By Seth Brickman, head of global product — platform at Splunk, a Cisco company
The relationship between the SOC and NOC is one fraught with contradictions. While both teams seek to reach the same destination to keep the business secure, protected, and free of disruptions, they’ve taken wildly different routes along the way. Historically, dividing the two teams helped each focus on their respective missions, but this also created a lack of context, preventing either team from conducting in-depth investigations and accurately determining the source of an outage or incident quickly. This begs the question: is it time to merge the SOC and the NOC?
Picture a typical weekday morning. Traffic to a customer-facing application spikes 400% in 90 seconds. In the NOC, engineers see latency climbing and start chasing a load balancer misconfiguration. In the SOC, analysts see the same spike and start addressing a suspected DDoS. Two teams, two war rooms, two sets of dashboards, and one customer experience degrading by the minute. Three hours later, they discover it was neither. A botched application release was retrying failed calls in a tight loop, and the pattern only became visible when someone finally put network telemetry and security signals on the same screen. This is the cost of the SOC and NOC operating as separate organizations with separate data. Both teams are doing their jobs well. Both are only seeing half the picture.
The instinct to divide them was correct at one point. Each function had its own specialized tooling, escalation paths, and muscle memory. Splitting the work let each team get good at what it did. But the threat landscape and the network have both grown more complex, and the seam between them has become where the worst incidents now live. Today’s attacks move through network paths before they show up in security telemetry. The interesting signal is almost always in the overlap, and neither team owns the overlap.
The question is not whether to merge the SOC and the NOC organizationally. That debate has been running for a decade with no clear winner. The more useful question is how to give both teams a shared view of reality so the seam stops being a blind spot.
The importance of data fabric
Most attempts to unify SOC and NOC operations fail at the data layer. Teams try to forward logs from one platform to another, stand up a shared SIEM, or build a custom correlation engine. These efforts collapse under volume, schema drift, and the basic reality that network telemetry and security telemetry were never designed to live in the same index.
A data fabric takes a different approach. Rather than moving data into a single store, it creates a unified access layer across the data sources you already have. Network flow records stay where they are. Endpoint detection telemetry, application performance metrics, cloud audit logs, and identity events all stay in their native systems. The fabric allows them to be queried, correlated, and enriched as if they were one dataset.
Three things become possible that were not before. First, correlation across domains happens in real time rather than after the incident. When a latency spike and an authentication anomaly occur within the same two-minute window on the same set of assets, it’s worth surfacing immediately, not reconstructing in a postmortem.
Second, enrichment happens once and serves both teams. Asset context, user identity, threat intelligence, and behavioral baselines get layered onto raw events as they flow. A NOC engineer investigating a performance degradation sees the same enriched record a SOC analyst would see investigating the same asset for compromise.
Third, AI becomes useful instead of decorative. Models trained on unified telemetry can tell the difference between an application failing on itself and an actual attack. The quality of the data determines the quality of the inference, and unified data raises the ceiling on what AI can do operationally.
A 90-day roadmap to a comprehensive unit
As a first step toward bridging these gaps, organizations can use a data fabric as the underlying architecture for resolving ambiguity. The following 90-day roadmap guides teams as they transition from siloed entities to a comprehensive, data-driven unit.
Days one to 30: Establishing the data fabric foundation
The first step is to break down the technical silos by connecting your disparate data sources into a unified fabric. Here’s how:
- Connect telemetry to the fabric: Instead of moving data, use the data fabric to create a virtual layer across your environment and ingest network flow data, firewall logs, WAF alerts, and application performance metrics into a single, AI-ready platform.
- Define a use case: Is that sudden spike in traffic a DDoS attack, or is it a misconfigured load balancer causing a retry storm? Ensure the NOC’s network performance metrics and the SOC’s threat intelligence are normalized, allowing the fabric to correlate a latency spike with a potential security event in real time.
Days 31 to 60: Shared visibility and triage
With the fabric in place, you can now eliminate the guesswork that typically occurs during a service disruption:
- Stand up shared “ambiguity” dashboards: Build a unified dashboard powered by the fabric that overlays network health with security indicators. When a service degrades, the dashboard should automatically highlight the root cause.
- Align triage and escalation: Use the fabric’s real-time enrichment to provide analysts with immediate context. If the fabric flags a “high confidence ambiguity,” both a NOC engineer and a SOC analyst are automatically paged to a joint incident bridge.
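The correlation the article describes (a latency spike and an authentication anomaly on the same assets inside a two-minute window, enriched once and routed to both teams, with the DDoS-versus-retry-storm question from the "Define a use case" step) can be sketched in a few dozen lines. The block below is an added example and is not Splunk's code or the author's; the asset inventory, telemetry records, field names, the four-times-baseline spike threshold and the source-count heuristic for classifying a spike are all constructed assumptions, not a product schema.

```python
# Added example, not code from Splunk or the article's author. A minimal
# cross-domain correlator: it normalizes constructed NOC (latency/throughput)
# and SOC (authentication anomaly) records into one schema, enriches each once
# with assumed asset context, and surfaces an "ambiguity" whenever a traffic
# spike and a security signal land on the same asset inside a two-minute window.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)   # the article's "same two-minute window"
LATENCY_SPIKE_FACTOR = 4        # assumed: p95 latency >= 4x baseline counts as a spike

# Constructed asset inventory (hypothetical hosts and owners).
ASSET_CONTEXT = {
    "web-01": {"owner": "payments", "tier": "customer-facing"},
    "web-02": {"owner": "payments", "tier": "customer-facing"},
}
BASELINE_P95_MS = {"web-01": 120, "web-02": 140}   # assumed per-asset baselines

# Constructed NOC telemetry: per-minute APM/flow summaries.
NETWORK_METRICS = [
    {"ts": "2025-01-14T09:00:00Z", "asset": "web-01", "p95_ms": 125,
     "distinct_sources": 800, "top_source": "203.0.113.7", "top_share": 0.01},
    {"ts": "2025-01-14T09:01:00Z", "asset": "web-01", "p95_ms": 2300,
     "distinct_sources": 3, "top_source": "10.0.5.21", "top_share": 0.97},
    {"ts": "2025-01-14T09:20:00Z", "asset": "web-02", "p95_ms": 2100,
     "distinct_sources": 4100, "top_source": "198.51.100.9", "top_share": 0.02},
]
# Constructed SOC telemetry: identity detections.
SECURITY_EVENTS = [
    {"ts": "2025-01-14T09:02:30Z", "asset": "web-01", "type": "auth_anomaly",
     "detail": "service account login from new ASN"},
    {"ts": "2025-01-14T09:40:00Z", "asset": "web-02", "type": "auth_anomaly",
     "detail": "password spray against admin portal"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def enrich(record, domain):
    """Normalize a raw record to the shared schema and attach asset context once,
    so a NOC engineer and a SOC analyst read the same enriched record."""
    return {
        "ts": parse_ts(record["ts"]),
        "asset": record["asset"],
        "domain": domain,
        "context": ASSET_CONTEXT.get(record["asset"], {"owner": "unknown", "tier": "unknown"}),
        "raw": record,
    }


def is_spike(metric):
    return metric["p95_ms"] >= LATENCY_SPIKE_FACTOR * BASELINE_P95_MS[metric["asset"]]


def classify_spike(metric):
    """Assumed heuristic: one dominant internal caller looks like an application
    retrying in a loop; thousands of distinct sources look like volumetric abuse."""
    if metric["top_share"] > 0.8 and metric["top_source"].startswith("10."):
        return "retry-storm candidate (single internal caller)"
    if metric["distinct_sources"] > 1000:
        return "volumetric candidate (many distinct sources)"
    return "unclassified"


def correlate(network_metrics=NETWORK_METRICS, security_events=SECURITY_EVENTS):
    """Pair each network spike with security events on the same asset within WINDOW.
    A pairing is a high-confidence ambiguity and pages both teams; a lone spike
    stays with the NOC."""
    net = [enrich(m, "network") for m in network_metrics if is_spike(m)]
    sec = [enrich(e, "security") for e in security_events]
    findings = []
    for n in net:
        matches = [s for s in sec
                   if s["asset"] == n["asset"] and abs(s["ts"] - n["ts"]) <= WINDOW]
        findings.append({
            "asset": n["asset"],
            "owner": n["context"]["owner"],
            "spike_class": classify_spike(n["raw"]),
            "security_signals": [s["raw"]["type"] for s in matches],
            "ambiguity": "high" if matches else "none",
            "page": ["noc", "soc"] if matches else ["noc"],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

Run as-is, the first spike (web-01, 09:01) lands 90 seconds from an authentication anomaly on the same host, so it is surfaced as a high ambiguity that pages both teams, and the source pattern marks it as a likely retry loop rather than an attack. The second spike (web-02, 09:20) has no security signal within two minutes, so it stays a NOC-only performance finding even though a password spray hits the same host twenty minutes later. In a real fabric the two input lists would be live queries against the native systems rather than embedded records, and the thresholds would come from learned baselines rather than constants.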
Days 61 to 90: Operationalizing with AI and playbooks
Once the visibility is unified, use the data fabric’s predictive capabilities to move from reactive troubleshooting to proactive resilience:
- Develop repeatable, data-driven playbooks: Create joint incident response playbooks that leverage the fabric’s automated insights.
- Leverage AI for predictive modeling: Utilize the fabric’s AI-driven models to anticipate downstream impacts.
By embracing a data fabric architecture that spans security telemetry, network observability, and AI, businesses can create an intelligent operational environment that vastly improves incident detection and response. This will also enhance operational resilience and clear a path for the SOC and NOC to finally unify operations.
Maximize the value of your data in an AI-driven world with Splunk.
This sponsored post was supplied by Splunk.