Today's IT infrastructure is becoming increasingly complex, consisting of hybrid environments (both cloud and on-premises), IoT devices, and integrations with many third-party providers. It sometimes includes legacy systems that no longer receive security patches and updates. Providing complete protection across such complex environments is an incredibly challenging task.
This complexity makes it practically infeasible to close all attack vectors. It is only a matter of time before attackers find a way into corporate networks. This raises the need for technologies that enable companies to react efficiently once a network compromise has succeeded.
Network Detection and Response (NDR) is a modern security solution for countering advanced cyberattacks, such as APTs, ransomware, and lateral movement, that traditional security solutions cannot stop. NDR analyses all network traffic in real time and uses a variety of advanced technologies, such as machine learning, to detect unknown malware and any abnormal activity that indicates a cyberattack. NDR creates a baseline of regular network traffic and compares it with the current traffic; when it suspects malicious activity, NDR instantly informs the security team and provides additional information to mitigate the attack.
There are different NDR solutions on the market; however, they are not all created equal. The following section discusses the primary features we advise considering when evaluating an NDR solution.
According to numerous customer conversations, these are the main features determining a superior NDR solution:
1. Visibility: Provide complete visibility of all network data sources and flows; this includes monitoring all connection points, on-premise and in the cloud.
2. User Interface: Display alerts in an intuitive user interface to simplify the process of investigating and tracking all security events.
3. Data Encryption: Intercepting encrypted traffic for deep packet inspection poses a security risk. Therefore, the NDR needs to analyse encrypted traffic without intercepting it. Analysing the metadata recorded by network devices and systems is the way to go.
4. Increasing Bandwidth: Given ever-increasing network traffic, collecting and analysing all network data for a holistic overview of all activities becomes ever more challenging. Traffic mirroring often becomes technically infeasible or highly expensive. Therefore, the analysis should be based on network metadata, which is easy to collect.
5. Data Handling: Choose an NDR solution that does not send sensitive data outside of your network for analysis. Regulations such as GDPR impose restrictions on sharing confidential data with external parties, which in this case includes your NDR provider.
6. Data Storage: Support lightweight storage of historical network data for later inspection. This effectively aids the SOC team when conducting digital forensics investigations to identify the source of a cyberattack or policy violation.
7. Integration Capabilities: Integration with other security solutions, such as SOAR and SIEM. In addition, the NDR solution should be able to integrate with cyber threat intelligence feeds from various sources (both public and private) to better detect emerging cyberattacks and zero-day vulnerabilities.
8. Deployment: Choose an NDR solution that is easy to deploy, doesn't need additional hardware and has a short learning curve. Also, consider whether your chosen solution can monitor cloud environments, as most enterprises utilise hybrid IT environments.
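The baseline-versus-current comparison described earlier, applied to the kind of flow metadata points 3 and 4 argue for (source, destination, port and byte counts, no payload), as an added illustration that is not Exeon's code or any product's algorithm. The NetFlow-style records are constructed; windows 0 to 6 serve as the learning baseline and window 7 is the traffic under review, with a simple per-host z-score as the deviation measure.

```python
"""Baseline-vs-current comparison over flow metadata (no payload needed)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (window, src, dst, dst_port, bytes_out).
# Windows 0-6 form the learning baseline; window 7 is the traffic under review.
BASELINE = [
    (w, "10.0.0.5", f"10.0.1.{d}", 443, 40_000 + 500 * (w % 3))
    for w in range(7) for d in (10, 11)
]
CURRENT = [
    (7, "10.0.0.5", f"203.0.113.{d}", 443, 900_000) for d in range(20, 26)
]

def per_host_stats(flows):
    """Aggregate bytes out and distinct destinations per (window, src)."""
    out = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for window, src, dst, _port, nbytes in flows:
        out[(window, src)]["bytes"] += nbytes
        out[(window, src)]["dsts"].add(dst)
    return out

def build_baseline(flows):
    """Per-host mean/stddev of bytes and destination count across windows."""
    by_host = defaultdict(lambda: {"bytes": [], "dsts": []})
    for (_w, src), st in per_host_stats(flows).items():
        by_host[src]["bytes"].append(st["bytes"])
        by_host[src]["dsts"].append(len(st["dsts"]))
    return {src: {m: (mean(v), pstdev(v)) for m, v in metrics.items()}
            for src, metrics in by_host.items()}

def zscore(value, mu, sigma):
    """Standard score; a zero-variance metric is infinitely off once it moves."""
    if sigma > 0:
        return (value - mu) / sigma
    return 0.0 if value == mu else float("inf")

def detect(baseline, flows, threshold=3.0):
    """Return (host, window, reason) alerts for deviations from the baseline."""
    alerts = []
    for (window, src), st in per_host_stats(flows).items():
        if src not in baseline:
            alerts.append((src, window, "no baseline for host"))
            continue
        observed = {"bytes": st["bytes"], "dsts": len(st["dsts"])}
        for metric, (mu, sigma) in baseline[src].items():
            z = zscore(observed[metric], mu, sigma)
            if z > threshold:
                alerts.append((src, window, f"{metric} z={z:.1f}"))
    return alerts
```

Running `detect(build_baseline(BASELINE), CURRENT)` flags host 10.0.0.5 twice in window 7: outbound bytes far above its baseline and six previously unseen destinations instead of the usual two, which is the sort of evidence an analyst would then enrich with stored history (point 6) and threat intelligence (point 7).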
An NDR solution allows an enterprise to strengthen its security defence against advanced cyberthreats and other non-malware attacks. As more enterprises opt to leverage cloud technologies and IoT devices in their IT environment, having an NDR solution is a must for any company that wants to become cyber resilient in today's information age.
The author: Gregor Erismann, CCO of Exeon