Modern security teams are notorious for purchasing point solutions, throwing everything at the wall to see what sticks. According to IDC, worldwide spending on security solutions is forecast to surpass $103 billion in 2019.
It's not uncommon for large enterprises to have dozens of security tools deployed in production. The result is a patchwork of isolated tools, shiny objects, and layers of siloed defenses as desperate enterprises strive to protect themselves. It’s understandable, given increasingly sophisticated threats, an expanding attack surface, and understaffed and overworked security teams.
As it turns out, overcoming these pressing challenges doesn’t require flashy new products. Quite the opposite. The secret for enterprises is to get more value from a powerful asset they already have: data.
Gartner is evangelizing a new security model based on this exact premise. The Security Operations Center (SOC) Visibility Triad combines three foundational tools: security information and event management (SIEM), endpoint detection and response (EDR), and network traffic analysis, also known as network detection and response (NDR). Anton Chuvakin first introduced the concept in 2015; the model “seeks to significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals.”
This isn’t just “another model” to file away. The SOC Visibility Triad signifies a massive paradigm shift in cybersecurity, for two reasons. First, it shifts the focus of security operations from the perimeter to the inside of the network and pivots from a "protect and prevent" mindset to a "detect and respond" mindset. For enterprises today, it’s no longer enough to rely on the ingress/egress (North-South) threat prevention model; they need a more realistic approach that focuses on detecting threats that have already circumvented the firewall, are living off the land, and are extending their reach inside the enterprise environment.
Adopting the SOC Visibility Triad is a step toward finally accepting that breaches will happen, and that knowing how to detect, respond and remediate effectively is the correct path forward.
Second, the Triad firmly endorses a critical-asset focused and data-driven security strategy built on three sources: logs, endpoints, and network traffic. It is the intelligence drawn from these sources that enables businesses to detect threats, identify and secure their critical assets, and remediate attacks in real time.
Organize your toolbox
Log data gathered in a SIEM are a mainstay of security operations because they provide a convenient record of exactly what actions were performed, down to the device level. One drawback is that they are vulnerable to tampering: attackers can cover their tracks by turning off, modifying or erasing logs. Logs can also require a lot of labor, expertise, and technology investment to store, analyze, and extract their value.
EDR platforms leveraging endpoint data are essential in any layered defense because they provide insight into user and software activities on devices, detect threats that antivirus software misses, and help monitor against advanced persistent threats. EDR’s weakness is its reliance on software agents: agents can be disabled by savvy attackers, and on their own they do not provide context about broader attack campaigns in progress.
Wire data from the network includes all communications between each system and device across the entire environment. It is extremely difficult to tamper with, which is why it’s considered the most objective source of truth for security investigations.
The challenge with network data is its massive and still-growing volume. Further, the cloud has both accelerated and complicated the network environments of growing enterprises. NDR solutions collect and analyze wire data, complementing both EDR and SIEM and completing the SOC Triad. Those that can do so at scale across hybrid environments will become the cornerstone of effective security operations in the near future.
Three is more powerful than one
The core benefit of adopting the SOC Triad is complete visibility into network communications, endpoints, and events. This comprehensive view allows analysts to see and understand everything that is happening in the east-west traffic corridor and at the edges of a network.
Beyond visibility, the Triad also supports detection, investigation and automation. By combining rules and signature-based detections from SIEM and EDR products with real-time behavioral detections powered by machine learning from NDR solutions, analysts can rapidly detect anomalous behaviors and threats at endpoints and in internal traffic. Analysts can then investigate threats as well as which protocols have been used in an attack with confidence thanks to a full range of information and context supplied by wire data, logs, and agents.
The combined pillars of the Triad can also conduct or support automated or augmented investigation and response, helping relieve the stress felt by overworked and understaffed security teams.
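The weaknesses of logs and agents described above (logs can be switched off, agents can be disabled) are exactly what the third pillar corroborates: wire data keeps recording a host's activity even when its other telemetry goes quiet. The following is an added example, not code from the article or from any vendor; it correlates constructed sample records from all three sources (host names, addresses and timestamps are invented) and flags a host whose SIEM logs or EDR heartbeats have fallen silent while network flows show it still active.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for one host, "ws-17" (hypothetical values).
SIEM_LOGS = [  # (host, timestamp) of log events forwarded to the SIEM
    ("ws-17", "2019-06-01T10:00"), ("ws-17", "2019-06-01T10:05"),
]
EDR_HEARTBEATS = [  # (host, timestamp) of agent check-ins
    ("ws-17", "2019-06-01T10:00"), ("ws-17", "2019-06-01T10:04"),
]
NETFLOW = [  # (src, dst, timestamp, bytes) observed on the wire
    ("ws-17", "10.0.0.5", "2019-06-01T10:01", 4200),
    ("ws-17", "10.0.0.5", "2019-06-01T10:20", 91000),
    ("ws-17", "203.0.113.9", "2019-06-01T10:25", 5_000_000),
]


def ts(s):
    return datetime.fromisoformat(s)


def last_seen(records, host, idx=1):
    """Most recent timestamp (at tuple index idx) for host, or None."""
    times = [ts(r[idx]) for r in records if r[0] == host]
    return max(times) if times else None


def telemetry_gaps(host, now, silence=timedelta(minutes=10)):
    """Return findings for telemetry sources that fell silent for `host`
    while wire data still shows the host active. A silent log feed or agent
    on its own is just a gap; paired with ongoing network activity it is a
    candidate for investigation (log tampering, disabled agent, or outage)."""
    findings = []
    wire_last = last_seen(NETFLOW, host, idx=2)
    if wire_last is None or now - wire_last > silence:
        return findings  # host not active on the wire; nothing to corroborate
    for name, records in (("siem_logs", SIEM_LOGS), ("edr_agent", EDR_HEARTBEATS)):
        seen = last_seen(records, host)
        if seen is None or now - seen > silence:
            findings.append({"source": name, "last_seen": seen,
                             "wire_last_seen": wire_last})
    return findings


if __name__ == "__main__":
    for f in telemetry_gaps("ws-17", ts("2019-06-01T10:30")):
        print(f"{f['source']} silent since {f['last_seen']}, "
              f"but host seen on wire at {f['wire_last_seen']}")
```

In a SOC this logic would run over the SIEM's own event stream, the EDR console's agent-health data, and NDR flow records rather than inline lists, but the correlation is the same.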
The benefits of the SOC Triad even extend beyond security. SOCs can integrate wire data from network traffic into SIEM and EDR products, as well as across IT, reducing spend, complexity, and tool sprawl.
Moving forward, this new security paradigm will become a strategic imperative for enterprises. More organizations are adopting a cloud-first strategy to scale their businesses and increase agility. Adoption of the cloud also dramatically expands the attack surface and increases exposure to new threats: security teams must track rogue instances and eliminate risks like misconfigurations, insecure APIs and unauthorized access. Old, on-premise, perimeter-based security models simply won’t work in the cloud.
Fortunately, with the introduction of traffic mirroring capabilities for AWS and Azure, the benefits of the Triad extend beyond on-premise environments to the cloud. The SOC Triad represents a path toward easing the urgent challenges faced by modern enterprise security teams and toward a more secure future.