Effective URL: https://www.extrahop.com/company/blog/2019/ndr-and-the-soc-visibility-triad/
Submission: On November 26 via manual from US — Scanned from DE

NDR AND THE SOC VISIBILITY TRIAD


HOW NETWORK DETECTION & RESPONSE COMPLEMENTS EDR & SIEM FOR STRONG CYBERSECURITY

 * Dale Norris

 * Updated September 10, 2021

If you've spent any time hunkered down in front of a monitor writing or reading,
at some point you've either used or seen The Rule of Three. It's the
foundational structure for presenting information in a format that's easy to
process and memorable.

Three is the magic number in more ways than one. Pilots use three different
categories of instrumentation to ensure they can "see" what's happening to
safely fly. Your middle ear contains three bones that allow you to hear when
danger approaches. And stools have three legs, providing a strong support
structure.

Similar to the examples above, the Gartner Security Operations Center (SOC)
Visibility Triad supports stronger enterprise security in three ways: providing
visibility across complex attack surfaces, detecting threats in real time, and
enabling rapid response to incidents.


WHAT IS THE SOC VISIBILITY TRIAD?

First coined by then-Gartner security expert Anton Chuvakin in 2015, the SOC
nuclear (now visibility) triad "seeks to significantly reduce the chance that
the attacker will operate on your network long enough to accomplish their
goals."

Traditionally, Security Operations Centers relied heavily on endpoint detection
and response (EDR) and security information and event management (SIEM) tools
for incident management and response. But those tools couldn't provide the
real-time visibility into east-west, or internal, traffic that's essential for
protecting the enterprise.

Network detection and response (NDR) solutions were the missing piece of the
triad. When true NDR became technologically possible, the triad became the go-to
structure for providing visibility across complex IT environments.

But how does NDR complete the triad? By providing complete visibility inside the
network, where SIEM and EDR lack visibility, and where adversaries expand their
reach, exploit internal resources, and ultimately do the most damage.


HOW DOES NDR COMPLEMENT EDR?

EDR products are like cameras pointed at the entrance door. They collect,
record, and store data from the activities of devices connected to a network.
This visibility into endpoints is essential for creating a layered cyber defense
in three key areas:

 * Providing insight into user and software activities on devices
 * Detecting threats that antivirus software misses
 * Helping monitor against advanced persistent threats (APTs)

While a valuable piece of the SOC toolset, EDR products rely on agents, which
limits their visibility and increases the effort required for management and
maintenance. Attackers can hide their tools from EDR products, and those
products can't see threats inside the network. NDR solutions see those attackers
as soon as they communicate with any device on the network.

NDR solutions also bolster EDR tools by providing real-time behavioral
detections that complement an EDR product's signature-based threat detectors.
NDR solutions use cloud-scale machine learning capabilities to offload
resource-intensive modeling while providing continuous, automated updates to
detection models, so security analysts needn't spend their time applying manual
updates.

Some NDR products can also provide endpoint information to analysts or share
those detections with EDR products for automatic quarantining of infected
devices in real time.


HOW DOES NDR COMPLEMENT SIEM?

SIEM products are at the center of many SOC approaches to security, and with
good reason. They're great at collecting logs from other systems and generating
reports. SIEM products can also be effective at early detection if threats
violate their pre-configured sets of rules.

However, SIEM tools do have blind spots that can be filled by NDR solutions that
leverage network traffic analysis (NTA).

SIEMs analyze log data, which limits their visibility into attacks in the
east-west corridor, and they have a propensity for firing false positives, which
can lead to alert fatigue and weaken security. Logging is also routinely turned
off, and adversaries modify or destroy logs to impede detection and
investigation.

NDR solutions collect and analyze wire data from network traffic, providing an
unalterable source of data to SIEM products and enhancing their ability to
create complete, comprehensive, and actionable reports.

Want more information about how NDR products compare to SIEM tools? Read this
blog post.


WHAT PROBLEMS DOES THE TRIAD SOLVE FOR SECOPS?

You can learn how the SOC Visibility Triad makes cloud security significantly
easier in this post, but it's worth noting that the triad provides SOCs with
benefits that extend beyond the cloud to edge and on-premises environments.

Visibility: By combining visibility into network communications, endpoints, and
events, the triad allows analysts to see and understand what's happening in the
east-west traffic corridor and at the edges of a network.

Detection: The triad combines rules and signature-based detections from SIEM and
EDR products with real-time behavioral detections powered by machine learning
from NDR solutions. The result is the ability to rapidly detect anomalous
behaviors and threats at endpoints and in internal traffic.

Investigation: With NDR products continuously capturing packets and reassembling
them into structured wire data, access to logs from SIEM tools, and data from
EDR agents, analysts have a full range of information to use in investigations.
They can see interactions at endpoints and in internal traffic, as well as
investigate which protocols have been used in an attack.

Automation: With the ability to conduct or support automated or augmented
investigation and response, the combined pieces of the triad can help relieve
the stress felt by overworked and understaffed security teams.

Integration: With NDR products forming the foundation of the triad, SOCs can
integrate wire data from network traffic into SIEM and EDR products, as well as
across IT and security teams, reducing complexity and tool sprawl.

Watch the 4-minute video for an introduction to NDR with live examples of an NDR
product's features and capabilities as they relate to the SOC Visibility Triad:


 * Posted in Security, Industry Trends, Tech, NDR, Decryption, Reveal(x)