NDR and the SOC Visibility Triad

If you've spent any time hunkered down in front of a monitor writing or reading, at some point you've either used or seen The Rule of Three. It's the foundational structure for presenting information in a format that's easy to process and memorable.

Three is the magic number in more ways than one. Pilots use three different categories of instrumentation to ensure they can "see" what's happening to safely fly. Your middle ear contains three bones that allow you to hear when danger approaches. And stools are comprised of three legs, providing a strong support structure.

Similar to the examples above, the Gartner Security Operations Center (SOC) Visibility Triad supports stronger enterprise security in three ways: providing visibility across complex attack surfaces, detecting threats in real time, and enabling rapid response to incidents.

What Is the SOC Visibility Triad?

First coined by then-Gartner security expert Anton Chuvakin in 2015, the SOC nuclear (now visibility) triad "seeks to significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals."

Traditionally, Security Operations Centers relied heavily on endpoint detection and response (EDR) and security information and event management (SIEM) tools for incident management and response. But those tools couldn't provide the real-time visibility into east-west, or internal, traffic that's essential for protecting the enterprise.

Network detection and response (NDR) solutions were the missing piece of the triad. When true NDR became technologically possible, the triad became the go-to structure for providing visibility across complex IT environments.

But how does NDR complete the triad? By providing complete visibility inside the network, where SIEM and EDR lack visibility, and where adversaries expand their reach, exploit internal resources, and ultimately do the most damage.

How Does NDR Complement EDR?

EDR products are like cameras pointed at the entrance door. They collect, record, and store data from the activities of devices connected to a network. This visibility into endpoints is essential for creating a layered cyber defense in three key areas:

• Providing insight into user and software activities on devices
• Detecting threats that antivirus software misses
• Helping monitor against advanced persistent threats (APT)

While a valuable piece of the SOC toolset, EDR products rely on agents, which limits their visibility and increases the effort required for management and maintenance. Attackers can hide their tools from EDR products, and those products can't see threats inside the network. NDR solutions see those attackers as soon as they communicate with any device on the network.

NDR solutions also bolster EDR tools by providing real-time behavioral detections that complement an EDR product's signature-based threat detectors. NDR solutions use cloud-scale machine learning capabilities to offload resource-intensive modeling while providing continuous, automated updates to detection models, so security analysts needn't spend their time applying manual updates.

Some NDR products can also provide endpoint information to analysts or share those detections with EDR products for automatic quarantining of infected devices in real time.

How Does NDR Complement SIEM?

SIEM products are at the center of many SOC approaches to security, and with good reason. They're great at collecting logs from other systems and generating reports. SIEM products can also be effective at early detection if threats violate their pre-configured sets of rules.

However, SIEM tools do have blind spots that can be filled by NDR solutions that leverage network traffic analysis (NTA).

SIEMs analyze log data, which limits visibility into east-west corridor attacks, and they have a propensity for firing false positives, which can lead to alert fatigue and weaken security. Logging is also routinely turned off, and logs are modified or destroyed by adversaries to impede detection/investigation.

NDR solutions collect and analyze wire data from network traffic, providing an unalterable source of data to SIEM products and enhancing their ability to create complete, comprehensive, and actionable reports.

Want more information about how NDR products compare to SIEM tools? Read this blog post.

What Problems Does the Triad Solve for SecOps?

You can learn how the SOC Visibility Triad makes cloud security significantly easier in this post, but it's worth noting that the triad provides SOCs with benefits that extend beyond the cloud to edge and on-premises environments.

Visibility: By combining visibility into network communications, endpoints, and events, the triad allows analysts to see and understand what's happening in the east-west traffic corridor and at the edges of a network.

Detection: The triad combines rules and signature-based detections from SIEM and EDR products with real-time behavioral detections powered by machine learning from NDR solutions. The result is the ability to rapidly detect anomalous behaviors and threats at endpoints and in internal traffic.

Investigation: With NDR products continuously capturing packets and reassembling them into structured wire data, access to logs from SIEM tools, and data from EDR agents, analysts have a full range of information to use in investigations. They can see interactions at endpoints and in internal traffic, as well as investigate which protocols have been used in an attack.

Automation: With the ability to conduct or support automated or augmented investigation and response, the combined pieces of the triad can help relieve the stress felt by overworked and understaffed security teams.

Integration: With NDR products forming the foundation of the triad, SOCs can integrate wire data from network traffic into SIEM and EDR products, as well as across IT and security teams, reducing complexity and tool sprawl.

Watch the 4-minute video for an introduction to NDR with live examples of an NDR product's features and capabilities as they relate to the SOC Visibility Triad: