OK, so you've been named security manager for your entire organization. Nice title, huh? Wouldn't it also be nice if you had the information and the clout you need to actually do your job?
Think of all the places a typical business application can be attacked. Hackers can try the network level, flooding routers with packets in denial-of-service attacks. They can try the client level, sending malicious viruses or worms disguised as e-mail attachments to individual users. They can attack at the server level, probing for common vulnerabilities such as ports and services left open by inexperienced administrators. The list goes on and on.
But who owns much of the information that would alert you, the security manager, to such attacks? All too often it's not your security staff, but the network operations center (NOC).
The NOC is mission control for the corporate data network. In a Fortune 500 company, the NOC might monitor the real-time performance of thousands of routers, hubs, servers, and local- and wide-area links. As IT has moved out of the backroom and become a critical part of the business, the NOC -- with its floor-to-ceiling displays and rows of blinking consoles -- has become a status symbol for many large companies. As such, it's often better funded and has more clout with senior management than your hastily-formed security group.
What's more, the NOC is paid to keep the network and your business applications up
On a more basic level, network and systems monitoring tools just look at information in different ways. According to one security manager, a network management tool focuses on functional data, such as "Is a machine up and running; is it out of disk space, is the network throughput good? Those aren't the pieces security people care about." The security manager, by contrast, might need an alert when someone tries to log in ten times using a different, and wrong, password each time.
The big systems management suites such as Hewlett-Packard Co.'s OpenView or Computer Associates International's UniCenter might already be gathering such data and even sending it to a NOC management console. But what's in it for the NOC staff to write the filters to pull that data out and present it in the way the security manager needs?
That's why it's so important for security managers to start building bridges to their NOC staffs. In the last month, I've talked to two security managers for major corporations who are doing just that. One of them is responsible for security at a fast-growing global content provider. Rather than convince the hard-pressed network operations staff to create security-specific data views for him, "it became easier to just negotiate with the NOC directly to get a view, or screen (of data) we would build for them." Rather than fight a big political battle, he's taken the pragmatic approach.
The other is in the process of creating his own full-time, round-the-clock security operations center (SOC). Until it's done, "We've been working hand-in- hand" with the existing network operations center, he says, forwarding reports of suspicious activity to the NOC at times when the security staff is absent.
Some argue that every NOC and the SOC should and will merge. That only makes sense, since they need so much of the same information and serve the same customers. If a denial-of-service attack takes down your Web server, is that a security problem or a systems availability problem? It doesn't matter: The business is being hurt, and it's up to the combined security and operational staffs to fix it.
In other companies, though, corporate politics and human nature will divide the operations and security staffs into two rival, feuding, counterproductive tribes. If you're in such a company, I pity you - and wish you good luck job hunting. Like it or not, the network operations and security staff are partners. The sooner they start acting like it, the better.
Veteran computer journalist Robert L. Scheier can be reached at firstname.lastname@example.org.
This was first published in October 2000