The Dawn Of Your NSC

Oscar Monge Espana
4 min read · Jan 18, 2022

Technology is constantly changing, and organizations adapt their people and processes accordingly to try to maximize the benefits it brings; yet changes that once seemed positive may need to be revisited later on.

Twenty years ago, organizations across the industry were beginning to define their monitoring models and to establish what would be called Network Operation Centres (NOCs), which oversaw the health of the organization's telecommunications and were responsible, among other things, for maintaining network uptime. Information Security came along and became a fundamental part of an organization, which is why Security Operations Centres (SOCs) were created. Therefore, having a Network and Security Centre (NSC) was the right choice to make.

These two entities worked side by side to make sure infrastructure and systems were monitored and used according to the internal acceptable use policy: the NOC focused on the performance and enablement of telecommunications, whilst the SOC focused on identifying network threats and endpoint activity, mainly related to viruses and worms.

As technology evolved, we started seeing more disparities between these two teams and, in the majority of cases, they started working in isolation from one another. The NOC focused more on maintaining the network backbone and making sure access control lists, DMZs and ports were opened to enable communication between systems; on the other side, the SOC focused on deploying SIEM, endpoint, anti-malware and DLP solutions, among others. Along these lines, the separation of the teams became evident.

Isolation is a common problem within organizations and may lead to duplicated effort or slower delivery of services because of the lack of communication and coordination.

In this timeframe, Information Security became Cybersecurity, and this evolution changed the perception of how we secure the assets within an organization: the defense perimeter no longer existed, attack vectors multiplied, and applications no longer necessarily ran on servers, just to name a few. We saw the adoption of containers, infrastructure-as-code, cloud technologies, IoT, OT… and we changed the concept of trust completely: no identity or device is trusted by default anymore.

The separation of the NOC and SOC is no longer viable; the continuous technology changes require seamless coordination, communication and direction for these two teams. Wide Area Network (WAN) connectivity is no longer seen as connecting remote sites to a central location via MPLS; instead, sites are connected seamlessly using software-defined WAN (SD-WAN) technologies that ease management while maximizing resource utilization and, in some cases, lowering capital expenditure (CapEx) and operating expenditure (OpEx).

Because networking devices have more security capabilities nowadays, these features must be configured in conjunction with the SOC team, to align business requirements with the direction the business has set for security. We will no longer have two teams but a fusion of the two, the Next Generation Network and Security Center (Next-Gen NSC) or Cyberfusion, still maintaining the fundamental concept of separation of duties at its core.

Additionally, adopting an Agile working methodology would positively affect the delivery of services, reducing duplication of effort and increasing the visibility of changes made to the managed products, while significantly increasing communication between the two teams and eliminating silos (standalone working).

A Next-Gen NSC will be ready to adapt seamlessly to new technology trends like Zero Trust, which relies heavily on endpoint activity, network configuration, identity management, and application flow visibility and control, stitching all of these together in a data lake (or similar) and maintaining continuous monitoring in a SIEM solution for continuous validation of access to the desired asset. The team would be able to operate, respond and configure the technology from a central (virtual) location.

Further along, as more organizations move to the cloud, maintaining and monitoring a multi-cloud strategy, keeping control of applications and infrastructure, and maintaining a good security posture would be achieved faster and more consistently.

As with any other transition, fusing these two teams will require, besides a technology and process effort, a good investment in the people. Individuals belonging to these teams will be exposed to new technologies and new concepts that would not only increase their scope of work, but also extend their knowledge across multiple technologies. Networking could be used as a knowledge stepping stone for cybersecurity analysts, and vice versa.

Here are some indicators to assess if a cyber-fusion is necessary within your organization:

  • Is the organization going through a refresh cycle of network solutions that greatly increases their security capabilities?
  • Do changes in networking infrastructure affect your security operations team, negatively or positively?
  • Is there a perception that communication does not flow as expected between the networking and security teams?
  • Are security or network solutions being chosen or implemented by one team without assessing the impact on the other parties involved?
  • Does your security roadmap require regular changes to network infrastructure or configuration settings?

Technology, as previously stated, will continue to evolve. How we, as organizations, align and adapt our processes and keep our people engaged in this ubiquitous change is our responsibility, and eventually leveraging more automation would enable the organization to adapt to changes more easily and quickly. This fusion may be the first step toward other fusions within IT, such as the SOC and the vulnerability management teams.

How can we achieve that? Management and senior management would need to be closer to the enablers of the business; a continuous industry scan, carried out on a regular basis and aligned with the business risk appetite for adoption, would help define the mid- to long-term strategy and identify the outliers for changes in people and processes.

Are you foreseeing a scenario like the one described above? If you want to share your experience or hear more about how we do it, you are always very welcome to reach out.

Oscar Monge, CISSP, CCSP,

Cyber Transformation Architect EMEA, Palo Alto Networks.
