I was an early advocate of the Gartner approach that combines endpoint detection and response (EDR), network detection and response (NDR) and security information and event management (SIEM) into the SOC visibility triad. But the road to security operations center (SOC) visibility has been a bumpy one, with real challenges in deploying attacker-detection tools.
One observation behind the SOC visibility triad was that traditional SIEMs might be unable to handle the high volume of events, certain types of data, and a variety of other challenges. I have observed this many times when working with enterprises: security teams struggle to build and maintain SIEM use-cases, even ones that work perfectly on manageable data-set sizes.
The technical and human resources required to select, build and maintain complex SIEM use-cases are immense. These are significant operating costs, and they come well before you consider the resources needed to actually perform security operations with the SIEM.
Saint Gobain, a Vectra customer, faced these issues a few years ago and came to the following conclusion:
In terms of SOC investment prioritization, I have seen a clear trend emerge: people who were thinking about their SIEM have moved to an EDR-first approach. However, EDR can never cover every device or workload in an enterprise, and because the agent sits on the endpoint, it only provides a local view of the files and processes on that host. A different yet complementary approach is needed.
This need is driving the rapid adoption of NDR today. NDR adds value to security operations by providing visibility inside networks, from cloud and data center workloads to user and IoT devices, and brings context to EDR and SIEM workflows.
The agentless approach of NDR provides an eye-in-the-sky view that focuses on the interactions between hosts and accounts. It does this across cloud, data center, IoT and enterprise networks, where NDR identifies the behaviours that hidden attackers cannot avoid exhibiting.
Given this pervasive visibility, along with the automation and significant workload reduction NDR brings to the SOC, it is clear why forward-thinking security teams are adopting an NDR-first approach:
Security teams are now changing their answers to the question of how to prioritize and balance their detection investments: