The SOC Visibility Triad has emerged as a concept over the last few years. The SOC triad consists of EDR and NDR solution running at the endpoint and network respectively, and pulling their alert feeds into the SOC(the third leg of the triad) for improved threat detection and hunting.
We have been working with customers to help them detect adversarial behaviors by correlating these alerts with their alert and log feeds. Bringing in the EDR and NDR alerts into the SIEM provides rich context for threat hunting. A common theme that we have observed in SOC's is the application of consistent data normalization and enrichment to these feeds which enables rapid development and deployment of automated detection and threat hunting content.
The Drivers
Traditional prevention technologies whether at the endpoint, the network or at the cloud are evolving into detection and response technologies. At the endpoint, tradition anti-malware is evolving into EDR (endpoint detection and response) solutions; at the network, traditional IDS/IPS are evolving into Network Detection and Response(NDR) solutions; further some vendors are integrating EDR and NDR solutions into an XDR solution.What is driving the solution of these technologies? Adversary sophistication and their ability to deploy new variations of known exploits have been successful in getting around traditional prevention technologies are key drivers for these solution categories.
Analyst are noticing it; Gartner called out this out as a top trend for 2020. This trend bleeds into another trend we are have observed where Enterprise SOC's adopt multiple SIEM/s and data lakes for log and alert aggregation and correlation
EDR/NDR/XDR Configuration and Alert Management
These solutions are characterized by their deployment of a dynamic collection of signature, behavioral and statistical techniques to detect malicious behavior. Care and feeding for these tools involve:- Detection policy configuration. Product admins have a choice to select which out of the box detection content they want turned on or off, and even author and deploy new detections into these solutions.
- Alert Investigation and Triage. Because alerts generated by these detections are not always known bad behaviors, this detection are lower fidelity than detections for known bad behaviors. These lower fidelity alerts require action by the security ops team -
- investigate the alert and mark it as a false positive or promote it to an incident for remediation and containment.
- In some cases, these solutions come with a managed services component where the vendor offers a service to investigate alerts and resolve them.
SOC Use Cases: Threat Hunting and Automated Detection
So how are Security Operation Centers(SOC) effectively using the alerts generated by these EDR/MDR/XDR solutions? In our engagements with enterprise SOC's, we see these patterns emerging for making best use of these alerts.- Basic investigation and response. Alerts, often in isolation, are ingested, and investigated.
- Threat investigation. These alerts could be indicative of a campaign by an adversary, and the SOC investigates these alerts across EDR, NDR and XDR solutions, and combine them with other security product alerts, and correlations from raw logs to detect adversary tactics, techniques and procedures. A core foundational requirement is standardized data models that includes data normalization and standardized enrichment. This can be through:
- Ad hoc threat hunting. Experienced threat hunters look at the set of alerts coming form these solutions and other security products, and looks for patterns of adversary behavior. The wider the aperture for analysis, the higher is the fidelity of threat hunting detections. This requires highly skilled personnel and knowledge of behaviors that malicious actors are known to use.
- Standardized detection and hunt procedures. This requires data normalization and enrichment, and detection content that can be applied to these alerts for detecting adversary behavior. Alerts from a wide variety of sources are combined to obtain high fidelity detection for adversary behaviors. This environment has higher levels of automation and repeatability than ad-hoc threat hinting.
SIEM Enablers: Data and Content
Mature SOC's adopt standardized detection and hunt procedures on the alert stream being ingested and normalized for EDR/NDR/XDR technologies, and combing them with alerts from their other security products, and raw log streams. There are two foundational capabilities that must be in place for this to be successful:- Data normalization and enrichment. If all of your alerts are stored in a normalized format, threat hunting and automated detection queries development and usage is simplified.
- Customized detection content that can hunt for those adversaries that are targeting you and your verticals.