The Case for SNOC: Blending SecOps and NetOps for Enhanced Cybersecurity and Network Efficiency

By: Stephen Condon

May 14, 2024

The separation of Network Operations (NetOps) and Security Operations (SecOps) teams has traditionally been a cornerstone of IT operations. However, this division is increasingly impractical as the demands of modern cybersecurity and network performance rise. 

While both NetOps and SecOps teams have distinct roles in maintaining a secure and resilient infrastructure, they and the tools they use often operate in silos, which can lead to inefficiencies and gaps in security. The Security & Network Operations Centre (SNOC) concept seeks to bridge this gap by blending these functions into a cohesive unit, enabling a secure, high-performance network that meets needs without compromise.

The Logical Evolution Toward SNOC

The SNOC model is the logical evolution of enterprise IT operations. Inspired by DevOps, which united development and operations teams to streamline software delivery, SNOC brings together NetOps and SecOps for unified operations. This collaborative approach ensures that no security or network issue slips through the cracks, addressing problems proactively rather than reactively. Additionally, it eliminates redundancy in monitoring tools, encouraging efficient resource use as teams work together to meet their shared goals.

NetOps and SecOps Collaboration

So why isn’t there greater collaboration between security and network teams? 

SOCs are trying to prevent and mitigate attacks. For this, they gather all kinds of information (app logs, user access logs, firewall logs, vulnerability scans, threat feeds, and so on) in a SIEM to correlate it and hunt for threats.

NOCs are trying to keep the network going, but are often blind to a performance issue caused by a security incident, as their typical NPM tools don't allow for security data and threat feeds to be integrated.

What do >99% of attackers have in common? Unless an attacker physically enters the building, the attacker uses the network at some point during their attack. Yet SOCs rarely have access to network flow logs and NOCs can rarely integrate their NPM tools with enough information about potential attacks.

The reasons for the lack of NetOps/SecOps collaboration:

  • Tools for network flow data and logs are almost exclusively used by NOCs.

  • These tools lack the capability to efficiently send data into the SIEM.

  • Even if data can be sent to the SIEM, the flow data is not enriched enough so that non-network engineers can make sense of it.

  • Netflow data can get quite large, especially since unsampled flows are required for security use cases, so duplicating all this data can be unfeasible in some scenarios.

Almost all cyberattacks use the network at some point. Yet SOCs and NOCs rarely share network flow data, despite its value in detecting attacks. The lack of integration between NOC tools and SIEM platforms, combined with the technical complexities of managing flow data, often results in a lack of collaboration. What’s needed is a shared data approach that provides both teams with the data they require to effectively collaborate and work together to investigate and prevent security events. Enter the SNOC.

Benefits of a SNOC Approach

A key area for collaboration is the management and security of network traffic. Both teams must work together to monitor, analyze, and respond to traffic anomalies and security threats. For instance, NetOps focuses on ensuring network uptime, bandwidth, and performance optimization, while SecOps concentrates on threat detection, vulnerability management, and incident response. 

By sharing insights and data, such as the results of monitoring network flow records, both teams can gain a comprehensive view of network health and security, identifying potential issues before they escalate into major problems.

Additionally, as businesses increasingly adopt cloud services and integrate a wide array of IoT devices, the complexity of maintaining network security without compromising performance grows. SecOps and NetOps need to collaborate on developing and enforcing security policies that are both effective and efficient, ensuring seamless access and protection across all network touchpoints. 

This includes the configuration of firewalls, intrusion detection systems, and the coordinated response to cyber threats, ensuring that security measures do not hinder network performance. Together, these teams can create a synergy that not only enhances the detection and resolution of security threats but also optimizes network operations to support dynamic business requirements without compromise.

In summary, the benefits of a SNOC approach:

Proactive Monitoring and Management: In modern business environments, proactive monitoring is crucial. SNOC enables real-time analysis and decision-making, allowing organizations to respond swiftly to both performance bottlenecks and security threats. This approach not only supports operational continuity but also maintains high security standards, crucial for compliance and protection against cyber threats.

Cost Efficiency and Tool Optimization: Often, NetOps and SecOps invest in overlapping tools that perform similar functions, leading to unnecessary expenditures. A SNOC approach encourages the rationalization of these tools, optimizing spending and reducing training requirements. By sharing tools and processes, teams can leverage their combined expertise to enhance network performance and security simultaneously.

Handling Complex Network Environments: As networks become more complex with the migration to cloud services, increased encrypted traffic, and a surge in the number of endpoints, SNOC becomes indispensable. Tracking all traffic flows, including east-west (internal) and north-south (entering and exiting the network), is crucial. Unsampled NetFlow data plays a critical role here, providing the granular visibility needed to manage and secure these intricate network environments effectively.

Enhanced Response to Incidents: The integration of AI and machine learning technologies with real-time data capture across the network allows SNOC teams to quickly identify and mitigate issues. This capability is critical not only for maintaining network health but also for ensuring that security breaches are handled before they escalate into more severe incidents.

The Role of Unsampled NetFlow Data in a SNOC

One of the key technologies underpinning the effectiveness of a SNOC is the use of unsampled Flow/NetFlow data. Traditional sampled NetFlow data often misses crucial details because it only captures a subset of traffic data. Sampled network flow data might not be able to identify, or may totally miss, subtle Indicators of Compromise (IoC), such as an IP address from an unusual region accessing your network. In contrast, unsampled NetFlow provides a comprehensive view of all network traffic, offering invaluable insights for both security and network management. Read “Why Sampling Sucks for Network Observability” for a more detailed discussion.

Identifying Nefarious Traffic: With unsampled NetFlow data, SNOC teams can detect anomalies and potential security threats in real-time. This complete data allows for the identification of subtle patterns that might indicate a security breach, such as unusual data flows or unauthorized access attempts, which sampled data might overlook.

Enhanced Threat Hunting: Unsampled data enhances the SNOC’s ability to conduct proactive threat hunting. Security professionals can analyze detailed traffic data to uncover hidden threats before they cause harm, based on a thorough understanding of normal and abnormal network behaviors. Sampled Flow data may not be adequate for regulatory reporting in the event of a breach.
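To make the enrichment point from the collaboration section and the sampling argument above concrete, here is an added example (not ElastiFlow's code or code from the original post): it enriches constructed flow records with a hypothetical GeoIP/threat-feed lookup so that a non-network analyst can read them, then compares how often a single-flow IoC is flagged from unsampled records versus 1-in-N sampled records. All addresses, regions and feed entries are constructed.

```python
import ipaddress
import random
from functools import lru_cache

# Constructed stand-ins for a GeoIP database and a threat feed (documentation
# ranges; region "XX" is a hypothetical region this organisation never talks to).
GEO_BY_PREFIX = {ipaddress.ip_network("10.0.0.0/8"): "INTERNAL",
                 ipaddress.ip_network("198.51.100.0/24"): "US",
                 ipaddress.ip_network("203.0.113.0/24"): "XX"}
THREAT_FEED = {"203.0.113.77"}          # constructed indicator
EXPECTED_REGIONS = {"INTERNAL", "US"}

@lru_cache(maxsize=None)
def region_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((r for net, r in GEO_BY_PREFIX.items() if addr in net), "UNKNOWN")

def enrich(flow: dict) -> dict:
    """Attach the context a non-network analyst needs to read a flow record."""
    region = region_of(flow["dst"])
    return {**flow, "dst_region": region,
            "dst_on_feed": flow["dst"] in THREAT_FEED,
            "unusual_region": region not in EXPECTED_REGIONS}

def suspicious(flow: dict) -> bool:
    return flow["dst_on_feed"] or flow["unusual_region"]

def make_flows(count: int, rng: random.Random) -> list:
    """Constructed benign flows plus exactly one single-flow IoC (a beacon)."""
    flows = [{"src": f"10.0.{rng.randint(0, 255)}.{rng.randint(1, 254)}",
              "dst": f"198.51.100.{rng.randint(1, 254)}"} for _ in range(count - 1)]
    flows.append({"src": "10.0.5.23", "dst": "203.0.113.77"})
    return flows

def detection_rate(sampling_ratio: int, trials: int = 100,
                   flows_per_trial: int = 2000, seed: int = 1) -> float:
    """Fraction of trials in which the IoC survives 1-in-N export and is flagged.
    Sampling is modelled at flow granularity; packet sampling is harsher on short flows."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        flows = make_flows(flows_per_trial, rng)
        exported = [f for f in flows if rng.random() < 1.0 / sampling_ratio]
        hits += any(suspicious(enrich(f)) for f in exported)
    return hits / trials

def miss_probability(n: int, k: int = 1) -> float:
    """Analytic chance that all k flows of one IoC are dropped under 1-in-N sampling."""
    return (1 - 1 / n) ** k
```

Unsampled export (`detection_rate(1)`) flags the beacon every time, while `detection_rate(1000)` flags it in only about one trial in a thousand, matching `miss_probability(1000)` of 0.999.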

The Future of IT Operations

The drive towards a SNOC-oriented approach is part of a broader trend towards integration and efficiency in IT operations. Just as DevOps revolutionized software development by integrating and automating key processes, SNOC promises to transform how enterprises manage and secure their networks. The use of unsampled NetFlow data is pivotal in this transformation, providing the depth of insight required to operate sophisticated, secure networks effectively.

In conclusion, the SNOC framework represents a strategic alignment of network and security operations, aimed at enhancing overall IT agility, security, and performance. It’s a shift that acknowledges the intertwined nature of network operations and security, promoting a more collaborative, informed, and strategic approach to enterprise IT management. This integration not only streamlines operations but also significantly elevates an organization’s ability to anticipate, respond to, and mitigate potential network and security issues.

Update June 2024: Since publishing this post, ElastiFlow has launched NetIntel, a product that enhances and enriches flow data with significantly more threat intelligence information.
