Enterprise Network Performance Monitoring in 2024: Best Practices

1. For an advanced SPOG setup, implement an AIOps tool capable of intelligently correlating data between systems and data streams.

Evaluate and select an AIOps platform capable of ingesting data from all monitoring sources, such as Moogsoft or BigPanda. Consider factors like ease of use, customization capabilities, and alignment with your existing technology stack.

2. Whether AIOps is feasible or not, configure your integrations with existing monitoring tools (e.g., infrastructure monitoring, APM, log analytics).

We prioritize integrations based on the criticality of the systems being monitored and then work with vendors or internal teams to develop and test integrations for each monitoring tool. One of the most important nuances here making sure that all relevant metadata from source systems is preserved during ingestion and normalizing the data to ensure consistent formatting across all ingested events. With this in place, you can set up real-time data streaming where possible to minimize delays in event detection.

3. Implement event correlation rules to reduce noise and identify related issues.

Too many teams generate incident tickets expressing the same underlying issue, which is inefficient at best and downright chaotic at worst. Setting up even simple event correlation rules isn't difficult and can enormously impact efficiency.

Here's our approach:

• Analyze historical event data to identify patterns and relationships between events.
• Develop correlation rules based on common scenarios in your environment.
• Implement time-based correlation to group events occurring within specific time windows.
• Use topology-based correlation to relate events based on infrastructure dependencies.
• If AIOps is in the workflow, implement machine learning algorithms to continuously improve correlation accuracy over time.

4. Set up automated ticket creation for actionable events.

With the proper tooling in place, NOCs can define clear criteria for what constitutes an actionable event and then configure automatic ticket creation in the ITSM system for events meeting these criteria.

We only suggest doing this when a robust CMDB can enrich those tickets with context. With ticket automation in place, teams can implement intelligent routing to assign tickets to the appropriate teams or individuals and automatically update them based on event lifecycle changes.

5. Configure dashboards for NOC engineers to view and manage events efficiently.

We always build out role-specific dashboards that provide relevant information for different team members. All NOC dashboards should include key metrics such as open events by severity, MTTR, and SLA compliance, allowing engineers to drill down capabilities for detailed event analysis.

Advanced dashboarding should incorporate visualizations like heat maps or network topology views for intuitive problem identification. Read our other post for more on reporting in the NOC.

5. Above all, make sure 100% of actionable events are ticketed to enable comprehensive tracking and reporting.

Above all, make sure 100% of actionable events are ticketed to enable comprehensive tracking and reporting. By ticketing all actionable events, you create a comprehensive audit trail that can be used for various purposes:

• Tracking all events allows for accurate calculation of key metrics like Mean Time to Acknowledge (MTTA) and Mean Time to Resolve (MTTR).
• A complete dataset enables more effective trend analysis, helping to identify recurring issues or problematic systems.
• Understanding the full volume and nature of events helps in making informed decisions about staffing and skill requirements.
• A comprehensive record of events and their resolutions provides valuable data for ongoing process improvement efforts.

How to get started

Talk to us about a NOC Operations Consulting engagement to implement this process.

1. Conduct a thorough assessment of your current event management processes and tools. 
2. Develop a business case for implementing a SPOG solution, highlighting potential efficiency gains and improved service quality.
3. Form a cross-functional team to lead the SPOG implementation, including representatives from the NOC, IT operations, and relevant application teams.
4. Develop a phased implementation plan, starting with critical systems and gradually expanding to cover all monitored services.
5. Establish clear KPIs to measure the success of the SPOG implementation, such as reduction in MTTR, improved first-call resolution rates, and decreased event noise.
6. Train your NOC staff on the new SPOG platform and associated processes.
7. Implement a feedback loop to continuously refine event correlation rules and dashboard configurations based on real-world usage.

1. Establish an ITSM platform for all incident-related communication.

If you don't use one already, choose a robust ITSM platform that can serve as the central hub for all incident management activities. Then, develop and enforce policies that require all incident-related communications to be logged into that system. Configure the ITSM platform to integrate with other communication tools (e.g., email, chat) to capture external communications.

