Professional Documents
Culture Documents
17, 2022.
Digital Object Identifier 10.1109/ACCESS.2022.3157738
ABSTRACT Traditionally, network and security operation center teams have worked in silos despite
commonalities. The network operating center (NOC) team is to provide operationality and availability of
information technology (IT) assets, while the security operation center (SOC) team is to ensure IT assets
security and protect them from cyber-security attacks. The convergence in IT assets and exponential growth
in cyber-security threats in the present digital-online scenario have created many challenges in maintaining
network and IT assets effectively and protecting them. It is vital to break these silos and bring them under one
integrated unit to effectively counter cyber-security attacks, threats, and vandalism at a reduced operational
cost. Despite its necessity, the relevant literature lacks an opinion. It focuses mainly on conceptual segments
instead of a holistic view of an integrated NOC and SOC architecture, limiting further innovations in the
field. A systematic literature review and analysis is conducted to collate and understand current research
ideas in this paper. The mapped relevant literature and our expertise have been then used to propose the
implementable state-of-the-art architecture of an integrated NOC and SOC, its definition, the main building
blocks and its usefulness for the organizations. Only explicit knowledge of people is considered while
neglecting the tacit knowledge in automating and integrating the processes of NOC and SOC, which is
the major limitation of the relevant literature. Taping people tacit knowledge is necessary for utilizing the
entire caliber of the NOC and SOC integration in the future.
INDEX TERMS Collaboration of network and security operation, integrated network and security operation,
integrated NOC and SOC, netsecops, network security operation center.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 10, 2022 27881
D. Shahjee, N. Ware: Integrated Network and Security Operation Center: Systematic Analysis
Conversely, integrated NOCs and SOCs are more efficient open challenges. Finally, the author concludes with a com-
and better coordinated to ensure IT infrastructure integrity, plete systematic review of the analysis.
availability with enhanced SLA and real-time threat detection
capabilities [7], [9], [10]. However, some routine and com- II. RELATED WORK
mon factors such as staff reduction, skill deprecation, less The availability of relevant literature related to state-of-the-
knowledge sharing, privacy compromises, and some intel- art integrated NOC and SOC is rare because of its niche con-
lectual property leakages put the company or organization cept, especially its holistic view of integration. An essential
IT infrastructure at risk. Routinely, NOCs and SOCs are issue within a significant part of this literature is that it is
tasked to perform better and extraordinarily, with limited very segmented, lacks an agreed opinion, and focuses mainly
resources struggles to pace organizational growth. Lever- on conceptual elements instead of a holistic view. Only a
aging common NOC and SOC characteristics to build few researchers have attempted to define the architectural
an integrated team responsible for NOC and SOC func- framework of integrated NOC and SOC in the discovered
tionalities is cost-effective and yield better operational literature [6], [7], [11], [13], [16]. Though most researchers
efficiencies [11]–[15]. agree on its necessities, capabilities, efficiencies, and useful-
A few research gaps and challenges are revealed while ness, there is no explicit agreement of what constitutes an
performing systematic literature reviews and analysis of inte- integrated NOC and SOC. Similarly, much literature focuses
grated NOC and SOC. The most prominent issues are the lack on distinct attributes of an integrated network and security
of an accurate definition of an integrated network and security operation center without paying much attention to the holistic
operation center, its main components or building blocks, view [2], [10], [13], [51], [52], [55].
and state-of-the-art integrated architecture. Researchers have Authors have acknowledged a few publications somewhat
only covered the idea of integration at the conceptual level, relevant to our integrated NOC and SOC concepts, which
which is at the evolving stage. For some researchers, integra- is useful in understanding the integration concept. A few
tion may be carried out at initial tiers, keeping the status quo researchers use semi-structured interviews [19], surveys and
on others [2], [6], [8]–[10], [12]. For others, the integration on-site visits [20], [67], [68] and case studies [7], [9]. Further,
team can have a shared pool where they can post all queries, interviews, surveys and case studies are used to verify and
which can be resolved by both team members keeping higher elaborate on the integration processes of NOC and SOC and
tiers intact [7], [11], [16]–[18]. A few challenges include their methodologies, and how SOC best practices can be
non-availability of standards, integrated toolsets, insufficient integrated with the NOC for improving in time to detect the
automation, an unwillingness to share data thinking it might incident and its mitigation [7], [9], [19], [20]. The SANS log
be mishandled or misinterpreted, and a lack of cross-team management survey [67] and cyber threat intelligence [68]
skills. These differences in views and challenges thwart orga- survey reports emphasize the inability to differentiate normal
nizations from integrating NOC and SOC and researchers from abnormal patterns. Moreover, it is advantageous to use
from further innovation in this field [18]. Therefore, the main platforms that can build benchmarks by integrating network
contribution of this analysis is to close this gap by establishing elements, endpoint security activity and other IT systems
the veracity for a state-of-the-art architecture for integrated compared to non-benchmarked systems [67]. Furthermore,
NOC and SOC. Hence, the authors conducted a systematic lit- the security monitoring system incorporates threat intelli-
erature review and analysis to identify and include the current gence according to the observe, orient, decide, act (OODA)
state of the art architecture. Subsequently, we introduce the loop. This OODA loop helps detect patterns while ana-
state-of-the-art architecture of an integrated NOC and SOC lyzing network elements, security endpoints, and other log
resulting from the present scenario. events [68]. Most researchers adopted a bottom-up technique
The structure of the rest of the paper is as follows. while defining the definition of integrated NOC and SOC
In Section I, this paper identifies relevant work. In Section II, methodology [7], [9], which is difficult to understand the inte-
the Preferred Reporting Items for Systematic reviews grated concept definition and lacks a holistic view. However,
and Meta-Analyses (PRISMA) methodology proposed by surveys and interviews have provided some understanding
Moher et al. [21] was adopted to carry out this systematic lit- into a small segment of particular building blocks of an
erature review and analysis. Section III is the first part of the integrated NOC and SOC but do not allow decisions upon
main contribution of this analysis. We carried out a systematic a general state-of-the-art and highlighted its advantages and
analysis of relevant literature to understand the requirement efficiencies.
and importance of integration in defining the definition of Authors notice a paucity of holistic views and identify the
integrated NOC and SOC and its main components or build- status quo in integrating NOC and SOC. There is a need for
ing blocks. Section IV highlight the usefulness of integrated standardization of terminologies and state-of-the-art architec-
NOC and SOC vis-à-vis siloed NOC and SOC. Section V is ture further to advance the field of NOC and SOC integration.
the second part of the main contribution. This part focused Therefore, by this systematic analysis of integrated NOC and
on bringing the state-of-the-art of an integrated NOC and SOC, the authors initiate the first step in this approach.
