Tuesday, August 04, 2015

Your SOC Nuclear Triad [BACKUP FROM DEAD GARTNER BLOG]

NOTICE: after Gartner killed ALL blogs in late 2023, I am trying to salvage (via archive.org) some of the most critical blogs I've written while working there, and repost them with backdates here, for posterity. This one reminds the world that I invented the "SOC visibility triad" model back in 2015.

Let’s talk modern SOC tools. The analogy I’d like to use is that of a “Nuclear Triad” – a key cold war concept. The triad consisted of strategic bombers, ICBMs and missile submarines (strictly speaking, submarine missiles – SLBMs) and sought to “significantly reduce the possibility that an enemy could destroy all of a nation’s nuclear forces in a first-strike attack.”

[Images: a B-52 bomber (https://flic.kr/p/kXwSiY), an ICBM (https://flic.kr/p/cboYVN) and a missile submarine (https://flic.kr/p/bbGz7Z)]

Your SOC should have its own nuclear triad of visibility:

  1. SIEM – if I need to explain this, please read something else instead :-)
  2. Network Forensics (NFT) – tools that can capture all network traffic (full packet capture), extract metadata (including application layer, L7 metadata such as HTTP user-agent, DNS query/response, FTP username, email subject, etc) and payloads, retain some raw traffic and metadata, and enable searching and analysis. There are several commercial tools, and then there are moloch and OpenSOC; Bro sort of fits in as well. [See more details here and in this GTP document]
  3. Endpoint Detection and Response (EDR, formerly ETDR) – typically agent-based tools to capture process execution, local connections, system changes, memory activities, etc. There are a lot (A LOT!) of commercial tools, and then there are GRR and MIG (update: not really MozDef, as I mentioned in the previous version), as well as osquery, sort of. [See more details here and in this GTP document]
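To make the "visibility" point concrete, here is an added example (not from the original post, and not any product's schema) of the pivot an analyst runs across the three sources: a SIEM alert leads to the NFT metadata (what the flagged name resolved to and whether the host connected there), which leads to the EDR record of the process that opened that connection and what launched it. The record types, field names, helper names (`SiemAlert`, `NetMeta`, `EdrEvent`, `pivot`) and all sample telemetry are constructed assumptions.

```python
"""Added example, not from the original post: a toy pivot across the three
visibility sources in the list above. Every record below is constructed
sample data; the field and function names are assumptions, not any
product's schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SiemAlert:                 # SIEM: log-derived alert
    ts: datetime
    host: str
    host_ip: str
    rule: str
    indicator: str               # the domain the rule fired on


@dataclass
class NetMeta:                   # NFT: L7 metadata pulled from full packet capture
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    dns_query: Optional[str] = None
    dns_answer: Optional[str] = None      # A record returned for the query
    http_user_agent: Optional[str] = None


@dataclass
class EdrEvent:                  # EDR: endpoint agent telemetry
    ts: datetime
    host: str
    pid: int
    image: str
    parent_image: str
    remote_ip: Optional[str] = None       # set only on network-connect events
    remote_port: Optional[int] = None


def pivot(alert: SiemAlert, net: List[NetMeta], edr: List[EdrEvent],
          window: timedelta = timedelta(seconds=30)) -> dict:
    """SIEM alert -> NFT (what did the flagged name resolve to, and did the
    host connect there?) -> EDR (which process opened that connection, and
    what launched it?). Everything is bounded to +/- window of the alert."""
    lo, hi = alert.ts - window, alert.ts + window

    def in_win(ts: datetime) -> bool:
        return lo <= ts <= hi

    # NFT step 1: the DNS exchange the SIEM rule saw, with its answer.
    answers = {n.dns_answer for n in net
               if n.src_ip == alert.host_ip and in_win(n.ts)
               and n.dns_query == alert.indicator and n.dns_answer}
    # NFT step 2: connections from the host to any resolved address.
    conns = [n for n in net
             if n.src_ip == alert.host_ip and in_win(n.ts) and n.dst_ip in answers]
    conn_ips = {c.dst_ip for c in conns}
    conn_ports = {c.dst_port for c in conns}

    # EDR step: the process that made one of those connections ...
    connect_evts = [e for e in edr
                    if e.host == alert.host and in_win(e.ts)
                    and e.remote_ip in conn_ips and e.remote_port in conn_ports]
    # ... and its launch record (same pid, no remote endpoint), for lineage.
    pids = {e.pid for e in connect_evts}
    starts = [e for e in edr
              if e.host == alert.host and e.pid in pids and e.remote_ip is None]
    return {"resolved_to": sorted(answers), "connections": conns,
            "processes": connect_evts, "lineage": starts}


# Constructed sample telemetry for one workstation around a single alert.
T0 = datetime(2015, 8, 4, 10, 0, 0)
ALERT = SiemAlert(T0, "ws-017", "10.1.2.17", "DNS query to watchlisted domain", "bad.example")
NET = [
    NetMeta(T0 - timedelta(seconds=5), "10.1.2.17", "10.1.1.53", 53,
            dns_query="bad.example", dns_answer="203.0.113.10"),
    NetMeta(T0 - timedelta(seconds=4), "10.1.2.17", "203.0.113.10", 443,
            http_user_agent="Mozilla/5.0 (constructed)"),
    NetMeta(T0 - timedelta(seconds=3), "10.1.2.99", "10.1.1.53", 53,        # another host
            dns_query="intranet.example", dns_answer="10.1.5.5"),
    NetMeta(T0 + timedelta(minutes=10), "10.1.2.17", "203.0.113.10", 443,   # outside window
            http_user_agent="Mozilla/5.0 (constructed)"),
]
EDR = [
    EdrEvent(T0 - timedelta(seconds=6), "ws-017", 4120,                     # process start
             r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\System32\wscript.exe"),
    EdrEvent(T0 - timedelta(seconds=4), "ws-017", 4120,                     # its connection
             r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\System32\wscript.exe",
             remote_ip="203.0.113.10", remote_port=443),
    EdrEvent(T0 - timedelta(seconds=2), "ws-017", 880,                      # unrelated traffic
             r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe",
             remote_ip="198.51.100.7", remote_port=443),
]


def demo() -> dict:
    return pivot(ALERT, NET, EDR)


if __name__ == "__main__":
    r = demo()
    print("resolved to:", r["resolved_to"])
    for e in r["processes"]:
        print(f"pid {e.pid} {e.image} (parent {e.parent_image}) -> {e.remote_ip}:{e.remote_port}")
```

Note what each leg contributes: the SIEM alone says only that a name was looked up; the NFT metadata supplies the answer address and proves a connection followed; only the EDR telemetry names the process and its parent. Drop any one source and the pivot stops at that step.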

Similar to the above, your “SOC triad” seeks to significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals.

Of course, your SOC will make use of other tools and capabilities, such as threat intelligence (TI) data, malware sandboxes and reversing tools [to push the above analogy a tad too far, maybe this is like a suitcase nuke? Very much an auxiliary weapon, but also very cool? :-)] as well as some workflow system to organize all your work [the strategic forces' underground command center?]. However, I always think of SIEM + NFT + EDR as the “SOC nuclear triad” of visibility!

There you have it! Enjoy!



Dr Anton Chuvakin