I was an early advocate of the Gartner approach that calls for combining endpoint detection and response (EDR), network detection and response (NDR) and security information and event management (SIEM) to achieve the SOC visibility triad. But the bumpy road to security operations center (SOC) visibility has been fraught with challenges when it comes to deploying attacker detection tools
One observation about the SOC visibility triad was that traditional SIEMs might be unable to handle the high volume of events, certain types of data, and a variety of other challenges. This is something I’ve have observed many times when working with enterprises. Security teams struggle to build SIEM use-cases or maintain them, even when they work perfectly with manageable data-set sizes.
The technical and human resources that are required to select, build and maintain complex SIEM use-cases are immense. There are significant operating costs well before you consider the resources required to perform security operations using a SIEM.
Saint Gobain, a Vectra customer, faced these issues a few years ago and came to the following conclusion:
- Automate attacker detections using NDR and EDR. Refer to the MITRE ATT&CK framework to ensure complete threat coverage that scales to accommodate growth in IP addresses.
- Consider creating custom threat-detection models based on specific use-cases that are relevant your businesses. A one-size-fits-all approach to NDR, EDR and SIEM won’t work.
- For SIEM detections, create use-cases are relevant to your business and are not covered by other security vendors. This ensures consistency in the quality of detections over time.
In terms of SOC investment prioritization, I’ve seen a clear trend emerge: People that were thinking about their SIEM have moved to an EDR-first approach. However, EDR can never cover every device or workload in an enterprise and its deployment location only provides a local view of files and processes. A different yet complementary approach is needed.
This need is driving the rapid adoption of NDR today. NDR adds immeasurable value to security operations by providing complete visibility inside networks—from cloud and data center workflows to user and IoT devices—and brings clarity to EDR and SIEM workflows.
The agentless approach of NDR provides an eye-the-sky view and focuses on the interactions between different hosts and accounts. This is achieved across cloud, data center, IoT, and enterprise networks, where NDR identifies the immutable behaviours of hidden attackers.
This pervasive visibility—along with the level of automation and significant workload reduction NDR brings to the SOC—it’s clear why forward-thinking security teams are adopting an NDR-first approach:
- Multi-vendor integration is a must in order to ensure consistency and ease of the investigation.
- Getting more detection context exposes the full scope of an attack and enables faster, better-informed response actions.
Security teams are now changing their answers to the question of how to prioritize and balance their detection investments:
- EDR: More precise but less coverage (likely up to 40% of machines will ever have an agent; it is a lot less if you consider IoT and OT).
- NDR: More coverage but no machine-level view of malicious activities.
To learn more, check out the SOC visibility triad and how it enables you to move from prevention to detection.