Most of cybersecurity is based on having visibility of security events and providing protection that ranges from blocking a malicious action the moment it is detected to alerting the security team of a threat in progress. Endpoint protection, or now endpoint detection and response (EDR), has existed since the beginning of security, but given the nature of threats today, how many endpoints are really protected? There are many ways to compromise a client, and a traditional malware attack is only one of them. In a way, the original goal of the SIEM was to be the network equivalent of EDR: the means of establishing visibility across the network and protecting servers and other critical infrastructure.
The combination of the two types of security—EDR and the SIEM with all its data sources—still leaves most organizations relatively unprotected. Data breaches are all but a foregone conclusion; ransomware spreads like wildfire, and even the most security-conscious organizations, such as the NSA, have been unable to secure some of their most sensitive resources. Organizations have visibility, but for most it is incomplete. In fact, the visibility most security teams have is nebulous. Without trying to be pedantic, nebulous is often defined as cloudy, hazy, indistinct or indefinite. That is exactly the state of most organizations’ security. Yes, many events can be identified and much can be prevented or curtailed, but far too much passes unnoticed until it is far too late.
Gartner has helped develop a balanced approach toward security with its model of the SOC Visibility Triad. The strategy combines three pillars—two that most organizations already have and one that may be new to them. The three pillars are EDR, SIEM (or what Gartner categorizes as user and entity behavior analytics, or UEBA) and a growing category called network detection and response (NDR), formerly network traffic analysis (NTA). Together, the three pillars provide complete visibility and bring greater clarity and precision to the commonplace nebulous security visibility.
The three vantage points are not just about a wider field of vision. The strategy is to have integrated information that brings better fidelity to identify attacks early. Being able to connect a network event to an event on an endpoint or server helps make sense of what is going on and can sort out a meaningful needle from a haystack of security data. Integrating the three vantage points makes good on the original hope for the SIEM as a way of combining multiple data sources to provide clarity and completeness of security visibility.
The addition of NDR may be new for many organizations. Large enterprises with valuable data and other resources have been first to adopt NDR, but technological advances such as L7-enriched flow data—which provides comparable visibility as a much less complex and costly alternative to full packet capture—have now brought the capability within reach of many companies. It’s easy to see why NDR is important. Visibility of attacker targets, the most valuable assets in your organization, is at least as important as visibility of endpoints, the common starting place for an attack. At the least, it is an important complement to EDR.
At first glance, it may seem that adding another tool would only increase the amount of work and the number of alerts facing an already overtaxed security group, but the opposite is true. Insights gained from NDR tools tend to be high in fidelity and drive faster triage and investigation. NDR also improves the productivity of the whole security team by supporting automation and enabling prompt response. Without an NDR tool, you will also have a difficult time validating indicators of compromise. And in light of the ever-increasing adoption of cloud platforms, NDR covers visibility blind spots even as the digital environment sprawls beyond the confines of company premises.
The old analogy of a stool needing three legs for stability may well apply to security. The combination of EDR, NDR and a re-imagined SIEM gives organizations the ability to evolve from nebulous visibility to true vision and control of valuable assets. With the new approach, security teams can start turning the tables on would-be attackers. Security needs completeness of visibility, but it also needs the combined data to find attackers quickly and accurately.