SOC from relevant literature. Section VI has proposed future Further, systematic literature analysis of this paper is dif-
development and research roadmap while identifying other ferent as authors put a heavier weight on quality than quantity
TABLE 1. Search protocol strategy. tailor this systematic literature analysis for the engineering
and computer science domain. This PRISMA flow is primar-
ily adapted for this analysis since it is evidence-based with
a minimum set of items for reporting in systematic reviews
and meta-analyses. It establishes the quality of the reviews,
allows readers to assess strengths and weaknesses, permits
replication of review methods, and structures. It formats the
review using PRISMA headings, identification and screen-
ing, and eligibility and include phases. The PRISMA flow
process adopted for relevant literature collection is illustrated
in Fig. 1.
network and services [26], [27], [32]. Thus, one can say that manage, and resolve incidents or faults effectively and to
NOC is the basis of an organization nervous system [2]. counter the rough attackers. It creates situational aware-
ness, mitigates the exposed risks, and helps fulfil regulatory
2) SECURITY OPERATION CENTER requirements. When an incident occurs regarding a NOC
The SOC consists of analysts, operators, and subject matter and SOC specific issue, there is shared accountability and
experts who monitor security endpoints, sensors, IT infras- authority among the integrated team of defenders on triag-
tructure, applications, and services. They use various tech- ing, remediating, handling, and making recommendations to
nologies and processes as per invoked organization policies stakeholders and system-owners of the respective impacted
to deter IT infrastructure misuse and policy violation from system.’’
preventing and detecting cyber threats and attacks, secu-
rity breaches, and online abuse and respond to cyber inci- B. ARCHITECTURE OF INTEGRATED NOC & SOC
dents [34]. Holistically, it represents overall organizational While the previous section defines the integrated NOC and
security vision and strategy. It uses either PPT or People, pro- SOC, in this section, the authors analyze the available lit-
cesses, technologies, governance and compliance (PPTGC) erature on the architecture of NOC, SOC, and integrated
frameworks to manage the entire security campaign of an NOC and SOC. From the relevant literature, the architecture
organization [4], [34]–[42], [48]. This operational method- of an integrated NOC and SOC primarily consists of three
ology is accomplished by a system of systems architecture elements: personnel, processes, and technology. Networks
rather than a single system. It also creates security awareness and cybersecurity technologies are constantly evolving; it
in mitigating the exposed risks and helps to fulfill the organi- is essential to understand their infrastructures, current pro-
zation security posture. cesses, procedures, policies, and other controls in the orga-
nizations/industries and how these elements are controlled
3) SECURITY INTELLIGENCE CENTER and monitored. The comparative research aims to develop
The security intelligence center (SIC) term was first used in a state-of-the-art holistic architecture of an integrated NOC
2017 as the successor of SOCs’’. The SIC aims to provide a and SOC. The comparative research aims to develop a state-
more holistic, integrated view than a SOC, which can fully of-the-art architecture that can be implementable in organiza-
visualize and manage security intelligence in one place. [43]. tions. Towards this, validation of state-of-the-art architecture
Therefore, numerous technologies such as knowledge man- has been carried out using the ‘‘Delphi Technique’’ at the
agement, big data analytics, and information security have elemental level by seeking a consensus from the experts in
been combined [44] from various other terms and terminolo- the field of network and security operation centers of an
gies of NOC and SOC. organization through a series of questionnaires [71]. Though,
it is highlighted that the integration of network and security
4) INTEGRATED NOC AND SOC operation centers is a continuous process due to fast-evolving
While mapping the literature, the authors saw the lack of technologies in the present digital and cyber- security era.
commonly agreed-upon terminology and definition for an Therefore, architecture or framework are rarely mature; it
integrated NOC and SOC due to existing tools and agencies is just a version, as one will see new things over time that
between siloed NOC and SOC. Definitions vary widely, mak- may not be reflected in it. Part one covers three different
ing it difficult to understand the integrated NOC and SOC general architectural approaches applied to NOC, SOC, and
and how it is efficient and advantageous from silos operation integrated NOC and SOC designs throughout the literature.
methodologies. To have a clear definition of an integrated At the same time, part two of this section aims to develop a
NOC and SOC, the authors define its know-how and know- state-of-the-art architecture of an integrated NOC and SOC
why of an integrated NOC and SOC and put it in a nutshell from the relevant literature. The distribution of related liter-
as driven by the relevant literature below: ature on NOC, SOC, and integrated NOC and SOC is listed
‘‘The merging of NOC and SOC is a continuous integration in Table 4.
and continuous development campaign at strategic, opera-
tional, and tactical working culture vis-à-vis its technologies, TABLE 4. Literature on NOC, SOC, integrated NOC & SOC and reports.
wherein different network/data resources are placed at var- FIGURE 4. NOC architecture: end-to-end CSP network.
ious locations and managed from one central location.
A distributed architecture resembles one single system framework for the real-time security operations and man-
operating across several subsidiaries. It appears for users as agement [4], [34]–[42], [48]. To analyze cyber and security
if they are dealing with one entity. The distributed system incidents, it follows a tiered approach of triage, analyses, and
enables all entities to retrieve, process, combine, and pro- neutralizing it, or else escalating the issue to higher tiers for
vide information and services to other entities [46]. It allows subject matter experts for detailed analysis. Fig. 5 depicts the
for evenly sharing workload and data among all distributed architecture model of SOC, which shows four components:
networks. data collection, data processing, correlation analysis, and
In a decentralized architecture, the concept of centralized visualization [37]. One of the SOC models proposed by
and distributed architecture collaboration takes place [44]. Bidou et al. [48] defines SOC, which consists of five parts:
A decentralized network comprises a few networks with pos- event generators, event collectors, message databases, analy-
sibly limited capabilities reporting to one or more centralized sis engines, and reaction management software. The SOC box
networks. While mapping the previous literature with current, architecture has certain limitations in the present scenario,
a remarkable shift is observed from centralized to decen- as it is almost a decade old. The SOC box architecture is a
tralized networks. The main reason for this shift in design centralized system with numerous single points of failure.
architecture is probably to build more redundancy and to With the complexity of current information technologies,
avoid a single point of failure [4], [26], [46], [47]. landscapes, and technological developments, distribution-
based architectures are more appropriate. Subsequently, the
2) NOC ARCHITECTURE SOC box architecture has undergone many changes to com-
NOC is the nerve center of an organization with different roles pete with the present evolving technologies. Its immedi-
and responsibilities that ensure the availability of a network ate successor is the distributed security operation center
with the required speed and performance for its stakehold- (DSOC), as proposed by the same authors Bidou et al. The
ers [2], [14]. As per Chavan [26], the earliest NOCs began DSOC architecture lays the foundation for the distributed
in the 1960s. A network control center opened in 1962 by
American Telephone and Telegraph Company (AT&T) in
New York uses status boards to display switch and routing
information in real-time from AT&T most important toll
switches. Later, AT&T enhanced the network control center
with a modernized network operation center in 1977. A NOC
model with an end-to-end communication service provider
(CSP) architecture is shown in Fig. 4. This model defines
a NOC, which consists of five layers: the display of alerts
and messages layer, business support system (BSS) layer,
operation support system (OSS) layer, network management
system (NMS), FCAPS layer, and an element management
system (EMS) layer [26], [32].
