NOC

Network Operations Center (NOC)

Short for network operations center, the NOC (pronounced “knock”) is a centralized location where 24/7 monitoring and management of events affecting technology services and infrastructure takes place. This location can be run by you, the direct service provider, or by an outsourced third party. NOCs originated in the late 1970s with telecommunication service providers (hence the ‘network’ in the name) for displaying the status of switches, routing, and circuits. Today’s NOC is not restricted to monitoring networking equipment (e.g. routers, switches, servers); it also covers cloud, power, environmental, and service aspects such as transactions, traffic, and user patterns. Here, the term ‘operations’ refers to the delivery and support of live services about to be deployed.

How to Operate a NOC

10 things you will need to consider when building a secure NOC

These steps are really important.

  1. Ingest

    All data is security relevant. Data is the oxygen that gives life to a NOC; analytics and algorithms breathe it. Just as important is the ability to ingest data from any source, structured or unstructured, at scale. You also need the ability to organize that data so that it is actionable by machine or human.

  2. Detect

    Once an event has entered the system, it’s imperative that the security operations suite has the ability to detect the event. In this case, detection is focused on events, which differs from traditional solutions that used to focus on files or network traffic. A security operations suite may leverage a combination of correlation rules, machine learning and analytics stories, to name a few.

  3. Predict

    Imagine you get an alert 30 minutes before you discover a security event. Imagine what that could do for your NOC. The ability to predict a security event allows the NOC to proactively escalate the incident to a human or to streamline a response with a predefined process. There are emerging predictive technologies that hold a lot of promise for providing analysts with early warnings, precursors or indicators of larger attacks, as well as identifying unknowns before they become bigger risks.

  4. Automate

    Automation is one of the newer technologies to help NOC analysts. Splunk’s recent acquisition of Phantom is a prime example. Automation tools take standard operating procedures and turn them into digital playbooks to accelerate investigation, enrichment, hunting, containment and remediation. A NOC with automation capabilities can handle more events because processes that used to take 30 minutes, for example, can now be done in as little as 40 seconds. In the evolution of a NOC, automation is no longer a choice and has become a mandatory tool.

  5. Orchestrate

    So you bought dozens of products to power your NOC out of necessity, not just because you had the extra budget. The majority of these tools serve a purpose and add to your defense, but they’re unlikely to change. This is a problem because threats evolve, and the products that hunt threats need to keep pace in an API-driven world. This is where orchestration comes in. Orchestration lets you plug in and connect everything that is inside and outside of your NOC. You no longer have to open new browser tabs or separate point-solution logins for every product, and you eliminate copying and pasting between different solutions. The ability to orchestrate all your products removes overhead, reduces frustration and helps analysts focus their energy on meaningful tasks.

  6. Recommend

    At this point, events have passed through a machine. Wouldn’t it be great if the platform powering the NOC could tell the analysts what to do next? The modern NOC can do just this by making a recommendation. This can come in the form of individual actions or playbooks. This is helpful in two ways: 1) for a new analyst it is educational, teaching them what to do when a similar threat arises again, and 2) for experienced analysts it serves as a sanity check, a reminder, or an accelerant for what they should already know.

  7. Investigate

    We expect 90% of tier-1 analyst work to be automated in the near future. But what happens to all that other work? Inevitably, it requires detailed, precise human analysis to finish the last mile. Intuitive security tools aid an analyst’s abilities and help them prioritize what needs to be investigated.

  8. Collaborate

    Security is a team sport that requires coordination, communication and collaboration. In a NOC environment, nothing can be dropped, events must be processed comprehensively, and teams need ChatOps capabilities: the ability to collaborate and connect the tools, people, processes and automation into a transparent workplace.

  9. Manage Cases

    Incidents happen even when we do our best to prevent them. What’s important is that when they do happen, security teams are armed with everything necessary to manage the response process. Teams need to make sure they have response plans, workflows, evidence collection, communication, documentation and timelines. This is why case management has emerged as a core capability for the modern NOC.

  10. Report

    You can’t manage what you can’t measure. We live in a data-driven world and security is no different; that’s why you can now measure all aspects of the security process. Having the right reporting tools helps inform on what’s performing, so security teams can accurately measure where they are and where they need to go. Today, the challenge NOCs face is their reliance on too many platforms, which makes it impossible to get accurate reporting.
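The Ingest, Detect and Recommend steps above can be seen working together in one small pipeline. The following is an added example written for this page, not code from the original article or from any Splunk product: it normalizes a structured (JSON) feed and an unstructured (syslog-style sshd) feed into one schema, applies a single correlation rule (repeated authentication failures followed by a success from the same source), and attaches a recommended playbook to each alert. The sample log lines, the schema field names, the 2024 year assumed for year-less syslog timestamps, and the threshold and window values are all constructed assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: one structured (JSON) feed and one unstructured (syslog) feed.
JSON_EVENTS = [
    '{"ts": "2024-05-01T10:00:05", "src": "198.51.100.7", "user": "alice", "outcome": "failure"}',
    '{"ts": "2024-05-01T10:00:09", "src": "198.51.100.7", "user": "alice", "outcome": "failure"}',
]
SYSLOG_LINES = [
    "May  1 10:00:12 bastion sshd[2201]: Failed password for alice from 198.51.100.7 port 5555 ssh2",
    "May  1 10:00:20 bastion sshd[2201]: Accepted password for alice from 198.51.100.7 port 5556 ssh2",
    "May  1 10:30:00 bastion sshd[2300]: Accepted password for bob from 203.0.113.9 port 4000 ssh2",
]
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
SYSLOG_YEAR = 2024  # assumption: syslog lines carry no year, so one is supplied here

def normalize_json(line):
    """Ingest a structured event into the common schema: ts, src, user, outcome."""
    e = json.loads(line)
    return {"ts": datetime.fromisoformat(e["ts"]), "src": e["src"], "user": e["user"], "outcome": e["outcome"]}

def normalize_syslog(line):
    """Ingest an unstructured sshd line into the same schema; None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m.group(4), "user": m.group(3),
            "outcome": "failure" if m.group(2) == "Failed" else "success"}

def ingest(json_lines, syslog_lines):
    """Merge both feeds into one time-ordered event stream."""
    events = [normalize_json(l) for l in json_lines]
    events += [e for e in map(normalize_syslog, syslog_lines) if e]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failures, then a success, for the same (src, user) within the window.
    Each alert carries a recommended playbook so an analyst or automation can act on it directly."""
    failures, alerts = defaultdict(list), []
    for e in events:
        key = (e["src"], e["user"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "failures": len(recent),
                           "recommendation": "playbook: disable account, reset credential, block source"})
        failures[key].clear()  # a success closes the failure streak for this key
    return alerts
```

Running `correlate(ingest(JSON_EVENTS, SYSLOG_LINES))` yields one alert for alice from 198.51.100.7 with three preceding failures; bob's clean login produces none.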