Align NetOps and SecOps Tool Objectives With Shared Use Cases
Published: 22 September 2017 ID: G00333211
Analyst(s): Sanjit Ganguli, Lawrence Orans
Summary
Although often separate, NetOps and SecOps teams share the common goal of maintaining
secure, high-performance network infrastructures. Infrastructure and operations leaders can
leverage shared data and tools to optimize budgets, avoid duplication of effort and improve the
end user's experience.
Overview
Key Challenges
Due to historic divisions, there is little coordination between NetOps and SecOps tool buyers,
even when those tools share common instrumentation points and use cases.
NetOps and SecOps teams often duplicate effort and waste money, because they buy tools that
share many of the same instrumentation points and some of the same use cases: specifically those
for network traffic analytics and network automation.
Increases in network complexity and threat sophistication demand that NetOps and SecOps
teams automate low-level tasks and gain network traffic visibility for threat detection, analysis
and response.
Increases in the use of the cloud, as well as network encryption, have hindered network
visibility for both teams, and the rise of disjointed NetOps and SecOps initiatives exacerbates
the challenge.
Recommendations
I&O leaders responsible for optimizing IT operations and DevOps to drive business value should:
Optimize tool budgets, improve network data acquisition and storage, reduce overhead, and
share best practices by assessing SecOps teams' existing toolsets and identifying common
instrumentation points and use cases between NetOps and SecOps teams.
Align procurement processes with those of the SecOps team by coordinating traffic analysis
and automation tool requirements, while acknowledging and seeking to overcome the
challenges caused by the inherent differences between NetOps and SecOps.
Strengthen cross-functional communications strategies and improve toolset use by sharing the
NetOps team's skill sets with the SecOps team (and vice versa).
Introduction
Network operations (NetOps) and security operations (SecOps) teams coexist as largely separate
entities in many organizations, but they share a common goal — a well-performing and secure
network infrastructure that optimizes the end-to-end user experience for networked applications.
In the event of a service degradation caused by an underlying network issue, end users are not
concerned with whether the cause was a bandwidth issue or an attacker. They just want the
service to perform as expected and for the issues to be resolved as quickly as possible.
With this common goal of protecting the end-user experience, NetOps and SecOps teams also
face common challenges in providing high performance and security, including a lack of visibility
into the traffic that flows over the network. For NetOps teams, visibility of network traffic is
critical to managing application performance and diagnosing the root causes of performance
issues. For SecOps, access to network traffic supports retrospective analysis of traffic flows,
identification of exfiltration attempts, network forensics, and microsegmentation workflows. The
need for this data by SecOps teams mirrors the changing threat landscape, where access to all
traffic — not just at the edge — is important and includes east-west data or lateral movement in
enterprise data centers.
The other common challenge is a lack of automation that impedes the agility of both teams in the
face of business initiatives, security incidents or performance issues. The increased modularity,
dynamism and complexity of the IT infrastructure process multiplies the chances of human error
considerably; hence, the need for automation has grown. NetOps teams often struggle with the
configuration and change management of their network devices, because demands from
application owners and lines of business are forcing NetOps teams to adopt agile practices. Of
course, this is contrary to the traditional risk-averse practices that have served them to date.
SecOps teams face similar demand for security policy configuration changes on networked
devices, and for the ability to make those changes in an automated manner. In addition, lack of
automation of basic, low-priority tasks prevents skilled staff from focusing on higher-value
activities.
In many organizations, both teams have moved down the path of network traffic monitoring and
automation, but these efforts are largely uncoordinated. Because these initiatives analyze the
same data (network traffic and device configurations), and often use similar toolsets, this lack of
alignment can lead to wasted budget; duplicated instrumentation, training and procurement
efforts; and increased overhead on the network. For example, if multiple tools are decrypting and
re-encrypting streams for analysis, it also can lead to degraded network performance. Therefore,
shared tooling and instrumentation layers are recommended and will be discussed in the
following analysis (see Figure 1).
Figure 1. Shared Tooling and Instrumentation Layers
Source: Gartner (September 2017)
This research will discuss how infrastructure and operations (I&O) leaders can enable NetOps
and SecOps teams to achieve their common goals. By aligning their efforts, NetOps and SecOps
teams can optimize their tool budgets, minimize duplicate work, consolidate efforts to acquire
and store network telemetry data to reduce overhead, and share best practices, processes and
culture.
To be fair, cultural clashes between SecOps and NetOps have undermined convergence attempts
in the past. In addition, it must also be acknowledged that NetOps and SecOps often have
divergent tool requirements, and, in those cases, only limited alignment can be achieved.
However, based on the trends in network complexity and threat sophistication, the time is ripe to
explore alignment options. These can be broken into four levels (see Table 1).
Table 1. The Four Levels of Alignment
Level | Description
Awareness | NetOps and SecOps are aware of each other's tools, with an eye toward higher levels of alignment.
Coordination | NetOps and SecOps coordinate the purchase of certain tool types that share common instrumentation points (such as packet/flow/configuration).
Shared Instrumentation | NetOps and SecOps jointly capture and process (filter/decrypt) network traffic and configuration data, and share that data with each group's individual toolsets.
Shared Tools | NetOps and SecOps find and use common use cases among each other's toolsets.
Source: Gartner (September 2017)
Analysis
Assess SecOps Teams' Existing Toolsets and Identify Common Instrumentation Points and Use
Cases
NetOps teams have moved down the path of network traffic analysis with network packet brokers
(NPBs) and network performance monitoring and diagnostics (NPMD) toolsets (see "Market Guide
for Network Packet Brokers" and "Magic Quadrant for Network Performance Monitoring and
Diagnostics" ). Both aid in the capture, storage and analysis of network packet and flow data,
which can be used for performance analysis. Gaining access to these packets and flows is often
complex, involving taps, spans or configuration changes.
SecOps teams have also moved down the path of network traffic analysis (NTA) and network
forensic tools (NFTs), in-line tools such as cloud access security brokers (CASBs), and security
information and event management (SIEM) tools, to understand the flow of traffic in the
network and to enable various security checks. As with NetOps, gaining access to these packets and
flows is often complex, involving taps, spans or configuration changes. In the public cloud, it
relies on the cloud provider's exposure of flow data or, in some cases, agents installed in each
workload to forward packets.
NetOps teams have moved down the path of network automation through network configuration
and change management (NCCM) tools and network configuration automation (NCA) tools (see
"Market Guide for Network Automation" ). These toolsets discover, access, collect, manage and
automate the configuration of network devices to ensure policy compliance, reduce
misconfigurations and enable workflows for troubleshooting issues that arise from network
changes. The configuration of these tools is often complex, because they involve collecting data
from heterogeneous networks, often with many nodes that involve software-defined networking
(SDN), the public cloud, containers, etc.
SecOps teams have also moved down the path of automation through network access control
(NAC) and firewall policy rule management (FPRM) tools, which discover, access, collect, manage
and automate the security configuration of network devices, to ensure that security policies are
being followed and identify vulnerabilities. The configuration of these tools is often quite involved,
because they involve collecting data from complex heterogeneous networks, often with many
nodes.
To align these efforts and avoid procuring multiple tools for the same purpose, I&O leaders must
assess which toolsets are used across the teams, identify the overlapping use cases, and explore
the possibilities using a common tool. If both teams already have a particular toolset in place,
I&O leaders must coordinate the tools' data capture methods (e.g., packets, flows or device
configurations) to reduce overhead on the network (see Figure 1).
The toolsets used by NetOps (NPMD, NCCM, NCA or NPB) are increasingly useful to SecOps and
may obviate the need for a separate initiative. Although not all security use cases will be
satisfied by NetOps' tools, several capabilities may be useful to SecOps.
Shared use cases include the following:
Deep packet filtering, decryption and packet-to-flow generation (NPB)
Network traffic reports (NPMD)
Flow visualization and relationship discovery with Internet Protocol (IP)-to-IP pair conversations
(NPMD)
Traffic reports with port mapping (NPMD)
Traffic dependency mapping (NPMD)
Deep packet inspection to identify protocol details and URLs (NPMD)
Packet storage (NPMD)
Anomaly detection for increases in volume and velocity of traffic between IPs (NPMD)
Auditing and regulatory compliance (NCCM and NCA)
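The two NPMD use cases above that SecOps most often borrows, IP-to-IP conversation discovery and anomaly detection on traffic volume between IPs, come down to the same aggregation over flow records. The following is an added example, not code from the research note or from any NPMD product: it aggregates constructed flow records (the addresses, byte counts and the "10x the prior-day mean" threshold are all assumptions chosen for illustration) into per-pair conversations, reports pairs that appear for the first time on the latest day, and flags a pair whose volume spikes, which is the shape an exfiltration attempt takes in flow data.

```python
"""Conversation discovery and volume-anomaly detection over flow records.

Added example. All flow records below are constructed; the baseline window,
the anomaly factor and the addresses are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400  # seconds; conversations are bucketed per day


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds (constructed)
    src: str
    dst: str
    dport: int
    octets: int   # bytes carried by the flow


def sample_flows():
    """Constructed flow export: three steady days, then one anomalous day."""
    flows = []
    for day in range(3):
        t = day * DAY
        flows += [
            Flow(t + 3600, "10.0.1.5", "10.0.2.20", 1433, 5_000_000),
            Flow(t + 7200, "10.0.1.6", "10.0.2.20", 1433, 4_800_000),
            Flow(t + 9000, "10.0.1.5", "203.0.113.8", 443, 120_000),
        ]
    t = 3 * DAY
    flows += [
        Flow(t + 3600, "10.0.1.5", "10.0.2.20", 1433, 5_100_000),
        Flow(t + 9000, "10.0.1.5", "203.0.113.8", 443, 400_000_000),  # outbound spike
        Flow(t + 9900, "10.0.1.7", "198.51.100.9", 22, 30_000),       # never-seen pair
    ]
    return flows


def conversations(flows):
    """(src, dst) -> {day_index: octets}: the IP-to-IP conversation view."""
    table = defaultdict(lambda: defaultdict(int))
    for f in flows:
        table[(f.src, f.dst)][f.ts // DAY] += f.octets
    return table


def new_pairs(flows):
    """Relationship discovery: pairs whose first conversation is on the latest day."""
    table = conversations(flows)
    latest = max(f.ts // DAY for f in flows)
    return sorted(pair for pair, per_day in table.items() if min(per_day) == latest)


def volume_anomalies(flows, baseline_days=3, factor=10):
    """Flag pairs whose latest-day octets exceed factor x the mean of prior days.

    Pairs with no prior history are skipped here; new_pairs() reports them.
    """
    table = conversations(flows)
    latest = max(f.ts // DAY for f in flows)
    findings = []
    for pair, per_day in table.items():
        if latest not in per_day:
            continue
        history = [per_day[d] for d in sorted(per_day) if d < latest][-baseline_days:]
        if not history:
            continue
        mean = sum(history) / len(history)
        if per_day[latest] > factor * mean:
            findings.append({"pair": pair, "baseline": mean,
                             "latest": per_day[latest],
                             "ratio": per_day[latest] / mean})
    return findings


if __name__ == "__main__":
    for hit in volume_anomalies(sample_flows()):
        print("volume anomaly:", hit)
    print("first-seen pairs:", new_pairs(sample_flows()))
```

The same conversation table serves both teams: NetOps reads it for dependency mapping and capacity, SecOps reads it for new relationships and for the pair whose volume jumped by three orders of magnitude overnight. Keying on (src, dst) rather than on a single host is what keeps a busy database replication pair from drowning out a quiet host that suddenly pushes hundreds of megabytes to an external address.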
Meanwhile, SecOps tools (NTA, NFT, NAC, FPRM or CASB) offer several use cases that can be
useful to NetOps. These include:
Network traffic reports (NTA and NFT)
Configuration collection of network devices (NAC and FPRM)
Cloud-destined traffic reports (CASB)
There will be situations in which no tool sharing is feasible, given the specific nature of the
requirements. In those cases, I&O leaders must work with SecOps teams to determine ways to
minimize overhead on the network by having single tools (such as an NPB) provide data to both
NetOps and SecOps tools, or by having a single configuration collection engine that shares the
data to both toolsets. Network automation tools, which offer use cases for both NetOps and
SecOps, are likely to be specialized such that each group will need its own toolset. However,
consider coordinating the collection of configuration files to feed into each toolset and
coordinating a tool that maintains the provisioning of these changes.
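A single configuration collection engine feeding both toolsets is easier to picture with code. The following is an added example, not code from the research note or from any NCCM, NCA or FPRM product: one parser runs over a constructed IOS-style configuration (the device, addresses and rule names are made up), and then a NetOps rule set (time sync, syslog, interface documentation) and a SecOps rule set (any-any permits, telnet on management lines, default SNMP communities) are evaluated against the same parsed data, so the device is polled once rather than once per team.

```python
"""One config collection, two rule sets (NetOps and SecOps).

Added example. The configuration text is constructed in an IOS-like syntax;
the individual checks are assumptions chosen to illustrate the split.
"""
import re

# Constructed device configuration; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ntp server 10.0.0.10
logging host 10.0.0.20
snmp-server community public RO
!
interface GigabitEthernet0/0
 description UPLINK-TO-CORE
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.0.2.1 255.255.255.0
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.2.10 eq 443
 permit ip any any
!
line vty 0 4
 transport input telnet ssh
 login local
"""


def parse_sections(config):
    """Split a config into {top-level statement: [indented child lines]}.

    Top-level statements without children map to an empty list.
    """
    sections = {"": []}
    current = ""
    for raw in config.splitlines():
        if raw == "!" or not raw.strip():
            continue
        if raw.startswith(" "):
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def netops_checks(sections):
    """Operational hygiene: findings are (team, message) tuples."""
    findings = []
    if not any(s.startswith("ntp server") for s in sections):
        findings.append(("netops", "no NTP server configured"))
    if not any(s.startswith("logging host") for s in sections):
        findings.append(("netops", "no syslog destination configured"))
    for header, body in sections.items():
        if header.startswith("interface ") and not any(l.startswith("description") for l in body):
            findings.append(("netops", f"{header}: missing description"))
    return findings


def secops_checks(sections):
    """Security policy compliance over the same parsed data."""
    findings = []
    for header, body in sections.items():
        if header.startswith("ip access-list"):
            for line in body:
                if re.fullmatch(r"permit\s+ip\s+any\s+any", line):
                    findings.append(("secops", f"{header}: permit ip any any"))
        if header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(("secops", f"{header}: telnet enabled for management"))
    for statement in sections:
        m = re.match(r"snmp-server community (\S+)", statement)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(("secops", f"default SNMP community '{m.group(1)}'"))
    return findings


def run_all(config):
    """Collect once, evaluate both rule sets, return the combined findings."""
    sections = parse_sections(config)
    return netops_checks(sections) + secops_checks(sections)


if __name__ == "__main__":
    for team, message in run_all(SAMPLE_CONFIG):
        print(f"[{team}] {message}")
```

The point is the structure rather than the specific rules: `parse_sections` is the shared collector, and each team owns its own check function over the parsed result. In practice the rule sets diverge (which is why the note expects each group to keep its own automation tool), but the collection, credentials and polling load on the devices need not be duplicated.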
Gartner has observed this alignment already starting to take place, through inquiries with end-
user clients and vendors (see Evidence). NPBs (see "Market Guide for Network Packet Brokers" ),
typically purchased by NetOps, are increasingly being used to feed raw packet and flow data to
security tools (including SIEMs). In addition, organizations are increasing their use of NPMD tools
for security purposes, including microsegmentation, and to identify infected or exploited hosts by
analyzing protocol, port and URL markers of attacks (for example, WannaCry ransomware and
exploitation of the Heartbleed vulnerability in OpenSSL).
Additionally, NetOps and SecOps teams are viewing newer network orchestration tools (such as
Ansible) as a way to extend their DevOps initiatives to DevSecOps, by embracing the
programmability already in use by other parts of IT (see "DevSecOps: How to Seamlessly
Integrate Security Into DevOps" ). With DevSecOps as a catalyst, the trend to share
instrumentation points across operations and security is happening in other areas as well. For
example, application performance monitoring tools are converging with application security
monitoring tools (see "Application Performance Monitoring and Application Security Monitoring
Are Converging" ).
Gartner has seen use cases that demonstrate the benefits of alignment and highlight the risks of
nonalignment:
A large financial-services company bought both an NAC (through SecOps) and an NCA
(through NetOps). The company is now unable to get a working solution, because the products
don't integrate, and the NCA tool alone controls access to the network devices.
A large electronics manufacturer reported that its NPBs were purchased to feed NPMD tools,
but the company now has 80% of traffic going to its security tools.
During the Heartbleed and WannaCry events, several enterprises leveraged NPMD tools to
identify affected users through deep packet inspection of specific port number and URL
markers.
A fashion company's security infrastructure team was looking for a network monitoring tool for
security purposes, but was unaware that network operations already has a network monitoring
initiative in play.
Align Procurement Processes With Those of the SecOps Team
After assessing existing toolsets, if neither team has toolsets that address existing needs, I&O
leaders must coordinate procurements with SecOps teams through an aligned tool selection
process. Aligned selection entails sharing RFP specs (see "Toolkit: RFP for Network Performance
Monitoring and Diagnostics" ) and sharing team members to assist in requirement building,
selection and testing of products.
Expect each team to require individual tools to achieve its requirements, but coordination
addresses the challenge of collecting the right data for those tools and ensures that individual
tools do not interfere with each other. Ideally, the capture and storage of the network data (e.g.,
packets, flows and configurations) can be done centrally, and that data can be made available to
the individual NetOps and SecOps products for the specific analytics tailored to each team's use
cases.
Share Skill Sets Between Teams
In most large organizations, NetOps and SecOps operate as two distinct units. The objectives of
these units are often distinct, so the alignment of processes to include network traffic analysis
and network automation as part of each other's incident response is critical. I&O leaders must
collaborate with the SecOps team to define the actions required to engage each other during a
security or performance incident resolution process and post-mortem analysis. Most incident
resolution processes will start with the NetOps team, until it is determined it might be a security
incident. At that point, some kind of handoff between NetOps and SecOps is required. This
includes actions to pass along required details and the format that the deliverable must be in for
processing by the opposite team. The deliverable may be a report or a customized view of a
dashboard.
To serve as these counterparts, I&O leaders should request that SecOps teams identify
individuals who will liaise with NetOps, to ensure that requirements are being met and that NetOps
has sufficient insight into SecOps' priorities to provide useful deliverables. At the same time, a joint
team should be nominated with top troubleshooters for performance and security that can be
called on during severe performance or security events to leverage either set of tools, as well as
other relevant solutions to mitigate issues in the most efficient manner.
The following actions can help I&O leaders share skill sets with SecOps teams:
Identify the specific information and data that NetOps and SecOps should be monitoring to
help each other. For example, review prior security incidents and determine where network
forensics information would have been helpful to the SecOps team.
Agree on a formal communications strategy for sharing timely information. For example, if the
security team learns of an attack that is affecting other organizations (an "attack in the wild"), it
needs to communicate exactly the data that it needs from the NetOps team. The Heartbleed
bug is a good example of how NetOps can help the SecOps team. A Heartbleed exploit sends a
small TLS heartbeat request that claims a large payload length, and a vulnerable server answers
with a reply far larger than the request (up to roughly 64KB of process memory per request).
An exploitation attempt can therefore be detected by comparing the size of a request to the
server with the size of the reply. Unless they were informed about this scenario, most NetOps
teams would not notice this subtle anomaly in network traffic. Thus, NetOps and SecOps teams
need to establish a formal communications strategy (for example, identify who will speak to
whom) to communicate relevant information.
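The request/reply size comparison described above is concrete enough to write down, and it is worth seeing both the check a packet tool (NPB or NPMD deep packet inspection) can make on the heartbeat record itself and the cruder asymmetry a flow-level tool would see. The following is an added example, not code from the research note or from any vendor product: it builds TLS heartbeat records from the RFC 6520 layout (constructed bytes, not a capture), flags a request whose claimed payload length exceeds what the record actually carries, and separately flags a reply more than 100 times larger than its request; the ratio threshold and the record builder are assumptions for illustration.

```python
"""Heartbleed markers: a record-level check and a request/reply size check.

Added example. The TLS records are constructed from the RFC 6520 heartbeat
layout; the size-ratio threshold is an assumption for illustration.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_MIN = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(buf):
    """Return (content_type, version, fragment) for one record, or None if truncated."""
    if len(buf) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    if len(buf) < 5 + length:
        return None
    return ctype, version, buf[5:5 + length]


def heartbeat_overread(fragment):
    """Bytes a vulnerable server would copy beyond what the request carried.

    A compliant peer discards a heartbeat when payload_length + 16 exceeds
    the fragment minus its 3-byte header; vulnerable OpenSSL copied
    payload_length bytes regardless, leaking process memory in the reply.
    """
    if len(fragment) < 3:
        return 0
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type != HB_REQUEST:
        return 0
    carried = max(0, len(fragment) - 3 - PADDING_MIN)
    return max(0, payload_length - carried)


def build_heartbeat(hb_type, payload_length, payload=b"",
                    padding=b"\x00" * PADDING_MIN, version=0x0302):
    """Constructed TLS heartbeat record (record header + heartbeat message)."""
    fragment = struct.pack("!BH", hb_type, payload_length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(fragment)) + fragment


# Constructed exchanges: a well-formed heartbeat and the classic oversized claim.
BENIGN_REQ = build_heartbeat(HB_REQUEST, 4, b"ping")
BENIGN_RESP = build_heartbeat(HB_RESPONSE, 4, b"ping")
EXPLOIT_REQ = build_heartbeat(HB_REQUEST, 0x4000, payload=b"", padding=b"")   # 8 bytes on the wire
EXPLOIT_RESP = build_heartbeat(HB_RESPONSE, 0x4000, payload=b"\x00" * 0x4000)  # ~16KB reply


def flag_exchange(req, resp, size_ratio=100):
    """Combine the DPI check with the size asymmetry a flow tool would see."""
    findings = []
    rec = parse_tls_record(req)
    if rec and rec[0] == TLS_HEARTBEAT:
        over = heartbeat_overread(rec[2])
        if over:
            findings.append(f"heartbeat request claims {over} bytes more than it carries")
    if len(resp) > size_ratio * len(req):
        findings.append(f"reply {len(resp)} bytes vs request {len(req)} bytes")
    return findings


if __name__ == "__main__":
    print("benign:", flag_exchange(BENIGN_REQ, BENIGN_RESP))
    print("exploit:", flag_exchange(EXPLOIT_REQ, EXPLOIT_RESP))
```

The record-level check is the precise one and is what a security tool would want fed from a shared NPB; the size-ratio check is what a NetOps team can apply today in its flow data once SecOps tells it what to look for, which is exactly the hand-off the communications strategy is meant to formalize. Note that the record-level check needs the heartbeat in the clear; with TLS 1.2 the heartbeat is sent before encryption is established only during the handshake, so visibility after that point depends on the decryption arrangements discussed under shared instrumentation.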
Solicit input from other teams when it's time to purchase new solutions or renew existing
contracts. One tool may satisfy the needs of both teams, allowing the organization to avoid
purchasing two separate solutions.
Evidence
Approximately 100 end-user inquiries, vendor inquiries and conference one-to-one discussions on
the topic of joint network operations and security operations use cases. Evidence was also
garnered from several NetOps-focused, roundtable discussions during Gartner conferences.
These interactions covered topics such as:
NPB use cases to feed both NetOps and SecOps tools
Best practices for network automation initiatives by both NetOps and SecOps teams
Use of packet and flow data sources to aid in threat mitigation
Best practices for NetOps to share packet and flow data with their security counterparts
Best practices for NetOps and SecOps to work more cooperatively together, especially during
outages and degradations
Note 1
Sample Vendors
NPB vendors: Gigamon, Ixia (Keysight Technologies), Big Switch Networks, Apcon
NTA vendors: Darktrace, Vectra, Lancope, Kaspersky, Trend Micro, SS8, ProtectWise, Cisco
(Tetration)
FPRM/NAC vendors: AlgoSec, Tufin, Firemon, ForeScout Technologies
SIEM vendors: Splunk, IBM
NPMD: ExtraHop, NetScout, Viavi, Riverbed, Plixer, Niksun
NCCM: NetBrain, HPE (MicroFocus), BMC, SolarWinds, Infoblox
NCA: Red Hat Ansible, AppViewX, Anuta Networks, Forward Networks
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or
its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written
permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines
for Gartner Services (/technology/about/policies/usage_guidelines.jsp) posted on gartner.com. The
information contained in this publication has been obtained from sources believed to be reliable. Gartner
disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no
liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of
Gartner's research organization and should not be construed as statements of fact. The opinions expressed
herein are subject to change without notice. Gartner provides information technology research and advisory
services to a wide range of technology consumers, manufacturers and sellers, and may have client
relationships with, and derive revenues from, companies discussed herein. Although Gartner research may
include a discussion of related legal issues, Gartner does not provide legal advice or services and its research
should not be construed or used as such. Gartner is a public company, and its shareholders may include firms
and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may
include senior managers of these firms or funds. Gartner research is produced independently by its research
organization without input or influence from these firms, funds or their managers. For further information on
the independence and integrity of Gartner research, see "Guiding Principles on Independence and
Objectivity. (/technology/about/ombudsman/omb_guide2.jsp)"