3) SOC ARCHITECTURE
SOC is the immune center of an organization with different
roles and responsibilities. It follows either PPT or PPTGC FIGURE 5. The architecture of SOC.
grid SOC (GSOC) architecture for critical infrastructures. For some researchers, integration at all tiers is beneficial
These architectures show a shift from a centralized to a for streamlining incident management processes [11], [16].
distributed SOC architecture over time to avoid single-point However, for other researchers, complete integration only at
failure. tier one and a few shared workflows with shared ticketing at
higher tiers are recommended [5], [7], [13], [14]. It further
4) INTEGRATED NOC & SOC ARCHITECTURE defines that the integration introduces powerful synergies
The general architecture of integrated NOC and SOC is either between SOCs and NOCs via people, collaboration, toolkits,
centralized, decentralized, or distributed [47] according to and techniques. Full integration is the complete solution at
the strategic choice of the organization. As the architecture all tiers, although work is in progress and needs continuous
of NOC and SOC has adopted the framework of people, refinement as per the latest emergent technologies and cyber
processes and technology or people, process technology, gov- threats [11]. Researchers agree to integrate NOC and SOC as
ernance, and compliance [20], [26], [27], [34], [35], [37], per the relevant literature because it is operationally viable,
[39], [41], it is advantageous to integrate NOC and SOC under efficient, effective, and cost-attractive. Conversely, they differ
one umbrella for enhanced efficiencies, cost-effectiveness, in the extent to which integration is required between NOC
and improved SLA [7], [11], [13]–[15], [18], [19]. The rel- and SOC [6]–[8], [11], [12], [15], [16], [30].
evant literature reveals that integrating NOC and SOC is Furthermore, the integration of NOC and SOC is viable
advantageous in improving the SLA of network and security because the operational methodologies are mostly identical
by integrating either at all tiers or a few tiers [7]. Regarding at their initial tiers, as both use similar tiered structures
the integration of NOC and SOC, the identified literature of monitoring and response teams. In addition, they share
mainly suggests the integration concept because it has com- the same toolkits, analyst workstations, dashboards, SLA,
monalities in NOC and SOC infrastructures and operations, ticketing systems, helpdesks, investigation teams, and triage
personnel knowledge, processes, and detection technologies. of reported and detected incidents. However, some differ-
The classification of relevant literature to show the state-of- ences exist at higher tiers, primarily in subject matter experts
the-art methodologies is shown in Table 5. Therefore, a well- (SME). Their union would be better sensemaking with situ-
accepted literature classification scheme of N. Hernandez [7] ational awareness from a long-term perspective, as the NOC
and Hae et al. [16] is used. primary concern is providing infrastructure availability with
Integrating NOC and SOC teams at various tiers will result for an integrated NOC and SOC, viz., analysts, subject
in better synergy in utilizing both team expertise and improv- matter experts, and a manager from relevant literature,
ing operational efficiency by multitasking, cross-training, and which are listed in Table 6.
knowledge sharing between team members [7], [16]. For Various roles and responsibilities, for example, at tier
example, the NOC team has expertise in network support and one or two, the operator or analyst tasks of both NOC
in-depth knowledge of network protocols such as transmis- and SOC are fairly easy and similar [7], [26], [41]. At tier
sion control protocol (TCP), internet protocol (IP), and open three, subject matter experts handle escalated matters requir-
systems interconnection (OSI) layers [26]. At the same time, ing specialized triage methods as it contains both network
the SOC team prerequisite is to have in-depth knowledge and security incidences [7], [35]. However, as per some
of organization network configurations and protocols, secu- researchers, with cross-training, on-the-job training (OJT),
rity/cyber threats know-how, and network protection method- this limitation of different skillsets can be overcome, which
ologies [34], [58]. Therefore, having two siloed teams for paves the way for the integration of NOC and SOC at all
identical tasks at various tiers can lead to many issues such tiers [6], [14], [16], [18], [55]. Further, with the convergence
as loss of productivity, communication ambiguity, delay in of IT infrastructure and security, the thin demarcation line
trouble resolution, and data breaches. Roles and responsibil- between them becomes more complicated and ambiguous as
ities, training, and collaboration are sub-stepping blocks of more advanced cyber-attacks tend to cover their footprints
people elaborated in the following paragraphs. by multiple hops between numerous IT infrastructures. For
• Role and responsibilities: The role and responsibilities example, the famous ‘‘stuxnet pen-drive-based advance per-
of an integrated team can be formalized by tweaking the sistence attack’’ was successful because of silos working
existing roles and responsibilities of the NOC and SOC between NOC and SOC. Having integrated NOC and SOC
teams. As per work, size, scope, and 24 / 7, 365 days teams could have detected the potentially common patterns
per year continuous operation, different analysts, sub- of attack by the correlation between alerts and events on their
ject matter experts, and a manager are required per tier respective integrated tools by subject experts instead of the
hierarchy. Having numerous parallels between NOC and siloed operation of monitoring network faults and security
SOC, the authors derived three roles and responsibilities events alone [16].’’
among the integrated team members compared to siloed team task to the respective recovery teams without involving
operations. [2], [7], [8], [11], [14]–[16], [19], [30], [50]. The any operator.
integration of siloed NOC and SOC processes for ease of • Integrated Case Handler: All incidents are tracked and
information sharing and collaboration, as seen in the relevant handled via an integrated case handler and stored at a
literature, is as follows: data center or warehouse for knowledge management.
