It’s hard for Security Operations Center (SOC) teams to protect corporate environments from cyber threats if they can’t see what’s happening on the network.
But most SOC teams don’t have that visibility. So, when SOC teams require information on network traffic patterns, they call upon the cooperation of their colleagues in the Network Operations Center (NOC). And when NOC teams require assistance to diagnose behaviors of an endpoint or application that could negatively impact the overall performance and stability of the network, they call upon the SOC.
Blind spots and inefficiencies
This is a manual, ad-hoc process that leaves blind spots which threat actors can actively target and creates inefficiencies that waste valuable time and resources. Additionally, since SOC and NOC team members constantly operate in a pressure-cooker environment where neither has the visibility they need to act swiftly and confidently, the result is stress and burnout.
As my colleague Justin Falck explained in a recent blog, Extended Detection and Response (XDR) is the natural evolution of Endpoint Detection and Response (EDR). And it’s evolving precisely for the reasons noted above: Threat actors continue to adapt in ways that allow them to evade security tools, so to stay a step ahead, it’s been necessary to add more telemetry types to those used by EDR solutions. Incorporating identity intelligence and network telemetry creates more reliable signals, while providing even more context for detecting suspicious activity. This helps to reduce some key security performance metrics, including and especially the mean time to detect and respond (MTTD/MTTR).
What has been missing from both EDR and even XDR solutions —and SOCs everywhere— is the ability to natively combine full network visibility with EDR capabilities. This shortcoming has contributed to two significant challenges for the typical SOC, each with very real costs.
- First, capturing and analyzing network traffic typically requires expensive hardware in the form of packet brokers and network taps.
- Second, SOC analysts have been saddled with the burden of bringing together disparate data sources (EDR, network, and identity) and effectively using them to detect and respond to an attack early and accurately. This has led to stress, burnout, and missed signals.
Arming SOC analysts with native network visibility is a game-changer.
VMware Carbon Black XDR: Natively unities endpoint and network
At VMware Carbon Black, we’ve worked to address that crucial shortcoming. Carbon Black XDR combines EDR capabilities with identity intelligence and other telemetry, while also performing AI/ML-based analytics. It’s a pathway to a more efficient SOC—and a solution for the gaps that have long defined the NOC-SOC relationship.
With VMware Carbon Black XDR, SOC analytics can see more, detect faster, respond with confidence, and ultimately stop more sophisticated attacks. Carbon Black XDR removes the requirement to switch context as information is presented in a single console, agent, and platform. It automatically weaves together various elements of telemetry—including, yes, network-focused telemetry—to provide a cohesive view of sophisticated emerging threats.
Suddenly, those two challenges cited earlier become far less of a challenge. Even without having to invest in hardware network taps, SOCs gain deep visibility into all communications for East-West traffic, North-South traffic, no matter where the endpoint is located. And bringing together disparate data into a cohesive, meaningful whole is no longer a burden. Analysts can correlate network activity to the system and the process. The North-South communication that is seen at egress, depending on network address translation, can be very hard to track back to. Now systems can be identified and not just which system, but which process because visibility is occurring at the same time, without having to join data sets later.
What’s more, all telemetry is visible in one console. Therefore, it’s joining data from the start, the same dataset, all in the same Carbon Black platform. This provides additional correlations, detections, and visualizations in the back end to aid with understanding incident scope.
Benefits to the business
Combining network visibility on the endpoint, without requiring expensive network taps, results in three essential business benefits:
- Lower costs. As we all know, CISOs are under increasing pressure to operate within tight budgets even as security and compliance requirements mount. The good news: the ability to see all communications without having to invest in hardware-based network taps helps drive down operational costs. And as cyber insurers intensify their scrutiny over security controls and capabilities, gaining deep visibility into all traffic should help improve organizations’ insurability and reduce the costs of premiums.
- Reduced risk. According to Forrester Consulting research, 79% of organizations not currently using XDR express a need to reduce mean time to detection and mean time to response (MTTD/MTTR)—metrics that relate directly to minimizing limiting the scope of disruption to critical business functions. As attackers gain new skills, tools, and techniques, SOC teams need every defensive weapon at their disposal. Here again, VMware Carbon Black XDR directly supports those efforts by giving SOC analysts a single console through which to view all telemetry, correlations, detections, and visualizations. This is the context defenders need to prevent and minimize damage to business operations—and minimize risk to the business.
- Faster time to value. Implementing XDR is a journey, but it’s a journey that pays—and VMware Carbon Black XDR helps accelerate it. Incorporating disparate telemetry and data into a single, cohesive picture helps deliver on the bottom-line benefit of XDR by giving SOC analysts a more efficient and effective experience. Simply put, they’re more productive and get more value from the XDR solution. The Forrester Consulting study bears this out, with three out of four XDR adopters stating that increased ROI is the top business benefit of XDR.
Now with Network Traffic Analysis
The latest extension of VMware Carbon Black XDR incorporates Network Traffic Analysis (NTA) capabilities that allow SOC analysts to rapidly identify and investigate anomalous network traffic. By automatically identifying traffic that deviates sufficiently from what’s considered “normal” traffic patterns, SOC analysts can detect further evidence of threat actors attempting to move laterally across an environment or spot malicious connections between customer systems and the internet.
This new NTA capability is a vital enhancement to Carbon Black XDR, dovetailing our comprehensive EDR, identity intelligence, and IDS observations offerings with deep visibility into network telemetry. The result is next-level XDR, designed specifically to help SOC teams stay ahead of the next threat with unparalleled granular visibility.
And it’s available only from VMware Carbon Black.