Implement a user-friendly interface to encourage adoption and minimize the temptation to use alternative communication channels. Provide training to all stakeholders on the importance of centralized communication and how to effectively use the ITSM platform.

2. Develop standardized incident templates for common issue types.

We typically go about this by analyzing historical incident data to identify the most frequent types of issues. We then create templates for each common incident type, including fields for all necessary information, including impact assessment, affected services, and required resources.

3. Implement automated workflows for incident triage, escalation, and updates.

Define clear criteria for incident prioritization based on impact and urgency, and then implement automatic assignment rules based on incident type, affected service, or required skills. Here at INOC, we set up automated escalation workflows for incidents that breach defined thresholds or SLAs. We then configure automatic status updates based on ticket activity or predefined time intervals. Lastly, we implement intelligent routing to ensure incidents are directed to the most appropriate team or individual.

4. Configure SLA tracking and alerts for critical incidents.

Define clear, measurable SLAs for different incident priorities and service types — and then implement real-time SLA tracking within the ITSM platform. We also set up automated alerts for impending SLA breaches to prompt timely action.

The NOC's dashboards should be configured to display SLA compliance metrics for individual incidents and overall performance. Escalation procedures should also be established for incidents at risk of breaching SLAs.

5. Set up automated notifications to relevant stakeholders based on incident priority and impact.

Identify your various stakeholder groups and their information needs for different types of incidents. Then, configure automated notification rules based on incident priority, affected services, and stakeholder roles. We take this a step further by implementing customizable notification templates that include relevant incident details and next steps.

We also set up different notification channels (e.g., email, SMS, push notifications) based on incident severity and stakeholder preferences. On the receiving end, it's a good idea to implement a mechanism for stakeholders to easily acknowledge receipt of notifications and request updates.

Building or Outsourcing a Tier 1 NOC

The decision to utilize or build an internal NOC depends on a number of economic and strategic factors. The following elements represent the basic cost drivers required to run or build an internal NOC.

• The volume of events, support requests and incidents
• Initial software and ongoing support
• Initial server hardware and ongoing support
• Implementation, customization and integration of software
• Systems and application engineers
• NOC staffing requirements (hours of coverage [e.g., 24x7, 8-to-5] and number of personnel per shift)
• Training costs
• Miscellaneous costs (e.g., disaster recovery site for redundancy, office space, monitoring stations, telephone, network connectivity, and power)

Most organizations can't justify the high expense of setting up or operating an internal 24x7 NOC. Instead, it's more economically feasible to outsource the Tier 1 NOC service to a qualified company. Outsourcing is a cost-effective option because of the inherent economies of scale that NOC service companies provide.

Here at INOC, Our NOC support framework typically reduces high-tier support activities by 60% or more, often as much as 90%. Need us to take on all levels of support? Dedicate your full time and attention to growing and strengthening your service. We’ll deliver world-class NOC support conveyed through a common language for fast, effective communication with you, your customers, and all impacted third parties.

How to get started

Talk to us about a NOC Operations Consulting engagement to implement this process.

1. Conduct a comprehensive review of your current incident management processes, identifying gaps and inefficiencies.
2. Develop a detailed implementation plan for enhancing incident management, including timelines, resource requirements, and key milestones.
3. Configure your ITSM platform to support the enhanced processes, including customizing fields, workflows, and notifications.
4. Develop a comprehensive training program for NOC staff and other stakeholders on the new incident management processes and ITSM platform usage.
5. Create and document clear escalation procedures, including criteria for escalation and expected response times at each tier.
6. Implement regular incident review meetings to analyze significant incidents, identify trends, and drive continuous improvement.
7. Develop KPIs for incident management, such as Mean Time to Resolve (MTTR), First Contact Resolution rate, and SLA compliance.
8. Establish a feedback mechanism for end-users and stakeholders to assess satisfaction with incident handling and identify areas for improvement.
9. Regularly review and update your incident management processes to ensure they remain aligned with evolving business needs and technological advancement