Case monitoring is performed automatically via its sta-
• NOC and SOC process integration:Two different tus and escalated if the case is critical or unrecoverable
NOC and SOC processes can be integrated, reconfig- as per predefined fixed SLA. Further, after each case
ured, and automated based on commonalities under the resolution, the subject case resolution methodology is
integration approach [16], [52]. For example, instead of stored at the knowledge management data center for
manning two separate incident response helpdesks for operator reference for similar case resolution, if any,
NOC and SOC (handling basic calls and ticket gen- in the future. This methodology further improves triage
eration), a single integrated helpdesk manages NOC accuracy and reduces service recovery lead time, and
and SOC calls, incidents, and ticket generations can be improves SLA [14], [18], [42].
formed, as shown in Fig. 8. The integrated helpdesk team • Integrated Process and Case Handler as Design
can perform tier-one analysis using the integrated tools Enabler: The integration of NOC and SOC processes
and techniques to identify a performance bottleneck or and case handler as enabled by the collaboration of
cyber incident and route the incident accordingly to NOC and SOC makes it more modular for operators to
tier-one response teams. If the incident is critical or perform their tasks smoothly. This integration enables
severe, it can be escalated to either the second or third the operator to work efficiently and focuses on core
tier for in-depth investigation and timely resolution. strategically defined incident management and service
Subsequently, an automated fault or incident identifica- recovery tasks. In addition, this will require less OJT
tion and switching process can be created to route the with minimum maintenance to perform better tasks.
elements, and security endpoints are correlated, cor- C. OVERALL SITUATIONAL MANAGEMENT LAYER
rected, fused, and then presented to analysts on their It is a top layer that works similarly to a human brain as
dashboard for real-time monitoring and responses. it receives inputs from logs, events, and the nervous and
immune systems, which are physical data and FCAPS/system
V. STATE-OF-THE-ART ARCHITECTURE OF AN layers. It generates a holistic overall situational picture and
INTEGRATED NOC AND SOC provides decision-making capabilities for the manager and
The authors examined the definition, architecture, and build- operators to judge the operational impact of the incidents
ing blocks of an integrated NOC and SOC in the previous and assist in the recovery process. Furthermore, the logs
section. This section introduces the second part of our main and events from both lower layers are collected, correlated,
contribution, and the authors answer the first research ques- mapped, and indexed under a centralized data center and
tion as shown in the research. This section mapped all the used by integrated tools for performing various data-related
relevant academic literature and formulated a state-of-the-art tasks [16], [26]. Tasks such as incident management, auditing,
architecture for an integrated NOC and SOC. However, some detection, forecasting, and impact analysis are performed by
researchers have suggested a layered approach for the inte- this layer. The layer methodology of integrated NOC and
grated NOC and SOC approach [16], while a few suggested SOC is shown in Fig. 11.
a zone infrastructure concept [31].
The integration of NOC and SOC is not a one-time
1) INCIDENT MODULE
measure, rather a continuous development and integra-
tion process. New and more advanced threats continue to A case management system is incorporated in this overall sit-
emerge [3], which necessitates new tools and better collabora- uational management layer, as defined in the previous section.
tion between NOC and SOC teams to handle them. Therefore, It aids integrated management and operators in informed
the authors have proposed a layered and scalable state-of-the- decision making and reduces human errors. It identifies reg-
art architecture in which twin processes, technologies, and ular reoccurring incidents and alarms analysts for their nec-
operators of NOC and SOC are combined under an integrated essary actions. However, unresolved or critical incidents are
concept to remove duplicities. However, different processes, escalated at higher tiers for detailed analysis by SME for
technologies, and operators are not merged and are brought quick resolution within defined SLA.
directly under the integrated concept [16]. The state-of-the-
art architecture of an integrated NOC and SOC consists of 2) AUDITING MODULE
three layers, viz., physical data source, FCAPS/system man- This module assists the integrated network and security team
agement, and overall situational/service management layers. in auditing IT infrastructure as per policies invoked and
detecting information security issues and bugs by scanning
A. PHYSICAL DATA SOURCE LAYER the entire network elements. This IT infrastructure assess-
This layer comprises all the integrated network elements and ment further exposes known vulnerabilities, if any, and alerts
security endpoints that work similarly to the nervous system. operators to quick responses.
Further, measurable data such as built-in tests, hardware,
software serviceability maps, performance parameters, and
3) DETECTING AND FORECASTING MODULE
various other logs are collaborated and used by the respective
This module assists in detecting and forecasting threats by
NMS in the higher system management layer for monitoring
using statistical analytics on previous performance trends
and management purposes. These critical integrated data are
based on the data warehouse, as discussed in an earlier
plugged in and connected to the service management layer via
section. The overall situational management layer flags out
the logs and events integrator/aggregator for detailed analysis
abnormal behavior based on benchmarking for necessary
and processing. Fig. 10 shows the layered methodology of
investigation. This information is statistically extrapolated,
NOC, SOC and achieved integrated NOC and SOC.
analyzed, and armed with the integrated manager for neces-
sary actions to avoid organizational data breaches.
B. FCAPS MANAGEMENT LAYER
In this layer, NMS performs real-time monitoring of the
integrated network elements and security endpoints based on 4) IMPACT ANALYSIS MODULE
fault, configuration, administration, performance, and secu- This module correlates previous and current events from all
rity management based on the FCAPS model [26] and works IT infrastructure equipment and data centers to identify and
similar to an immune system. Network and security-related assist the integrated teams on the probable root causes of
alerts, events, and performance statistics are generated from an incident, the IT infrastructure involved, and the chain of
this layer and fed into the overall situational/service man- events of the incident. It also analyzes the impact on the
agement layer through the logs and events integrator and organization network and data breaches, if any. It provides
consolidator for further real-time processing. recommendations and other corrections for service recovery.
VI. USEFULNESS OF INTEGRATED NOC AND SOC B. IMPROVED SERVICE LEVEL ASSURANCE AND
In the previous sections, the authors show how the relevant RESPONSE TIME
literature has assisted in exploring the state-of-the-art archi- As seen above, in an integrated network and security pos-
tecture. This section discusses the usefulness of integrated ture, the collaboration between NOC and SOC team mem-
NOC and SOC campaigns for organizations and businesses. bers resolves the problem quickly in real-time. Furthermore,
this quick response in resolving the issues has reduced the
A. IMPROVED NETWORK AND SECURITY POSTURE impact of the attack on the company or organization rep-
NOC teams usually receive various alerts related to perfor- utation [7], [18]. Therefore, the faster response time of an
mance issues on their dashboard, but most turn out to be integrated approach indirectly leads to a better service-level
security-related problems on detailed investigation [7], [18]. agreement.
For example, denial of service attacks (DoS). Conversely,
security issues may be the root cause of company or organiza-
tional network performance-related problems. For example, C. BETTER COST AND IMPROVED OPERATIONAL
a recently configured firewall rule by the SOC personnel may EFFICIENCY
inadvertently block the company or organization legitimate Common toolkit duplicities are not available in the integrated
network traffic. Therefore, working together in an integrated NOC and SOC campaigns as they exist in siloed NOC and
approach can quickly resolve such issues of DoS and network SOC operation, which cuts the overall cost to an organiza-
performance with the collaboration of both teams in real- tion [7], [10], [14], [18], [19], [30], [55], [56]. Furthermore,
time. However, it would have taken extra time in the siloed saving person-hours while resolving the issues in less time
approach and led to more security damage. can lead to operational efficiency in an integrated scenario.
