Your network is not finite, with a clear beginning or end. Your network is always expanding, connecting to internet of things (IoT) devices, cloud applications and infrastructure, operational-technology (OT) networks, partners and suppliers. Constant change and growth are necessary to deliver new services and products and keep employees productive.
Many organizations are exploring IoT. Business drivers include making data analytics more accessible, better informed decision-making, uncovering new business opportunities, creating a safer and more productive workplace, and process or behavior monitoring and optimization.
Controlling risk and exposure on IoT devices with embedded operating systems creates new challenges. Traditional endpoint security and patching are often impossible through normal operating procedures, and IoT devices often have an open attack surface. Security tools focusing on malicious code or perimeter defense provide limited visibility once the attacker has successfully infiltrated the environment. Security analysts are flying blind when it comes to compromised IoT devices.
But there’s a better way to gain full visibility into threats: The security operations center (SOC) visibility triad, recently introduced by Gartner.
The SOC visibility triad consists of network detection and response (NDR), endpoint detection and response (EDR) and security information event management (SIEM) or log-based detection. A uniquely powerful combination, the triad offers the best coverage of all threat vectors across cloud workloads and enterprise infrastructures and user and IoT devices. With this combination, threat analysis does not depend on signatures or reputation/blacklists. Instead, detection focuses on attacker behaviors and malicious patterns from inside the network, whether the inside attacker is a rogue employee or an outsider.
EDR provides clear visibility into host-level activity but requires extended visibility for hosts that can’t install agents at all, such as IoT or hosts that support a selective installation of agents. SIEM and log-based tools are great for business intelligence, reporting and correlation across data sources, but require additional information for lateral movement, network detection and response use cases. With NDR, the network provides defense layer visibility into all IP devices acting suspiciously. This defense layer helps you detect the real unknown threats in your IT environment by focusing on the agenda the attacker has and what actions the attacker needs to perform to succeed.
The Cognito Platform from Vectra is a key element in the SOC visibility triad. Security analysts use Vectra for threat hunting and to perform conclusive incident investigations. The AI-driven Cognito detects active threats in real time across the enterprise—from cloud and data center workloads to user and IoT devices. Vectra analyzes cloud and network traffic, enriches the metadata with security insights, and prioritizes the highest-risk threats in real time.