What Is the SOC Visibility Triad?
Learn how a combination of EDR, NDR, and SIEM/UEBA provides a comprehensive view of an ever-changing threat landscape.
The security operations center (SOC) serves as the nerve center of the enterprise’s presence in the digital world. With a dedicated cadre of security experts, proven technology, robust processes and specific metrics, the SOC monitors the organization’s digital infrastructure and responds to indications of malicious activity from any threat vector.
Given today’s infinite threat landscape, SOCs must rise to that challenge to oppose attackers using novel tactics. In some cases, by deploying stealthy methods such as hiding in normal or encrypted traffic (such as Solarwinds or Log4j), attackers’ presence may go unnoticed for weeks, or even months. Moreover, stealthy attackers will often persist with a low-level foothold within the digital infrastructure for weeks or months before escalating and prosecuting their objectives. In this environment, SOCs must keep pace in an asymmetric resource environment where the attackers have the advantage of time, money, automation, and personnel.
In 2015, Anton Chuvakin developed the concept of "SOC nuclear triad.” Repurposed from Cold War-era strategic defense models, it described the key elements in a well-curated, core collection of cyber defense capabilities. These core capabilities enable defenders to detect and respond to malicious activity before an attacker can achieve their operational objectives.
Since then, the concept has evolved and is now commonly referenced as the “SOC Visibility Triad.”
What is the SOC Visibility Triad?
The SOC Visibility Triad defines the three key areas an enterprise must implement to project a complete picture of its security posture and operational state:
It includes endpoints, the network, and logs generated by many facets of the enterprise’s IT infrastructure.
How does the SOC Visibility Triad benefit security teams?
The Triad’s design provides security teams with three resources that are essential to advanced, proactive threat hunting:
- Data. To prepare for advanced persistent threats (APT) and novel attack patterns, SOC teams need relevant, contextual data from every part of the network, all endpoints (managed or unmanaged), and logs. The pillars of the SOC Visibility Triad cover these general areas, and help the SOC aggregate the assembled data. When paired with intelligence in the form of indicators of compromise (IOC) or expertise in threat hunting, the data transforms into the evidence by which a validated detection and response action occurs (i.e., triage, evaluation, and remediation as appropriate).
- Analysis capability. In addition to real-time response, the SOC needs robust analytic capabilities and must be able to process enormous volumes of data. The elements of the SOC Visibility Triad include machine learning algorithms and statistical models that can help the SOC identify known attack patterns and detect anomalous behavior that may indicate high-risk events or previously undetected threats.
- Enhanced visibility. Security teams depend on tools that can present analysis and activity through intuitive interfaces and highly readable formats to manage workflow efficiently and avoid alert fatigue or resource exhaustion. The SOC Visibility Triad provides for the employment of dashboards, charts and mapping that is easy to consume and comprehend, expediting decision-making and threat response effort.
Provided with these benefits, SOCs can curate and leverage a collection of capabilities to gain deep visibility into their infrastructure, with and provide real-time responsiveness, measured in minutes rather than days. As such, the SOC utilizing the Triad framework gains a more holistic view of the enterprise’s overall security posture. Threat detection and incident response times improve, making the team more efficient and provide analysis that aids forensics and suggest improvements in the security apparatus of the digital enterprise to bolster defenses.
What challenges does the SOC Visibility Triad address?
The Triad represents a proven framework to avoid the serious problems of monitoring overload, alert fatigue, and lack of visibility that are common in SOCs that have not been able to reconcile their toolset, especially those that are understaffed, or lacking sufficient threat hunting expertise.
Enhanced visibility is especially important in an era when zero-trust is becoming a guiding principle for many organizations. The SOC Visibility Triad’s construction is meant to address the limitations of different tool sets, and to eliminate blind spots at the edges of each tool’s monitoring capacity. At a time when organizations are increasingly reliant on remote or hybrid workers, cloud workloads, and third-party access, the SOC needs a framework with breadth and depth.
The individual components of the SOC Visibility Triad
- Endpoint Detection and Response (EDR): As the name suggests, EDR takes a deep dive into endpoints such as laptops, desktops, and servers. Each endpoint represents a potential ingress into the enterprise’s infrastructure, so EDR monitoring looks for evidence of threats like ransomware and malware. The behavioral analysis component of EDR helps establish patterns of normal activity and detect anomalous behavior that may be an indication of compromise. It provides real-time visibility and enhanced protection for endpoints, but its monitoring capabilities do not extend to the network or cloud deployments. Moreover, there are more and more devices and “things” that comprise modern digital infrastructure that cannot host an agent in their operating environment.