1. Establish a dedicated problem management team or assign responsibilities to senior NOC staff.

We typically approach problem management through a few steps:

• Start by assessing the current state of problem management in your organization and identify gaps.
• Define clear roles and responsibilities for problem management. If resources allow, create a dedicated problem management team. Otherwise, identify senior NOC staff who can take on problem management responsibilities.
• Make sure that problem management staff have the necessary skills and authority to investigate issues across different IT domains.
• Provide training on problem management principles and techniques to the designated staff.

2. Implement proactive problem identification processes using trend analysis of incidents and events.

Problem management requires tooling to analyze incident and event data to identify patterns and trends. Once this tooling is in place, we set up automated reports to highlight recurring incidents or events that could indicate underlying problems.

A key component of problem management is establishing thresholds for automatically triggering problem investigations (e.g., three similar incidents within a week). Here at INOC, we take this a step further for our clients by using machine learning algorithms to detect anomalies and potential problems before they cause significant impacts. In addition to machine-based problem detection, we also suggest implementing a process for NOC staff to flag potential problems based on their observations and experience.

3. Develop a standardized root cause analysis (RCA) methodology.

To determine root causes, choose an appropriate RCA methodology, such as 5 Whys, Ishikawa diagrams, or Fault Tree Analysis — and create templates and guidelines for conducting and documenting RCAs.

Establish criteria for when a formal RCA should be conducted (e.g., for all major incidents or recurring issues) and implement a simple peer review process for RCAs to ensure thoroughness and quality.

4. Create a process for tracking and implementing problem resolutions.

Implement a system for recording and tracking identified problems, separate from incident records. If problems tend to pile up, develop a prioritization framework for addressing problems based on their impact and urgency.

To operationalize your tracking and implementation process:

• Create a workflow for proposing, reviewing, and approving problem resolutions.
• Establish clear ownership and timelines for implementing approved solutions.
• Implement a process for verifying the effectiveness of implemented solutions.

5. Establish regular problem review meetings with relevant stakeholders.

Schedule regular problem review meetings, inviting representatives from key IT teams and business units to these meetings. Use these meetings to review open problems, discuss proposed solutions, and track progress on implementations. Analyze trends in problem data to identify systemic issues or areas for improvement. Use these meetings as a forum for knowledge sharing and cross-team collaboration.

How to get started

Talk to us about a NOC Operations Consulting engagement to implement this process.

1. Conduct a gap analysis of your current problem management capabilities against industry best practices.
2. Develop a detailed implementation plan for enhancing problem management, including timelines, resource requirements, and key milestones.
3. If not already in place, implement a dedicated problem management module in your ITSM platform.
4. Develop and document problem management policies and procedures, including criteria for problem identification, prioritization, and escalation.
5. Create templates for problem records, RCA reports, and solution proposals.
6. Implement tools and processes for trend analysis of incident and event data.
7. Establish KPIs for problem management, such as number of problems identified, time to root cause identification, and reduction in related incidents.
8. Develop a training program on problem management principles and processes for NOC staff and other relevant IT teams.
9. Implement a knowledge management process to capture and share lessons learned from problem investigations.
10. Establish a regular cadence of reviews to assess the effectiveness of the problem management function and identify areas for improvement.

1. Establish a formal Change Advisory Board (CAB) with representation from key IT functions.

• Define the composition of the CAB, ensuring representation from key IT functions.
• Establish regular CAB meetings to review and approve changes.
• Define the roles and responsibilities of CAB members.
• Implement a process for emergency CAB meetings for urgent changes.

2. Implement proactive problem identification processes using trend analysis of incidents and events.

Problem management requires tooling to analyze incident and event data to identify patterns and trends. Once this tooling is in place, we set up automated reports to highlight recurring incidents or events that could indicate underlying problems.

