Word Notes 2.16.21
Ep 37 | 2.16.21

SOC Triad (noun)

Transcript

Rick Howard: The word is: SOC Triad.

Rick Howard: Spelled: S for security, O for operations, C for center and Triad, as in a group of three.

Rick Howard: Definition: A best practice for framing cyber intelligence critical information requirements that recommends collecting and consolidating data from three specific sources: endpoint, network and log.

Rick Howard: Example sentence: In order to detect and prevent adversary actions across the intrusion kill chain, analysts collect intelligence from the SOC Triad.

Rick Howard: Origin and context: In 2015, Gartner's Anton Chuvakin coined the phrase "Your SOC Nuclear Triad." He compared the main task of SOC operations to what Cold War strategists used to preserve their nuclear strike capability and retain escalation dominance. The nuclear triad consisted of strategic bombers, land-based intercontinental ballistic missiles or ICBMs, and submarine-launched ballistic missiles. Enemies could take any two out and the targeted nation still had the ability to respond in kind. Chuvakin's idea was that SOC operations should take a page out of the nuclear triad playbook, but modify it. He said that every SOC should have its own visibility triad: 1. endpoint data, 2. network data, and 3. some place to store the log information. In 2021, the network defender community gets the endpoint data from EDR tools, or Endpoint Detection and Response, the network data from NDR tools, or Network Detection and Response, and we store all that telemetry and other log data in some kind of SIEM, or Security Information and Event Management. Some tools, called XDR, or Cross Layered Detection and Response, combine network and endpoint telemetry.

Rick Howard: Nerd reference: In a 2020 YouTube interview hosted by the Enterprise Strategy Group, the host asked Chuvakin if he thought the SOC Triad was still relevant five years later.

Anton Chuvakin: "My impression was that it's still relevant, but let me quickly clarify what's going on here. So when I described the triad, I described log analysis, traffic analysis, and endpoint telemetry analysis, which is usually done using EDR. And one thing that bothered me back in 2015, when I made it up, was that deeper application visibility doesn't really get its own pillar. And admittedly, what I saw in real life kind of indicated that. It doesn't. It's either logs or people just don't do it. So for 2020, I was trying to figure out whether this deserves a separate pillar. And I still feel like perhaps next time I wouldn't be looking at it. It may get a separate visibility angle or visibility line or visibility pillar today. I still think traffic, endpoint and logs, and logs may cover some of the applications."