SBA

NOC, NOC, Who’s There?

I’m actually quite excited about this article, because the company concerned is doing something close to my heart. In previous articles I have commented that the Sony hack, the Mossack Fonseca hack, and many other significant data thefts could have easily been prevented with proper network monitoring. Sadly this requires expertise which seems to be beyond the skills of most IT departments, but now you can buy Network Monitoring As A Service - and at a modest price from a new Isle of Man business.

NOC396, based in Tromode, started building their proposition in mid 2014, and have been operating since the beginning of this year. They currently employ eight staff and only do network monitoring. This could be a tricky sell; normally network monitoring systems are able to read all the data passing by on your company network - including all your customer data, internal emails and other sensitive stuff. To get around this NOC396 have developed their own non-intrusive “NetProbe” which actually sits outside your network, normally in your DMZ (De-Militarized Zone - the outer layer of your network which faces the Internet and is separated from your corporate LAN by firewalls). Being in the DMZ means that the NOC396 netprobe can’t scan your network traffic, but it can test that your systems are up and receive the log files, alerts and real-time statistics you choose to send to it.

This approach eliminates the major problem with using third-party network monitoring services. Because you remain in complete control of your security you can be confident that NOC396 are monitoring your network not your data, so it overcomes a major fear for IT managers and company executives. For additional assurance NOC396 are ISO 27001 certified by the British Standards Institute - this is the primary international standard for IT Security Management.

So what’s the benefit? Firstly, systems uptime. The beauty of real-time network monitoring is that it can let the IT team know immediately something goes wrong, including out of hours, without having to wait for users to report problems, so it gives IT teams a head start. IT systems are complex, very often the problem seen by users is a secondary symptom or consequence of another less visible failure. Being alerted to failures immediately saves the IT team from the diagnosis work of tracking back a failure to its original root cause, and sometimes allows the root failure to be fixed before users ever see a problem. Going a step further, network monitoring can also be used to detect degradation in systems so that they can be fixed before something actually breaks - as all computer systems fail eventually this proactive problem detection is the key to achieving 100% uptime. Network monitoring can constantly check the performance of your network, your servers, your disks, your databases, your Internet connection, email systems etc. to help you stop potential problems before they actually happen.

The second major benefit, which I have harped upon previously, is security. Data on your network is going somewhere - it doesn’t just sit there, it’s only on the network to get from A to B. Knowing where A and B are, how much data is going from A to B, and what protocols or methods are being used to move it, is crucial in detecting intruders, malware and viruses. Just like the forensic tracing of money in criminal investigations, the forensic tracing of data provides strong evidence of wrongdoing. If data is going out of your network to an unexplained destination, or someone has an unusual connection into your systems, you can be pretty confident that there is something going on which probably ought to be stopped. Similarly, if computers in your network are talking to each other using unusual protocols or desktop PCs are talking to each other instead of to the servers it’s a pretty reliable indication that you have an undetected virus doing the rounds. The data gathered by NOC396 can enable these anomalous patterns to be detected in real-time so the IT team can respond to them before any serious harm occurs.

Unsurprisingly, network monitoring produces a lot of data - one of the difficulties in mastering it is learning to see the wood for the trees. An experienced network manager can usually spot anomalous patterns but it takes time, especially if you don’t know exactly what type of anomaly you’re looking for, and nobody can watch 24x7. Network monitoring is best achieved using substantial automation. The choice of which automation tools to use is paramount, different tools have different strengths, and significant experience is needed to learn which tools are best for what and how to program them so that they automatically raise alerts for the likely failures to watch out for.  NOC396 use a selection of the best network tools on the market, but they also use big-data statistical analysis to determine the normal patterns of behaviour on each individual network which enables them to automatically spot anomalies faster and beyond the range of simply looking for known causes of failure. It is precisely this approach which is so powerful in the early detection of unauthorised network activities.

As mentioned earlier, NOC396 has only been operational since January. Founders Andy Bridson and Ian Comish have laboured long and hard to bring the offering to market and already have 15 clients. The primary target market for the moment is the UK, where they have two salesmen operating, but the customers’ networks can be worldwide - they can ship a NetProbe to anywhere and it’s simple for customers to install. Therein lies the beauty of the business model, they can supply globally by providing the service from their Network operations Centre (“NOC”) in Tromode. Given the lack of competition in this new market segment there is massive potential for growth and Andy expects to more than triple the size of the company this year before opening new NOCs in other countries - starting with the UK - to scale up the business.

NOC396 have structured their offering into three levels, meaning that even the smallest of businesses can afford to have full-time professional network monitoring. At the most basic level they monitor and alert you when something’s awry. For small companies who have outsourced their IT provision this is usually all that’s needed because once alerted they can call their regular IT provider to dive in and fix. At the next level NOC396 will diagnose and tell you exactly what and where the problem is so that your IT team can go straight to the source and fix it without further diagnosis. In the top package the firm will manage the resolution of the problem, working with your IT team and suppliers to get it fixed in the shortest possible time.

This is all music to my ears. Historically, as an IT Director, I’ve had to provide this capability entirely in-house, including dedicated monitoring systems, automatic real-time SMS alerts, and fixing problems all the hours God sends. Even with all the tools in place you either have to have regular “all is well” reports or you end up worrying that there are no alerts because the network monitoring system has broken! Being able to outsource the 24x365 burden of monitoring the IT systems is a real winner and can save a fortune on IT overtime.

I’m obviously not the only IT leader who thinks like that - despite only being operational since January NOC396’s customers even include a commercial data centre. To my mind the service is very inexpensive for the benefits it brings - in NOC396 I think the Isle of Man technology sector has spawned a real home-grown winner with the potential to go global. And yes, when I was talking with Andy and Ian I asked them if they thought they would have spotted the Mossack Fonseca hack, and like me they think they would have caught on to it very quickly.

Visit them at www.noc396.com