EDR within the SOC Visibility Triad

If the increasing amount of cybercrime plaguing organisations in 2023 speaks to anything, it’s that traditional security defences have become less effective. Indeed, as IT environments continue to expand and sprawl (due to cloud adoption, IoT convergence, remote working, and so on), many businesses, unfortunately, just aren’t keeping up in terms of security teams, budgets, and visibility. 

It’s tempting in these cases for organisations to ‘pile up’ cyber security tools in at an attempt to get ahead of attackers; something which often does more harm than good due to several issues including lack of usability, interoperability, and the teams’ inability to manage so many tools at once. 

Of course, security operations routinely use Security Information and Event Management (SIEM) systems to deal with such issues. SIEMs provide a method of identifying, monitoring, recording, and analysing cyber security events in real-time. Using log sources, SIEM technology can sort through huge data sets within seconds to detect abnormalities or malicious behaviour, alerting cyber teams so that any threats can be contained quickly, reducing dwell time. 

Powerful though they are, a SIEM is only as powerful as the data source it logs from. In other words, without reliable feeds and sufficient coverage, the SIEM cannot function effectively. Furthermore, with the right know-how, logs can be tampered with to mask attackers’ activity, and, in some cases, logging may even be turned off. This means that threats could slip through visibility gaps, bypassing remediation efforts.   

Strength in numbers

Understanding these gaps in cyber security led Gartner to develop a concept called the SOC Visibility Triad, which consists of three complimentary pillars designed to, as Anton Chuvakin says, “significantly reduce the chance that [an] attacker will operate on your network long enough to accomplish their goals”.

The Triad is usually displayed as follows:

• SIEM (Security Information and Event Management). 

• EDR (Endpoint Detection and Response)

• NDR (Network Detection and Response)

It promotes a security strategy which encourages teams to accept security breaches as inevitabilities, whilst still understanding how they can detect, respond, and remediate threats effectively. 

According to Gartner, “the escalating sophistication of threats requires organisations to use multiple data sources for threat detection and response” and so, by combining the three pillars above, the Triad works to harness the strengths of each solution whilst mitigating their respective weaknesses. In other words, each solution reinforces the other, creating a multi-layered and comprehensive approach to network security.

More than ‘just EDR’

Still, I’d like to add an important caveat to the above, specifically the EDR pillar of the Triad which seeks to recognise the first signs of an attack. 

In the version of the SOC Triad I recommend, EDR would be expanded, replaced with a word such as ‘tooling’ – which I believe describes my approach more pertinently. ‘Tooling’ denotes the fact that, whilst EDR is an essential element of any cyber security strategy, it is not the be all and end all.

In fact, a more robust cyber security strategy would spread the SOC Triad’s detection and response capability over as many attack vectors as possible, not just end points as is the case with EDR, but also other surfaces including email, user accounts, applications, and cloud infrastructure, after all, the SOC Triad offers so much additional visibility to security teams, but what it can’t do is take back control of these wider attack surfaces which are often controlled externally.

Without this fuller level of control, when the time does come for a fast response, the action would need to be passed over to a third party, resulting in a delay (what we call ‘dwell time’).

It goes without saying that extending dwell time could have potentially disastrous consequences, particularly regarding security incidents which could have been contained at a much earlier stage, before it landed upon an endpoint, which is where an EDR action would be initiated.

In my view, it’s time to look more critically at protecting ourselves from cyber threats across as much of the attack surface as possible. Make sure dedicated teams are in place to protect data and IT and that they’re equipped with the tools to take fast action for initial containment at the earliest stage possible to mitigate an attack. 

Speaking frankly, simply detecting and escalating these alerts to other stakeholders for them to carry out remediation is not good enough in an age where successful compromises and data exfiltration take minutes and hours, not days.