
An Overview of Fortinet’s Integrated NOC-SOC Solution

By Nat Smith | April 16, 2018

Fortinet's industry-first purpose-built NOC-SOC solution is designed to bridge workflows, analysis, and automated response between operational and security processes. The management and analytics solution integrates Network Operations Center (NOC) and Security Operations Center (SOC) tools to address the growing challenge of resource constraints by bridging the gap between traditional IT silos.

NOC vs. SOC: What’s the Difference?

Before we take a closer look at Fortinet’s integrated solution, it’s important to understand the differences between network operations centers (NOCs) and security operations centers (SOCs). In a traditional IT environment, NOCs optimize for overall operational efficiency, while SOCs aim to optimize intelligence efficacy and maintain a defensible security posture.

Because of these separate areas of focus, sharing critical information between NOC and SOC teams is often a challenge.

The Challenges Presented by a Siloed NOC and SOC Approach

Network engineers traditionally focused on managing a core network have been spread thin in developing elastic and adaptable virtual environments, architecting multi-cloud infrastructures, managing a growing number of endpoint and IoT devices, and keeping an eye on the rapid emergence of Shadow IT. The complexity of these additional tasks adds significant pressure on IT teams, who find they now have more to do with little to no increase in resources.

In one survey, 60% of respondents say that budgets are not keeping pace with the emerging technologies or the rise in the level of threats. This challenge is compounded by the growing cybersecurity skills gap. According to a recent Global Information Security Workforce Study, the cybersecurity workforce gap is expected to reach 1.8 million by 2022. Even now, 66% of respondents report not having enough workers to address current threats. As a result, many IT professionals now say they often feel overwhelmed, and that they have less of a handle on what happens inside the network than ever before.

This sense of being overwhelmed is the direct result of our rush to make the world more elastic and flexible. More systems and services and environments mean more complexity. Because of this, security leaders have no idea how to answer the questions, “how secure are we?” or “are we more secure today (especially after a recent security investment) than we were before?”

In the face of overwhelming complexity and a growing list of tasks, security leaders tend to fall back on the basics – either finding ways to make tasks more efficient (business optimization) or looking for ways to detect attacks quicker (security efficacy). NOC and SOC teams are really just extensions of these two schools of thought – operations and security.

Traditional NOC thinking strives to break operational challenges into bite-sized tasks, finding ways to make each discrete task more efficient and hoping to improve the overall process, thereby conserving resources. With traditional SOC thinking, on the other hand, organizations presume that improved security tools that are better at detecting attacks and threats (efficacy) will reduce incident response and remediation effort, thus saving resources. Unfortunately, neither of these siloed approaches scales to make a meaningful dent in resource constraints. The reason is found in the growing complexity of our modern IT systems and services. Merely increasing expertise in operations or security does little to reduce this complexity. In fact, it may actually widen the gap between NOC and SOC as they continue to specialize in different directions.

Bridging the Gap with Automated and Integrated Network and Security Operations

While specialization helps us perform discrete tasks more efficiently, it also creates issues when problem resolution requires handoffs between silos. Coordinating resources takes time, and time is the enemy of protecting assets and data. Bringing NOC and SOC functionalities together into a unified NOC-SOC solution knocks down those barriers by automating correlation and coordination across silos. This is the proverbial low-hanging fruit. Automating data exchanges between security (SOC) workflows and operational (NOC) workflows – creating a single, automated, complete workflow – not only saves time, but also provides the capacity to complete additional incident response activities. It is a new approach that simplifies how organizations deliver security.

This integration across disciplines – not merely products – enables a greater level of visibility, control, and operational management.

Fortinet’s new NOC-SOC solution combines the latest capabilities of FortiManager, FortiAnalyzer, and FortiSIEM solutions, coalescing the operational context of the NOC – such as appliance status, network performance, and application availability – with the security insights of the SOC – which identifies and remediates such things as breaches, data exfiltration, and compromised hosts.

In this new model, for example, once a threat is identified the SOC teams have a real-time view of all connected assets, their current state, and who owns them, allowing them to immediately understand the scope of the threat and more effectively automate an orchestrated action to stop an attack, quarantine affected devices, isolate network segments, assess impact, and remediate the damage.

This intersection between operations and security activities is essential for establishing and maintaining a scalable defensive posture for today’s dynamic business environments.

NOC-SOC Benefits of the Fortinet Security Fabric

Comprehensive Security and Operations Visibility: Combining current assets and status (NOC) with security threats (SOC) is essential in protecting today’s networks. For example, security teams benefit greatly from a comprehensive Fabric Topology view within FortiManager and FortiAnalyzer, graphically displaying a map of current assets and their status, along with security threats. As another example, FortiSIEM brings together the operational context of a full configuration management database (CMDB), including accurate, up-to-the-minute status on all assets, while proactively searching and adding new assets as they come online. Linking both of these perspectives shortens the time necessary to understand and scope the problem and prioritize the right response.

Measurable Security Posture Assessments: How secure are you? The new Security Rating feature is an operational technique (NOC) applied to security intelligence (SOC), helping organizations answer that question. This NOC-SOC approach continuously evaluates Security Fabric elements, quantifying and scoring their implementation of security best practices. The system even suggests ways to improve security posture, mapping a path to improvement. Leveraging FortiAnalyzer to track these Security Ratings over time allows further operational techniques to be applied to the equation. The result is that resource constraints are mitigated by simplifying the complex job of assessing security readiness and pointing out where areas of improvement lie.

Cross-Silo Automation with ServiceNow: As a Fabric-Ready partner, ServiceNow integrates into NOC-SOC-based workflows, spanning traditional IT silos. Security incidents created in FortiAnalyzer or FortiSIEM, with appropriate evidence and forensics added to the ticket, are automatically passed to ServiceNow. Analysts working in ServiceNow then determine the best resolution from a catalog of responses. Those responses are then automatically implemented through FortiManager, thereby closing the loop between silos and seamlessly bridging the gap between security and operations teams. By connecting a SOC workflow (incident identification) with a NOC workflow (response management), these two traditionally separate functions are automated into a single process. Resource constraints are attacked through the time savings and accuracy of an automated response.

Bringing the insights of the NOC and SOC together into a single framework enables organizations to scalably address the challenges of resource constraints. IT teams not only see events more clearly, but also maintain a management approach that adapts to network changes and automatically responds to events at digital speeds. This integrated approach closes the gaps created by isolated tactics by establishing security-operationalized visibility, enabling quantifiable security assessments, and automating cross-system controls. NOC-SOC is the new, integrated approach organizations need to solve much of the security complexity they face today.
