Moving from Prevention to Detection with the SOC Visibility Triad

February 24, 2020
Marcus Hartwig
Director, Product Marketing

Long gone are the days when good preventative controls alone were enough to keep an organization free of breaches. For on-prem networks, the traditional IDS functions built into next-generation firewalls (NGFWs) have grown long in the tooth and struggle with the ever-increasing share of encrypted traffic. They depend on deep packet inspection of payloads, which requires decrypting the traffic first; TLS 1.3 removes more of the handshake from plaintext and many organizations cannot or will not deploy interception at scale. Other vendors slap "AI" or "ML" on their products to stay relevant, but the fact remains: you cannot stop an attack you cannot see.

Organizations are also adopting cloud services at an increasing rate. Combined with a more mobile and distributed workforce, this makes perimeter monitoring of traffic entering and leaving the corporate network less relevant, because traffic often flows from remote locations straight to the cloud. Newer preventative approaches have adjusted accordingly and tend to focus on strong credentials and multi-factor authentication (MFA) to protect user accounts. Attackers have adapted in turn and become adept at compromising sessions that are already authenticated, for example by stealing session tokens or cookies, which sidesteps both passwords and MFA. Account takeover (ATO) has become one of the most significant attack vectors for cloud apps. Against this backdrop, it is no wonder that security professionals have shifted their emphasis from preventing compromise to detecting it quickly and shortening the time an attacker has access to company resources.

Modern security operations centers (SOCs) are looking for tools that give them complete visibility into user endpoints, multi-cloud, hybrid, and on-prem networks, together with correlation and forensic capabilities. In this search, the SOC visibility triad has emerged as the de facto standard. The triad combines three specialized technologies: endpoint detection and response (EDR) for the endpoint, network detection and response (NDR) for the network, and security information and event management (SIEM) for security analytics and correlation. For this combination to work, the three need robust integrations with each other, because SOC analysts' time is at a premium: the SIEM can only correlate EDR and NDR signals if both feeds arrive with a shared host identity and consistent (ideally UTC) timestamps, so the quality of the integration determines how much correlation the analyst actually gets.

As the leading NDR platform, we have always focused on building partnerships that benefit our customers, and deep technical integrations with the popular solutions in the SOC triad are important to us. Today we announced a partnership with Chronicle Backstory, which joins our SIEM integration ecosystem alongside Splunk, ArcSight, and QRadar. In the EDR corner, we have recently added Cybereason and SentinelOne as partners next to CrowdStrike and Carbon Black.

With these partnerships, organizations can feed high-value detections and security-enriched network metadata (delivered through Vectra Stream) into their existing workflows and automatically correlate them with the log and threat telemetry already in Chronicle. Together, Vectra and the SOC visibility triad offer a practical answer to the most persistent problem facing enterprise security teams: finding and stopping active attacks while getting the most out of limited time and resources.
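To make concrete what "correlating" NDR detections with endpoint telemetry in a SIEM looks like, here is an added example; it is not Vectra, Chronicle or any other vendor's code. It assumes a hypothetical pipe-delimited event format, a constructed asset map that translates the IP addresses an NDR sensor sees on the wire into the hostnames an EDR agent reports, and an arbitrary ten-minute correlation window. The sample lines are constructed, not captured telemetry.

```python
"""Joining NDR detections with EDR telemetry the way a SIEM correlation rule would.

Added illustration for this post; not Vectra, Chronicle or any vendor's code.
The event format, asset map and sample lines below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    source: str      # "ndr" or "edr"
    ts: datetime
    host: str        # canonical hostname after asset lookup
    kind: str        # detection or telemetry type
    detail: str


# Constructed asset inventory (hypothetical). NDR sees IP addresses on the wire;
# EDR reports hostnames. Without this join key the two feeds cannot be correlated.
ASSET_MAP: Dict[str, str] = {"10.1.4.12": "ws-012", "10.1.4.45": "ws-045", "10.2.0.7": "srv-db"}

# Constructed sample telemetry in a hypothetical "source|timestamp|host|kind|detail" layout.
SAMPLE_LINES: List[str] = [
    "edr|2020-02-24T10:01:10Z|WS-012|process_start|powershell.exe -nop -w hidden -enc (base64 payload)",
    "edr|2020-02-24T10:01:40Z|WS-045|process_start|outlook.exe",
    "ndr|2020-02-24T10:03:05Z|10.1.4.12|hidden_https_tunnel|beacon to 203.0.113.9:443 every 60s",
    "edr|2020-02-24T10:05:30Z|WS-012|network_connect|powershell.exe -> 203.0.113.9:443",
    "edr|2020-02-24T10:30:00Z|WS-012|process_start|chrome.exe",
    "ndr|2020-02-24T11:40:00Z|10.2.0.7|smb_brute_force|40 failed logons to srv-fs in 2m",
]


def parse_line(line: str) -> Event:
    """Parse one constructed line and normalise the host to the EDR hostname."""
    source, ts, host, kind, detail = line.split("|", 4)
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # both feeds in UTC
    canonical = ASSET_MAP.get(host, host).lower()
    return Event(source, stamp, canonical, kind, detail)


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """For each NDR detection, collect EDR events on the same host within +/- window."""
    edr_by_host: Dict[str, List[Event]] = {}
    for e in events:
        if e.source == "edr":
            edr_by_host.setdefault(e.host, []).append(e)
    incidents = []
    for d in events:
        if d.source != "ndr":
            continue
        related = sorted(
            (e for e in edr_by_host.get(d.host, []) if abs(e.ts - d.ts) <= window),
            key=lambda e: e.ts,
        )
        incidents.append({
            "host": d.host,
            "detection": d,
            "edr_context": related,
            # More corroborating endpoint activity means higher priority for the analyst.
            "score": 1 + len(related),
        })
    # Highest-scoring incident first; Python's sort is stable, so ties keep detection order.
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def run_sample() -> List[dict]:
    """Correlate the constructed sample feed and return the prioritised incidents."""
    return correlate([parse_line(ln) for ln in SAMPLE_LINES])


if __name__ == "__main__":
    for inc in run_sample():
        print(f"[{inc['score']}] {inc['host']}: {inc['detection'].kind}")
        for e in inc["edr_context"]:
            print(f"      {e.ts:%H:%M:%S} {e.kind} {e.detail}")
```

On the constructed sample, the beaconing detection on ws-012 is corroborated by two endpoint events inside the window (an encoded PowerShell launch and a connection to the same destination) and lands at the top of the queue, while the SMB brute-force detection on srv-db has no endpoint context and ranks below it. The part that usually breaks in practice is the join key: if the NDR feed carries IPs and the EDR feed carries hostnames, an asset inventory or DHCP log has to bridge them, and both sources must agree on timestamps, which is what a "robust integration" between the three legs of the triad has to supply.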

Read more about our technology integrations and the SOC visibility triad. For more information about threat behaviors and privilege-based attacks or to see the Cognito Platform in action, please visit