IT Focus Area: security
October 19, 2021
From Prevention to Detection: NDR and the SOC Visibility Triad
The escalating complexity of ransomware attacks and security threats has caused many organizations to begin implementing prevention-only tactics like zero-trust policies to stop potential security threats from breaching their infrastructure.
The zero-trust model sets forth the concept that nothing is to be trusted—inside or outside of the network—and that verification must always occur before access is granted. While the zero-trust model is one of the strongest ways to improve your security posture in theory, achieving a true zero-trust architecture can be difficult in practice, depending on your organization’s unique needs and resources.
Rather than focusing solely on prevention-only tactics, one of the most effective ways that security teams are catching and stopping attackers today is by using multiple sources of data to detect and respond to threats early. This means finding gaps in security as well as active threats and responding to them quickly.
Implementing this strategy means ensuring enough visibility to capture actionable insights without overwhelming security teams with too much data. This is where the Security Operations Center (SOC) Visibility Triad, especially network detection and response (NDR), can make a world of difference.
What Is the SOC Visibility Triad?
The SOC Visibility Triad is a network-centric approach to threat detection and response first introduced by Gartner that allows security teams to obtain quick threat visibility across their entire environment.
Although NDR and the SOC Visibility Triad aren’t necessarily core components of a true zero-trust architecture, they can help accelerate adoption by providing security teams the IT visibility they need to detect and respond to threats quickly.
The SOC Visibility Triad leverages data from three core elements:
1. Security information and event management (SIEM) collects and analyzes data, applying user behavior analytics, AI and machine learning to the tremendous volume of data it ingests.
2. Endpoint detection and response (EDR), which sits on the user endpoints themselves, is focused on containment, investigation and remediation.
3. Network detection and response (NDR) provides the important network data that the SIEM needs to add context to the various threats and vulnerabilities that it detects.
While each element of the triad provides security features of its own, taken together the triad draws on the strengths of each solution and mitigates its weaknesses.
While most security operations centers relied heavily on EDR and SIEM solutions for incident management and response in the past, those tools tended to be a heavy lift for security teams, requiring more time to reach security maturity. They also tended to leave visibility gaps into network traffic, leaving the enterprise vulnerable.
NDR solutions fill these gaps by providing complete visibility where SIEM and EDR can’t—inside the network. This is where most bad actors tend to slip by, exploiting internal resources and doing significant damage.
Linking each of these solutions together in the SOC Visibility Triad provides unparalleled visibility across the ever-growing and complex attack surface. This allows security teams to detect threats in real time and enable automated or rapid responses to security incidents for remediation and containment.
What drives the SOC Visibility Triad?
To better understand how each of the elements of the triad work together, let’s pretend we’re going on a road trip.
Getting to our destination as safely as possible means protecting our vehicle and our passengers from all potential threats inside and outside of the car. If we were to use the SOC Visibility Triad to help us get there, we’d be able to steer clear of any potential bumps on the road.
EDR acts as the dashboard, giving us the information we need about the car itself—like the oil pressure, tire pressure and engine temperature. EDR lets us know whether there is malicious activity directly within our endpoint (our car) and helps us avoid stalling on the road or popping a tire. So, EDR can help us bypass potential issues in the car itself, but getting to our destination safely means understanding more about what’s going on outside of the vehicle.
Some endpoint security solutions can provide additional visibility into the known devices on the network, acting essentially as blind-spot detectors in our car. This will tell us when potential threats are near us, but to prevent a potential collision (or breach), we need additional visibility into the traffic around us.
This is where SIEM comes in.
SIEM solutions act as our dash cam, allowing us to look around the road (network) at other cars (or devices) that we might not be managing and offering some visibility into the unknown. This dash cam gives us insight into the threats on the road; however, it’s only providing us snapshots of our immediate vicinity. This means that we can see the cars in the lane next to us, but because we lack visibility into their connectivity, we’re not certain where these cars are going or why.
NDR acts as an advanced aerial-view GPS and video surveillance system, providing complete visibility of our routes and letting us know where every car (managed or unmanaged device) is on the highway (or network) at all times. NDR taps into and mirrors network traffic, providing us a wealth of data across a wide range of enterprise protocols.
Actively tracing the devices and services that each car is connected to, NDR gives us insight into each car’s destination, how quickly they’re moving and which other cars (devices) they’re speaking to. This enables us to build a comprehensive and accurate map of our highway in real time.
With EDR, SIEM and NDR working together in a triad, we can rest assured that we’ll have a smooth trip from point A to point B with few hiccups along the way.
What is NDR and why is it so important?
NDR is a relatively new approach to network-based threat detection and response that supports rapid investigation, internal visibility, intelligent response and enhanced threat detection across on-premises, cloud, and hybrid environments.
NDR complements the log analysis that a SIEM solution performs by connecting detected threats and security vulnerabilities with network activity and providing the data the SIEM needs to add context to any potential logging gaps. However, unlike the logs a SIEM relies on or the agent data EDR relies on, the traffic NDR observes on the wire cannot be deleted or tampered with after the fact.
Since cyberattackers must connect a device to your network to attack it, NDR provides an unrivalled "ground truth" for IT teams in that it's nearly impossible for attackers to avoid certain key activities that alert an NDR solution. NDR provides complete 360-degree, enterprise-wide visibility between all workloads, including users, transactions, services, and even unmanaged IoT devices. If it’s connected to the network, NDR will see it.
NDR helps organizations intensify the extent of protection provided by a standalone SIEM solution.
Together, SIEM, EDR and NDR technologies allow users to gather and use data sources from a broader pool, resulting in improved network visibility, more thorough analytics and the ability to quickly respond to potential threats or security breaches.
How does NDR work?
While SIEM solutions collect most of their data feed from log sources, cyberattackers have quickly learned how to circumvent their sensors. One of the first things that bad actors will do once they infiltrate an environment is modify these logs or the collection scheme to erase their footprint along the way. Since SIEM solutions cannot detect whether these logs have been altered, a major gap exists between collecting these logs throughout an environment and processing them into meaningful data for end-user consumption. This is where NDR comes in.
NDR filters duplicate network events and summarizes them as metadata so that no stone is left unturned. This means that these bad actors cannot hide from network detection, as any command and any movement they make is found “on the wire,” even if it is SSL encrypted.
Since everything happens “on the wire” first, NDR is perfectly suited to address security use cases like ransomware prevention, lateral movement detection, PowerShell exploits and zero-trust compliance (among others). These actions must be performed over the network from device to device and cannot be hidden, removed or covered up on the wire itself afterwards.
However, as networks implement encryption, those monitoring traffic for potential issues may be blind to problems within encrypted traffic itself. Keeping network traffic encrypted while safely inspecting it is essential to ensuring that the encrypted traffic is not masking bad actors on the very network that you may be trying to protect.
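The visibility gap described in this section, worked as a small added example (not code from the article or from any vendor): constructed NDR-style flow metadata is deduplicated into per-connection summaries, then checked against constructed SIEM host events, and any internal host whose lateral-movement-style connections have no matching endpoint telemetry is flagged. The port-to-protocol map, the 60-second window and all records are assumptions made for the illustration; because only connection metadata is used, the logic does not depend on seeing the payload.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NDR flow metadata: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2021-10-19T10:00:05", "10.0.1.20", "10.0.1.50", 445, 120_000),
    ("2021-10-19T10:00:09", "10.0.1.20", "10.0.1.50", 445, 98_000),
    ("2021-10-19T10:02:30", "10.0.1.31", "10.0.1.50", 3389, 450_000),
    ("2021-10-19T10:05:00", "10.0.1.20", "10.0.1.60", 5985, 60_000),
]

# Constructed SIEM host events: (timestamp, host, event). Note that 10.0.1.31
# produced no host event around its RDP session (deleted logs or no agent).
HOST_EVENTS = [
    ("2021-10-19T10:00:04", "10.0.1.20", "process_start smbclient"),
    ("2021-10-19T10:04:58", "10.0.1.20", "process_start winrs"),
]

# Assumed set of protocols commonly used for host-to-host administration.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}

def parse(ts):
    return datetime.fromisoformat(ts)

def summarize_flows(flows):
    """Collapse repeated flows into one record per (src, dst, port) with a
    connection count, total bytes and first-seen time, as NDR metadata does."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None})
    for ts, src, dst, port, nbytes in flows:
        rec = summary[(src, dst, port)]
        rec["count"] += 1
        rec["bytes"] += nbytes
        rec["first"] = min(rec["first"] or parse(ts), parse(ts))
    return dict(summary)

def hosts_without_telemetry(flows, host_events, window_s=60):
    """Return {src: [protocol, ...]} for sources of lateral-movement-style
    connections seen on the wire with no host event within window_s seconds."""
    window = timedelta(seconds=window_s)
    findings = defaultdict(list)
    for (src, dst, port), rec in summarize_flows(flows).items():
        if port not in LATERAL_PORTS:
            continue
        seen = any(host == src and abs(parse(ts) - rec["first"]) <= window
                   for ts, host, _ in host_events)
        if not seen:
            findings[src].append(LATERAL_PORTS[port])
    return dict(findings)

if __name__ == "__main__":
    print(hosts_without_telemetry(FLOWS, HOST_EVENTS))  # {'10.0.1.31': ['RDP']}
```

A hit here does not prove tampering; it is the wire-side evidence an analyst uses to ask why the endpoint side is silent.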
What benefits does NDR provide to your security operations?
Because of its ability to process an unheard-of 100 GB per second of encrypted data at wire speeds, Gartner recently named NDR a must-have capability in modern security operations.
In summary, NDR offers:
- 100% visibility into hybrid networks, cloud transactions, and device types. This includes automatic discovery and classification of every asset on the network and profiling of every managed and unmanaged device, including IoT endpoints.
- Real-time detection of threats and performance anomalies. Using high-fidelity advanced machine learning and behavioral analysis, NDR also continually monitors and safeguards network traffic.
- Real-time, integrated threat response across your environment. An ideal solution offers a customized dashboard with robust integration with third-party solutions supporting the SOC Triad. This dashboard enhances automated responses, investigations, and remediation.
- Improved analyst productivity and IT collaboration. NDR provides a single “source of truth” that all silos of IT can leverage and accept to determine the real cause of any issue and formulate the proper response.
NDR and your journey to zero-trust security
Implementing an NDR solution along with any others in the SOC Visibility Triad can be instrumental in initiating your organization’s path toward the ultimate goal of the safest, most secure zero-trust posture possible.
When evaluating NDR, EDR and SIEM solutions, consider working with a partner who has vast networking expertise to help you on this journey toward a safer network.