SIEM Alone Won't Stop Advanced Threats. Integrated NDR & SIEM Can. Here's Why.
Chase Snyder
July 29, 2021
Ransomware was a $350+ million business in 2020, and all signs point to major growth in 2021. We saw increased usage of the double-extortion method, in which ransomware gangs exfiltrate data and threaten to release it publicly, on top of their traditional encryption-for-ransom scheme, to extract even greater payments from victims.
On top of that, sophisticated supply chain attacks affected thousands of businesses, showing that every enterprise, not only major corporations and nation states, needs to defend itself against the globe's most advanced threat actors.
To combat advanced threats such as REvil, DarkSide, and SUNBURST, enterprise SecOps teams need to take every opportunity to detect attacks earlier, especially unknown threats, investigate them to understand their scope precisely, and respond quickly.
One of the best steps many SOCs can take to achieve these goals is to integrate a network detection and response (NDR) solution with their security information and event management (SIEM) solution. For many SOCs, the SIEM is the primary console. It shows up on the big screen and is the first place to look when investigating and responding to a threat—but a SIEM is only as good as the data you feed it.
Unfortunately, SIEM data isn't infallible. As threat actors grow more sophisticated at evading detection by tampering with log files, disabling activity logging, and avoiding endpoints with monitoring agents, it grows more and more important to have a passive, covert NDR tool as part of the mix, tightly integrated with the SIEM.
Detect More Hidden and Unknown Threats
ESG research from 2020 indicated that most security operations teams felt their SIEM was good at detecting known threats. That is great news, but it came with the caveat that about 30% of respondents felt their SIEM was less effective for detecting unknown threats.
NDR solutions excel at detecting unknown threats. This is true for a few reasons. First, NDR covertly observes all network traffic in the environment. Attackers must traverse the network for key steps in the attack chain, including command & control, lateral movement, and data exfiltration. Through machine-learning-driven behavioral analysis, NDR can detect these subtle behaviors even if they never touch an activity log or an EDR-instrumented device.
Second, NDR vendors that can decrypt traffic for analysis can detect malicious behaviors that would otherwise stay hidden. Attackers can co-opt and control encrypted protocols to achieve their goals without being caught by security tools that can't see their movements. This allows them to dwell in your environment for months, establish persistence, map the territory, and identify sensitive data and vulnerable systems so that they can do maximum damage when they finally strike.
Note: Not all NDR vendors are able to decrypt traffic at line rate for analysis. When considering an NDR vendor, make sure this capability is present.
By integrating NDR with your SIEM, you can gain a powerful, ground-truth view and detect unknown threats with greater speed and accuracy.
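The command-and-control case above is the easiest one to make concrete. A compromised host that checks in with its controller on a fixed cadence leaves a timing signature on the wire whether or not an endpoint agent or activity log ever records it. The following is an added example, not ExtraHop code: it scores connection series for periodicity over a constructed set of flow records, then shapes each hit into a SIEM-ready event that also records whether the SIEM has any endpoint logs for that host. The flow records, the `SIEM_LOG_SOURCES` set and the jitter threshold are all constructed for illustration.

```python
"""Periodic-beacon detection over connection records (constructed sample data).

Added example, not ExtraHop code. Groups outbound connections by
(source, destination, port), measures how regular the inter-arrival times
are, and emits a detection record for series that look automated.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (epoch seconds, src, dst, dst port, bytes out).
# 10.0.0.7 checks in with 203.0.113.9 roughly every 60 s with small jitter;
# 10.0.0.5 browses 198.51.100.20 at irregular, human-looking intervals.
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
FLOWS = [
    (1000 + 60 * i + (i % 3), "10.0.0.7", "203.0.113.9", 443, 512) for i in range(12)
] + [
    (ts, "10.0.0.5", "198.51.100.20", 443, size)
    for ts, size in [(1000, 4096), (1017, 8192), (1302, 1024), (1310, 2048),
                     (1660, 300), (1663, 1500), (1900, 900), (2400, 700)]
]

# Hosts from which the SIEM actually receives endpoint/agent logs (constructed).
SIEM_LOG_SOURCES = {"10.0.0.5"}


def find_beacons(flows, min_connections=8, max_jitter=0.2):
    """Return {(src, dst, port): stats} for connection series with a steady period.

    Jitter is the coefficient of variation of the inter-arrival times: a
    person browsing produces a high value, an automated check-in a low one.
    The 0.2 cutoff is a constructed threshold, not a vendor setting.
    """
    series = defaultdict(list)
    for ts, src, dst, port, _size in flows:
        series[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue  # too few samples to call the cadence regular
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 0.0
        if jitter <= max_jitter:
            beacons[key] = {
                "connections": len(times),
                "period_s": round(period, 1),
                "jitter": round(jitter, 3),
            }
    return beacons


def to_siem_events(beacons, log_sources):
    """Normalize beacon hits into flat dicts a SIEM forwarder can ingest.

    has_endpoint_logs lets an analyst see at a glance that the SIEM would have
    had nothing from this host without the network-derived detection.
    """
    events = []
    for (src, dst, port), stats in sorted(beacons.items()):
        events.append({
            "detection": "periodic_beacon",
            "src_ip": src,
            "dst_ip": dst,
            "dst_port": port,
            "has_endpoint_logs": src in log_sources,
            **stats,
        })
    return events


if __name__ == "__main__":
    for event in to_siem_events(find_beacons(FLOWS), SIEM_LOG_SOURCES):
        print(event)
```

Running the block reports a single beacon from 10.0.0.7 (about a 60 s period, jitter near 0.02) with `has_endpoint_logs` false, while the irregular browsing from 10.0.0.5 is ignored because its inter-arrival times vary far more than the threshold allows.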
Accelerate Response Time With Correlated Detections & Forensics
When investigating a security incident, speed matters a lot. Gathering and correlating data from different security tools can be a time-consuming process, often impacting multiple teams. This includes those outside the security organization, such as network operations, applications, database, and cloud operations.
The longer the investigation takes, the more damage an attacker can do. Many SecOps teams track their mean time to detect (MTTD) and mean time to respond (MTTR) as key performance indicators. Bringing those numbers down is more important now than ever.
While not all NDR solutions are created equal, we can say with confidence (and data backed by Forrester research) that ExtraHop Reveal(x) enables security teams to resolve incidents 84% faster. By sending NDR detections to your SIEM, you can gain rapid detection and a correlated view of data that can accelerate your threat response and increase your chances of stopping an incident from becoming a headline-making breach.
Inventory Everything and Secure Unmanaged Devices
The CIS Top 20 controls indicate that an inventory of all hardware and software assets connecting to the network is the first step toward a better security posture. Deploying SIEM successfully requires you to know what devices are out in the network so that you can configure them and gather activity logs from them. Not all devices are amenable to this arrangement. Unmanaged IoT and BYOD devices may end up in your environment. Third-party contractors or service providers like Kaseya may be connected to your environment, and you may not be able to fully audit their security posture.
Since NDR solutions observe all traffic that crosses the wire, they can see and identify every device. More advanced NDR solutions can tell what hardware, operating system, EDR agent, and logging activity a device exhibits purely by watching the network traffic going to and from the device. This means you can detect and respond to threats that would be completely invisible to a SIEM on its own.
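One practical way to use that passive view is to reconcile it against what the SIEM already knows. The following is an added example, not ExtraHop code: from a constructed set of flow records it builds the list of hosts actually talking on the network, then compares that list with a constructed asset inventory (`CMDB`) and the SIEM's list of log sources. Hosts on the wire but absent from the inventory are unknown devices; inventoried hosts with no log source are unlogged; and hosts the SIEM believes are logging but that the sensor never sees talking to the collector are silent, which is what disabled or tampered logging looks like from the network. The collector address and port, and the inference that traffic to the collector on its log port means the host is shipping logs, are assumptions made for this example.

```python
"""Passive device inventory reconciliation (constructed sample data).

Added example, not ExtraHop code. Everything a sensor sees talking on the
wire becomes an inventory entry; that inventory is then checked against the
asset list and the SIEM's log sources to surface gaps in coverage.
"""
from collections import defaultdict

# Constructed: the SIEM's syslog collector. A host sending to this address and
# port is treated as "shipping logs" (an assumption for this example).
LOG_COLLECTOR = ("10.0.0.250", 6514)

# Constructed flow records observed by the sensor: (src, dst, dst port).
FLOWS = [
    ("10.0.0.5", "10.0.0.250", 6514),    # workstation shipping logs
    ("10.0.0.5", "198.51.100.20", 443),
    ("10.0.0.7", "203.0.113.9", 443),    # workstation with no log traffic
    ("10.0.0.40", "10.0.0.5", 445),      # file server: SIEM expects its logs
    ("10.0.0.88", "10.0.0.40", 445),     # device nobody has inventoried
    ("10.0.0.88", "198.51.100.77", 1883),
]

# Constructed asset inventory and the SIEM's configured log sources.
CMDB = {"10.0.0.5": "workstation", "10.0.0.7": "workstation", "10.0.0.40": "file server"}
SIEM_LOG_SOURCES = {"10.0.0.5", "10.0.0.40"}


def passive_inventory(flows, collector=LOG_COLLECTOR):
    """Build {src_ip: {"peers": set, "ships_logs": bool}} from observed flows.

    Only sources are inventoried: in this sample the collector never initiates
    a connection, so keying on the source side keeps it out of the device list.
    """
    devices = defaultdict(lambda: {"peers": set(), "ships_logs": False})
    for src, dst, port in flows:
        entry = devices[src]
        entry["peers"].add((dst, port))
        if (dst, port) == collector:
            entry["ships_logs"] = True
    return dict(devices)


def reconcile(inventory, cmdb, log_sources):
    """Classify observed hosts by coverage gap; categories do not overlap."""
    seen = set(inventory)
    unknown = seen - set(cmdb)                       # on the wire, not in the asset list
    unlogged = (seen & set(cmdb)) - log_sources      # known asset, SIEM gets no logs
    silent = {                                       # SIEM expects logs, none seen on the wire
        ip for ip in seen & log_sources if not inventory[ip]["ships_logs"]
    }
    return {
        "unknown": sorted(unknown),
        "unlogged": sorted(unlogged),
        "silent_log_sources": sorted(silent),
    }


if __name__ == "__main__":
    report = reconcile(passive_inventory(FLOWS), CMDB, SIEM_LOG_SOURCES)
    for category, hosts in report.items():
        print(f"{category}: {hosts}")
```

On the constructed data the report lists 10.0.0.88 as unknown, 10.0.0.7 as unlogged and 10.0.0.40 as a silent log source; the last category is the one worth alerting on, since the SIEM would otherwise keep believing it has coverage of that server.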
Security Is an Ecosystem and NDR + SIEM are Key Requirements
Every security team has multiple—often too many—tools. Integrating these tools the right way provides a huge boost in security efficacy and can help stretched-thin teams stave off the growing onslaught of advanced threats. In nature, an animal whose behavior has an outsized impact on its ecosystem is called a keystone species.
SIEM and NDR are keystone species for a successful security operations ecosystem. When they work together well, your SOC can take back the advantage from cyberattackers. To learn more about how NDR and SIEM integration can accelerate response times, download our solution brief.