The following is an excerpt from our recently published guide, “The Next Generation SOC Tool Stack – The Convergence of SIEM, NDR and NTA.” In this guide we analyze the failed promises of SIEM platforms, how Network Traffic Analysis (NTA) and Network Detection and Response (NDR) tools fit into the equation, and how third-wave, self-supervised AI is created outside the limitations of the legacy architectures that are holding back many of today’s security vendors.
NTA and NDR: The Missing Piece
Most SIEM vendors acknowledge that network traffic data is far more useful than log data for leading indicators of attacks, anomaly detection, and user behavior analysis. Ironically, network traffic data is often expressly excluded from SIEM deployments, because ingesting it significantly increases the required data aggregation and storage costs, typically by 3-5x.
Geoff Coulehan, head of Strategic Alliances for MixMode and a decades-long expert in cybersecurity technology, shares: “SIEM vendors know that by the end of the first phase of the deployment, customers will realize they need additional data to provide the required security coverage. Forced with a decision to continue to invest additively in a SIEM platform, or acknowledge to their executive sponsors that they vastly underestimated the licensing, deployment, and operational costs, SIEM vendors bet on customers taking the path of least resistance and absorbing the expense.”
Coulehan says that intentionally eliminating the highest-value data sources diminishes the organization’s holistic security posture. “From an operational perspective, the challenges are compounded, requiring more manual investigations of alerts that may or may not have the required data supporting the underlying baseline,” he explains. “Customers feel inclined to maintain the status quo with an existing SIEM vendor to minimize the perceived wasted spend, or accept the realities of a failed deployment.”
Enter Network Traffic Analysis and Network Detection and Response. NTA and NDR are set to revolutionize network security, but these solutions are not a “new market” or a “new approach,” according to Coulehan.
“It’s fundamentally an organically enhanced market that has evolved to address the shortcomings of legacy SIEM products and associated pricing models,” he says. “Legacy NTA solutions were historically selected to analyze network traffic and flows, detect behavior anomalies, and complement a historical baseline for rules and threshold alerts that weren’t addressed by SIEM log data. With the inclusion of 3rd Wave AI, NTA solutions are exponentially more powerful.”
Ideally, NTA would provide supporting, though separate, detail for threat investigations. In practice, however, adding another network baseline, with its own additive silos of disparate information, led to inaccurate, out-of-date, non-evolving baselines. To put it simply, adding an inaccurate baseline does nothing to improve network security outcomes, and it may even lead to a less secure environment overall.
Coulehan says that many organizations nonetheless consider this approach and its associated costs essential: they invest in NTA as a complement to a failing SIEM deployment whose excluded data sources and unavailable or insufficient log data left them with limited visibility at prohibitive cost.