Tying together the SOC Visibility Triad for Improved Threat Hunting

The SOC Visibility Triad has emerged as a concept over the last few years. It consists of EDR and NDR solutions running on the endpoint and on the network respectively, with their alert feeds pulled into the SIEM (the third leg of the triad, and the tool the SOC works from) for improved threat detection and hunting. Each leg covers a blind spot of the others: an endpoint agent sees nothing from a host it is not installed on, and a network sensor sees neither the process that opened a connection nor the contents of an encrypted session.

We have been working with customers to help them detect adversarial behavior by correlating EDR and NDR alerts with their other alert and log feeds. Bringing the EDR and NDR alerts into the SIEM provides rich context for threat hunting. A common theme we have observed in SOCs is consistent data normalization and enrichment of these feeds, which enables rapid development and deployment of automated detection and threat hunting content.

The Drivers

What is driving the adoption of these technologies? Adversary sophistication, and in particular adversaries' ability to deploy new variations of known exploits and tooling that slip past traditional prevention technologies, is the key driver for these solution categories.

Analysts are noticing it; Gartner called this out as a top trend for 2020. This trend bleeds into another we have observed, where enterprise SOCs adopt multiple SIEMs and data lakes for log and alert aggregation and correlation.

EDR/NDR/XDR Configuration and Alert Management

  1. Detection policy configuration. Product admins choose which out-of-the-box detection content is turned on or off, and can author and deploy new detections into these solutions.
  2. Alert investigation and triage. Because these detections flag behaviors that are suspicious rather than known-bad, their alerts are lower fidelity than detections of known-bad activity. Each such alert requires action by the security ops team: investigate it, then either mark it as a false positive or promote it to an incident for containment and remediation.
  3. Managed services. In some cases, these solutions come with a managed services component where the vendor investigates alerts and resolves them on the customer's behalf.

SOC Use Cases: Threat Hunting and Automated Detection

  1. Basic investigation and response. Alerts are ingested and investigated, often in isolation.
  2. Threat investigation. Alerts from EDR, NDR and XDR may be pieces of one campaign by a single adversary. The SOC investigates them together, combines them with other security product alerts and with correlations over raw logs, and looks for adversary tactics, techniques and procedures. The foundational requirement is a standardized data model, meaning data normalization plus standardized enrichment, so that a hostname, user or IP address means the same thing whichever product reported it. The investigation itself can be carried out in one of the two ways below.
  3. Ad hoc threat hunting. Experienced threat hunters look at the set of alerts coming from these solutions and other security products and look for patterns of adversary behavior. The wider the aperture for analysis, the higher the fidelity of the resulting detections. This requires highly skilled personnel and knowledge of the behaviors malicious actors are known to use.
  4. Standardized detection and hunt procedures. Normalized and enriched alerts are run through detection content that encodes adversary behavior, and alerts from many sources are combined to obtain high-fidelity detections. This mode has higher automation and repeatability than ad hoc hunting, in exchange for the upfront work of building the data model and the content.

SIEM Enablers: Data and Content

  1. Data normalization and enrichment. If all of your alerts are stored in a normalized format, developing and running threat hunting and automated detection queries is simplified: one query written against the common schema covers every source that feeds it.
  2. Customized detection content that hunts for the adversaries targeting you and your vertical.
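The following is an added example, not Anvilogic's code or platform content, showing the two enablers above and the cross-source threat investigation use case in one pipeline: two alerts in different (constructed) vendor schemas are normalized into one record, enriched from an asset inventory and an ATT&CK technique-to-tactic table, and then correlated per host so that two lower-fidelity alerts become one higher-fidelity detection. The vendor field names, hostnames, IP addresses, inventory and sample alerts are all made up for the illustration; only the ATT&CK technique IDs and tactics are real.

```python
"""Normalize, enrich and correlate EDR + NDR alerts (illustrative example; all
schemas, hosts, IPs and sample alerts are constructed, not from any product)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample feeds, each in the shape a hypothetical vendor emits.
RAW_EDR = [
    {"event_time": "2023-05-01T10:02:11Z", "hostname": "ws-0042", "user": "jdoe",
     "rule": "Suspicious PowerShell encoded command", "severity": "Medium",
     "technique": "T1059.001"},
    {"event_time": "2023-05-01T11:30:00Z", "hostname": "WS-0077", "user": "asmith",
     "rule": "LSASS memory access", "severity": "High", "technique": "T1003.001"},
]
RAW_NDR = [
    {"ts": 1682935443, "src_ip": "10.1.2.42", "dst_ip": "203.0.113.9",          # 10:04:03Z
     "signature": "Beaconing to rare external host", "sev": 2, "attack_id": "T1071.001"},
    {"ts": 1682938800, "src_ip": "10.1.2.99", "dst_ip": "10.1.2.1",             # 11:00:00Z
     "signature": "SMB share enumeration", "sev": 1, "attack_id": "T1135"},
]

# Constructed enrichment sources: asset inventory (IP -> host, tier) and the
# ATT&CK tactic for the few technique IDs used above.
INVENTORY = {
    "10.1.2.42": {"host": "WS-0042", "tier": "standard"},
    "10.1.2.99": {"host": "WS-0077", "tier": "crown-jewel"},
}
TECHNIQUE_TACTIC = {
    "T1059.001": "Execution", "T1003.001": "Credential Access",
    "T1071.001": "Command and Control", "T1135": "Discovery",
}
NDR_SEVERITY = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Alert:
    """The common schema every source is normalized into."""
    source: str
    time: datetime
    host: str
    title: str
    severity: str
    technique: str
    user: Optional[str] = None
    tactic: str = "unknown"      # filled in by enrich()
    asset_tier: str = "unknown"  # filled in by enrich()


def normalize_edr(raw: dict) -> Alert:
    # ISO-8601 with trailing Z; fromisoformat() needs an explicit offset before 3.11.
    t = datetime.fromisoformat(raw["event_time"].replace("Z", "+00:00"))
    return Alert("edr", t, raw["hostname"].upper(), raw["rule"],
                 raw["severity"].lower(), raw["technique"], user=raw["user"])


def normalize_ndr(raw: dict, inventory: Dict[str, dict]) -> Alert:
    # NDR reports IPs, not hostnames: resolve through inventory so the host key
    # matches what EDR reports; fall back to the IP when the asset is unknown.
    t = datetime.fromtimestamp(raw["ts"], tz=timezone.utc)
    host = inventory.get(raw["src_ip"], {}).get("host", raw["src_ip"]).upper()
    return Alert("ndr", t, host, raw["signature"],
                 NDR_SEVERITY.get(raw["sev"], "unknown"), raw["attack_id"])


def enrich(alert: Alert, inventory: Dict[str, dict]) -> Alert:
    alert.tactic = TECHNIQUE_TACTIC.get(alert.technique, "unknown")
    tiers = {v["host"].upper(): v["tier"] for v in inventory.values()}
    alert.asset_tier = tiers.get(alert.host, "unknown")
    return alert


def correlate(alerts: List[Alert], window: timedelta) -> List[dict]:
    """Pair an EDR alert with an NDR alert on the same host inside `window`
    whose tactics differ: two independent sensors seeing different stages of
    activity on one host is a stronger signal than either alert alone."""
    findings = []
    edr = [a for a in alerts if a.source == "edr"]
    ndr = [a for a in alerts if a.source == "ndr"]
    for e in edr:
        for n in ndr:
            if e.host == n.host and e.tactic != n.tactic and abs(e.time - n.time) <= window:
                findings.append({
                    "host": e.host, "user": e.user, "asset_tier": e.asset_tier,
                    "tactics": sorted({e.tactic, n.tactic}),
                    "techniques": sorted({e.technique, n.technique}),
                    "severity": "high",  # escalated: multi-source, multi-tactic
                    "evidence": [e.title, n.title],
                })
    return findings


def run_pipeline(raw_edr, raw_ndr, inventory=INVENTORY, window_minutes=15):
    alerts = [enrich(normalize_edr(r), inventory) for r in raw_edr]
    alerts += [enrich(normalize_ndr(r, inventory), inventory) for r in raw_ndr]
    return correlate(alerts, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for finding in run_pipeline(RAW_EDR, RAW_NDR):
        print(finding)
```

With the default 15-minute window only WS-0042 fires (PowerShell execution followed two minutes later by beaconing); the WS-0077 pair is 30 minutes apart and stays as two separate alerts until the window is widened. The normalization step is what makes the join possible at all: the EDR feed keys on a mixed-case hostname and the NDR feed on a source IP, and without the inventory lookup and case folding the two records would never match.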

At Anvilogic, we offer a SOC content platform with a wide variety of data parsers, normalizers and enrichments that you can adopt quickly, and a wide set of behavioral detections that you can assemble into your own adversary detection content for hunting adversary behaviors across your alert and log sources.

Anvilogic

Anvilogic TDIR platform helps unify across signals to gain valuable insights and recommendations to continuously assess, detect, hunt, triage, and respond.