In the Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response” published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak introduced the concept of the security operations center (SOC) Visibility Triad.
The research illustrates the “nuclear triad of visibility” with a graphic of three components, described in the report as follows:
1. Security event information management (SIEM) / User entity behavior analytics (UEBA): “provides the ability to collect and analyze logs generated by the IT infrastructure, applications and other security tools.”
2. Endpoint detection and response (EDR): “provides the ability to capture execution, local connections, system changes, memory activities and other operations from endpoints.”
3. Network-centric detection and response (NDR, NTA, NFT and IDPS): “is provided by the tools focused on capturing and/or analyzing network traffic, as covered in this research.”
The research goes on to state, “Your SOC triad seeks to significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals.” In the research, the authors write that “EDR provides detailed tracking of malicious activities on an endpoint. Attackers, however, might be able to hide their tools from EDR. But, their activity will be visible by network tools as soon as they interact with any other system through the network.”
The research continues, “Logs can provide the necessary visibility into higher layers. For example, they can provide visibility into what users are doing on the application layer. EDR and logs can also mitigate the issues related to encrypted network connections—a common cause of blind spots in network-centric technologies.”
Security operations teams have asked Vectra very similar questions during their response or threat hunting activities: What did this asset or account do before the alert? What did it do after the alert? Can we find out when things started to turn bad?
Threat history is generally available in three places: network detection and response (NDR), EDR and SIEMs. EDR provides a detailed ground-level view of the processes running on a host and the interactions between them. NDR provides an aerial view of the interactions between all devices on the network, regardless of whether EDR is running on them or not.
Security teams configure SIEMs to collect event log information from other systems. Security teams that deploy the triad of NDR, EDR and SIEMs are empowered to answer a broader range of questions when responding to an incident or hunting for threats. For example, they can answer:
- Did another asset begin to behave strangely after communicating with the potentially compromised asset?
- What service and protocol were used?
- What other assets or accounts may be implicated?
- Has any other asset contacted the same external command-and-control IP address?
- Has the user account been used in unexpected ways on other devices?
Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR. Examples of these exploits are those reportedly stolen from the Equation Group by the Shadow Brokers hacking group. When EDR is asked for a list of devices that a host communicated with, it may report devices B, C and E. Meanwhile, NDR would report that the same host communicated with devices A, B, C, E, and F.
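The questions above, and the A/B/C/E/F gap just described, can be worked through with a small correlation script. This is an added illustration, not code from Vectra or the Gartran report; the NDR flow records, EDR connection events, SIEM authentication events, host names and the external address 203.0.113.7 are all constructed sample data, and the pivot functions are hypothetical helpers rather than any product's API.

```python
from datetime import datetime, timedelta

# Constructed telemetry for one investigation of "host-x" (not real data).
# NDR: flows seen on the wire, independent of what runs on each endpoint.
NDR_FLOWS = [
    {"ts": "2019-03-18T09:00:00", "src": "host-x", "dst": "host-a", "proto": "tcp", "service": "smb"},
    {"ts": "2019-03-18T09:05:00", "src": "host-x", "dst": "host-b", "proto": "tcp", "service": "rdp"},
    {"ts": "2019-03-18T09:10:00", "src": "host-x", "dst": "host-c", "proto": "tcp", "service": "https"},
    {"ts": "2019-03-18T09:12:00", "src": "host-x", "dst": "203.0.113.7", "proto": "tcp", "service": "https"},
    {"ts": "2019-03-18T09:20:00", "src": "host-x", "dst": "host-e", "proto": "tcp", "service": "smb"},
    {"ts": "2019-03-18T09:25:00", "src": "host-x", "dst": "host-f", "proto": "udp", "service": "dns"},
    {"ts": "2019-03-18T09:40:00", "src": "host-b", "dst": "203.0.113.7", "proto": "tcp", "service": "https"},
]
# EDR: connections reported by the agent on host-x (it never saw host-a or host-f).
EDR_CONNECTIONS = [
    {"ts": "2019-03-18T09:05:00", "host": "host-x", "dst": "host-b", "process": "mstsc.exe"},
    {"ts": "2019-03-18T09:10:00", "host": "host-x", "dst": "host-c", "process": "chrome.exe"},
    {"ts": "2019-03-18T09:12:00", "host": "host-x", "dst": "203.0.113.7", "process": "svchost.exe"},
    {"ts": "2019-03-18T09:20:00", "host": "host-x", "dst": "host-e", "process": "explorer.exe"},
]
# SIEM: authentication events collected from the domain controller.
SIEM_AUTH = [
    {"ts": "2019-03-18T08:55:00", "user": "jdoe", "host": "host-x"},
    {"ts": "2019-03-18T09:30:00", "user": "jdoe", "host": "host-b"},
    {"ts": "2019-03-18T09:35:00", "user": "jdoe", "host": "host-e"},
]

def peers_ndr(flows, host):
    """Every device the network saw talking with host, in either direction."""
    return {f["dst"] for f in flows if f["src"] == host} | {f["src"] for f in flows if f["dst"] == host}

def peers_edr(conns, host):
    """Every device the endpoint agent on host reported a connection to."""
    return {c["dst"] for c in conns if c["host"] == host}

def edr_blind_spots(flows, conns, host):
    """Peers the network saw but the agent did not: the A and F of the text."""
    return peers_ndr(flows, host) - peers_edr(conns, host)

def others_contacting(flows, dst_ip, exclude):
    """Other assets that reached the same external address."""
    return {f["src"] for f in flows if f["dst"] == dst_ip and f["src"] != exclude}

def account_hosts(auth, user, home_host):
    """Devices, other than its usual one, where the account authenticated."""
    return {a["host"] for a in auth if a["user"] == user and a["host"] != home_host}

def activity_window(flows, host, alert_ts, minutes=15):
    """Flows involving host within +/- minutes of the alert, oldest first."""
    t0 = datetime.fromisoformat(alert_ts)
    lo, hi = t0 - timedelta(minutes=minutes), t0 + timedelta(minutes=minutes)
    hits = [f for f in flows if host in (f["src"], f["dst"]) and lo <= datetime.fromisoformat(f["ts"]) <= hi]
    return sorted(hits, key=lambda f: f["ts"])
```

Running `edr_blind_spots(NDR_FLOWS, EDR_CONNECTIONS, "host-x")` returns the two peers only the network layer observed, and `activity_window` gives the before/after picture around the alert time.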
To learn more, reach out to Vectra for a consultative discussion about these integrations or schedule an inquiry with the authors of the Gartner research note – Barros, Chuvakin and Belak – for more context about achieving visibility across your infrastructure.
For more information about the SOC Visibility Triad, check out the solution brief, “The ultimate in SOC visibility.”