
How to gain full threat visibility where only the network exists

Posted by Henrik Davidsson on Jun 6, 2019 9:30:00 AM

Your network is not finite, with a clear beginning or end. Your network is always expanding, connecting to internet-of-things (IoT) devices, cloud applications and infrastructure, operational-technology (OT) networks, partners and suppliers. Constant change and growth are necessary to deliver new services and products and keep employees productive.

Many organizations are exploring IoT. Business drivers include making data analytics more accessible, better informed decision-making, uncovering new business opportunities, creating a safer and more productive workplace, and process or behavior monitoring and optimization.

IoT is a new source of risk

Controlling risk and exposure on IoT devices with embedded operating systems creates new challenges.

Traditional endpoint security and patching are often impossible through normal operating procedures, and IoT devices often have an open attack surface.

Source: “Applying Network-Centric Approaches for Threat Detection and Response,” 18 March 2019, Augusto Barros, Anton Chuvakin, Anna Belak, Gartner, ID Number: G00373460

Security tools focusing on malicious code or perimeter defense provide limited visibility once the attacker has successfully infiltrated the environment.

Security analysts are flying blind when it comes to compromised IoT devices.

A powerful triad

But there’s a better way to gain full visibility into threats: The security operations center (SOC) visibility triad, recently introduced by Gartner.

The SOC visibility triad consists of network detection and response (NDR), endpoint detection and response (EDR) and log-based detection (SIEM). A uniquely powerful combination, the triad offers the best coverage of all threat vectors across cloud workloads and enterprise infrastructures and user and IoT devices.

With this combination, threat analysis does not depend on signatures or reputation/blacklists. Instead, detection focuses on attacker behaviors and malicious patterns observed from inside the network, whether the attacker is a rogue employee or an outsider who has already gained a foothold.

EDR provides clear visibility into host-level activity, but it needs a complementary source of visibility for hosts that cannot run an agent at all, such as IoT devices, and for hosts where agents are only selectively installed.

SIEM and log-based tools are great for reporting, business intelligence and correlation across data sources, but they need additional telemetry to cover lateral movement and other network detection and response use cases.

With NDR, the network itself becomes a defense layer with visibility into every IP device that behaves suspiciously, whether or not that device can run an agent. This layer helps you detect the genuinely unknown threats in your IT environment by focusing on the attacker’s agenda and the actions the attacker must perform to succeed.
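The following is an added illustration of the agentless, behavior-based detection the triad relies on; it is not Vectra’s code and says nothing about how Cognito is built. It runs two simple behavioral checks over a constructed set of connection records (time, source, destination, destination port), the kind of metadata an NDR sensor derives from traffic: a device fanning out to many internal targets (scanning or lateral-movement preparation) and a device calling the same external host at a near-constant interval (beaconing). The IP addresses, the internal address ranges and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space for this example (adjust to your own allocation).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


# Constructed connection metadata: (time_seconds, src, dst, dst_port). Not real traffic.
FLOWS = (
    # An IP camera (10.0.5.20) with no agent quietly sweeping SMB and SSH across internal hosts.
    [(100 + i, "10.0.5.20", f"10.0.1.{i}", 445) for i in range(1, 31)]
    + [(200 + i, "10.0.5.20", f"10.0.1.{i}", 22) for i in range(1, 11)]
    # The same camera contacting one external host roughly every 60 s (low jitter).
    + [(1000 + 60 * k + (k % 3) - 1, "10.0.5.20", "203.0.113.9", 443) for k in range(12)]
    # A workstation behaving normally: two internal services, irregular external traffic.
    + [(100, "10.0.7.50", "10.0.1.5", 445), (130, "10.0.7.50", "10.0.1.6", 443)]
    + [(t, "10.0.7.50", "198.51.100.7", 443) for t in (1005, 1012, 1099, 1350, 1351, 1790, 2400)]
)


def internal_fanout(flows, threshold=20):
    """Hosts that touch many distinct internal (dst, port) pairs.

    Needs only network metadata, so it covers devices that cannot run an EDR agent.
    Returns {src: number_of_distinct_targets} for hosts at or above the threshold.
    """
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if is_internal(src) and is_internal(dst):
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def beacons(flows, min_count=6, max_jitter=0.1):
    """(src, dst) pairs whose outbound connections to an external host recur at a regular interval.

    Jitter is measured as stdev(gap) / mean(gap); a real browsing pattern is far burstier.
    Returns {(src, dst): mean_interval_seconds} for pairs that look like beacons.
    """
    times = defaultdict(list)
    for t, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(t)
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = round(avg, 1)
    return found


def triage(flows):
    """Combine both behaviours into a per-host score so the riskiest device surfaces first.

    The weights are arbitrary for the example; the point is that neither signal
    needs a signature, a blacklist or an agent on the device.
    """
    score = defaultdict(int)
    for host in internal_fanout(flows):
        score[host] += 2
    for src, _ in beacons(flows):
        score[src] += 3
    return sorted(score.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print("fan-out:", internal_fanout(FLOWS))
    print("beacons:", beacons(FLOWS))
    print("triage:", triage(FLOWS))
```

Only the camera is flagged: 40 distinct internal targets and a 60-second beacon to 203.0.113.9, while the workstation’s irregular external connections fall well outside the jitter bound. In practice the two detectors would run on streaming flow records over sliding windows, and the thresholds would be tuned per network segment.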

AI-driven network detection and response

The Cognito network detection and response platform from Vectra is a key element in the SOC visibility triad. Security analysts use Cognito for threat hunting and to perform conclusive incident investigations.

The AI-driven Cognito detects active threats in real time across the enterprise – from cloud and data center workloads to user and IoT devices. Cognito analyzes cloud and network traffic, enriches the metadata with security insights, and prioritizes the highest-risk threats in real time.


Topics: "Security operations"
