Paul and I have talked a lot about his enchanted quadrants on the podcasts, but for those who haven’t watched, here’s a quick summary… An effective security program requires the integration of four key data sources:
- Logs (firewall, network, application, etc.)
- Endpoint (files, processes, logs, etc.)
- Network (flow and packets)
- Threat Intelligence
Most organizations build their programs starting with either logs or endpoints. The log-focused organizations start with a security information and event management (SIEM) solution, then add threat intelligence, endpoint, and eventually network data. The endpoint-focused organizations start with an endpoint detection and response (EDR) solution, then add logs, threat intelligence, and eventually network data. Notice that network data is usually last. Why?
Traditionally, network data has been the hardest and most expensive data to collect (and store). Early solutions could only provide flow data, or required lots of specialized hardware to collect full packets. Only the most mature security programs and teams could afford collecting and storing network packets. But as technologies advance, that reality has shifted.
We all know the network never lies, whereas logs can be deleted and agents evaded with as little as a simple, automated script. So why wouldn’t we all want access to the ground truth? With the move to cloud and remote work, getting that visibility without depending on endpoints or logs is even more important. So how do we flip the model?
We recently interviewed Mike Campfield, VP, Global Security Programs at ExtraHop, on Enterprise Security Weekly to discuss why network detection and response (NDR) belongs in your security strategy. We actually went deeper and proposed that NDR is the foundation of your security strategy, flipping the traditional model. Try as we might, attacks will find a way past your defenses. When they do, it’s critical to have visibility into their post-compromise behavior as they attempt to move laterally across your network. That’s where NDR and ExtraHop shine, allowing you to quickly stop attackers before they can achieve a full-scale breach. No one data source or tool is enough, but combining best-of-breed NDR, EDR, and threat detection and response (TDR) solutions can help organizations build a strong security foundation for detection and response.
ExtraHop gives you the perspective you need to understand and defend your hybrid attack surface from the inside out. Their industry-leading NDR platform is purpose-built to help you stop breaches 84% faster by:
- eliminating blind spots,
- detecting threats that other tools miss, and
- clearing the queue faster