What is a network operations center (NOC)?

NOC (pronounced “knock,”) stands for a network operations center, and if the term conjures up images of a NASA-like control room, you would not be too far off from reality – at least at some organizations.

While the role of a NOC can vary, the general idea is to create a room or centralized facility where information technology (IT) professionals can constantly monitor, maintain and troubleshoot all aspects of a network. The NOC must also be equipped with all of the technology required in order to support those operations, including monitors, computers, telecommunications equipment and a fast connection to network resources.

NOCs were created for two main reasons. The first was to give IT staffers a central location to work from, instead of having them run around trying to fix problems or perform preventative maintenance, like patching systems, from different locations.

The second, and probably more critical reason, was to allow the constant monitoring of a network. While not all NOCs are directly involved in security operations (those duties are sometimes offloaded to a SOC, or Security Operations Center), those working in a NOC are often the first to get an indication that something is wrong with the network, whether that is because of a security issue, a hardware failure or something else.

How Are NOCs Designed and Organized?

There is no single answer or standard blueprint about how a NOC should be configured, or how the people working there are organized. A smaller organization’s NOC might be a single office or small conference type room with a couple workstations for technicians to monitor the network and troubleshoot problems.

Larger groups, especially those that are using their NOC to monitor an entire data center, might instead build out huge control centers with large central monitors or even projection screens showing overall network health, and then have workstations scattered all around for technicians who are responsible for individual subsets of network operations. Those individual workstations normally also have multiple monitors themselves, so the entire facility does start to resemble something like you would see at NASA during a space launch.

And like the blueprint for the room, there is no single way to organize NOC workers. However, there is a little bit more consistency in terms of the organization of human IT staff. Jobs are almost always structured into a tight hierarchical group which are designated and ranked according to their “level.”

The higher the level, the more experience a NOC technician generally has. For example, Level 1 techs, the lowest rank, are almost always the ones on the front lines, answering phones and doing things like helping users recover their lost passwords, assuming the NOC provides help desk type functions. In any case, if a Level 1 tech can’t fix a problem because it involves something above their skill or permission level, like say, repartitioning a server or adding more resources to a container, then the job is passed off to a Level 2 technician.

Level 3 technicians are extremely skilled and knowledgeable, and there is typically a shortage of them at most companies. They normally only get called to action for something of critical importance. If the entire East Coast operations on a network goes down in the middle of the night, it’s the Level 3 techs who will be working to fix it.

What Does a NOC Do?

The simple answer to what a NOC does is that it is responsible for nearly everything involving the network that is being  protected. But while the primary responsibility is always to monitor the health of a network and troubleshoot any problems, there are a lot of individual tasks that almost all NOCs and their staffers regularly accomplish. Besides network monitoring, here are a few of the most common responsibilities entrusted to a NOC and its staff.

Patch Management: Computers are never static for long. It doesn’t matter if you are talking about desktops, laptops or servers, there are always patches that need to be applied. Some patches are critical, like those which eliminate security vulnerabilities, while others simply improve performance or their interface in some way. And it’s not just regular computers that need patched. Network hardware also needs to be regularly updated. These days, even sensors and tiny IoT devices require regular patching.

Patch management might even extend to user devices, making sure that endpoints are fully up to date with the latest patches before allowing them to fully connect with network resources. As such, a lot of effort in a NOC is often devoted to patching systems.

Policy Enforcement: A network is more than just the hardware and software that drives it. At its heart, it’s a collection of rules that both human users and the devices that operate on it must follow. Setting those rules, optimizing them for network performance and ensuring that everyone and everything is properly following along is a never ending job for NOCs.

Firewall Management: Even though the so-called security perimeter is disappearing as more network resources move to the cloud, keeping firewalls maintained is a big part of what most NOCs do. This includes both physical appliances and software-based firewalls. Managing firewalls can entail a lot of different things, from opening and closing ports to configuring them to allow for, or restrict, new applications from performing certain functions.

Security Software Management: This is very much like firewall management, but includes maintaining any of the security platforms or services installed on the network. While evidence of an actual attack is handed off to a SOC (if one exists within the organization), the day-to-day maintenance of security software normally falls to the NOC, especially if misconfigured security software can slow or even halt valid network operations.

Backing Up Data: Running backups is another key function that is often performed by NOCs. Making sure that critical data is regularly saved to long term or off-site storage is paramount in the event of a hardware or network failure, and is also required to comply with continuity of operations planning.

Antivirus: Although this is a protection that is increasingly being bypassed by advanced threats, a patched and up-to-date antivirus program can still stop the majority of internet threats that attack networks and users. And it can almost always stop critical but common threats like ransomware. But the antivirus protection needs to be kept up to date on all systems, and the NOC can help with that.

Network Reporting: Very few people probably enjoy writing reports as part of their job, but you can’t really escape it, even within a NOC. The IT professionals who work in a NOC need to not just monitor their network, but also take note of trends, trouble spots, and places where new hardware might be required to compensate for poor performance or to enable future network growth. NOC workers will often need to file those kind of reports with the CIO or other company officials, and may even be required to produce them on demand or in response to a network-related question.

NOC Versus SOC?

A SOC, or security operations center, is often designed and staffed very much like NOCs, but normally only concentrate on cybersecurity issues. Like a NOC, the IT staffers working at a SOC constantly monitor their network. But instead of troubleshooting typical computer problems, they look for threats. This might be something subtle like a hacker who has stolen credentials trying to elevate their access, or something more overt like a denial of service attack. Some of the most highly trained SOC workers even engage in threat hunting, where they go out into the network and look for threats or attacks that have not yet been discovered.

NOCs and SOCs can and often do work together. For example, sometimes it’s the NOC that detects unusual network activity, and asks the SOC to help determine if a threat might be the cause. There was a time when NOCs and SOCs were often grouped together into a single facility with overlapping responsibilities. But the complexity of most networks today coupled with the extremely dangerous threat landscape makes having separate facilities and staff a much more effective approach.

Internal NOC or a Managed Service?

NOCs were originally designed to try and tame the complexity of modern network operations. Larger organizations found that centralizing their IT resources in one place and monitoring their network from there helped to combat network sprawl so that they could continue operations. But as networks grew even larger, even their internal NOCs started to feel the strain.

Especially for non-IT companies, maintaining an internal NOC is an increasingly expensive and labor-intensive endeavor, and one that does not directly contribute to their bottom line. A company’s mission might ultimately be to sell bicycles, bananas or any number of other things. It’s mission is not to try and maintain a sprawling network at a multi-million dollar facility.

As such, the concept of a NOC-as-a-service was born, and has become increasingly popular. The idea is to outsource everything that a NOC does to a company that specializes in doing just that. The service provider monitors and troubleshoots all network operations through the cloud for their client in return for a monthly or yearly fee. And the company can get back to selling those bananas.