Network Detection and Response (NDR) is an exploding field of cybersecurity, providing network-wide monitoring and advanced detection of potential malicious threat actors and suspicious activity, that other tools may miss. An NDR solution continuously scans all entities of network traffic while creating a baseline of normal network activity, creating an incredibly difficult environment for attackers to hide within.
NDR stands out in the market due to its advanced suite of technologies used for detecting suspicious and malicious traffic, such as deep learning, AI, heuristic analysis, and machine learning.
Gartner created the NDR category in 2020, changing the name from its previous, “Network Traffic Analysis” due to the ever-increasing size and scope of data expansion across the cloud. The larger the networks, the longer threat actors can remain hidden without triggering alerts. NDR can detect and contextualize these problems via analytical techniques such as machine learning for threat detection, from the collection of telemetry data. NDR solutions create a resilient shield against zero-day attacks while utilizing sophisticated software to spot and anticipate potential threats before they surface, by analyzing all traffic flows at once.
The Beginning
Network traffic has been monitored for quite some time, but as the sheer amount of data dramatically increased, many organizations could not quite reel in the same insight they once relied on, leading to a new set of issues.
As technology evolved and systems began to manage the seemingly never-ending waterfall of data, Network Traffic Analysis (NTA) was utilized to provide analysis and behavioral tracking of network traffic for computer security. While NTA is still in-use within Security Operations Centers (SOCs), the market has evolved to open up to more advanced necessities and capabilities, such as those that NDR provides.
Advanced behavioral analytics, machine learning, and AI all form the primary backbone of NDR solutions enabling improved detection abilities, accurately determining threat risk levels, and automating manual tasks routinely performed by analysts, allowing them to focus on triage and rapid response maneuvers. Machine learning gives way to sophisticated detection of “known unknown” cyber threats and new zero-day threats “unknown unknown”
known-unknown: dangers that the company is aware of but whose extent and impact are unknown.
unknown-unknown: threats that the business is not even aware it is unaware of.
Why do I need Network Detection and Response?
Security Information & Event Management (SIEM) and Endpoint Detection and Response (EDR) are crucial tools, but not the end-all-be-all to protecting your organization. NDR fills the gaps to augment and help provide a fully comprehensive security monitoring platform, especially with IoT and cloud computing enticing threat actors to make their move now more than ever.
More traditional detection-focused solutions are using signature-based detection methodologies, which work to identify a threat while a security analyst is alerted. Next, incident response is performed, but only after the attack is successful, which could leave your network compromised by quick-moving, seasoned threat actors. These solutions alone, place your organization at major risk, relying on reactive measures rather than proactive approaches. NDR uses machine learning and automated response to accurately predict and remediate incoming intrusions before an attack has been fully launched, potentially saving your data.
According to ExtraHop, “What's more, while attackers may be able to fool firewalls and traditional IDS by masquerading as legitimate users and services and avoiding signature-based detection, they can't escape NDR. That's because it's almost impossible for them to avoid certain key activities on the network, which NDR can detect. It enhances rules-based detection with machine learning technology to model the behaviors of entities on the network and contextually identify anything that resembles known attack techniques. That means even legitimate-seeming processes may be flagged if their appearance seems unusual.”
Proactive Approach
Cybercriminals have more advanced tools at their disposal than ever before, even accessing nation-state-level tools.
“Tools developed by nation-states have made their way onto the black market many times. An infamous example is the Eternal Blue exploit, which was used by the WannaCry hackers,” comments Ian Pratt, Global Head of Security, Personal Systems, HP Inc. “Now, the return on investment is strong enough to enable cybercriminal gangs to increase their level of sophistication so that they can start mimicking some of the techniques deployed by nation-states too.
NDR provides a safety net against highly pervasive and sophisticated threat actors, providing a deeper level of security than EDR & SIEM together.
Logs and Endpoint Security Aren’t Enough
SIEMs and other endpoint tools are showing glaring weaknesses in detecting threats that are not simply malware-oriented, leaving lateral movements, such as stolen credentials, potentially undetected.
Furthermore, SIEM reporting can be unbelievably frustrating and complex, leaving only trained SIEM specialists with the ability to accurately determine actionable insights. Non-tech-savvy members of your organization would have immense trouble understanding reports which make for confusing strategies and communication gaps.
According to a NetWrix national survey, 63 percent of survey respondents said that they had difficulty understanding the reports output by their SIEM and a further 53 percent reported that they had to manually tweak their SIEM reporting so that non-tech stakeholders could understand.
IoT Needs Sophisticated Protection
IoT devices do not possess the computing ability or just are too small, like your Nest Thermostat, to run security protocols. Cyberattacks on these devices could lead to critical losses because of immediate physical concerns, such as the loss of front-door lock access or home-security take-over. Many of these devices are used in healthcare for patient vital monitoring and other high-risk situations. IoT devices are generally used throughout a large, interconnected network, with many also being portable, leading to the potential exposure of multiple networks.
Many users possess 10 or more interconnected IoT devices, challenging analysts and professionals in managing the complex web of connected features and configurations. NDR empowers organizations to manage these devices by overseeing their network activity, rather than focusing on each individual device’s software.
Context Matters
NDR solutions provide context-rich insights into your network, painting a full picture of all activity, including important questions:
NDR forms a powerful team when used in conjunction with a SIEM to provide rich context and validation to detections made within each tool.
Final Thoughts
NDR can be a lighthouse to organizations struggling to maintain a coherent, complete picture of their cyber environment, due to its state-of-the-art ability to detect incoming threats and anomalies that other tools inevitably miss. From behavioral analytics and machine learning to threat response automation, with the addition of NDR, your organization is better protected from evolving threats.