As agencies look to improve network performance and security, one approach that often gets overlooked involves converging the tools and data belonging to agency NOCs and SOCs — network operations centers and security operations centers.
Years of entrenched operating practices, budgeting and acquisition authorities, and cultural dispositions have tended to drive network and security operations teams down separate, albeit closely related, technology lanes. That has often led agency NOCs and SOCs to acquire similar data analytic tools and generate similar data but for different purposes. Agencies would be better served — by being able to improve both network performance and security — if they converged those resources, say two industry chief technology officers.
“If we think about folks in the NOC and folks in the SOC, they’re both buying a packet capture solution,” says Vincent Berk, CTO and Chief Security Architect at Riverbed. “One is going to need it to figure out performance related problems and root cause analysis on the wider network. Whereas, on the SOC side, folks are purchasing the same kinds of packet solutions to do your forensic analysis and detection of threats,” he says in a new FedScoop podcast underwritten by Riverbed.
“All these telemetry sources are collected in two different places. And they’re kept by two different teams. And they’re analyzed for two different reasons,” but all of it provides a broader visibility, he says.
Berk argues that beyond the fiscal benefits in buying fewer duplicative tools, “think about the efficiencies that it brings on a people-level when both are…using similar or the same tooling. They’re able to speak the same lexicon, and they’re able to swap notes very quickly, when for instance, a network slowdown is related to a large volume of traffic going from inside the network to outside the network.”
That is often the case during a data exfiltration incident, which can be a tip-off right before a major ransomware attack, he says. That’s when a network operator, seeing a performance issue, would alert his network security counterparts to “figure out where’s this data going? Who’s gotten into the network? Is there ransomware? But if there is a disconnect in tooling and a disconnect between those two teams — if they’re siloed and stratified — that exchange of information at such a supercritical time is going to be hampered,” he says.
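The hand-off Berk describes, as an added illustration that is not from the podcast or from Riverbed: one shared flow-telemetry table feeds the NOC's link-utilization check and, for the windows it flags, the SOC's per-host attribution of which internal source is pushing the unusual outbound volume. The flow records, the 10.0.0.0/8 internal range and the link capacity are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
LINK_CAP = 10_000_000                 # assumed outbound capacity, bytes per 1-minute window

# Constructed flow records: (window, src_ip, dst_ip, bytes). Windows 0-4 are
# routine; in window 5 host 10.0.1.9 sends a large burst out of the network.
FLOWS = (
    [(w, "10.0.1.5", "93.184.216.34", 400_000) for w in range(6)]
    + [(w, "10.0.1.9", "198.51.100.7", 300_000) for w in range(5)]
    + [(w, "203.0.113.4", "10.0.1.5", 900_000) for w in range(6)]  # inbound, ignored
    + [(5, "10.0.1.9", "198.51.100.7", 9_000_000)]                  # the burst
)

def outbound_by_window(flows):
    """Sum internal->external bytes per (window, source host); inbound flows are skipped."""
    table = defaultdict(lambda: defaultdict(int))
    for window, src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            table[window][src] += nbytes
    return table

def saturated_windows(table, capacity=LINK_CAP, util=0.8):
    """NOC view: windows whose total outbound volume exceeds util * capacity."""
    return sorted(w for w, hosts in table.items() if sum(hosts.values()) > util * capacity)

def attribute_spike(table, window, factor=5.0):
    """SOC view: hosts whose outbound bytes in `window` exceed factor x their
    mean over earlier windows. Hosts with no history cannot be baselined."""
    findings = []
    for host, nbytes in table[window].items():
        history = [table[w].get(host, 0) for w in table if w < window]
        if not history:
            continue
        baseline = mean(history)
        if nbytes > factor * max(baseline, 1):
            findings.append((host, nbytes, baseline))
    return findings

def correlate(flows):
    """Only the windows the NOC check flags are handed to the SOC attribution step."""
    table = outbound_by_window(flows)
    return {w: attribute_spike(table, w) for w in saturated_windows(table)}
```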
While the cultural boundaries between NOCs and SOCs may have hardened over the years, the pandemic appears to have prompted CIOs to reconsider their approach, Marlin McFate, Riverbed’s public sector CTO, says on the podcast.
“Prior to the pandemic, the deficiencies that we found in traditional visibility solutions were obvious, but their impact was below, say, a threshold for needing immediate change. All of a sudden, our environments in public sector and the private sector went through this 180-degree change — from being predominantly an environment that we have lots of control” into one with much less visibility and a level of risk that exceeded what most IT teams were used to, McFate says.
McFate maintains that agencies, in many cases, are caught in a “circular cycle” where the tools their NOCs and SOCs are used to using cause an “unintentional siloing effect” that tends to be self-reinforcing.
He and Berk argue that given the increasing sophistication and novelty of cyberthreats, agencies would be better served by combining the performance and security telemetry data they gather in order to better prepare for new threats likely coming in their direction.
They also offer recommendations on ways agencies might benefit not only from that strategy, but also from the greater opportunity it provides for hunting for threats proactively rather than reactively.
“If we look at the biggest threats out there,” says Berk, “the ones that did the most damage to organizations — they were effectively evidence-free. A proactive stance is to collect telemetry and keep it forensically. And know your network.”
Listen to the podcast for the full conversation on IT modernization in government, and find our other FedScoop and StateScoop podcasts on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by FedScoop and underwritten by Riverbed.
Marlin McFate serves as Federal CTO at Riverbed and specializes in networking, integration and virtualization. He has worked for more than a decade with government and DOD agencies, advising them on network modernization strategies.
Prior to joining Riverbed, Vincent Berk earned his PhD in machine learning applied to internet security, monitoring and forensics, and was a founding member of FlowTraq, a network security software company focused on catching advanced persistent threats. He has nearly two decades of network security experience, which he now uses to advise government leaders.