In the Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response” published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak introduced the concept of the SOC Visibility Triad. In this note, Gartner advises:
“The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
According to the research, “modern security operations tools can also be represented with an analogy to the ‘nuclear triad,’ a key concept of the Cold War. The triad consisted of strategic bombers, intercontinental ballistic missiles (ICBMs) and missile submarines.
As shown in Figure 1, a modern SOC has its own nuclear triad of visibility, specifically:
1. SIEM/UEBA provides the ability to collect and analyze logs generated by the IT infrastructure, applications and other security tools.
2. Endpoint detection and response provides the ability to capture execution, local connections, system changes, memory activities and other operations from endpoints.
3. Network-centric detection and response (NTA, NFT and IDPS) is provided by the tools focused on capturing and/or analyzing network traffic, as covered in this research.”
This three-pronged approach gives SOCs greater visibility into threats and stronger detection, response, investigation and remediation capabilities.
Network metadata is one of the most authoritative sources for finding threats. Traffic on the wire reveals attacker activity with high fidelity and independently of the compromised host: it cannot be switched off by an intruder who disables an agent or clears a log. Lower-resolution sources such as logs show you only what a system was configured to record, not the fundamental behaviors that attackers simply cannot avoid as they spy, spread and steal, because all of those require talking over the network.
An NDR solution collects and stores key network metadata and augments it with machine learning and advanced analytics to detect suspicious activities on enterprise networks. NDR builds models that reflect normal behavior, and enriches the models with both real-time and historical metadata.
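The baselining step just described, as an added example that is not code from the original page or from any NDR product: a per-host model of "normal" is built from historical flow metadata and live flows are scored against it. Only metadata (source, destination, port, bytes) is used, so the logic applies to encrypted traffic as well. The hosts, addresses, volumes and the z-score and fan-out thresholds are all constructed for the example and are assumptions, not values from the page.

```python
"""Added example, not code from the original page or from any NDR product.

Builds a per-host model of "normal" from historical network metadata, then
scores live flows against it. Only flow metadata is used (source host,
destination, port, bytes), so no payload inspection is needed. Hosts,
addresses, volumes and thresholds are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical flows: (src_host, dst_ip, dst_port, bytes_out)
BASELINE_FLOWS = [
    ("ws-17", "10.0.5.20", 443, 12_000),
    ("ws-17", "10.0.5.21", 443, 15_000),
    ("ws-17", "10.0.5.20", 443, 9_500),
    ("ws-17", "10.0.5.22", 445, 4_000),
    ("ws-17", "10.0.5.21", 443, 11_000),
    ("ws-17", "10.0.5.20", 443, 13_500),
    ("db-01", "10.0.5.20", 443, 2_000),
    ("db-01", "10.0.5.20", 443, 2_400),
    ("db-01", "10.0.5.20", 443, 1_900),
]

# Constructed live flows. ws-17 starts talking SMB to five internal hosts it
# has never contacted (lateral movement); db-01 sends an unusually large
# volume to an external address it has never contacted (exfiltration).
LIVE_FLOWS = [
    ("ws-17", "10.0.5.20", 443, 12_500),
    ("ws-17", "10.0.7.1", 445, 3_000),
    ("ws-17", "10.0.7.2", 445, 3_100),
    ("ws-17", "10.0.7.3", 445, 2_900),
    ("ws-17", "10.0.7.4", 445, 3_200),
    ("ws-17", "10.0.7.5", 445, 3_000),
    ("db-01", "203.0.113.9", 443, 900_000),
]


def build_baseline(flows):
    """Per-host model: the destinations seen and the bytes-per-flow
    distribution. Real NDR products keep far richer features; this is the
    minimum needed to show the idea."""
    model = defaultdict(lambda: {"dsts": set(), "bytes": []})
    for src, dst, _port, nbytes in flows:
        model[src]["dsts"].add(dst)
        model[src]["bytes"].append(nbytes)
    return model


def detect(model, live_flows, z_threshold=3.0, fanout_threshold=4):
    """Return (host, finding, detail) tuples for flows that deviate from the
    baseline. Two behaviors are modelled: an unusually large transfer to a
    new destination, and a fan-out to many new destinations on one port."""
    alerts = []
    new_dsts = defaultdict(set)  # (host, port) -> destinations never seen before
    for src, dst, port, nbytes in live_flows:
        m = model.get(src)
        if m is None:
            alerts.append((src, "flow from host with no baseline", dst))
            continue
        if dst in m["dsts"]:
            continue  # known destination: nothing new to score
        new_dsts[(src, port)].add(dst)
        mu = mean(m["bytes"])
        sd = pstdev(m["bytes"]) or 1.0  # avoid division by zero on flat baselines
        if (nbytes - mu) / sd > z_threshold:
            alerts.append((src, "large transfer to new destination", dst))
    for (src, port), dsts in new_dsts.items():
        if len(dsts) >= fanout_threshold:
            alerts.append((src, f"fan-out to {len(dsts)} new hosts on port {port}", sorted(dsts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

Replaying the historical flows through `detect` produces no alerts, which is the sanity check worth keeping in any baseline-driven analytic: a model that alarms on the data it was trained from is measuring noise, not behavior.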
NDR provides an aerial view of the interactions between all devices on the network. In-progress attacks are detected, prioritized and correlated to compromised host devices.
NDR provides a 360-degree, enterprise-wide view—from public cloud and private data center workloads to user and internet-of-things devices.
Endpoint compromises are all too common, whether from malware, unpatched vulnerabilities or inattentive users. Mobile devices can be easily compromised on public networks, and then reconnected to the corporate network, where the infection spreads. Internet-of-things (IoT) devices are notoriously insecure.
An EDR solution offers more sophisticated capabilities than traditional antivirus, with detailed tracking of malicious activities on an endpoint or host device. EDR provides a real-time, ground-level view of the processes running on a host or device and interactions among them.
EDR captures process execution, memory activity, and system changes and modifications. This visibility helps security analysts spot patterns, behaviors, indicators of compromise and other hidden clues. That data can be mapped against other security intelligence feeds to detect threats that can only be seen from inside the host.
For decades, security teams have relied on SIEMs as a dashboard for security activity across their IT environment. A SIEM collects event logs from other systems and provides analysis, event correlation, aggregation and reporting.
Integrating threat detections from EDR and NDR can make a SIEM an even more powerful tool, enabling security analysts to stop attacks faster. When an incident occurs, analysts can quickly identify the affected host devices. They can more easily investigate to determine the nature of an attack and if it succeeded.
A SIEM can also drive other network security controls, such as firewalls or NAC enforcement points, to block malicious activity. Threat intelligence feeds let a SIEM match observed activity against known-bad indicators and act on them before an attack progresses further.
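The correlation the two preceding paragraphs describe, as an added example that is not code from the original page or from any SIEM product: detections forwarded from the EDR, the NDR and an authentication log are grouped per host within a time window, and a host that several independent sources flag in the same window is promoted to a prioritized incident with a timeline. Every event is constructed; the host names, timestamps, source labels and the window size are assumptions for the example.

```python
"""Added example, not code from the original page or from any SIEM product.

Groups detections from EDR, NDR and log sources per host within a time
window; a host flagged by two or more independent sources in one window
becomes an incident with a timeline. All events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detections in the normalized shape a SIEM might store them.
EVENTS = [
    {"ts": "2019-03-18T09:00:05Z", "source": "auth-log", "host": "ws-17",
     "summary": "interactive logon user=alice"},
    {"ts": "2019-03-18T09:02:10Z", "source": "edr", "host": "ws-17",
     "summary": "winword.exe spawned powershell.exe with encoded command"},
    {"ts": "2019-03-18T09:02:40Z", "source": "ndr", "host": "ws-17",
     "summary": "periodic connections to 203.0.113.9:443, destination never seen before"},
    {"ts": "2019-03-18T09:07:00Z", "source": "ndr", "host": "ws-17",
     "summary": "SMB connections to 5 internal hosts never contacted before"},
    {"ts": "2019-03-18T11:30:00Z", "source": "ndr", "host": "db-01",
     "summary": "large transfer to new destination"},
    {"ts": "2019-03-18T14:15:00Z", "source": "edr", "host": "ws-22",
     "summary": "unsigned binary executed from temp directory"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _incident_from(host, cluster, min_sources):
    """Turn one time-cluster of events into an incident if enough distinct
    sources agree; a single-source cluster stays an uncorroborated alert."""
    sources = sorted({e["source"] for e in cluster})
    if len(sources) < min_sources:
        return []
    return [{
        "host": host,
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
        "sources": sources,
        # Three vantage points (log, endpoint, network) outrank two.
        "priority": "high" if len(sources) >= 3 else "medium",
        "timeline": [f'{e["ts"]} [{e["source"]}] {e["summary"]}' for e in cluster],
    }]


def correlate(events, window_minutes=15, min_sources=2):
    """Group events per host, split them into clusters where consecutive
    events are at most `window_minutes` apart, and emit incidents."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        cluster = [evs[0]]
        for e in evs[1:]:
            if parse_ts(e["ts"]) - parse_ts(cluster[-1]["ts"]) <= window:
                cluster.append(e)
            else:
                incidents.extend(_incident_from(host, cluster, min_sources))
                cluster = [e]
        incidents.extend(_incident_from(host, cluster, min_sources))
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f'{inc["priority"].upper()} {inc["host"]} '
              f'{inc["start"]}..{inc["end"]} sources={inc["sources"]}')
        for line in inc["timeline"]:
            print("   ", line)
```

With the defaults, only ws-17 is promoted: the logon, the suspicious process tree and the two network findings fall inside one 15-minute window and come from three different sources, so the analyst gets the user, the process, the external destination and the internal spread in one timeline. The single NDR finding on db-01 and the single EDR finding on ws-22 remain alerts to triage rather than incidents, which is the trade-off the `min_sources` knob controls.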
Security teams that deploy the triad of NDR, EDR and SIEM are empowered to answer a broader range of questions when responding to an incident or hunting for threats. For example, they can answer:
Economic loss due to cybercrime is predicted to reach $3 trillion by 2020, according to the World Economic Forum. Nation-states and criminals are taking advantage of a borderless digital world, but by adopting a nuclear triad of visibility, a SOC can protect its organization’s sensitive data and vital operations.