In the Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response,” published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak introduced the concept of the SOC Visibility Triad.
The research provides the following graphic showing the “nuclear triad of visibility,” specifically:
The research goes on to state, “Your SOC triad seeks to significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals.” In the research, the authors write that “EDR provides detailed tracking of malicious activities on an endpoint. Attackers, however, might be able to hide their tools from EDR. But, their activity will be visible by network tools as soon as they interact with any other system through the network.”
The research continues, “Logs can provide the necessary visibility into higher layers. For example, they can provide visibility into what users are doing on the application layer. EDR and logs can also mitigate the issues related to encrypted network connections – a common cause of blindspots in network-centric technologies.”
Security operations teams have asked Vectra very similar questions during their response or threat hunting activities: What did this asset or account do before the alert? What did it do after the alert? Can we find out when things started to turn bad? Threat history is generally available in three places: NDR, EDR and SIEMs. EDR provides a detailed ground-level view of the processes running on a host and the interactions between them.
NDR provides an aerial view of the interactions between all devices on the network, regardless of whether EDR is running on them or not. Security teams configure SIEMs to collect event log information from other systems. Security teams that deploy the triad of NDR, EDR and SIEMs are empowered to answer a broader range of questions when responding to an incident or hunting for threats. For example, they can answer:
Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR.
Examples of these exploits are those reportedly stolen from the Equation Group by the Shadow Brokers hacking group. When EDR is asked for a list of devices that a host communicated with, it may report devices B, C and E. Meanwhile, NDR would report that the same host communicated with devices A, B, C, E, and F.
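As an added illustration (not from the Gartner research or from Vectra's products), the discrepancy above can be turned into a routine cross-check: collect each host's network peers from NDR flow records and from EDR connection events, then report the peers that only the wire shows. Host names, field names and records are constructed for this example; the status labels are my own.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the page). Each NDR record is a flow
# observed on the wire; each EDR record is a network-connection event reported
# by the endpoint agent. Both are reduced to (source host, destination) pairs.
NDR_FLOWS = [
    {"src": "host1", "dst": "devA", "dport": 445},
    {"src": "host1", "dst": "devB", "dport": 443},
    {"src": "host1", "dst": "devC", "dport": 22},
    {"src": "host1", "dst": "devE", "dport": 80},
    {"src": "host1", "dst": "devF", "dport": 4444},
    {"src": "host2", "dst": "devB", "dport": 443},
]
EDR_EVENTS = [
    {"host": "host1", "remote": "devB", "process": "chrome.exe"},
    {"host": "host1", "remote": "devC", "process": "ssh.exe"},
    {"host": "host1", "remote": "devE", "process": "curl.exe"},
]

def peers_from_ndr(flows):
    peers = defaultdict(set)
    for f in flows:
        peers[f["src"]].add(f["dst"])
    return peers

def peers_from_edr(events):
    peers = defaultdict(set)
    for e in events:
        peers[e["host"]].add(e["remote"])
    return peers

def visibility_gaps(flows, events):
    """Per host, peers seen on the wire that the endpoint agent never reported.

    'no_agent': EDR has no telemetry for the host at all (uninstrumented device).
    'partial':  the agent is present but its view is incomplete, which is the
                blind spot or evasion case worth investigating first.
    """
    ndr, edr = peers_from_ndr(flows), peers_from_edr(events)
    gaps = {}
    for host, wire_peers in ndr.items():
        missing = wire_peers - edr.get(host, set())
        if missing:
            gaps[host] = {"status": "partial" if host in edr else "no_agent",
                          "missing_peers": sorted(missing)}
    return gaps

if __name__ == "__main__":
    for host, gap in visibility_gaps(NDR_FLOWS, EDR_EVENTS).items():
        print(host, gap["status"], gap["missing_peers"])
```

In practice the same join is run over the SIEM's copy of both feeds, so that a host with a "partial" result becomes a pivot point for the before/after questions raised earlier.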
This approach to a modern security operations center must also provide key integration capabilities with industry leading technology partners, including Vectra, CrowdStrike, CarbonBlack and Splunk.
Powered by AI – machine learning, deep learning and neural networks – attacker behavior models constantly learn and adapt to automatically detect advanced threats in real time, before they do damage.
In addition to threat detection, AI is instrumental in triaging and prioritizing the highest-risk threats and correlating attacks with compromised host devices.
Tier 1 automation alone can condense weeks – and even months – of work into minutes and reduce the security analyst workload by 37X.
Here are some tips to improve the detection of attacker behaviors in network traffic, security posture and risk management:
When a threat is detected, security teams must answer a wide range of questions in order to respond quickly and decisively. These include:
The first step is to make sure that the attributes necessary to answer these questions are readily available to the analyst. Relevant security information, rich in context, must be available to incident responders.
Machine learning-derived attributes, including host identity and beaconing, provide vital context that reveals the complete scope and scale of an attack.
Context that puts the most relevant information at your fingertips provides a trail of forensic evidence about threat behaviors throughout the entire attack lifecycle while eliminating the endless hunt and search for threats.