Why converged NOC and SOC are so critical to security efficacy

Joining Felicia is Rui Lopes, Senior Technical Evangelist at WatchGuard Technologies. Rui was with Panda Security prior to the WatchGuard acquisition and has spent many years merging the technical with customer enablement at a level rarely seen. His efforts at WatchGuard are projects, partner support, and overall customer enablement of using the endpoint protection technology effectively.

When I listened to an interview with Fortinet's CISO regarding converged NOC/SOC, I had to reach to Rui to formalize several conversations we have had over the last 1+ years because we both have seen the need for this strategy for a very long time. 

At QPC, we have been doing converged NOC/SOC since around 2009.

Listen in to hear our breakdown about why this is such a critical strategy in today's threat landscape.

_________________________________________________________________

The Fortigate CISO talked a lot about NOC and SOC convergence at the network layer, but he did not talk about it at the endpoint level.

 

Convergence architecture, SIEM, network operations, endpoint, cloud, authentication

Panda: since 2015 EDR platform, advanced telemetry collection, for endpoint sensors

 

The people who are monitoring and responding must be the same people who have intimate knowledge of the systems, clients, staff, applications, servers, workstations, cloud tech. They have to know what the technical controls are that are in place and then see the events and make judgement calls about what should and should not be happening and respond effectively.

 

WatchGuard EDPR (formerly Adaptive Defense 360) has service-as-a-feature built into the EDR, zero trust and classify, attested goodware, not malware.

The other service is threat hunting. Zero trust is when we only allow goodware to run. Threat hunting watches what happens when that goodware is weaponized.

IOA are also included in alarming and reporting. This puts the ITSP in a position to effectively provide the MDR service.

 

Service-as-a-feature is applied to the notion that you should get an "endpoint management" team by bringing together malware analysts and threat hunters into the product as "features" which when paired with competent MDR services by the ITSP are a stellar combination not found in other platforms. It's about avoiding a scenario where there are 120+ options to configure and validate that they are correct. With a platform that has service-as-a-feature paradigm, it allows the endpoints to leverage the collective intelligence of the global threat hunting team at WatchGuard combined with the purple team at the ITSP who has intimate knowledge of the client and what should and should not be happening on those endpoints.

 

The people doing the MDR MUST HAVE the knowledge and authorization to trigger host isolation without any other contacts in order to arrest the spread of problems in an attack. There cannot be delays. And the people doing that service must also have full authority to conduct a lockdown at the network layer.

 

 

EPDR also has extremely granular device control which is extremely useful.

 

WatchGuard Fireboxes already have excellent alerting and monitoring when configured properly and used in the proper ecosystem. QPC has used these monitoring and alerting features extensively in its in-house NOC/SOC operations for more than a decade.

 

WatchGuard is continuing to invest in the improvement of its WatchGuard Cloud platform bringing the whole XDR option to fruition for ITSPs that have lacked the capabilities that QPC has regarding deploying converged awareness of the endpoint and network layer with proper real time alerting and monitoring.