A key component of problem management is establishing thresholds for automatically triggering problem investigations (e.g., three similar incidents within a week). Here at INOC, we take this a step further for our clients by using machine learning algorithms to detect anomalies and potential problems before they cause significant impacts. In addition to machine-based problem detection, we also suggest implementing a process for NOC staff to flag potential problems based on their observations and experience.

3. Develop a standardized root cause analysis (RCA) methodology.

To determine root causes, choose an appropriate RCA methodology, such as 5 Whys, Ishikawa diagrams, or Fault Tree Analysis — and create templates and guidelines for conducting and documenting RCAs.

Establish criteria for when a formal RCA should be conducted (e.g., for all major incidents or recurring issues) and implement a simple peer review process for RCAs to ensure thoroughness and quality.

4. Create a process for tracking and implementing problem resolutions.

Implement a system for recording and tracking identified problems, separate from incident records. If problems tend to pile up, develop a prioritization framework for addressing problems based on their impact and urgency.

To operationalize your tracking and implementation process:

• Create a workflow for proposing, reviewing, and approving problem resolutions.
• Establish clear ownership and timelines for implementing approved solutions.
• Implement a process for verifying the effectiveness of implemented solutions.

5. Establish regular problem review meetings with relevant stakeholders.

Schedule regular problem review meetings, inviting representatives from key IT teams and business units to these meetings. Use these meetings to review open problems, discuss proposed solutions, and track progress on implementations. Analyze trends in problem data to identify systemic issues or areas for improvement. Use these meetings as a forum for knowledge sharing and cross-team collaboration.

How to get started

Talk to us about a NOC Operations Consulting engagement to implement this process.

1. Conduct a gap analysis of your current problem management capabilities against industry best practices.
2. Develop a detailed implementation plan for enhancing problem management, including timelines, resource requirements, and key milestones.
3. If not already in place, implement a dedicated problem management module in your ITSM platform.
4. Develop and document problem management policies and procedures, including criteria for problem identification, prioritization, and escalation.
5. Create templates for problem records, RCA reports, and solution proposals.
6. Implement tools and processes for trend analysis of incident and event data.
7. Establish KPIs for problem management, such as number of problems identified, time to root cause identification, and reduction in related incidents.
8. Develop a training program on problem management principles and processes for NOC staff and other relevant IT teams.
9. Implement a knowledge management process to capture and share lessons learned from problem investigations.
10. Establish a regular cadence of reviews to assess the effectiveness of the problem management function and identify areas for improvement.

Our recommendations

• For the most advanced SPOG setup, an AIOps tool capable of intelligently correlating data between systems and data streams is key. Evaluate and select an AIOps platform capable of ingesting data from all monitoring sources, such as Moogsoft or BigPanda. Consider factors like ease of use, customization capabilities, and alignment with your existing technology stack.

• Whether AIOps is feasible or not, configure integrations with existing monitoring tools (e.g., infrastructure monitoring, APM, log analytics). We prioritize integrations based on the criticality of the systems being monitored and then work with vendors or internal teams to develop and test integrations for each monitoring tool. One of the most important nuances here making sure that all relevant metadata from source systems is preserved during ingestion and normalizing the data to ensure consistent formatting across all ingested events. With this in place, you can set up real-time data streaming where possible to minimize delays in event detection.
• Implement event correlation rules to reduce noise and identify related issues. Too many teams generate incident tickets that express the same issue. Setting up even simple event correlation rules isn't difficult and can have an enormous impact on efficiency. Here's our approach:
  
