Let’s come back from the world where the endpoint won the detection and response wars to this one. As we are ramping up our NTA (but, really, broader NDR for network-centric detection and response) research one mystery has to be resolved.
What motivates some organizations to actually deploy NTA (usually one particular NTA vendor technology built on a large island off the coast of Europe) before any other detection and monitoring controls, and sometimes even before basic logging?
Let’s put aside the offensive jokes and appeals to the principle that “90% of people aren’t in the top 10 percentile.” Seriously, this question somehow bothered me, but I think I cracked it.
I call my explanation THE BIG STEP THEORY.
Imagine a real “Mongolian clusterluck” [no FoaaS for this one, sorry] of a network, where endpoints are unmanaged or clown-managed, switches and routers are poorly configured, nothing is segmented, changes are random, VPN users are dropped into the main LAN and nothing logs anything. In other words, not the networks that my esteemed readers’ employers have, but what other people have …
What is a single step one can take to know what the hell is going on in their IT environment? Where threats lurk? What users cause mischief in the name of “just doing their jobs”? What goes out, in and sideways?
I’d argue that it is NOT SIEM, NOT EDR, NOT NIDS or NGFW – but actually NTA.
SIEM needs several log types to be enabled (!) and collected – then correlated into a coherent picture. EDR needs agents nearly everywhere for decent visibility. NIDS will only get you attacks, unless you write other signatures.
NTA, however, will give you a passable picture of activities after you deploy just one box (typically on egress or in some other central location) that sniffs traffic. For sure, for this you need a layer 7 NTA, not the 1990s-style layer 3.
Hence, in this view, NTA represents the biggest ONE STEP jump to situational awareness from near-total unawareness.
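To make the “what goes out, in and sideways” claim concrete, here is an added example (not code from the original post or from any NTA vendor) of the kind of picture a single passive layer-7 sensor can produce from traffic alone. It assumes the monitored site uses only RFC 1918 addresses for “internal”; the flow records, addresses and names are constructed sample data, with the `l7` field standing in for what a layer-7 parser adds (TLS SNI, DNS query name, HTTP Host, SMB share) that a 1990s-style layer-3 flow record would not carry.

```python
"""Added example: direction-aware summary of layer-7 flow records from one
passive sensor. Not from the original post; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Assumption: everything in these RFC 1918 ranges is "ours".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records as a layer-7 sensor might emit them. "l7" is the
# application-level name the parser extracted (SNI, query name, Host, share).
SAMPLE_FLOWS = [
    {"src": "10.1.1.20",   "dst": "93.184.216.34", "dport": 443,  "app": "tls",  "l7": "example.com"},
    {"src": "10.1.1.20",   "dst": "10.1.2.5",      "dport": 445,  "app": "smb",  "l7": "ADMIN$"},
    {"src": "10.1.1.20",   "dst": "10.1.2.6",      "dport": 445,  "app": "smb",  "l7": "ADMIN$"},
    {"src": "10.1.1.20",   "dst": "10.1.2.7",      "dport": 445,  "app": "smb",  "l7": "ADMIN$"},
    {"src": "203.0.113.9", "dst": "10.1.3.10",     "dport": 3389, "app": "rdp",  "l7": ""},
    {"src": "10.1.3.10",   "dst": "10.0.0.53",     "dport": 53,   "app": "dns",  "l7": "updates.example.net"},
    {"src": "10.1.3.10",   "dst": "198.51.100.7",  "dport": 80,   "app": "http", "l7": "files.example.org"},
]


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Label a flow as egress (out), ingress (in), lateral (sideways) or
    transit (neither end is ours; should not appear on an egress tap)."""
    s, d = is_internal(flow["src"]), is_internal(flow["dst"])
    if s and d:
        return "lateral"
    if s:
        return "egress"
    if d:
        return "ingress"
    return "transit"


def summarize(flows):
    """Per internal host: flow counts by direction, the layer-7 names it
    reached on the way out, and the internal peers it initiated flows to."""
    summary = defaultdict(lambda: {"egress": 0, "ingress": 0, "lateral": 0,
                                   "egress_names": set(), "lateral_peers": set()})
    for f in flows:
        kind = classify(f)
        if kind == "egress":
            host = summary[f["src"]]
            host["egress"] += 1
            if f["l7"]:
                host["egress_names"].add(f["l7"])
        elif kind == "ingress":
            summary[f["dst"]]["ingress"] += 1
        elif kind == "lateral":
            host = summary[f["src"]]
            host["lateral"] += 1
            host["lateral_peers"].add(f["dst"])
    return summary


def lateral_fanout(summary, min_peers=3):
    """Hosts that initiated flows to at least min_peers distinct internal
    hosts: a coarse 'sideways' signal worth a human look, not a verdict."""
    return sorted(h for h, v in summary.items() if len(v["lateral_peers"]) >= min_peers)


if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS)
    for host, v in sorted(s.items()):
        print(host, {k: (sorted(x) if isinstance(x, set) else x) for k, x in v.items()})
    print("lateral fan-out:", lateral_fanout(s))
```

The point of the example is the contrast the post draws: a layer-3 view would yield only the per-direction counts, while the `l7` column is what lets the one box answer “what goes out” by name and “sideways to what” by share or service, which is the passable picture the author describes.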
Agreed? Other views?
P.S. A post-scriptum aimed at the “all of the above” or “layered defense” crowd who always pedantically remind us that “in security, the only correct answer is ALL OF THE ABOVE” since you need “oh so many layers of defense.” We know! However, not everybody will do this, almost nobody in smaller and mid-sized organizations will do it, and, frankly, even large enterprises won’t deploy all layers at the same time.
Blog posts related to NTA, NDR and this research:
- Network Anomaly Detection Track Record in Real Life?
- Endpoint Has Won, Why Bother With NTA? (by Augusto)
- Can We Have NDR, Please?
- NTA: The Other IDS?
- Next Research: Deception and Network Traffic Analysis
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.