IT environments are becoming increasingly complex and sophisticated. As a result, organisations adopt increasingly complex cybersecurity solutions to combat security breaches.
In response to this growing complexity and the threats that accompany it, Gartner developed the SOC Visibility Triad.
This blog post will cover:
1. Defining Gartner’s SOC Visibility Triad.
2. What are the three pillars of the SOC Visibility Triad?
3. The Importance of the SOC Visibility Triad.
4. How NDR fits in with the SOC Visibility Triad.
What is the SOC Visibility Triad?
A network-centric concept, Gartner’s SOC Visibility Triad consists of three main pillars to create a comprehensive security approach.
- EDR (Endpoint Detection and Response).
- NDR (Network Detection and Response).
- SIEM (Security Information and Event Management).
As the diagram shows, these elements work together to create a seamless security approach.
Gartner suggests that the main reason for creating this new visibility concept is that:
‘The escalating sophistication of threats requires organisations to use multiple data sources for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.’
Collecting data from multiple sources is critical; however, the goal is visibility that goes beyond what EDR and NDR alone provide. Although the concept is known as ‘security visibility’, it covers more than detection, investigation or response alone. By combining its three visibility pillars, the SOC Visibility Triad gives full transparency of the network during the incident response process.
The Three Pillars of the SOC Visibility Triad
SIEM (Security Information and Event Management)
SIEM is the method of identifying, monitoring, recording, and analysing cybersecurity events in real-time for your organisation. A SIEM provides a unified and comprehensive view of an organisation’s IT infrastructure security.
SIEM primarily relies on logging mechanisms to detect threats and vulnerabilities for an organisation. However, there are some issues with this method when used alone.
- Specific system exploits and vulnerabilities rarely, or never, show up in logs.
- Some technologies and systems do not support log collection (although Sapphire’s SIEM managed service can build custom support for systems that lack out-of-the-box integrations).
- A SIEM is only as powerful as its data sources, so it needs reliable feeds and sufficient coverage.
EDR (Endpoint Detection and Response)
Endpoint detection and response (EDR) is a security solution that combines endpoint data collection and real-time threat monitoring with analysis and automated remediation capabilities.
EDR is primarily behaviour-oriented, focusing on detecting malicious activity on endpoints such as servers, desktops and laptops, and provides zero-day protection.
However, on its own, EDR is not necessarily a fully scalable solution. With increased data and visibility, EDR often requires time, money, bandwidth, and a highly-skilled workforce to provide the complete visibility required.
NDR (Network Detection and Response)
Network detection and response (NDR) is a strategy security teams use to gain complete insight into known and unknown threats across an organisation’s network.
NDR examines the activity on a company’s network and, using machine-based analysis, makes security teams aware of current network activity as quickly as possible.
Again, just like the other two solutions, NDR alone has some disadvantages:
- It is challenging to keep up with the growing number of signature databases.
- False positives are a productivity killer, and security teams can lose time.
Why is the SOC Triad Important?
So, if the solutions have disadvantages, why is the SOC Visibility Triad so important?
The SOC Visibility Triad can help prevent and remediate cyber-attacks. By combining the three pillars above, the triad works to harness the strengths of each solution and mitigate their weaknesses.
Gartner suggests that:
‘Your SOC triad seeks to significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals. Logs, endpoint data and network data provide full visibility of the environment and reduce each other’s weaknesses. Using them together severely reduces the chance that an attacker can evade you for extended periods.’
For example, when a security team needs to analyse a large amount of data, NDR is usually the best solution. However, adding EDR and SIEM lets the security team supplement NDR in situations where visibility is a problem.
SIEM and NDR complement each other by closing EDR agent gaps, making malware much easier to detect.
By combining these three pillars, each solution can augment the other and create a multi-layered and comprehensive approach to network security.
Infosecurity Magazine suggests that the SOC Visibility Triad is unique for the following two reasons:
1. ‘It shifts the focus of security operations from the perimeter to the inside of the network and pivots from a “protect and prevent” mindset to a “detect and respond” mindset […] they need to take a more realistic approach that focuses on detecting threats that have circumvented the firewall and are living off the land and extending their reach inside the enterprise environment.’
2. ‘The Triad firmly endorses a critical-asset focused and data-driven security strategy – logs, endpoints, and network traffic. Intelligence will enable businesses to detect threats, identify and secure their critical assets, and remediate attacks in real-time.’
Adopting the SOC Visibility Triad as part of your organisation’s security strategy ensures your team accepts that a breach will happen at some point and knows how to detect, respond and remediate effectively.
How do the Three Pillars of the SOC Visibility Triad Work Together?
Within the SOC Visibility Triad, EDR gives security teams information about malicious activity on an organisation’s endpoints. EDR can detect, respond to and automatically remediate a vast array of malware, including zero-days, and provides comprehensive, detailed visibility over devices on the network.
NDR provides complete visibility by mirroring network traffic and analysing it for anomalies and threats, building a comprehensive map of the network in real time.
SIEM provides a single pane of glass for analysts to correlate information collected across an environment, including data ingested from EDR and NDR. SIEM enables security teams to centralise security alerting and threat hunting.
By utilising all three pillars of the SOC Visibility Triad, security teams can ensure that all aspects of their networks are fully visible.
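The following is an added example, not code from the original post or from Sapphire or Gartner, showing the correlation idea from the last two sections in miniature: events from each pillar are joined per host, and a host corroborated by two independent pillars is prioritised over one seen by a single source. All host names, IPs, timestamps and event details are constructed; ws-017 is assumed to have no EDR agent, so it surfaces only because NDR and the SIEM log agree on it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Host-to-IP map so NDR flow records (addresses only) join to the host names
# that EDR and the SIEM log carry. All values here are constructed for the example.
HOST_IP = {"ws-042": "10.0.5.42", "ws-017": "10.0.5.17", "ws-099": "10.0.5.99"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}
T = datetime.fromisoformat

# Constructed sample telemetry, one list per pillar. ws-017 has no EDR agent.
EDR_EVENTS = [
    {"time": T("2024-05-01T10:02:00"), "host": "ws-042", "detail": "mail client spawned script interpreter"},
]
NDR_EVENTS = [
    {"time": T("2024-05-01T10:05:00"), "src_ip": "10.0.5.42", "detail": "320 MB outbound to rare external host"},
    {"time": T("2024-05-01T10:07:00"), "src_ip": "10.0.5.17", "detail": "450 MB outbound to rare external host"},
]
SIEM_LOGS = [
    {"time": T("2024-05-01T10:03:00"), "host": "ws-017", "detail": "new local administrator account created"},
    {"time": T("2024-05-01T11:30:00"), "host": "ws-099", "detail": "new local administrator account created"},
]

def correlate(edr, ndr, logs, window=timedelta(minutes=15)):
    """Group events from all three pillars by host and record which pillars saw
    something on that host within `window` of its earliest event."""
    per_host = defaultdict(list)
    for e in edr:
        per_host[e["host"]].append(("EDR", e["time"], e["detail"]))
    for e in ndr:  # fall back to the bare IP when no host mapping exists
        per_host[IP_HOST.get(e["src_ip"], e["src_ip"])].append(("NDR", e["time"], e["detail"]))
    for e in logs:
        per_host[e["host"]].append(("SIEM", e["time"], e["detail"]))
    incidents = {}
    for host, events in per_host.items():
        events.sort(key=lambda ev: ev[1])
        start = events[0][1]
        in_window = [ev for ev in events if ev[1] - start <= window]
        incidents[host] = {"start": start,
                           "pillars": {ev[0] for ev in in_window},
                           "details": [f"{src}: {d}" for src, _, d in in_window]}
    return incidents

def prioritise(incidents):
    """Hosts corroborated by two or more pillars first, earliest activity first
    among equals; single-source hosts sink to the bottom of the queue."""
    return sorted(incidents, key=lambda h: (-len(incidents[h]["pillars"]), incidents[h]["start"]))

if __name__ == "__main__":
    inc = correlate(EDR_EVENTS, NDR_EVENTS, SIEM_LOGS)
    for host in prioritise(inc):
        print(host, sorted(inc[host]["pillars"]), inc[host]["details"])
```

Shrinking the window to a minute drops ws-042 back to a single EDR signal, which is the practical trade-off an analyst tunes: too tight and corroboration is lost, too wide and unrelated events get stitched together.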