Hence, this reduces the NOC and SOC analysts time on A. LIMITED INTEGRATED TOOLS FOR INTEGRATED NOC
common processes and functions and frees them up for net- AND SOC
work and security strategic planning and other activities of an As seen in the NOC and SOC scenarios, the problem is further
organization. aggregated by configuring and using individual NOC and
SOC tools, such as Syslog/SNMP-based, HP Open View,
NetXMS, Zabbix, Monolith, Netcool SIEM based, Snort IDS,
VII. CHALLENGES RSA Splunk, and others. Deploying separate NOC and SOC
In the previous section, the authors discussed the useful- tools does not solve the overall integration approach vis-à-
ness of the integrated NOC and SOC. In this section, the vis its advantages and efficiency [7], [16]. The configura-
authors answer the second research question as shown in tion and maintenance process of tools is laborious and time
the research. As seen in the relevant literature, each sys- consuming [34], [42], [45], [63], [64]. Wrongly configured
tem faces different challenges depending on its working tools aggregate the number of false positives, which further
models, levels of integration, architecture, and organization increases analyst tasks. Integrated and correctly configured
size [7]. The integrated NOC and SOC also have a few tools are imperative in resolving a specific problem for the
challenges presented in the succeeding paragraphs according integrated scenario, which enhances the capabilities of inte-
to the PPT framework adopted in this systematic analysis grated analysts. The integration of tools eases the analyst
paper. operation but poses a greater challenge [5], [15], [54].
For example, toolkits are available as per IT technologies The non-availability of standards is also a concern in
and standards instead of integrated operational technologies, security operation centers [58]. Integrated NOC and SOC
which leads to unreliability issues [69]. This scenario further best practices and standards are imperative for the in-depth
aggregates complexities in performing routine tasks by ana- implementation of an integrated campaign with full benefits.
lysts rather than inculcating a negative effect on the fault, However, a few such best practices on integrated NOC and
threat identification, performance, and SLA for detection, SOC concepts have been suggested by the SANS institute and
protection, and resolution. Therefore, IT and operationally others [7], [11], [16]. However, they are not implemented due
suited, correctly configured, and tested toolkits require time to the non-availability of recognized standards from indus-
for an integrated campaign [7], [9], [11], [16] [17]. tries as they are biased to a certain extent. Therefore, impartial
and genuine industry policies need immediate attention and
B. INSUFFICIENT LEVEL OF AUTOMATION
international standardization to overcome such biases.
There is hardly any automation of the integrated NOC and
VIII. CONCLUSION
SOC processes and their functionalities [52], [56], [70].
This systematic analysis aims to map the relevant literature
However, most work is performed manually in the current
in identifying, analyzing, and defining the state-of-the-art
scenario, where trained personnel are hardly available. For
architecture of an integrated NOC and SOC from a purely
example, network monitoring, threat scanning, events/alert
academic perspective. The objective is to analyze the relevant
monitoring, and incident tasks were monitored and per-
literature and collaborate with a holistic, workable, state-of-
formed manually. Automation has a solution to overcome
the-art architecture. The authors planned the analysis review
the non-availability of trained workforce issues and is free
by collecting and mapping numerous studies from electronic
from human errors while performing monotonous jobs such
databases and the world wide web. Electronic databases were
as alerts and event monitoring [5]. According to the relevant
searched rigorously by including various keywords and terms
literature, the operational implementation of machine learn-
relevant to NOC, SOC, and integrated NOC and SOC. The
ing, artificial intelligence, and data science techniques to for-
integrated NOC and SOC architecture components follow
mulate and automate fault tracing, performance monitoring
the people, process, and technology framework. The authors
and alerting, and detection of attacks and other monotonous
elaborated these integrated NOC and SOC architecture com-
processes is possible. However, there are a few difficulties
ponents as defined in the relevant academia. As revealed in
in the automation process of capturing tacit knowledge of
the relevant literature, the researchers have not clarified the
analysts and SME. However, these techniques have been
clear-cut definition, state-of-the-art architecture, and building
proven for siloed NOC and SOC operations but not for the
blocks of an integrated NOC and SOC. However, only con-
integrated operation scenario.
cept definition and a few integration methods are considered
Automation techniques in an integrated scenario and their
at the organization or industry level. The authors defined
effectiveness based on FCAPS monitoring, alerts and event
the state-of-the-art architecture of an integrated network and
generation and monitoring, incident management, and detect-
security operation center and identified the challenges that
ing attack processes need to be formulated, developed, com-
may hinder its future development and innovation. These
pared, and tested. In addition, the automation process may
challenges can serve as a yardstick for future research and
yield more false positives vis-à-vis manual processing. Fil-
development, as the proposed integration concept is the basis
tering such false-positive alters requires specific knowledge
of continuous integration and continuous development cam-
and experience based on expert tacit knowledge. Hence, cap-
paigns.
turing tacit knowledge in automation processes is a topic
One of the well-known challenges is the non-availability
of future research. Therefore, in-depth research studies and
of integrated toolkits for integrated team members, which
development are to be carried out by academia and industry
significantly impacts defined SLA. Cross-training and OJT
to evaluate their usability in an integrated scenario.
with technical awareness enhance the resolution of the knowl-
edge gap for better network and security posture. While
C. NON-DEFINED STANDARDS looking at various processes in an integrated scenario, it is
Standards and industry best practices are yet to be formu- imperative to integrate and automate them to achieve better
lated, developed, and implemented for an integrated NOC operational efficiencies. Further, the authors can see that the
and SOC owing to its evolving technology compared to siloed relevant literature lacks a concise definition of the specific
NOC and SOC operations. Therefore, the practical viability processes incorporated and their correlation and interaction
of an integrated NOC and SOC is lacking because of the in an integrated scenario. Therefore, the non-availability of
non-availability of defined standards. The lack of best prac- integrated process definitions may be difficult in developing
tices also means no actual strategies or decision support for state-of-the-art architectures.
an organization. Therefore, decision-makers find it difficult To utilize the full potential of an integrated approach, the
to choose the best network and security operation model with PPT framework needs to be synchronized with and collab-
the correct scope and capabilities to support an organization orated amongst them and other IT infrastructures. In addi-
vision, network, and security strategies. tion, there are limited and immature automation techniques
in the PPT framework of integrated network and security [13] J. Lackey. (May 1, 2021). NetOps and SecOps: Breaking Down the Silos.
