohesive interdepartmental relationship based on mutual respect and understanding.
Further complicating the situation is the very nature of the adversaries each group must deal with on a daily basis. The NOC focuses on naturally occurring system events while the SOC faces vastly different “intelligent adversaries,” such as hackers and other cyber-criminals. As such, the solutions and strategies each group must develop, implement and maintain will also vary significantly. Expecting one group to adapt to the other’s policies, processes and priorities is a recipe for disaster.
Greater Demands = Higher Turnover
Lastly, there is the reality of the many demands and pressures placed on each of these groups and the subsequent way they respond. Security Operations Centers tend to have a much higher turnover rate than NOCs, with the average length of employment of a level 1 SOC analyst topping out at around 2 years or less. This is due in large part to the volatile and ever-changing nature of security operations. The tenure of NOC representatives tends to be significantly longer. It would therefore only stand to reason that expecting a NOC analyst to also take on the duties of a SOC would result in greater attrition and subsequently higher turnover rates across the board. It’s a costly price to pay for most businesses.
A Match Made in Heaven
Ultimately, the ideal way to avoid issues between the NOC and SOC is to recognize, understand and respect the subtle yet fundamental differences and find a way to foster collaboration and cooperation between the two. One way to accomplish this goal is to employ technological tools, such as automation, to connect both teams, promote the sharing of data and systems and facilitate a close working relationship through which each department complements the other. The SOC can focus on identifying and analyzing security incidents and use the data it gathers to propose fixes to the NOC, which can then evaluate and implement those fixes accordingly, improving operations as a whole.