Back in 2015, while working on a Gartner SOC paper, I coined the concept of “SOC nuclear triad” which later morphed into “SOC visibility triad” or even “security visibility triad.” The thing then became very popular with some security vendors, especially with the NDR variety (example, example).
The model was originally built to demonstrate the necessary security visibility via three pillars:
The model referred to “security visibility” as something that is broader than detection or investigation (response) alone. In fact, one can detect in any of the channels separately, or run detection content on a platform that has more than one type of data. Same for investigations: having all three security visibility pillars means that you won’t miss anything big during the incident response process.
Later it became a fancy graphic:
Source: Gartner, Applying Network-Centric Approaches for Threat Detection and Response, March 2019, ID G00373460 (quoted in compliance with relevant policy for personal digital media channels; do not quote on corporate blogs without permission)
(BTW, an astute reader may point out that SIEM may collect netflow and EDR may look at logs, so there is some minor element of overlap. However, I still think that logs / traffic data / endpoint data [other than logs, like say live memory observation, etc] are three distinct pillars of visibility)
Now, some time has passed (FIVE years!) and I wanted to explore the limitations and changes of the model, as it continued to be popular.
First, is “triad of security visibility” model still useful in 2020? Short answer: YES. If asked to deliver good security visibility, I will still reach for logs / traffic / endpoint data combination for my detection and response program.
Now, let’s look at the details.
Any changes in priority order? — Perhaps the order did change a bit: back in 2015, I would always reach for logs first, now I may reach for EDR first (hence XDR). Endpoint data did become more useful and more relevant. However, there are definitely still cases to reach for NDR/NTA first.
Any notable environments where the model does not apply? — Admittedly, things are still settling in the cloud, in IaaS, specifically. Still, I see people rely on logs (traditional system / application logs and cloud platform logs), endpoint sensors and sometimes traffic sensing, so the model holds in IaaS, even if with some change to priority order and technologies used.
What about the places that use a lot of SaaS and have little data-center or IaaS presence? — OK, here things have do change. I’d say EDR (at the point of usage i.e. laptop, etc) becomes more relevant, logs remain relevant (either various SaaS application logs and/or CASB logs) while the network channel largely wanes.
What about cloud environments with a lot of modern cloud-native services, containers, serverless? — Well, here (in my view) both network and endpoint approaches wane and/or die, while logs become the main route, but with a twist …
What about application security visibility? — Well, glad you asked! This was in fact one of the most effective criticisms of my triad model. “But Anton, what about application security visibility?” In fact, one of my favorite pieces of research that I have not written was a paper on application security monitoring (my broken promise to write one is here). I’d say that this criticism is stronger today. And the emergence of observability movement and projects like OpenTelemetry indicate that perhaps application visibility may become its own 4th pillar … turning the triad into a quad (hence ruining my original nuclear triad metaphor). And then there is still RASP that fits here as well (anybody uses RASP?)
What about things that are not in the model? — Well, there are some useful auxiliary detection / visibility controls such as deception. They are there, but to me their role is auxiliary and they do not change the model, in my view.
Anything I missed?
To summarize, the security visibility triad is still good to go, but watch the evolution of application security visibility. Perhaps in 2–3 years, we can talk about security visibility quad instead …