operation methodologies. Compared to the PPT components Accessed: Sep. 2021. [Online]. Available: https://blogs.keysight.com/
blogs/tech/nwvs.entry.html/2020/05/01/netops_and_secopsb-pSxA.html
of an integrated NOC and SOC, international standards and [14] M. Mann. (Apr. 15, 2021). Whats Driving SOC-NoC Convergence.
standard operating procedures are lacking. This immaturity Accessed: Sep. 2021. [Online]. Available: https://www.open-systems.com/
puts roadblocks to security audits and overall integrated NOC blog/whats-driving-soc-NoC-convergence/
[15] Rebasoft. (Mar. 24, 2021). Integrating NetOps/SecOps. Accessed:
and SOC assessments. Further, the non-availability of stan- Sep. 2021. [Online]. Available: https://www.rebasoft.net/netops-
dards prevents organizations from accepting and implement- secops.php
[16] T. S. Hae, L. K. Thong, S. N. Matthew, and T. C. How, Smart Network
ing integrated architecture concepts and future developments. and Security Operations Centre. Pretoria, South Africa: DSTA Horizons,
In summary, the integrated NOC and SOC campaign paves pp. 24–31, 2016.
the way for organizations to prepare themselves in a more [17] N. Miloslavskaya, ‘‘Developing a network security intelligence center,’’
Proc. Comput. Sci., vol. 145, pp. 359–364, Jan. 2018.
efficient and resilient way to counter any network or security [18] N. Weinberg. (May 14, 2020). 4 Key Benefits of NoC and SOC Inte-
threats or cyber-attacks in real-time. However, it needs to gration and Tips for Making it Work. Accessed: Sep. 2021. [Online].
be planned thoroughly, integrated, and implemented after a Available: https://www.csoonline.com/article/3541582/4-key-benefits-of-
nocsoc-integration-and-tips-for-making-it-work.html
successful proof of concept, assessed and validated regularly, [19] M. Roberson, ‘‘WhatWorks in SOC/NoC integration: Improving time
and improved incrementally to unveil the full potential of to detect, respond and contain with ExtraHop reveal(x),’’ SANS Inst.,
North Bethesda, MD, USA, Tech. Rep., Jun. 2019. [Online]. Available:
integrated NOC and SOC. If followed correctly, they improve https://www.netdescribe.com/wp-content/uploads/2020/05/SANS-
the organization ability to manage network, performance, WhatWorks-Revealx-case-study.pdf
threat detection, and security aspects seamlessly and prevent [20] C. Crowley and J. Pescatore, ‘‘Common and best practices for security
operations centers: Results of the 2019 SOC survey,’’ SANS Inst.,
any performance bottlenecks, security compromises, data North Bethesda, MD, USA, Tech. Rep., 2019. [Online]. Available:
breaches, and overall organizational reputation. https://www.sans.org/media/analyst-program/common-practices-security-
operations-centers-results-2019-soc-survey-39060.pdf
[21] D. Moher, A. Liberati, J. Tetzlaff, and D. G. Altman, ‘‘PRISMA state-
REFERENCES ment,’’ PLOS Med., vol. 6, no. 7, 2009, Art. no. e1000097.
[1] (2020). The History of NoC Monitoring Network. Accessed: Sep. 2021. [22] S. Kraus, M. Breier, and S. Dasí-Rodríguez, ‘‘The art of crafting a system-
[Online]. Available: https://www.chrsolutions.com/assets/files/NoC- atic literature review in entrepreneurship research,’’ Int. Entrepreneurship
HistoryTimeline.pdf Manage. J., vol. 16, no. 3, pp. 1023–1042, Sep. 2020.
[2] Y. G. Chon and B. Jaeger. (Dec. 13, 2007). Efficiency Through NoC/SOC [23] K. S. Khan, R. Kunz, J. Kleijnen, and G. Antes, ‘‘Five steps to conducting
Convergence Under. Accessed: Sep. 2021. [Online]. Available: https:// a systematic review,’’ J. Roy. Soc. Med., vol. 96, no. 3, pp. 118–121,
www.csoonline.com/article/2121964/efficiency-through-NoC-soc- Mar. 2003.
[24] C. Okoli, ‘‘A guide to conducting a standalone systematic literature
convergence.html
review,’’ Commun. Assoc. Inf. Syst., vol. 37, no. 1, pp. 880–910, 2015.
[3] K. Bissell and L. Ponemon. (Apr. 28, 2019). The Cost of [25] D. Tranfield, D. Denyer, and P. Smart, ‘‘Towards a methodology for devel-
Cybercrime. Ponemon. Accessed: Sep. 2021. [Online]. Available: oping evidence-informed management knowledge by means of systematic
https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of- review,’’ Brit. J. Manage., vol. 14, no. 3, pp. 207–222, Sep. 2003.
Cybercrime-Study-Final.pdf#zoom=50 [26] S. Chavan. (Dec. 24, 2016). Best Practices for Building Network
[4] M. Vielberth, F. Bohm, I. Fichtinger, and G. Pernul, ‘‘Security operations Operations Center. Accessed: Sep. 2021. [Online]. Available:
center: A systematic study and open challenges,’’ IEEE Access, vol. 8, https://www.slideshare.net/SatishChavan4/best-practices-for-building-
pp. 1–25, 2020. network-operations-center
[5] S. McGillicuddy. (May 22, 2018). NetOps & SecOps Collaboration: [27] J. Mathenge. (Feb. 23, 2021). The Network Operations Center
Shared Tools are Essential. Accessed: Sep. 2021. [Online]. Available: (NoC): How NOCs Work? Accessed: Sep. 2021. [Online]. Available:
https://www.kentik.com/blog/netops-secops-collaboration-shared-tools- https://www.bmc.com/blogs/NoC-network-operations-center/#
are-essential/ [28] A. Gorod, R. Gove, B. Sauser, and J. Boardman, ‘‘System of systems
[6] S. McGillicuddy, ‘‘Bridging the gap between NetOps and SecOps: management: A network management approach,’’ in Proc. IEEE Int. Conf.
NetSecOps,’’ Enterprise Manage. Associates, Boulder, CO, USA, Syst. Syst. Eng., Apr. 2007, pp. 1–5.
Tech. Rep., Jul. 2019, pp. 1–4. [Online]. Available: http://assets.extrahop. [29] S. Mcgillicuddy, ‘‘A guide to NetOps and SecOps collaboration,’’ Enter-
com/whitepapers/EMA-NetSecOps-White-Paper.pdf prise Manage. Associates, Boulder, CO, USA, Tech. Rep., 2019, pp. 1–5.
