Networks Don’t Lie!- Understanding NDR in cybersecurity strategy

There is a lot of perplexity around the role of network detection and response (NDR) in a network security strategy. Organizations often wonder if they need an NDR solution when they already have a SIEM and EDR tool in place. Why can’t they just use legacy IDS/IPS for network security?

Let’s take a step back to answer these questions.

We often come across headlines where a threat actor lurked inside an organization’s network for months, evading detection while exfiltrating enormous amounts of data. Many of these breaches are avoidable when security engineers have access to solutions that detect and respond to network-borne threats. But, SIEM & EDR don’t offer the required network visibility to detect this kind of advanced persistent threats or APTs. The legacy signature-based security tools are also ineffective in countering network borne “zero-day” threats that carry no discernable digital signatures. Besides they don’t present much in response capabilities. That’s where network detection and response chimes in. It is a new class of security solutions that both augment and transcend the capabilities of SIEM and EDR products.

Gartner SOC Visibility Triad

Threat history is usually found in the network, endpoint, and logs. All of them should be used to build a comprehensive Security Operations Center (SOC) Visibility Triad that provides a proactive approach to lessen the risk of a threat actor lingering undetected in the network for months.

NDR solutions are the cornerstones of the triad, delivering unabridged visibility across the entire network. In this scheme, NDR & EDR solutions provide visibility into network and endpoint data respectively while SIEM tools aggregate log data. EDR provides details of the processes running on a host and interactions among them while NDR describes interactions between all devices on the network.

NDR provides perspective where others cannot. NDR solutions passively absorb Layer 2 to Layer 7 network data, analyze them, and monitor all of the north-south and east-west traffic. This class of solutions usually adopts advanced behavioral analytics combined with cloud-scale ML techniques to promptly detect, investigate, and respond to threats that would otherwise remain veiled.

For example, BIOS-level malware can dodge EDR and its activity may not be captured in logs. But, NDR tools will pick them up as soon as it starts interacting with another system in the network.

NDR products eventually made “Gartner’s SOC Visibility Triad” an attainable reality for hybrid environments with real-time visibility into east-west cloud traffic.

A Definition of Network Detection and Response

Network detection and response (NDR) is a new breed of security solution for obtaining complete visibility to both known and unknown threats that traverse through your network. NDR provides centralized, machine-based analysis of network traffic, and response solutions, together with streamlined workflows and automation.

Network Detection and Response vs. Network Traffic Analytics

NTA is the process of collecting and analyzing network traffic. Gartner had defined Network Traffic Analysis (NTA) as an emerging category of security products using network traffic as the predominant data source. Note the absence of “response” in that definition. But network-based solutions should not only detect threats but allow for reliable and fast responses.

NDR is an endeavor to make way for the wider, full-spectrum possibilities of NTA. NDR products employ NTA but include historical metadata for more effective investigations and threat hunting. NDR solutions also allow automated threat response through intelligent integrations with firewalls NAC, EDR, SOAR platforms, or any other enforcement point.

How Network Detection and Response Works

NDR presents an integrated set of detection, investigation, and response capabilities.

Detection: NDR solutions collect network traffic data and rapidly uncover threats with the help of machine-based analytics such as deep packet inspection and AI/ML techniques.

Investigation: NDR provides real-time network insights and analytics to add context that puts the most relevant information at your fingertips. An NDR solution provides a trail of forensic evidence about threat behaviors throughout the entire attack lifecycle revealing the complete scope and scale of an attack. This eliminates the endless hunt and searches for threats and provides irrefutable network-based evidence for threat analysis, policy enforcement, audit support, and legal action.

Response: NDR solutions provide the most relevant information at the security team’s disposal to respond quickly and decisively when a threat is detected. Moreover, NDR solutions can automate security workflows with SOAR capabilities. Many routine actions can be automated, allowing you to focus on more pressing matters.

Do you need an NDR solution?

Security teams seeking visibility across on-prem, remote, and cloud environments within a single solution should consider NDR.

NDR is also an ideal solution in an environment where installing agents for endpoint-based detection is not feasible. For instance, organizations with SCADA systems can use NDR to monitor and inspect traffic flow between devices and alert on protocols that are hardly ever seen.

Technology evangelist |Building next-generation cloud network security products