The Next Generation of Security Architecture Is Here
Michael Clark
July 16, 2024
The SOC visibility triad—consisting of security information and event management (SIEM), endpoint detection and response (EDR), and network detection and response (NDR)—has been a powerful combination for security analysts for years. But just as attackers are evolving their tactics and growing ever faster, so too must security teams.
The next generation of security architecture evolves the SOC triad into something more. Artificial intelligence (AI) enhances analysis and investigation. Cloud-scale architectures enable more efficient logging, scaling, and analysis. And the integration of broader data sources into next generation SIEM technology enables security teams to correlate, identify, and remediate threats more effectively. The result: more reliable and relevant security detections, delivered faster, and with deeper contextual insights.
What Is Next-Gen SIEM?
Legacy SIEMs are a great resource, especially during incident investigations. But it can be difficult to determine which alerts are meaningful without a high level of proficiency in the applications and systems generating the logs, and high-cost log storage is a further obstacle. CrowdStrike Falcon® Next-Gen SIEM unifies first- and third-party data, native threat intelligence, AI, and CrowdStrike Falcon Fusion SOAR—a security orchestration, automation, and response platform—to augment SOC capabilities, allowing teams to detect, investigate, and respond to threats much more quickly than they could with a traditional SIEM. Falcon Next-Gen SIEM is also native to the cloud, unlike traditional SIEM solutions. It scales more easily, is better architected to natively support hybrid and distributed environments, and makes use of tight integrations with other sources of security telemetry.
The Role of RevealX in Next-Gen Security Architectures
The ExtraHop RevealX™ NDR platform can accelerate your organization’s transition to a modern security architecture based on next-gen SIEM. As soon as RevealX is deployed on your network, it starts gathering data directly from packets, rather than endpoint agents, thereby providing visibility into otherwise-hidden network layers.
Network data from RevealX adds clarifying context to the disparate and sometimes conflicting data sources flowing into next-gen SIEM solutions. For example, a rule- or policy-based data source might flag a certain action as high risk, while another indicates it is nothing to worry about. This ambiguity can make it difficult for security teams to determine the right course of action. That's where RevealX can help: the platform performs behavioral analysis to understand patterns of activity and generate targeted detections, rather than binary policy violations that may lack crucial context. The end result is enhanced visibility and context from a reliable, normalized data source for next-gen SIEMs.
Figure: Network telemetry from RevealX in a Falcon Next-Gen SIEM dashboard
The network-based telemetry provided by RevealX confers several additional advantages to security teams:
- The network gives security teams an exceptionally high-fidelity source of data about their security posture, and a source of truth and transparency into threat actors' activity. When attackers compromise an endpoint and begin to move laterally, call out to command and control servers, or attempt to enumerate targets and elevate their privileges, all of this post-compromise activity gets recorded in network packets.
RevealX combines full packet capture with powerful capabilities for decrypting TLS 1.3 and SSL traffic and has fluency in over 90 network, application, database, and internet protocols. As a result, RevealX can see exactly where network packets are coming from, where they’re going, and what they’re saying—providing the richest source of data for threat detection, investigation, and response.
Since the network sees everything, your security team will, too.
Figure: The five layers of network-based detection provided by RevealX
- RevealX picks up where other security controls stop and fills significant visibility gaps.
- Traditional EDR: Endpoint agents provide powerful visibility, but not every endpoint can run a traditional agent. In fact, ExtraHop sensor data shows that as much as 60% of an organization's endpoints are unprotected by EDR agents. Threat actors can also disable legacy EDR agents or bypass them altogether with stolen credentials. RevealX provides organizations with visibility into vast expanses of their infrastructure that are not covered by traditional EDR agents and gives organizations a critical backup control for when threat actors disable them.
- Traditional SIEM: Legacy SIEM logs are not built for detecting live attacks, as they are based on indexed data. They are also noisy, since disparate logs without effective enrichment lack context, and they require significant overhead to deploy.
- Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS): An IDS only catches known threats and doesn't provide any context. In contrast, RevealX provides five layers of network-based detection: machine-learning-powered behavioral detections, network indicator detections, routinely exploited vulnerability detections, emerging exploit detections, and network malware detections.
- Next-Gen Firewalls (NGFWs): NGFWs lack east-west traffic visibility, and data from NGFWs can be cumbersome to bring into investigation workflows in legacy systems.
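The two ideas above that matter most to an analyst are (a) resolving two controls that disagree about the same host by consulting what the network saw, and (b) the fact that lateral movement and command-and-control traffic leave a record in flows whether or not an agent is present. The following is an added example, written for this page and not code from ExtraHop, CrowdStrike, or the RevealX or Falcon products. It assumes flow records have already been normalized into plain dicts (src, dst, dport, ts, bytes), and the thresholds, port list, alert sources, and sample data are all constructed for illustration.

```python
"""Enrich a policy-based alert with network-flow context (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed assumptions: RFC 1918 space is "internal"; these ports carry the
# admin protocols an attacker typically rides for lateral movement.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}  # RPC, SMB, RDP, WinRM


@dataclass
class Alert:
    host: str     # internal host the originating control complained about
    ts: int       # epoch seconds
    source: str   # which control raised it
    verdict: str  # what that control thinks: "high" or "low"


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def flows_from(host, flows, start, end):
    """Flows originated by `host` inside the [start, end] window."""
    return [f for f in flows if f["src"] == host and start <= f["ts"] <= end]


def lateral_fanout(flows):
    """Distinct internal hosts reached on admin ports: a fan-out signal."""
    return len({f["dst"] for f in flows if is_internal(f["dst"]) and f["dport"] in LATERAL_PORTS})


def beaconing_peers(flows, min_conns=4, max_jitter=0.2):
    """External peers contacted at near-constant intervals (C2-style cadence).

    Jitter is the coefficient of variation of inter-connection gaps; a low
    value means the timing is too regular to be a person browsing."""
    by_peer = {}
    for f in flows:
        if not is_internal(f["dst"]):
            by_peer.setdefault((f["dst"], f["dport"]), []).append(f["ts"])
    found = []
    for peer, times in sorted(by_peer.items()):
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append(peer)
    return found


def enrich(alerts, flows, window=1800):
    """Decide escalate/downgrade for one host from what the network recorded."""
    host = alerts[0].host
    start = min(a.ts for a in alerts) - window
    end = max(a.ts for a in alerts) + window
    seen = flows_from(host, flows, start, end)
    fan = lateral_fanout(seen)
    beacons = beaconing_peers(seen)
    reasons = []
    if fan >= 3:
        reasons.append(f"lateral fan-out to {fan} internal hosts on admin ports")
    if beacons:
        reasons.append(f"periodic outbound connections to {beacons}")
    return {
        "host": host,
        "source_verdicts": {a.source: a.verdict for a in alerts},
        "verdict": "escalate" if reasons else "downgrade",
        "reasons": reasons,
    }


# Constructed sample data. Two controls disagree about 10.0.5.23: a share-access
# policy says high, the identity system says low because the credentials were valid.
ALERTS_DISPUTED = [
    Alert("10.0.5.23", 1000, "share_policy", "high"),
    Alert("10.0.5.23", 1000, "identity", "low"),
]
ALERTS_BENIGN = [Alert("10.0.5.40", 1000, "share_policy", "high")]

FLOWS = (
    # 10.0.5.23 fans out over SMB/RDP/WinRM and beacons every 300 s to 203.0.113.7
    [{"src": "10.0.5.23", "dst": d, "dport": p, "ts": t, "bytes": 4096}
     for d, p, t in [("10.0.5.30", 445, 900), ("10.0.5.31", 445, 950),
                     ("10.0.5.32", 3389, 1010), ("10.0.7.10", 5985, 1100)]]
    + [{"src": "10.0.5.23", "dst": "203.0.113.7", "dport": 443, "ts": t, "bytes": 512}
       for t in (100, 400, 700, 1000, 1300)]
    # 10.0.5.40 hits one internal web service and browses an external site irregularly
    + [{"src": "10.0.5.40", "dst": "10.0.9.5", "dport": 443, "ts": 980, "bytes": 20000}]
    + [{"src": "10.0.5.40", "dst": "198.51.100.2", "dport": 443, "ts": t, "bytes": 30000}
       for t in (100, 150, 1050, 1070)]
)

if __name__ == "__main__":
    for alerts in (ALERTS_DISPUTED, ALERTS_BENIGN):
        print(enrich(alerts, FLOWS))
```

The disputed host escalates on two independent network observations (admin-port fan-out and a fixed-cadence outbound channel), while the benign host with the same policy hit downgrades because its flows look like ordinary use. Neither judgement depends on an endpoint agent being present, which is the point of feeding normalized network telemetry into the SIEM alongside the policy and identity sources.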
By combining the powerful network insights provided by RevealX with the advanced, AI-native capabilities of the CrowdStrike Falcon Next-Gen SIEM, security and IT teams can step into the future of the SOC to better defend against advanced threats.