We often speak to our MDR clients about “visibility”, so I thought I would write a blog post to illustrate why it is so important and what we are doing to measure it better. This morning I also read Anton Chuvakin’s post about visibility, which inspired me further.
From the outset of Nview, we knew we had to take visibility into consideration when measuring the effectiveness of our MDR solution within a client’s environment. Visibility not only allows us to detect better, but also helps our Response Engineers investigate effectively and efficiently. So we know it’s important, but how does one measure it consistently? One could follow Anton’s approach and break visibility into three silos, namely Logs, Network and Endpoint, but as Anton himself points out, there is overlap in some cases, and we would still need to apply metrics to each silo, which could get challenging.
Another approach is to look specifically at data sources and give each one a “score” based on how useful it is from a detection and investigative perspective. Florian Roth has a view on valuable log sources:
This seems simpler but is too technology specific. For example, we may say AV logs are important, and if you don’t have them your visibility “score” decreases. The problem is that we know there are other factors: the quality of the logs, how broadly they represent the environment, how many detectors exist for them and how valuable they are for investigative purposes.
So we have decided to use a hybrid approach, taking into consideration the technology but also the broader “silo”. But what do we hope to achieve with this “visibility score”? We want our clients to know how happy we are with the visibility of their environment and also how it compares to other clients (anonymously, of course). This allows clients to set targets and even make smart technology investment decisions. For example, we will provide insight into what is bringing your visibility score down, so you can decide that perhaps the NDR budget is better spent on EDR. We are busy planning this now and hope to have the visibility score ready for clients in the next couple of months.