RESOLVE ’22: The SOC and the NOC

In our RESOLVE ’22 event The SOC and the NOC, moderator and 3 Tree Tech VP of Cybersecurity Kris Taylor welcomed two esteemed guests to the stage:

• Roger Barranco, VP of global customer operations at Akamai
• Craig Bowman, senior director of federal sales for VMware

As Kris noted at the top of the event, we brought our panelists together to talk about “the culture of the network operating center (NOC) and security operations center (SOC).” Along the way, they discussed different philosophical and practical takes on the high-level topics of networking and security.

SOCs and NOCs are different beasts

It didn’t take long for our presenters to offer a mutual opinion on the culture shared between SOCs and NOCs in the enterprise. While the two operational arms are philosophically similar, both panelists spoke to the difficulties of conjoining the two functionally.

“It’s very difficult to monitor environments that aren’t working together,” Craig said. “The SOC and NOC don’t have interest in being part of the same organization often, I’ve found. Many of them were trained in switches and routers, and others were trained in different tools to identify threats. And those two cultures are sometimes difficult to put together.”

Craig went on to say that smaller businesses, as well as those “going through transformation,” may have an easier time functionally linking the two because they’re still molding the culture and practice. But even then, he cautioned, “many times you end up having a portal that’s isolated for the NOC and a portal that’s isolated for the SOC, and yet, we call it a NOSC (network operations security center).”

For his part, Roger agreed with Craig’s opening comments.

“In a smaller organization, it may work because an SOC or NOC may be more of a triage-only type group,” he said. “But if you’re expecting that group to go beyond triage… a combined team greatly dilutes capabilities and effectiveness.”

Continuing Roger’s thought, it’s clear that security operations and network operations are—by their definitions—different philosophies. That’s true on paper and it’s true in the practical, day-to-day workplace. What’s more, as the Akamai VP himself said, many organizations make the change to a dual model not out of worry over service quality but sheer budget concerns.

“I think businesses that [combine SOCs and NOCs on these grounds] are going to have to accept a lower level of quality output from that combined team,” Roger said.

How can NOCs and SOCs viabley perform together?

Roger’s comments drew a new question from our moderator, Kris: “How do you see these teams working together” if they are so functionally different?

“I think there’s a new element being introduced to this whole conversation, which is SecDevOps,” Craig replied. “We’re taking a lot of the telemetry from our switches, routers and inputs and feeding it into whatever our SEM/SIEM tool is. We’re managing tier-one and -two and -three tickets, and in comes SecDevOps.”

Craig continued that “it’s a whole different beast because now you’ve got applications running in probably a Kubernetes environment in different toolsets.” And that, he said, culminates in a situation where alerts, “even if they’re being captured by the SOC,” end up being sent to the SOC operator—“who has no idea how to manage them,” he continued.

“What’s needed is a way to bring these different lenses for the different environments together in a more cohesive way,” he said. “Not a single portal with individual tabs.”

A little later in the event, Kris tied Craig’s insightful comments back to Roger, asking him how his company, Akamai, was able to send alerts to both the SOC and NOC. Roger replied that, “on a very busy day,” the [content delivery network] CDN processes 250 terabits per second. That’s roughly two trillion transactions per busy day, for those keeping count.

“And from a security perspective… we ran a quick report, and as of up to the beginning of the month, there were eight billion security locks put in place,” Roger said.

“That’s unmanageable,” Kris said—undoubtedly mirroring the thoughts of every audience member!

“So we approach from a perspective of leaning heavily on platform resiliency to automatically respond to different types of problems that happen,” Roger continued. “The thought of a human going: ‘Oh, I got alert A; now let me look in these different databases to try and make correlations,’ it makes me kind of nauseous. You have to perform all these things in your workflow automations, and your tooling and alerting system should help with that drastically.”

Why leaders like Akamai and VMware rely on BigPanda

These three leaders’ companies rely on BigPanda to handle several critical tasks, such as NOC automation. The conversation flowed to this very topic near the end of the panel.

Craig noted that BigPanda helps VMWare manage alerts and analysis behind some of its most complex and highly used product offerings.

“You can virtualize entire data centers,” Craig said. “So you’re not limited to one on-prem. Behind the scenes, it’s going out and breaching all kinds of different environments to make it easy to manage very complex environments. And BigPanda takes our telemetry to make sense,” he added, of all the feeds that comprise the virtualization infrastructure.

Roger said Akamai also expressed they appreciated our partnership in part because of “the machine learning (ML) but also the [artificial intelligence] AI component.”

For example, Roger noted his company had some concerns about the handling of events once they’d been registered. “We know that we need to respond to this, and we get that we need to log it… but you don’t know what you don’t know, right?”

That resulted in situations where “the SOC or NOC environment might choose to ignore low-priority alerts,” he said, even though numerous such alerts coming from an endpoint “probably does warrant an escalation.”

“BigPanda lets us take advantage of the AI-type environment to make us aware of what we might’ve missed in the past,” he said, instead of dismissing valid concerns as low-priority issues.

Kris said: “Adding to that, the Open Box Machine Learning allows your teams to share that tribal knowledge, I like that.” He further noted that while other tools in the space “historically say they can solve this problem”, what he has seen as an “unbiased consultant” is that “historically, they’re not really saving people from those bridge calls.”

Exploring Craig’s five pillars of “what we’ve got today”

The discussion kicked off a lengthy talk on the challenges that modernizing companies face as the alerts pile up and the need to delineate certain tasks and roles grows more dire.

“I think there are five bullets, or pillars, when we’re looking at the complexity of what we’ve got today,” Craig said. The are:

• “Businesses are going beyond perimeters,” with implementations at the perimeter “expanding dramatically.”
• “The attack surface has grown,” pushing businesses to invest more human and financial capital into staying secure.
• “Companies have too many tools,” and “the more tools we get, the bigger the chance of misalignment, misconfiguration and missed behavioral context.”
• “They also have too many silos,” creating an environment where businesses don’t communicate the institutional and tribal knowledge they need to make the right connections.
• “There’s not enough context, so with our apps, infrastructure and threat intelligence being fed in, they throw out all kinds of noise. And we don’t have enough context in the noise to know what’s important and what’s not.”

Where to find the whole event

This recap only covers a small portion of the insight and thought leadership our three guests shared at RESOLVE ‘22’s The SOC and the NOC. We invite readers to view the entire panel as well as expanded content from our remaining 10-plus events, at the following link.