Published on October 19, 2020
Abhishek RVRK Sharma, Senior Technical Marketing Engineer
Sudhir Udipi, Director of Pre-Sales
As we read in the headlines every day, cyber attackers keep growing in sophistication and with automation fueling their efforts. Security teams tasked with keeping the attackers at bay struggle to gain visibility into every crevice of their environment. To that end, Gartner introduced the concept of the SOC Visibility Triad. The three parts of the SOC Visibility Triad include security information and event management (SIEM), user and entity behavior analytics (UEBA), endpoint detection and response (EDR), and network detection and response (NDR).
The objective of the SOC Visibility Triad, as outlined by Gartner, is to significantly reduce the possibility that an attacker can evade all of an organization’s cybersecurity defenses. Each part of the triad provides complementary capabilities that help strengthen the whole, resulting in a security architecture that can detect more threats than the individual solutions alone.
How SIEM Compliments NDR
A SIEM commonly utilizes logging mechanisms (either over syslog daemons or API calls) to keep track of security events. However, system exploits and vulnerabilities might not show up in logs, and log collection may not be possible for certain systems and technologies (such as SCADA systems or medical devices). NDR complements a SIEM solution’s log analysis, aggregation, and behavioral threat detection capabilities by correlating detected threats with network activity, thus covering for logging gaps.
A capable next-generation SIEM is essential to complete the SOC Visibility Triad. NDR ties in well with next-generation SIEM architecture, providing essential network data that helps the SIEM add context, detect behavioral threats, and be overall more effective.
Securonix Next-Gen SIEM and UEBA provide scalability, faster search with reduced infrastructure costs, better visibility, and best-in-class analytics, as well as machine learning driven insights. Securonix NDR also sits on the same platform, integrating with multiple network analytics solutions in order to gather network data.
A next-generation SIEM such as Securonix is able to combine events from multiple security data sources in order to identify a threat chain. Often a single event alert may not mean much on its own. But, when the same event is combined with other events as part of a process, it is easier to identify it as a credible threat. Context enrichment, utilizing data from multiple sources to enrich event information, is a key capability that enables effective threat detection and response for a next-generation SIEM. NDR adds expanded network visibility, analytics, and response, greatly increasing the scope of protection provided by a SIEM.
How EDR Compliments NDR
EDR solutions are dependent on agents for monitoring. However, agents may not always be supported. They may add too much processing overhead, or organizations may be limited in their authority to install the agents on all systems in their environment. NDR helps close EDR agent gaps and detect exploit aware malware that attempts to circumvent EDR monitoring.
Why NDR Is More Effective in Tandem With SIEM and EDR Solutions
Network forensics is one of the most difficult security analyses to complete because of the large amount of data analysts must pour through, all while avoiding numerous false positives and difficulties with packet investigation. EDR and SIEM help refine NDR in situations where network visibility is a concern, such as in the case of end-to-end encrypted network connections. Threats are rarely observable from the network only – you need to connect the pieces together.
Securonix developed their Network Detection and Response solution in partnership with leading packet capture and aggregation technology vendors to apply our best of breed analytics capabilities to network traffic data. The solution combines threat intelligence and signatures with machine learning-based anomaly detection techniques that track users, accounts, and system behavior across the network to proactively detect, categorize, and prioritize threats.