
Three cornerstones of the SOC nuclear triad

By:
Kevin Sheu
May 7, 2019

In the Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response” published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak introduced the concept of the SOC Visibility Triad.

The research includes a graphic of the “nuclear triad of visibility,” which it describes as follows:

  1. “SIEM/UEBA provides the ability to collect and analyze logs generated by the IT infrastructure, applications and other security tools.
  2. Endpoint detection and response provides the ability to capture execution, local connections, system changes, memory activities and other operations from endpoints.
  3. Network-centric detection and response (NTA, NFT and IDPS) is provided by the tools focused on capturing and/or analyzing network traffic, as covered in this research.”

Source: Gartner, Applying Network-Centric Approaches for Threat Detection and Response, March 2019, ID G00373460

The research goes on to state, “Your SOC triad seeks to significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals.”

In the research, the authors write that “EDR provides detailed tracking of malicious activities on an endpoint. Attackers, however, might be able to hide their tools from EDR. But, their activity will be visible by network tools as soon as they interact with any other system through the network.”

The research continues, “Logs can provide the necessary visibility into higher layers. For example, they can provide visibility into what users are doing on the application layer. EDR and logs can also mitigate the issues related to encrypted network connections – a common cause of blind spots in network-centric technologies.”

Security operations teams have asked Vectra very similar questions during their response or threat hunting activities: What did this asset or account do before the alert? What did it do after the alert? Can we find out when things started to turn bad?

Threat history is generally available in three places: NDR, EDR and SIEMs. EDR provides a detailed ground-level view of the processes running on a host and the interactions between them. NDR provides an aerial view of the interactions between all devices on the network, regardless of whether an EDR agent is running on them. Security teams configure SIEMs to collect event log information from other systems.

Security teams that deploy the triad of NDR, EDR and SIEMs are empowered to answer a broader range of questions when responding to an incident or hunting for threats. For example, they can answer:

  • Did another asset begin to behave strangely after communicating with the potentially compromised asset?
  • What service and protocol were used?
  • What other assets or accounts may be implicated?
  • Has any other asset contacted the same external command-and-control IP address?
  • Has the user account been used in unexpected ways on other devices?

Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR.

Examples of these exploits are those reportedly stolen from the Equation Group by the Shadow Brokers hacking group. When EDR is asked for a list of devices that a host communicated with, it may report devices B, C and E. Meanwhile, NDR would report that the same host communicated with devices A, B, C, E, and F.
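As an added example that is not part of the original post, the following Python correlates constructed EDR connection records with constructed NDR flow records for one host to surface the peers only the network saw (the A and F of the example above), and pivots on a single external address to answer which other assets contacted it. The record layouts, addresses and function names are assumptions for illustration, not any vendor's schema.

```python
# Constructed EDR telemetry: host -> connections the endpoint agent recorded,
# each as (remote address, remote port, protocol). Layout is an assumption.
EDR_CONNECTIONS = {
    "10.0.0.1": {("10.0.0.2", 445, "smb"), ("10.0.0.3", 3389, "rdp"),
                 ("10.0.0.5", 22, "ssh")},
    "10.0.0.2": {("203.0.113.9", 443, "https")},
}

# Constructed NDR flow records as (source, destination, dest port, protocol).
NDR_FLOWS = [
    ("10.0.0.1", "10.0.0.10", 135, "dcerpc"),    # A: only the network saw this
    ("10.0.0.1", "10.0.0.2", 445, "smb"),        # B
    ("10.0.0.1", "10.0.0.3", 3389, "rdp"),       # C
    ("10.0.0.1", "10.0.0.5", 22, "ssh"),         # E
    ("10.0.0.1", "203.0.113.9", 443, "https"),   # F: only the network saw this
    ("10.0.0.2", "203.0.113.9", 443, "https"),
    ("10.0.0.4", "203.0.113.9", 443, "https"),   # host with no EDR agent at all
]


def edr_peers(host):
    """Peers the endpoint agent reported for host (empty if no agent data)."""
    return set(EDR_CONNECTIONS.get(host, ()))


def ndr_peers(host):
    """Peers observed on the wire with host as the source address."""
    return {(dst, port, proto) for src, dst, port, proto in NDR_FLOWS if src == host}


def network_only_peers(host):
    """Connections NDR recorded that EDR did not report: candidates for an
    endpoint blind spot (tampered or absent agent) that an analyst reviews."""
    return ndr_peers(host) - edr_peers(host)


def hosts_contacting(address):
    """Every internal source that reached address, so one suspect external
    IP can be pivoted across the whole environment, agent or no agent."""
    return {src for src, dst, _, _ in NDR_FLOWS if dst == address}


def unmanaged_sources():
    """Flow sources with no EDR record: hosts the endpoint view cannot answer for."""
    return {src for src, *_ in NDR_FLOWS} - set(EDR_CONNECTIONS)
```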

This approach to a modern security operations center is also why Vectra has key integration capabilities with industry-leading technology partners, including CrowdStrike, Carbon Black and Splunk.

To learn more, reach out to Vectra for a consultative discussion about these integrations or schedule an inquiry with the authors of the Gartner research note – Barros, Chuvakin and Belak – for more context about achieving visibility across your infrastructure.

About the author

Kevin Sheu

Kevin Sheu leads product marketing at Vectra®. He brings 15 years of product marketing and management consulting experience, where he has demonstrated a passion for product innovations and how they are adopted by customers. He previously led growth initiatives at Okta, FireEye and Barracuda Networks. His perspectives are grounded in foundational work as a strategy and technology consultant, where he worked with G200 companies, private equity firms and government clients.
