Gartner Observations – SIEM, MDR, NTA, MTA, EDR


[Figure: Gartner SOC Visibility Triad (SIEM, EDR, NTA)]

[Figure: The Threat Detection Trinity]

The SOC Visibility Triad is actually missing a few details: structured and unstructured monitoring, and east-west/north-south traffic (user email, web and application traffic).

  1. Detection technologies such as SIEM, EDR and NTA are effective only when use cases are appropriately defined, implemented and tuned. (Key points by Anton Chuvakin at Gartner on 1/28/2019)
  2. A process to manage security monitoring use cases is a prerequisite for the success of any detection capability.
  3. Most organisations include some third-party providers, such as MSSPs or MDR providers, in their detection and response plans. However, outsourcing functions and responsibilities does not mean outsourcing accountability.
  4. Ensuring the effectiveness of both basic and advanced detection and response capabilities requires not just tools, but also the entire triad of people, processes and technology.
  5. Security operations center (SOC) owners struggle to make the right technology investments, and unfortunately chase the latest and greatest technologies that may dilute, rather than enhance, the efficacy of the SOC. (‘Selecting the Right Tools for your SOC’ by Tony Busa at Gartner on 1/23/2020)
  6. Looking to peers with SOCs or trying to benchmark against others in their vertical is of limited use. Each SOC is constructed to meet its own organization’s nuances, and current and target maturity level.
  7. Artificial intelligence (AI)- and machine learning (ML)-powered technologies, or any that promise to fully automate your SOC, are not going to magically transform an SOC from low maturity to high maturity overnight. Your SOC needs trained staff and fine-tuned workflows to use and operate tools that support its goals and capabilities.
  8. SRM leaders are failing to identify and understand relevant threats and risks to the organization, which increases the chances of devastating security incidents. Lack of initial and continuous threat modeling affects all components of the SOC target operating model, resulting in increased risk and reduced efficacy of SOC operations. (‘Create a SOC Target Operating Model to Drive Success’ by John Collins at Gartner on 1/15/2020.)
  9. Without operational alignment and defined agreements for an SOC, SRM leaders face resistance and avoidance from other business units, increasing the risk of security incidents with direct fiscal impact on the business.
  10. Security and risk management leaders often struggle to convey the business value of their security operations centers to non-security leaders, resulting in reduced investment, poor collaboration and eroding support.
  11. ‘SOCs are like snowflakes, no two are alike…’
    1. Infrastructure; People, Process, Technology
    2. Digital Transformation
    3. Digital Workforce
    4. Business Innovation
    5. Mergers, Acquisitions & Divestitures
    6. Geography Expansion
    7. Regulations and Laws
    8. Cloud, NOC, SOC, Fraud