30%

of network observations lead to ticketed incidents

benefits

• Allows you to detect activity in transit
• Enables network containment if threat is present
• Doesn’t require an agent to be deployed

concerns

• Lacks endpoint context so you’re unable to see what you have on that asset
• Relies on threat intelligence of known malicious IP addresses
• Requires scheduling and planning out elements to navigate bandwidth concerns

sources

• Network Traffic Analysis
• Managed IDS

20%

of identity observations lead to ticketed incidents

benefits

• In-depth knowledge of logins and to where they’re authenticating
• Greater centralized control over user access
• Multi-factor authentication promotes proactive security and empowers employees

concerns

• Lack of visibility into what a user does after being authenticated
• A steeper learning curve can result in greater false positives and false negatives
• Privilege management is a constant task

sources

• Duo Security
• Okta
• Azure AD
• Windows AD

15%

of endpoint observations lead to ticketed incidents

benefits

• Provides comprehensive insight into each endpoint
• Real-time visibility into activity
• Allows you to contain and isolate a threat if needed

concerns

• Requires an agent to be deployed
• Vast definition of what is classified as "endpoint"
• Some attack techniques can intentionally bypass endpoints

sources

• Arctic Wolf
• SentinelOne
• Crowdstrike
• SentinelOne
• Microsoft Defender

15%

of SaaS observations lead to ticketed incidents

benefits

• Provides insights and visibility into SaaS applications
• SaaS providers deliver new releases and updates, reducing cost and effort of upgrades

concerns

• SaaS applications can generate high volumes of alerts, causing alert fatigue
• Automatic or continuous updates may impact established configurations with little to no warning

sources

• Google Workspace
• Box
• Office365
• Salesforce
• Mimecast
• Zscaler

10%

of IaaS observations lead to ticketed incidents

benefits

• Shared responsibility model with cloud providers may reduce your workload
• Allows for threat detection before a perimeter breach

concerns

• Shared responsibility models can be complex, potentially leading to gaps in coverage and misconfigurations
• Some of the change controls rest with the third-party provider, rather than the user

sources

• Google Cloud
• Azure
• Amazon Web Services

5%

of firewall observations lead to ticketed incidents

benefits

• Provides full visibility into what’s entering and exiting your internal network
• Active monitoring of traffic and alerts on malicious activity

concerns

• Can be complex to operationalize and highly noisy
• Requires constant tuning
• Assumes trust of everything inside perimeter
• Attackers know to expect a firewall and can plan to defeat it

sources

• Fortinet
• Palo Alto Networks
• FireEye
• Sonicwall
• Cisco ASA
  Cisco FP
  Cisco Firepower

5%

of risk observations lead to ticketed incidents

benefits

• Helps ensure proper vulnerability remediation
• Proactively reduces breach risk by closing gaps before they can be exploited

concerns

• Requires correlations with other sources of telemetry for maximum effectiveness
• As an auxiliary telemetry source, many organizations don’t have it and don’t prioritize it

sources

• External Risks
• Internal Risks
• Host Account Takeover