[7] N. Hernandez, ‘‘NoC and SOC integration opportunities increased [Online]. Available: https://www.netscout.com/sites/default/files/2019-
efficiency incident response cyber security,’’ SANS Inst., Bethesda, 04/EMA-NETSCOUT-0219-WP2.pdf
MD, USA, Tech. Rep., 2018, pp. 1–26. [Online]. Available: https:// [30] S. Bea. (Dec. 7, 2020). 7 reasons why its time for NetSecOps. Accessed:
sansorg.egnyte.com/dl/cNkVP4S4Ux Sep. 2021. [Online]. Available: https://accedian.com/blog/7-reasons-why-
[8] J. David. (Dec. 10, 2008). Secure Your Operations Through NoC and SOC its-time-for-netsecops/
Integration. [Online]. Available: https://docplayer.net/2408670-Secure- [31] N. Miloslavskaya, ‘‘Security zone infrastructure for network security intel-
your-operations-through-NoC-soc-integration.html ligence centers,’’ Proc. Comput. Sci., vol. 169, no. 2019, pp. 51–56, 2020.
[32] G. Nizri. (Apr. 28, 2012). Network Operations Center Best
[9] J. Goodchild. (Nov. 15, 2009). Network and Security Operations Con-
Practices & Challenges. Accessed: Sep. 2021. [Online]. Available:
vergence: A Mini-Case Study. Accessed: Sep. 2021. [Online]. Available:
https://www.thousandeyes.com/learning/techtorials/network-operations
http://www.networkworld.com/article/2237963/compliance/network-and- [33] Ingram. (Jan. 13, 2021). Managed NoC & Help Desk Services.
security-operations-convergence.html Accessed: Sep. 2021. [Online]. Available: https://s3.amazonaws.com/
[10] ExtraHop. (Jun. 10, 2019). Five Quantifiable Reasons to Integrate Professional_Services/ds/IMPreferred-managedNOC-helpdesk-DS.pdf
Security and IT. Accessed: Sep. 2021. [Online]. Available: [34] C. Onwubiko, ‘‘Cyber security operations centre: Security monitoring for
https://www.forbes.com/sites/extrahop/2019/06/10/five-quantifiable- protecting business and supporting cyber defense strategy,’’ in Proc. Int.
reasons-to-integrate-security-and-it/?sh=3563ec295d39 Conf. Cyber Situational Awareness, Data Anal. Assessment (CyberSA),
[11] N. Miloslavskaya, ‘‘Network security intelligence center as a combination Jun. 2015, pp. 1–10.
of SIC and NoC,’’ Proc. Comput. Sci., vol. 145, pp. 354–358, Jan. 2018. [35] A. Torres, ‘‘Building a world-class security operations center: A roadmap,’’
[12] S. Bocetta. (Jul. 27, 2021). How to Bridge the Gap between Netops and SANS Inst., Bethesda, MD, USA, Tech. Rep., 2015, pp. 1–10. [Online].
Secops for Ultimate Network Management and Security. Accessed: Available: https://www.academia.edu/38868050/Building_a_World-
Sep. 2021. [Online]. Available: https://www.infoq.com/articles/ Class_Security_Operations_Center_A_Roadmap
netops-secops-closing-gap/?utm_campaign=infoq_content&utm_source= [36] P. Jacobs, A. Arnab, and B. Irwin, ‘‘Classification of security operation
infoq&utm_medium=feed&utm_term=DevOps centers,’’ in Proc. Inf. Secur. South Afr., Aug. 2013, pp. 1–7.
[37] Y. T. Duna, M. F. A. Razaka, M. F. Zolkiplib, T. F. Beea, and A. Firdaus, [60] S. C. Sundaramurthy, J. Case, T. Truong, L. Zomlot, and M. Hoffmann,
‘‘Grasp on next generation security operation centre (NGSOC): Compar- ‘‘A tale of three security operation centers,’’ in Proc. ACM Workshop Secur.
ative study,’’ Int. J. Nonlinear Anal. Appl., vol. 12, no. 2, pp. 869–895, Inf. Workers, New York, NY, USA, 2014, pp. 43–50.
Apr. 2021. [61] (Nov. 28, 2016). ISO/IEC 27035-1:2016 Information Technology—
[38] M. A. Majid and K. A. Z. Ariffi, ‘‘Success factors for cyber security Security Techniques—Information Security Incident Management—
operation center (SOC) establishment,’’ in Proc. INCITEST, Jul. 2019, Part 1: Principles of Incident Management. [Online]. Available:
pp. 1–11. https://www.iso.org/standard/60803.html
[39] I. P. E. D. Nugraha, ‘‘A review on the role of modern SOC in cybersecurity [62] A. Business. (Oct. 24, 2020). The AT&T Cybersecurity Incident
operations,’’ Int. J. Current Sci. Res. Rev., vol. 4, no. 5, pp. 408–414, Response Toolkit. Accessed: Sep. 2021. [Online]. Available:
May 2021. https://cybersecurity.att.com/resource-center/ebook/insider-guide-to-
[40] S. Schinagl, K. Schoon, and R. Paans, ‘‘A framework for designing a incident-response
security operations centre (SOC),’’ in Proc. 48th Hawaii Int. Conf. Syst. [63] J. Oksanen, ‘‘Organizing a network operation centre on campus best
Sci., Jan. 2015, vol. 3, no. 1, pp. 2253–2262. practice document,’’ CSC/Funet Led Working Group on AccessFunet,
[41] D. Nathans, Designing and Building Security Operations Center. Waltham, Helsinki, Finland, Tech. Rep. GN3-NA3-T4-NOC-BPD, Jan. 2013.
MA, USA: Elsevier, 2015. [64] Ashton and Metzler. (Jun. 20, 2008). The Next Generation Net-
[42] P. Danquah, ‘‘Security operations center: A framework for automated work Operations Center How the Focus on Application Delivery
triage, containment and escalation,’’ J. Inf. Secur., vol. 11, no. 4, is Redefining the NoC. [Online]. Available: http://www.ashtonmetzler.
pp. 225–240, 2020. com/Metzler_NOC_paper1.pdf
[43] N. Miloslavskaya, ‘‘Analysis of SIEM systems and their usage in secu- [65] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, ‘‘Computer security
rity operations and security intelligence centers,’’ 1st Int. Early Res. incident handling guide,’’ NIST, Gaithersburg, MD, USA, Aug. 2012.
