Reducing MTTD with the SOC visibility triad
Wednesday 7th April 2021 | 4 minute read
According to the Cost of Data Breach Report 2020, it takes an average of 280 days to identify and contain a security incident and costs £2.9m. If the breach lifecycle can be reduced to less than 200 days, the cost reduces by more than £750,000.
One of the key reasons that breaches take so long to detect and resolve is the complexity of the modern operating environment. With infrastructure, data and applications spread across on-premises data centres and cloud platforms, total visibility is near on impossible using traditional tools and methods.
However, having visibility of what is happening on your entire infrastructure, including applications, network and end points, bridges that gap. Having them integrated and having someone experienced managing the security of that infrastructure can close the gap even further.
Increasingly sophisticated attacks require an advanced three-pronged approach to detection, incorporating Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and Network Detection and Response (NDR), which Gartner describes as the ‘SOC Visibility Triad’.
Pillar 1 – SIEM and User and Entity Behaviour Analytics (UEBA)
Collecting, centralising, and aggregating event logs is an essential aspect of running an effective security operations centre, (SOC) making a SIEM a fundamental tool. Collecting the logs is important, but it’s even more important to know what you’re looking at and how to interpret the data.
SIEM is further complemented by UEBA functionality to baseline “normal” activities across your users (and other entities) creating event logs. A platform like Microsoft Azure Sentinel will not only baseline operations, but automatically identify any deviance from that baseline – including anything that may indicate an attack is underway.
Importantly, UEBA is not reliant on pattern detection signatures, so it is capable of identifying unknown security threats like zero-day exploits, compromised or malicious users.
Pillar 2 – EDR
EDR combines real-time, continuous monitoring and collection of endpoint data with analysis of that data to support detection and responses to potential threats on endpoints.
EDR solutions capture execution, local connections, system changes, memory activities, modifications and other operations from endpoints. This visibility helps security analysts spot patterns, behaviours, indicators of compromise or other hidden clues. That data can then be mapped against other security intelligence feeds to detect threats that can only be seen from inside the endpoint.
Endpoint compromises are very common, and can stem from malware, unpatched vulnerabilities or careless users. As an example, mobile devices can be easily compromised on public networks and then reconnected to the corporate network where the infection spreads. Internet-of-things (IoT) devices are also notoriously insecure, to the point that new rules are being considered around security requirements.
The recent increase in remote working (and the speed at which many had to adapt to it) and the proliferation of ‘bring your own device’ (BYOD) policies has increased the risk of ‘infection’ and made endpoint security more important than ever.
An EDR solution tends to provide more comprehensive network security and more sophisticated capabilities than traditional antivirus, with detailed tracking of malicious activities on an endpoint or host device. They provide a real-time, ground-level view of the processes running on an endpoint and the interactions between them.
Pillar 3 – NDR
NDR helps you gain full visibility of the known and unknown threats across your network.
NDR solutions provide an aerial view of the interactions between all the devices on the network. Key data is stored and augmented with machine learning and advanced analytics to detect in-progress attacks, prioritise them and correlate them to compromised endpoints.
A skilled attacker may be able to avoid leaving SIEM log traces and evade EDR endpoint defences, but disguising network activity is almost impossible.
Because raw network traffic is almost completely unalterable, it is extremely effective for identifying threats. This makes NDR is the final part of the visibility puzzle, allowing your security team to see suspicious activity at any point of your operations.
The power of three
The SOC Visibility Triad is important for several reasons. First, as the name implies, combining these three technologies and methods increases overall visibility. With improved visibility, malicious actors have fewer places to ‘hide’ once your network perimeter is breached. This will help to reduce the time to detection and resolution, and the overall cost of the incident.
Second, the SIEM, EDR and NDR feature sets actually strengthen each other by reducing false positives. Suspicious activity alerts can be compared to confirm whether there is a breach in progress or if one system has ‘overreacted’.
Third, a hacker’s activities can be accurately traced backwards from the point of discovery. Investigators will be able to not only assemble a fuller picture of how the network was breached, but also what they did once inside.
By deploying the triad of SIEM, EDR and NDR, security teams can gain a clearer picture and a deeper understanding of threats and breaches, enabling fast and well-coordinated responses across all resources.
This, in turn, enhances the efficiency of security operations and, according to Gartner, can “significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals.”
To learn more about how to build a robust visibility architecture to help mitigate security risk, and reduce mean time to detection (MTTD), please get in touch.