Breaking Down the SOC Visibility Triad
Focus on visibility to improve your security posture.
100% prevention is a myth and will never truly be accomplished. As attackers become more sophisticated and the attack surface grows exponentially, the security industry is going to have to pivot from a purely prevention ideology to include focus on early detection and response.
I’m not saying we should eliminate all of the prevention tools in our security arsenal, but we need to accept the fact that security has no goal line: It is a never-ending game, and sometimes the bad actors win and actually gain access to our networks. The only way to increase your security posture is by having the ability to detect suspicious behavior, investigate that behavior, and remediate, if necessary, as early as possible. Breaches will happen no matter what, but the dwell time is where we can actually make a difference. When major breaches happen, we often do an analysis to learn where and how these breaches began and frequently discover these bad actors have had access to our systems for weeks and sometimes many months without being detected.
Visibility Tools and Approaches
So how do we fix this? What tools or ideology will help us detect suspicious behavior sooner? The answer is to focus on visibility because you can’t protect yourself from what you can’t see.
Gartner introduced the visibility triad in a report called “Applying Network-Centric Approaches for Threat Detection and Response.” In this report, Gartner advises: “The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
Let’s break down what each of these tools brings and why they should complement each other.
- Security information and event management (SIEM): SIEM collects log data—a list of events that occur in a computer system, such as connections, errors, or any other problems. A SIEM system analyzes this data, and if you collect the data for long periods of time, such as a year or two, you can create your own custom detection rules. Some of the downsides are that it is extremely costly and time-consuming to implement, and it requires a high level of expertise to write custom rules. But collecting log data is important for understanding the operations of your systems, debugging any issues that occur, or even performing an audit of your systems.
- Endpoint detection and response (EDR): EDR captures process execution, local connections, system changes, memory activity, and other operations from endpoints. Endpoints include mobile devices such as phones and laptops, as well as servers. Mobile devices are the most commonly compromised endpoints, due to inattentive users accidentally clicking a bad link, bad credentials, or unpatched vulnerabilities such as out-of-date software. These “infected” endpoints routinely connect to the corporate network and, by doing so, give bad actors the ability to move across the network and access the information they desire.
- Network detection and response (NDR): NDR addresses network visibility via tools focused on capturing and analyzing network traffic. NDR solutions are proving to be one of the most important technologies in the security stack because bad actors need to connect to the network to gain access to the information they want, and the network remains the only place an attacker can’t hide. It is the only place to grab a packet capture (PCAP), which holds the absolute truth of a potential breach. Some enterprises believe having a SIEM and an EDR solution is all they require, but this creates visibility gaps, and the only way to bring it all together is by having a network monitoring solution.
Each of these solutions is needed, but much like everything else, each has drawbacks: log data does not provide highly contextual data, EDR needs hundreds—if not thousands—of agents, increasingly sophisticated malware evades EDR, and agents cannot be deployed on IoT devices at all. Even some NDR solutions have drawbacks in the quality of their data, such as NetFlow data versus packet data or packet capture processes.
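To make the visibility-gap argument concrete, here is an added example (not NETSCOUT's code or the report's) that correlates constructed SIEM, EDR, and NDR records for the same hosts. All host addresses, users, and process names are made up; it shows a host seen by all three sources, a host seen only on the wire (an agentless device that never logs in), and how an EDR finding can be tied to the flow an analyst would then pull from PCAP.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range for this constructed data

# Constructed sample telemetry, one record per source. Nothing here is real.
SIEM_EVENTS = [  # log data: authentication events forwarded to the SIEM
    {"src": "10.0.1.20", "user": "alice", "event": "logon_success"},
    {"src": "10.0.1.20", "user": "alice", "event": "logon_success"},
]
EDR_EVENTS = [  # endpoint telemetry: parent/child process executions from agents
    {"host": "10.0.1.20", "process": "outlook.exe", "child": "powershell.exe"},
]
NDR_FLOWS = [  # network metadata derived from packets: flow tuple plus layer-7 fields
    {"src": "10.0.1.20", "dst": "203.0.113.9", "dport": 443, "l7": "tls", "sni": "updates.example"},
    {"src": "10.0.1.77", "dst": "203.0.113.9", "dport": 8443, "l7": "tls", "sni": "updates.example"},
    {"src": "10.0.1.77", "dst": "203.0.113.9", "dport": 8443, "l7": "tls", "sni": "updates.example"},
]

def source_coverage(siem, edr, ndr):
    """Map each internal host to the set of triad sources that observed it."""
    seen = defaultdict(set)
    for e in siem:
        seen[e["src"]].add("SIEM")
    for e in edr:
        seen[e["host"]].add("EDR")
    for f in ndr:
        seen[f["src"]].add("NDR")
    return dict(seen)

def visibility_gaps(coverage):
    """Hosts seen on the wire but by no agent and no log: the gap the triad closes."""
    return sorted(h for h, s in coverage.items() if s == {"NDR"})

def corroborate(edr, ndr):
    """Pair a scripting child process on a host with that host's outbound flows.
    Returns (host, child, dst:port) tuples an analyst can pivot into the PCAP."""
    hits = []
    for e in edr:
        if e["child"].lower() != "powershell.exe":
            continue
        for f in ndr:
            if f["src"] == e["host"] and ip_address(f["dst"]) not in INTERNAL:
                hits.append((e["host"], e["child"], f"{f['dst']}:{f['dport']}"))
    return hits

if __name__ == "__main__":
    cov = source_coverage(SIEM_EVENTS, EDR_EVENTS, NDR_FLOWS)
    print("coverage:", cov)
    print("NDR-only hosts (no agent, no logs):", visibility_gaps(cov))
    print("EDR finding tied to network flow:", corroborate(EDR_EVENTS, NDR_FLOWS))
```

In this data 10.0.1.77 talks repeatedly to the same external host but appears in neither the SIEM nor the EDR data, so only the network source can reveal it.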
How to Achieve End-Through-End Visibility
NETSCOUT complements this visibility triad and is a leading provider of network visibility. NETSCOUT’s core competency for more than 30 years has been to capture packets and conduct deep packet inspection (DPI) at scale. NETSCOUT’s patented Adaptive Service Intelligence (ASI) technology converts those packets into a rich source of unique layer 2–7 metadata that we call Smart Data.
NETSCOUT’s Omnis Cyber Intelligence solution provides continuous full-packet capture, giving you visibility from the point of intrusion rather than only from the point of detection, so you can see the incident before, during, and after an attack and stop it and prevent future attacks.
NETSCOUT’s DPI-based NDR solution can give you visibility without borders and increase your security posture.