Your network is not finite, with a clear beginning or end. Your network is always expanding, connecting to internet of things (IoT) devices, cloud applications and infrastructure, operational-technology (OT) networks, partners and suppliers. Constant change and growth are necessary to deliver new services and products and keep employees productive.
Many organisations are exploring IoT. Business drivers include making data analytics more accessible, better-informed decision-making, uncovering new business opportunities, creating a safer and more productive workplace, and process or behavior monitoring and optimisation.
IoT is a new source of risk
Controlling risk and exposure on IoT devices with embedded operating systems creates new challenges. Traditional endpoint security and patching are often impossible through normal operating procedures, and IoT devices often have an open attack surface. Security tools focusing on malicious code or perimeter defense provide limited visibility once the attacker has successfully infiltrated the environment. Security analysts are flying blind when it comes to compromised IoT devices.
A powerful triad
But there’s a better way to gain full visibility into threats: The security operations center (SOC) visibility triad, recently introduced by Gartner.
The SOC visibility triad consists of network detection and response (NDR), endpoint detection and response (EDR) and security information and event management (SIEM) or log-based detection. A uniquely powerful combination, the triad offers the best coverage of all threat vectors across cloud workloads, enterprise infrastructure, and user and IoT devices. With this combination, threat analysis does not depend on signatures or reputation/blacklists. Instead, detection focuses on attacker behaviors and malicious patterns from inside the network, whether the attacker operating inside is a rogue employee or an outsider.
EDR provides clear visibility into host-level activity, but it needs to be complemented for hosts that cannot run an agent at all, such as IoT devices, or that only support a selective installation of agents. SIEM and log-based tools are great for business intelligence, reporting and correlation across data sources, but need additional information for lateral movement and other network detection and response use cases. With NDR, the network itself becomes a defense layer that provides visibility into every IP device behaving suspiciously. This layer helps you detect the real unknown threats in your IT environment by focusing on the attacker's agenda and the actions the attacker must perform on the network to succeed.
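As an added illustration of the behavior-based detection the triad relies on (this is example code written for this page, not Vectra's Cognito or any product's logic), the Python below runs a simple lateral-movement heuristic over constructed flow metadata: an internal host that reaches many distinct internal peers on administrative ports within a short window is flagged, with no signature involved, so an agentless IoT device is covered the same way as a managed laptop. The subnet ranges, port set, thresholds and sample flows are all assumptions made for the example.

```python
"""Behavior-based lateral-movement detection over network flow metadata.

Added example for this page, not Vectra's code. It flags a host by what it
does on the network (fan-out to many internal peers on admin protocols in a
short window) rather than by a signature, so a device that cannot run an
EDR agent is observed the same way as one that can.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space and "administrative" ports for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985}

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # An IP camera (no agent possible) sweeping SMB across a server subnet
    (1000, "10.1.1.50", "10.1.2.10", 445),
    (1010, "10.1.1.50", "10.1.2.11", 445),
    (1020, "10.1.1.50", "10.1.2.12", 445),
    (1030, "10.1.1.50", "10.1.2.13", 445),
    (1040, "10.1.1.50", "10.1.2.14", 445),
    (1050, "10.1.1.50", "10.1.2.15", 445),
    (1060, "10.1.1.50", "10.1.2.16", 445),
    # Same device, one SMB flow much later: outside the window, not counted
    (9000, "10.1.1.50", "10.1.2.40", 445),
    # A laptop talking to one file server repeatedly: a single peer, benign
    (1000, "10.1.1.20", "10.1.2.10", 445),
    (1005, "10.1.1.20", "10.1.2.10", 445),
    (1010, "10.1.1.20", "10.1.2.10", 445),
    # An admin using RDP to three servers: below the fan-out threshold
    (2000, "10.1.1.30", "10.1.2.21", 3389),
    (2100, "10.1.1.30", "10.1.2.22", 3389),
    (2200, "10.1.1.30", "10.1.2.23", 3389),
    # Outbound HTTPS from the camera: not internal-to-internal, ignored here
    (1005, "10.1.1.50", "203.0.113.7", 443),
]


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_lateral_fanout(flows, window_seconds=300, min_peers=5):
    """Return {src_ip: [peer_ip, ...]} for internal sources that reach at
    least min_peers distinct internal hosts on admin ports within any
    sliding window of window_seconds. Only the behavior is examined; no
    payload, signature or reputation data is needed."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        peers_in_window = Counter()  # distinct destination -> flows in window
        left = 0
        for ts, dst in events:
            peers_in_window[dst] += 1
            # Slide the left edge forward until every event is inside the window.
            while events[left][0] < ts - window_seconds:
                old_dst = events[left][1]
                peers_in_window[old_dst] -= 1
                if peers_in_window[old_dst] == 0:
                    del peers_in_window[old_dst]
                left += 1
            if len(peers_in_window) >= min_peers:
                findings.setdefault(src, set()).update(peers_in_window)

    return {src: sorted(peers) for src, peers in findings.items()}


if __name__ == "__main__":
    for src, peers in detect_lateral_fanout(SAMPLE_FLOWS).items():
        print(f"{src} reached {len(peers)} internal hosts on admin ports: {peers}")
```

The window and threshold are where tuning happens: a helpdesk jump host legitimately fans out, so in practice such a detection is scoped per asset role, and the finding is what an analyst pivots on, not a verdict by itself.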
AI-driven network detection and response
The Cognito network detection and response platform from Vectra is a key element in the SOC visibility triad. Security analysts use Cognito for threat hunting and to perform conclusive incident investigations. The AI-driven Cognito detects active threats in real time across the enterprise — from cloud and data center workloads to user and IoT devices. Cognito analyzes cloud and network traffic, enriches the metadata with security insights, and prioritizes the highest-risk threats in real time.
For more information about the SOC Visibility Triad, check out our solution brief, or contact us to schedule a demo.
Henrik Davidsson is director of sales business development at Vectra, where he is responsible for customer value creation & managed service providers. He has over 15 years' experience working with large enterprises and service providers, always stays at the frontline of new security challenges, and coaches end customers and partners alike on how to augment their security posture and cyber resilience. Henrik has held leading positions at companies such as Cisco, Juniper Networks, VMware, FireEye and NTT Security.