  • Analyze historical event data to identify patterns and relationships between events.
  • Develop correlation rules based on common scenarios in your environment.
  • Implement time-based correlation to group events occurring within specific time windows.
  • Use topology-based correlation to relate events based on infrastructure dependencies.
  • If AIOps is in the workflow, implement machine learning algorithms to continuously improve correlation accuracy over time.
• Set up automated ticket creation for actionable events. With the proper tooling in place, NOCs can define clear criteria for what constitutes an actionable event and then configure automatic ticket creation in the ITSM system for events meeting these criteria. We only suggest doing this when there's also a robust CMDB that can enrich those tickets with context. With ticket automation in place, teams can implement intelligent routing to assign tickets to the appropriate teams or individuals, and automatically update them based on event lifecycle changes.
• Configure dashboards for NOC analysts to view and manage events efficiently. We always build out role-specific dashboards that provide relevant information for different team members. All NOC dashboards should include key metrics such as open events by severity, MTTR, and SLA compliance and allow analysts to drill down capabilities for detailed event analysis. Advanced dashboarding should incorporate visualizations like heat maps or network topology views for intuitive problem identification.
• Above all, make sure 100% of actionable events are ticketed to enable comprehensive tracking and reporting. By ticketing all actionable events, you create a comprehensive audit trail that can be used for various purposes:
  • Tracking all events allows for accurate calculation of key metrics like Mean Time to Acknowledge (MTTA) and Mean Time to Resolve (MTTR).
  • A complete dataset enables more effective trend analysis, helping to identify recurring issues or problematic systems.
  • Understanding the full volume and nature of events helps in making informed decisions about staffing and skill requirements.
  • A comprehensive record of events and their resolutions provides valuable data for ongoing process improvement efforts.

Our recommendations

• Establish the ITSM platform as the single source of truth for all incident-related communication.
• Configure integrations with existing monitoring tools (e.g., infrastructure monitoring, APM, log analytics).
• Implement event correlation rules to reduce noise and identify related issues.
• Set up automated ticket creation for actionable events.
• Configure dashboards for NOC analysts to view and manage events efficiently.
• Make sure 100% of actionable events are ticketed to enable comprehensive tracking and reporting. This is crucial for maintaining a complete record of all incidents and issues affecting the infrastructure.

Visualization of Metrics and Data

Observability platforms, such as LogicMonitor, play a crucial role in converting raw data from IT infrastructure into visual formats that are easy to interpret. This visualization capability enables IT teams to see beyond mere data points and understand complex system behaviors over time.

For example:

• LogicMonitor can automatically discover network devices across various brands, such as Cisco, Juniper, and Meraki. This allows for quick integration and monitoring setup, helping organizations rapidly achieve visibility across their network infrastructures.
• LogicMonitor provides detailed monitoring for various network elements such as firewalls, routers, switches, and SD-WAN solutions. It supports multiple protocols, including SNMP, API, jFlow, NetFlow, sFlow, and more, ensuring thorough coverage and visibility.
• The introduction of Datapoint Analysis in LogicMonitor's new UI offers deep analytical capabilities. It allows users to analyze and visualize data in depth, which facilitates informed decision-making and efficient problem resolution.

Graphical Representations

Unlike traditional network monitoring, which might only alert to a system's up/down status or basic performance thresholds, observability includes detailed graphical representations like charts and graphs. These visuals help identify trends, understand resource utilization patterns, and pinpoint the top network traffic sources.

(Actually) Actionable Insights

The ultimate goal of observability is to transform data into actual insights that inform decisions. This process involves not just collecting and monitoring data but analyzing it in useful ways to make informed decisions that can preempt potential issues. For example, observability can reveal a slowly developing problem before it becomes critical, enabling proactive interventions.

Beyond Real-Time Monitoring

While “network monitoring” often focuses on real-time data and immediate issues, observability encompasses both real-time and historical data analysis. This allows for trend analysis and long-term planning, providing a strategic advantage in IT management and the NOC, more specifically. Observability tools can aggregate data over extended periods, offering insights into seasonal impacts, long-term growth trends, or recurring issues that require structural changes in the network or applications.

For example, an e-commerce company might experience frequent downtimes during peak sales periods due to inadequate server load and network capacity monitoring. They might lack specialized IT staff and trending data capabilities to understand how to optimize network performance under varying loads at certain times.

