Hence, a holistic understanding of the IT network is fundamental to monitoring potential threats. However, no single solution can give complete protection in today’s complex IT landscape. Consequently, it is essential to bring different security angles together. Addressing this challenge, Gartner has introduced the SOC Visibility Triad to support IT security professionals in defining and furthering their architectural setup and in closing the entry points that adversaries can exploit to gain unauthorised access.
In this article, we’ll first elaborate on Gartner’s SOC Visibility Triad before going more in-depth regarding the special role Network Detection & Response solutions take within this framework.
Suggested by Gartner in 2015, the SOC Visibility Triad aims to prevent cyber attackers from remaining in your network long enough to achieve their malicious goals. Traditionally, enterprises relied on Security Information and Event Management (SIEM) systems to detect and stop cyberattacks. However, a lot of manual analysis was needed to interpret the data collected in a SIEM until Endpoint Detection & Response (EDR) and Network Detection & Response (NDR) solutions were introduced. EDR and NDR specialise in different use cases: while EDR relies on a piece of software (an agent) installed on the monitored endpoint to inspect that endpoint’s activities in detail, NDR monitors all aspects of network communication for a bird’s-eye view of IT activity, regardless of whether an agent is installed.
Figure: Visualisation of the SOC Visibility Triad.
A SIEM solution works by collecting and aggregating security log data from all devices across the network, such as endpoint devices, servers, network devices (switch, router), security solutions (firewalls, IDS/IPS, and EDR), custom applications, and even cloud services. The SIEM stores these logs in a central location using one unified format, where the SOC team checks these logs to detect abnormal activities that can signal a potential cyberattack.
Although SIEM has become an integral part of every enterprise arsenal to detect cyber threats, it still suffers from significant drawbacks:
EDR is an integrated software solution that monitors the activities of endpoint devices (laptops, desktops, and servers) in real time to detect malicious behaviour. EDR collects data from endpoint devices and analyses it to discover malicious patterns. Once a pattern is found, the EDR automatically responds to the threat or isolates the infected host to prevent the infection from spreading to other network areas and devices.
Even though EDR is a critical component of corporate security, its ability to stop advanced cyberattacks is limited:
NDR is the backbone of the SOC triad to gain holistic visibility. NDR analyses network traffic passing through the complete IT environment to detect malicious behaviour and respond accordingly.
NDR provides a range of security functions that SIEM solutions cannot offer. For instance, NDR can detect advanced cyberattacks and unknown malware by utilising advanced technologies such as domain-specific machine learning models. In contrast to EDR, NDR provides comprehensive visibility (East-West and North-South) over all interactions across the IT environment independent of agents, including cloud assets. Future-proof NDR solutions, such as ExeonTrace, rely on self-learning device behaviour models that can detect threats independent of traffic encryption, whereas traditional security solutions such as firewalls, IDS and IPS rely on deep packet inspection and become blind as more traffic is encrypted. Thus, a state-of-the-art NDR is able to discover the covert communication channels commonly employed by advanced threat actors such as APT groups and ransomware operators.
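As an added illustration (not Exeon’s or ExeonTrace’s code), the following Python sketch shows the kind of metadata-only behavioural check an NDR can run: it scores each source/destination pair on the regularity of flow timing and size, so a fixed-interval beacon stands out whether or not the payload is encrypted. The flow records, hosts and thresholds are constructed sample data and assumptions.

```python
# Added example, not the product's own logic: behaviour-based beaconing check
# over flow metadata only (timestamps, endpoints, byte counts), i.e. without
# deep packet inspection, so it works the same on encrypted traffic.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # Host A contacts an external host every ~60 s with near-identical sizes
    *[(1000 + 60 * i + (i % 2), "10.0.0.5", "203.0.113.9", 443, 512 + (i % 3))
      for i in range(12)],
    # Host B browses normally: irregular timing and varied sizes
    *[(ts, "10.0.0.7", "198.51.100.3", 443, nbytes) for ts, nbytes in
      [(1005, 4120), (1031, 15900), (1147, 780), (1402, 23000),
       (1410, 2200), (1690, 9800), (1702, 640), (1999, 31000)]],
]


def beacon_scores(flows, min_flows=8):
    """Return {(src, dst, port): (interval_cv, size_cv)} for pairs with
    at least min_flows flows. A low coefficient of variation (CV) in both
    inter-arrival time and bytes means machine-like regularity, which is
    the kind of signal a device behaviour model keys on."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))
    scores = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [nbytes for _, nbytes in recs]
        scores[pair] = (pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes))
    return scores


def suspected_beacons(flows, max_cv=0.1):
    """Pairs whose timing and size regularity both fall under max_cv (assumed)."""
    return sorted(pair for pair, (icv, scv) in beacon_scores(flows).items()
                  if icv <= max_cv and scv <= max_cv)


if __name__ == "__main__":
    for pair, (icv, scv) in beacon_scores(FLOWS).items():
        print(f"{pair}: interval CV={icv:.3f}, size CV={scv:.3f}")
    print("suspected beacons:", suspected_beacons(FLOWS))
```

On real telemetry the thresholds and minimum flow count would be learned per device rather than fixed, which is what the self-learning models described above add over a static rule.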
By combining an NDR solution with SIEM and EDR, SOC teams gain complete visibility over their network and become able to detect the unknown threats that continue to emerge daily.
The author: Gregor Erismann, CCO of Exeon
Gartner’s SOC Visibility Triad outlines the three angles needed to provide holistic IT security and to mitigate the weaknesses that result from using each one separately. Whilst SIEMs are already widely adopted, EDR and NDR are relatively new aspects of state-of-the-art corporate IT security as suggested by Gartner’s framework. To gain complete visibility, the timely deployment of EDR and NDR makes perfect sense. Of the two newer concepts, NDR is considered the backbone of Gartner’s SOC Visibility Triad, providing holistic visibility across all network activities and forming a cornerstone of modern defence strategies.