"Align technology with business" is an old phrase in IT. What is new is that the information security industry has joined this shift, positioning itself as an enabler of business growth rather than a brake on it. The new jargon is the converged Technology Operations Center (CenTOC): a merger of the security operations center (SOC) and the network operations center (NOC), intended to keep the enterprise secure and running.
CenTOC, the new kid on the block, is considered the ideal replacement for the legacy silos of SOCs and NOCs, and a nerve center for managing technology, infrastructure, security, identity, governance, risk and compliance.
We've moved from monolithic machines that "supported" the business to carrying machines in our pockets and bags. Business dependency on IT is huge and still growing, so it is essential that computing systems are available whenever business operations need them.
NOCs were established to monitor the uptime, capacity utilization and availability of IT infrastructure. Whether internal or outsourced, the service they provided was termed Remote Infrastructure Management (RIM). Growing threats then made security monitoring necessary, so organizations set up in-house SOCs or outsourced them to managed security service providers (MSSPs).
But the increasing complexity of systems and the sophistication of attacks compelled a fresh look. Enterprises also want to leverage the cross-skilling that IT professionals are adopting, and to mentor and develop that talent within their own teams.
With business and technology aligned, converging the NOC and SOC into a CenTOC becomes essential for uninterrupted business continuity. But with great computing power comes great expectation of service and response, and the tsunami of connected devices (the Internet of Things) has opened a huge gap between that expectation and the capacity and capability available to meet it.
This is where convergence boosts speed. Here is an example use case, first as it plays out with a separate NOC and SOC: a NOC operator receives an alert that a device has gone down, raises a ticket, assigns a priority and hands the task to a system administrator, who does a physical check and reads the logs for any untoward event. Simultaneously, a SOC analyst raises a red flag and forwards a ticket to the NOC operator, who escalates to the L2 or L3 analysts to pull the logs for the period before the disruption and look for the event(s) that may have caused the outage.
So we have a member of the systems team and a member of the security team looking at the same log at roughly the same time and drawing their own conclusions. The absurd part: if the systems team member finds the device went down because of an attack, he or she closes the ticket, reassigns it to the security team and waits for go-ahead instructions to bring the device back up; if the security analyst finds the disruption was not due to an attack, he or she closes the ticket and sends it to the systems team for action.
If we merged the SOC and NOC and had a single L3 resource, that one person would look at the issue from both angles and close it once.
Hire a security professional who is hands-on with networks, applications, devices and so on, understands vulnerabilities, threats and risks, and is not confined to log management alone.
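The single-owner triage described above, written out as an added example that is not part of the original article: a small Python routine takes the time of the "device down" alert, looks at the host's log lines from the window before the disruption once, and decides whether the ticket belongs in the security queue or the systems queue. The syslog-style lines, the host name, the source address, the outage time and the failed-login threshold are all constructed for this example; the routing rule is illustrative, not a standard.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample syslog-style lines (not captured from any real system).
# Scenario A: a burst of failed root logins, a success from the same address,
# then the web service is stopped shortly before the "device down" alert.
LOGS_A = """\
2024-03-11T09:10:41Z web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50212 ssh2
2024-03-11T09:10:43Z web01 sshd[2203]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-03-11T09:10:46Z web01 sshd[2205]: Failed password for root from 203.0.113.7 port 50216 ssh2
2024-03-11T09:10:49Z web01 sshd[2207]: Failed password for root from 203.0.113.7 port 50218 ssh2
2024-03-11T09:11:05Z web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 50230 ssh2
2024-03-11T09:13:58Z web01 systemd[1]: Stopping nginx.service - A high performance web server...
"""

# Scenario B: same host, but only capacity problems precede the outage.
LOGS_B = """\
2024-03-11T09:09:12Z web01 kernel: Out of memory: Killed process 3344 (java) total-vm:8123456kB
2024-03-11T09:12:40Z web01 kernel: EXT4-fs warning (device sda1): ext4_da_write_begin: No space left on device
"""

# The moment the NOC alert fired ("device down"); constructed for the example.
OUTAGE_AT = datetime(2024, 3, 11, 9, 14, 2, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
CAPACITY_RE = re.compile(r"Out of memory|No space left on device|Link is Down")


@dataclass
class Triage:
    host: str
    route: str                                    # "security" or "systems"
    events_in_window: int = 0
    findings: list = field(default_factory=list)  # (queue, description) pairs


def parse_line(line):
    """Split one syslog-style line into (timestamp, host, program, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["prog"], m["msg"]


def triage_outage(raw_logs, host, outage_at, lookback=timedelta(minutes=10), fail_threshold=3):
    """Read the window before the outage once and route the ticket.

    Illustrative rule: any sign of an attack sends the ticket to the security
    queue; otherwise it stays with the systems queue.
    """
    window_start = outage_at - lookback
    failures = Counter()            # (user, source ip) -> failed login count
    findings = []
    seen = 0
    for line in raw_logs.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, h, prog, msg = parsed
        if h != host or not (window_start <= ts <= outage_at):
            continue
        seen += 1
        if m := FAILED_RE.search(msg):
            failures[(m["user"], m["ip"])] += 1
        elif m := ACCEPTED_RE.search(msg):
            key = (m["user"], m["ip"])
            if failures[key] >= fail_threshold:
                findings.append(("security", f"login for {key[0]} from {key[1]} "
                                 f"after {failures[key]} failures at {ts.isoformat()}"))
        elif CAPACITY_RE.search(msg):
            findings.append(("systems", f"capacity event ({prog}): {msg}"))
    # A brute-force burst deserves a security look even if it never succeeded.
    for (user, ip), count in failures.items():
        if count >= fail_threshold:
            findings.append(("security", f"{count} failed logins for {user} from {ip}"))
    route = "security" if any(q == "security" for q, _ in findings) else "systems"
    return Triage(host=host, route=route, events_in_window=seen, findings=findings)


if __name__ == "__main__":
    for name, logs in (("A", LOGS_A), ("B", LOGS_B)):
        t = triage_outage(logs, "web01", OUTAGE_AT)
        print(f"scenario {name}: route={t.route}, events in window={t.events_in_window}")
        for queue, text in t.findings:
            print(f"  [{queue}] {text}")
```

Scenario A routes to the security queue on the first pass (a successful root login after a burst of failures), scenario B stays with the systems queue (out-of-memory and full disk), and the same person owns the ticket in both cases instead of two teams reading the same log and handing it back and forth.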
Benefits of CenTOC
A converged Technology Operations Center can replace the legacy silos of SOCs and NOCs. I'd recommend a central TOC as the nerve center for managing technology, infrastructure, security, governance, risk and compliance. A quick cost-benefit analysis will make the case.
For instance, compare the service catalogue of a RIM provider with that of an MSSP: the redundancies and duplication of work are obvious. We cannot allow ineffective processes to bleed the organization.
The helpdesk is usually a shared service function. But in the NOC the person watching the monitor is called a 'Support Engineer'; in the SOC, a 'Security Analyst.'
An incident may be classified as a security incident or a network incident at a common call center, after which the workflow diverges, whereas the convergence should have been retained all the way through.
Waste of Resources
However, looking at the same resources from a "security" standpoint, one may wonder what the network team is doing on security turf. Let's see how resources are wasted.
- Unwanted services: for the security analyst they are risks and threats associated with malware activity; for the network engineer they are a capacity and efficiency problem.
- Third-party applications can be backdoors, keyloggers or other malware; security analysts will hunt for them and recommend removal. The network team will carry out the removal, but may classify their presence merely as a policy violation.
- OS hardening: the network team does this to comply with group policy; the security team then adds its "intelligence" by ticking a few more boxes in the same interfaces.
- Asset monitoring: the security team uses SIEM capability to read and analyze logs; the NOC team also reads and analyzes logs, to identify events that may have caused a system disruption.
Enabling the CenTOC
The CenTOC framework encompasses all aspects of security features and network essentials. A combined team of security and systems experts will be hands-on with continuous monitoring, firewall management and services, and backup/DR, with the bandwidth to provide both infrastructure monitoring and security monitoring across the whole estate.
So, find resources qualified to staff the NOC who also have insight into SOC operations. If cross-skilled resources are hard to find, train and build such teams.
Some SOCs do vulnerability assessment, threat intelligence and malware reverse engineering/analysis, but these are done by specialists, not regular SOC personnel. Similarly, specialist activity (setting up firewalls, IDS/IPS or server hardening) is not the NOC's domain but that of subject matter experts. So there is much to favor convergence.
Security practitioners must stay alert to technological changes that allow new threats and risks and make it harder to "keep the lights on." The CenTOC will have a big role in ensuring smooth operations and in defining organizational strategy through a proactive approach to aligning capacity and capability with business growth.
Dinesh O Bareja is the principal adviser-IS practice at Pyramid Cyber Security and Forensics Pvt. Ltd. As an enterprise security strategy and risk expert, Bareja holds an advisory position as Principal GRC lead at Pyramid Consulting, UAE. He is also the principal adviser to India InfoSec Consortium and a member of the Investor Grievance Redressal Committee at BSE Ltd.