- Network Detection and Response (NDR). NDR focuses on the raw network traffic and can include coverage for cloud, hybrid, or multi-cloud environments. These tools passively monitor networks and record data about activity occurring within packets. Working independently from the individual systems in the digital ecosystem, NDR sensors capture and monitor transactions and communications as they occur. Like EDR, alerts are generated based on signatures and anomalies when there is evidence of an attack in progress, such as command and control, unauthorized access, or data exfiltration. NDR also utilizes machine learning and automation to inform and expedite response, and speed deep analysis.
- Security Information and Event Management (SIEM). A combination of two security functions that have fused over time, SIEM collects and aggregates security logs from a variety of sources—including EDR and NDR—and provides a centralized repository for security-related data. It also has real-time monitoring and alert capabilities, as well as filtering capacity to help streamline incident response and forensic investigation. SIEMs also have important reporting capabilities that help the enterprise stay compliant with regulatory requirements.
The role of NDR in the SOC Visibility Triad
Security experts consider NDR to be the ultimate source of “ground truth.” While EDR provides the fundamental first line of defense to protect endpoints, and their users, gaps remain in coverage and depth.
Since wire (network layer) data cannot be altered, (i.e., what is communicated on the network is what transpired), NDR provides detailed evidence of past activity that aids forensic analysis as well as threat hunting. Integrated with the SIEM, it provides the analyst with the most comprehensive record of activity and picture of the enterprise’s attack surface. When aligned with a modern EDR and SIEM solution, NDR completes the Triad with the necessary monitoring capabilities to remove gaps in depth and breadth of coverage.
NDR uses passive techniques to generate a real-time view of all entities operating in the digital infrastructure (e.g., users, apps, and IoT devices unmonitored by EDR, email, and cloud controls), and provides essential metadata to the SIEM. It enhances and optimizes real-time detection capabilities by working off anomaly-based analysis. NDR also assists the SOC to detect attacks organized by MITRE ATT&CK TTPs, and provides essential context that can help defenders understand false positive alerts and adjust monitoring parameters.
Is XDR a new pillar in the SOC Visibility Triad?
Extended Detection and Response—or XDR—solutions are a relatively new addition to the security stack. It is defined by an aggregating function, in that it connects and correlates data from different sources, including the network, email, cloud, and endpoints. Like EDR, NDR, and SIEM, it leverages machine learning and automation capabilities to boost analysis and response times.
Because it can potentially provide a truly holistic view of the enterprise’s security posture, some experts are updating the SOC Visibility Triad to include XDR as a replacement for SIEM, or as another segment of the security stack that supports and enhances the Triad’s capabilities. Due to SIEM’s support for compliance and information management, many security teams still consider SIEM to be an important part of their tool set, even if XDR ultimately provides redundancy or replaces it as a security measure.
The case for Open NDR in the SOC Visibility Triad
The SOC Visibility Triad depends on the best metadata to achieve the level of visibility SecOps teams need to detect and respond to attacks. By covering endpoints, logs, and network traffic, threat hunters can comprehensively monitor the enterprise, including cloud, edge, endpoints, ICS/OT, and the critical data found in network packets. The SOC Triad also should provide a level of automation that positively impacts mean time to detection and response.
To pick up on new attack patterns and uncover advanced persistent threats (APT), security teams need the most up-to-date metadata. For this reason, NDR that harnesses high-fidelity transaction logs and community-driven detections provides a cutting-edge advantage.
Corelight’s NDR solution benefits from the widely used Zeek®, an open-source security monitoring platform. Zeek provides the metadata and files that provide the basis for evidence that drives advanced analysis and threat hunting.
The Open Corelight NDR Platform provides a commanding view of all devices that log onto the network, and provides details such as SSH inferences, DNS query/response pairs, file hashes, TLS connection details, and HTTP content. This creates a visibility pillar that provides strong support to EDR and SIEMs—and helps the SOC combat the most persistent and stealthy enterprise attacks. Learn more about Corelight Open NDR.
Book a demo
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.