Career Enhancement School Biologically Inspired Cogn. Archit., vol. 636, [66] S. McGillicuddy and J. Kies. (Sep. 22, 2018). NetSecOps: Every-
pp. 282–288, Aug. 2017. thing Network Managers Must Know About Collaborating With Secu-
[44] N. Miloslavskaya, ‘‘Security intelligence centers for big data process- rity. Accessed: Sep. 2021. [Online]. Available: https://assets.extrahop.
ing,’’ in Proc. 5th Int. Conf. Future Internet Things Cloud Workshops com/whitepapers/EMA_Micro_Focus_NetSecOpsWebina_Sept2018.pdf
(FiCloudW), Aug. 2017, pp. 7–13. [67] SANS Institute. (Oct. 24, 2014). SANS: 2014 Log Management Survey
[45] M. Vielberth and G. Pernul, ‘‘A security information and event manage- Report. Accessed: Sep. 2021. [Online]. Available: https://titanwolf.org/
ment pattern,’’ in Proc. 12th Latin Amer. Conf. Pattern Lang. Programs, Network/Articles/Article?AID=5ae1ec26-7542-4680-b506-
Valparaiso, Chile, 2018, pp. 1–12. a31486f20815#gsc.tab=0
[46] N. B. Truong, U. Jayasinghe, T. W. Um, and G. M. Lee, ‘‘A survey on [68] R. M. Lee. (Jan. 19, 2021). 2021 SANS Cyber Threat Intelligence
trust computation in the Internet of Things,’’ Trust Inf. Infrastructure (TII), (CTI) Survey Results. Accessed: Sep. 2021. [Online]. Available:
vol. 33, pp. 1–20, Jan. 2016. https://www.sans.org/webcasts/2021-cyber-threat-intelligence-cti-survey-
[47] A. K. Ganame, J. Bourgeois, R. Bidou, and F. Spies, A Global Security results-116475/
Architecture for Intrusion Detection on Computer Networks. Amsterdam, [69] F. B. Kokulu, A. Soneji, T. Bao, Y. Shoshitaishvili, Z. Zhao, A. Doupé,
The Netherlands: Elsevier, pp. 30–47, 10, Mar. 2008. and G.-J. Ahn, ‘‘Matched and mismatched SOCs: A qualitative study on
[48] R. Bidou, J. Bourgeois, and F. Spies, ‘‘Towards a global security archi- security operations center issues,’’ in Proc. ACM SIGSAC Conf. Comput.
tecture for intrusion detection and reaction management,’’ in Information Commun. Secur., London, U.K., Nov. 2019, pp. 1955–1970.
Security Applications. Berlin, Germany: Springer, 2003. [70] N. Smith. (Apr. 16, 2018). An Overview of Fortinet Integrated
[49] Extrahop. (Aug. 28, 2018). An Executive Guide to Integrating NoC-SOC Solution. Accessed: Sep. 2021. [Online]. Available:
SecOps and NetOps. Accessed: Sep. 2021. [Online]. Available: https://www.fortinet.com/blog/business-and-technology/fortinet-delivers-
https://assets.extrahop.com/whitepapers/Integrating NetOps and SecOps the-industry-s-first-integrated-NoC-soc-soluti
ebook.pdf [71] B. Gallotta, J. A. Garza-Reyes, and A. Anosike, ‘‘Using the Delphi method
[50] S. McGillicuddy. (May 26, 2020). NetOps-SecOps Collaboration has to verify a framework to implement sustainability initiatives,’’ in Proc. Int.
its Benefits and Challenges. Accessed: Sep. 2021. [Online]. Available: Conf. Ind. Eng. Oper. Manage., Bandung, Indonesia, 2018, pp. 1–12.
https://www.techtarget.com/searchnetworking/feature/NetOps-SecOps-
collaboration-has-its-benefits-and-challenges
[51] F. Amy and S. Karnam. (2012). Top 10 Tips for Achieving Effective
Security + Operations Collaboration. Accessed: Sep. 2021. [Online]. DEEPESH SHAHJEE is currently pursuing the
Available: https://www.slideshare.net/sri747/top-10-tips-for-effective- M.Tech. degree in technology management with
socnoc-collaboration-or-integration the Defence Institute of Advanced Technology
[52] Fortinet. (Aug. 23, 2018). NoC-SOC Divide Bridging the Architectural (Deemed to be University), Pune, under the
Requirements Understanding the Key for Integration. Accessed: Ministry of Defence, India. His current research
Sep. 2021. [Online]. Available: https://www.fortinet.com/content/ interests include cybersecurity, defence network,
dam/fortinet/assets/ebook/bridging-the-NoC-soc-divide.pdf security operating centers, and artificial intelli-
[53] S. McGillicuddy. (May 21, 2019). A Guide to NetOps and gence on the role of automation and cybersecurity
SecOps Collaboration. Accessed: Sep. 2021. [Online]. Available: within a defence organization.
https://www.netscout.com/sites/default/files/2019-04/EMA-NETSCOUT-
0219-WP2.pdf
[54] N. Miloslavskaya, ‘‘Network protection tools for network security intelli-
gence centers,’’ Proc. Comput. Sci., vol. 190, pp. 597–603, Jan. 2021.
[55] J. Morrison. (Sep. 19, 2018). NetOps and SecOps Collaboration Solves NILESH WARE received the Ph.D. degree from
the Data Silo Problem. Accessed: Sep. 2021. [Online]. Available: the Indian Institute of Technology Delhi in the area
https://www.plixer.com/blog/netops-and-secops-collaboration-solves-the- of operations and supply chain management. He is
data-silo-problem/ currently an Assistant Professor with the Defence
[56] C. Udeshi. (Nov. 20, 2018). Why SOC and NoC Teams Can Benefit by Institute of Advanced Technology (Deemed to be
Working Closely Together. Accessed: Sep. 2021. [Online]. Available: University), Pune, under the Ministry of Defence,
https://blogs.infoblox.com/community/why-soc-and-NoC-teams-can- India. His area of research mainly pertains to qual-
benefit-by-working-closely-together/ ity management, operations management, sup-
[57] D. McClelland. (Feb. 2, 2021). NoC VS. SOC: What is the Differ- ply chain management, project management, and
ence? Accessed: Sep. 2021. [Online]. Available: https://www.soscanhelp.
defence oriented problems. His research articles
com/blog/NoC-vs.-soc-whats-the-difference
[58] C. Zimmerman, Ten Strategies of a World-Class Cybersecurity Operations have been published in Management Science Letters, Global Journal of
Center. Bedford, U.K.: MITRE Corp., 2014, pp. 1–346. Flexible Systems Management, Expert Systems with Applications, Indus-
[59] ISO/IEC 10040. (1992). ISO/IEC 10040:1998(EN) Information trial Engineering Journal, and journals of national and international repute.
Technology—Open Systems Interconnection—Systems Management He has guided around 30 M.Tech. students and four Ph.D. Scholars in various
Overview. Accessed: Sep. 2021. [Online]. Available: https://www.iso. research areas.
org/obp/ui/#iso: std: iso-iec:10040: ed-2: v1: en