A healthcare provider, for example, whose network monitoring tooling isn’t properly configured to recognize the critical nature of certain applications could mean that alerts that signal serious issues go unnoticed until they affect patient care. We step to automate alert configurations and establish thresholds based on application criticality. By employing AI and machine learning, thresholds and alerts can be dynamically adjusted to ensure that critical applications maintain high availability and reliability.

• Calculate Direct Losses: Quantify the immediate financial impact of downtime. This could include loss of sales, reduced productivity, and any costs incurred during the downtime to try and mitigate the impact (e.g., overtime labor, additional resource allocation). Metrics such as sales per hour can help quantify losses due to unavailable services.
• Estimate Recovery Costs: Significant resources are often needed to restore services and systems to normal after an outage. These costs may include technical support expenses, additional hardware or software costs, and the expense involved in identifying and rectifying the issue.
• Evaluate Impact on Customer Satisfaction and Retention: IT downtime can lead to poor user experience, loss of customer trust, and customer churn. Estimating the long-term financial impact of lost customers and the cost of acquiring new ones can be complex but crucial. Surveys and historical data on customer retention rates post-downtime incidents can provide valuable insights.
• Compliance and Legal Costs: Depending on the industry, downtime can result in breaches of legal or regulatory compliance, leading to fines, penalties, and legal costs. Understanding these potential costs is critical for industries like finance, healthcare, and public services.
• Opportunity Costs: Consider what strategic initiatives or innovations were delayed or shelved because resources had to be diverted to address or mitigate downtime.

• Incident Management: We use performance monitoring tools to detect and respond to incidents in real time. Our Ops 3.0 platform uses machine learning and automation (AIOps) in combination with a robust configuration management database (CMDB) to correlate alarm data and generate incidents at machine speed, ensuring immediate attention to potential disruptions.

• Problem Management: Beyond addressing immediate incidents, our service strategy—again, in alignment with ITIL— includes identifying and analyzing recurring problems to prevent future incidents. This aspect of problem management involves analyzing data collected over time from various network components to pinpoint underlying issues that could lead to repeated system disruptions or degraded performance. The goal is to stop waiting for fires to start across a network by fire-proofing it.

• Capacity Management: Through continuous monitoring and data analysis, we routinely assess the capacity needs of our clients’ IT infrastructures so resources are scaled appropriately to meet current and future demands without over-provisioning or resource wastage. We use performance data to forecast growth trends and prepare the infrastructure to handle increased load, thereby optimizing cost efficiency and performance.

• Change Management: We also integrate performance monitoring insights into our change management processes. Thanks to the data captured in our CMDB, we can understand the impacts of potential changes on network performance and make informed decisions about implementing modifications. This careful consideration helps mitigate risks associated with changes and ensures that system stability and performance are maintained.

1. Define the purpose of the IT environment.

Understanding your IT environment's primary function is crucial. Whether it supports critical business applications, user activities, or service delivery mechanisms, knowing its purpose will guide the metrics you should monitor.

• For example, if the IT environment primarily supports financial transactions, then metrics related to transaction speed, security, and uptime are paramount. We recommend setting up performance monitors specifically for these aspects to ensure that performance standards meet the stringent requirements of financial processing.
  
  

2. Identify the critical components of the IT infrastructure.

Pinpointing which elements of your infrastructure are most critical to fulfilling its purpose helps focus monitoring efforts. This could include specific servers, databases, network links, or applications. We suggest conducting a risk assessment to determine which components, if failed, would have the most significant impact on business operations.

• For instance, database servers might be identified as critical components, so their performance in query response time and concurrency would be closely monitored.
  
  

3. Assess your current monitoring tools.

4. Establish appropriate metrics and thresholds. 

Determine the relevant performance metrics based on the IT environment’s purpose and the critical components involved. Set thresholds that, when breached, will trigger alerts. These metrics and thresholds should be established based on historical performance data and industry benchmarks.

5. Continually review and adjust.

Performance monitoring is not a set-and-forget task. Monitoring strategies, tools, and thresholds must be continually reviewed and adjusted to adapt to changing business needs and technological advancements.