Highlighting the Role of Response in Network Detection & Response

Network Detection and Response is the latest trend in network-based cybersecurity. In case you missed it in our first podcast on NDR, we focused on how Network Detection and Response (NDR) solutions – powered by anomaly and behavioral machine learning models – improve the detection of suspicious or malicious network activity.

NDR provides holistic visibility of the cyber terrain, produces high confidence detections and automates response in a cyber relevant time. In the second part of this NDR series, our COO, Craig Harber, joins us to discuss the role of Response in NDR.

Highlighted in this podcast:

  • How automation is used within an NDR solution
  • Types of responses that should be provided by NDR solutions, including predictive, proactive and retrospective capabilities
  • Summary of NDR capabilities and why it is so important to an enterprise

CLAIRE: Welcome to the Fidelis Cybersecurity Threat Geek podcast, where we’re joined today by our COO, Craig Harber. Thanks for joining us today.

CRAIG: “Thank you”

CLAIRE: Last week’s podcast focused on how Network Detection & Response (NDR) solutions, powered by anomaly and behavioral machine learning models, improve the detection of suspicious or malicious network activity. One of the points you made during that session was that response is equally as important as detection. I thought that might be a good place to start.

CLAIRE: Craig, could you explain why this is so important?

CRAIG: “I believe early detection and response is the most effective strategy for defending enterprises against malicious actors. This is even more important today because cyber attackers continue to innovate and evolve their capabilities — increasingly with the help of adversarial machine learning.

Responses should be automated (when possible) to improve the efficiency and speed with which security teams are able to identify potential cyber incidents, investigate and validate the anomalous activity, and then ultimately respond to a cyber incident. This will reduce the dwell time of a cyber-attack, which continues to be measured in terms of months and days instead of hours or minutes.

I believe NDR is a core component of an enterprise solution ― it will provide holistic visibility of the cyber terrain, it produces high confidence detections, and it automates responses in cyber relevant time.”

CLAIRE: Craig, can you provide a deeper discussion of automation? Can you describe how automation is used within the NDR solution? Can you give some examples?

CRAIG: “Great questions…First, automation can be native to the NDR solution or it can be achieved using a Security Orchestration, Automation and Response (SOAR) product. Automation can drive the analytic process as well as any type of response action through the use of cyber playbooks.

Cyber playbooks can be used to automate the individual steps to efficiently investigate anomalies across an enterprise AND then to globally deploy any required changes. For example, an incident or event might trigger a set of rules to be updated; it might change the network configuration to block malicious activity; it might delete corrupted or malicious files; it might quarantine an endpoint, or it could send commands to a firewall to drop suspicious traffic. There is no limit on the possibilities.

Almost any actions taken by a security team in response to an event or incident can be automated to some degree including deploying threat hunting and incident response teams to further investigate an incident.”

CLAIRE: Interesting. I’d like to shift gears a little – I’ve heard there are different types of responses that should be provided by NDR solutions, and that those types are predictive, proactive and retrospective responses.

CRAIG: “Correct…NDR solutions should support a full spectrum of defensive capabilities in order to counter a constantly evolving and increasingly sophisticated cyber threat.

I believe traditional prevention capabilities must be augmented with predictive, proactive, and retrospective capabilities. AND to keep these capabilities updated to track with evolving and emerging threats, NDR solutions must provide an integration path for all applicable threat intelligence feeds.”

CLAIRE: Let’s walk through each of these individually, starting with predictive responses. What are predictive response capabilities, why are they important, and can you provide some examples?

CRAIG: “As discussed in our last podcast, machine learning coupled with threat intelligence plays a pivotal role in the discovery of sophisticated actors attempting to gain access to networks and systems. It is the key to being able to respond predictively, rather than reactively, to individual threats.

Predictive response capabilities allow the network cyber security posture to be changed dynamically in response to the changing threats. I believe NDR solutions should use machine learning to predict how to adjust its internal detection logic and its response actions by correlating the execution sequence of an attack ― what I mean by that is using the techniques and sub-techniques detailed in the MITRE ATT&CK framework to drive detections and responses to known threats.

When the response is automated, it provides the security team the tools to stay at least one step ahead of the attacker.”

CLAIRE: Can you discuss proactive capabilities now? What are they and how are these capabilities used by security teams?

CRAIG: “Absolutely…Perhaps one of the most important aspects of NDR solutions is the ability to understand and then manage the perception of your network’s attack surface from the perspective of the attacker. This does two things:

  • First, it allows the security team to perform a risk analysis of their network to assess security gaps in their environment and then to prioritize corrective action to change their posture before an attack occurs; and
  • Second, it allows the security team to go on the offensive by introducing breadcrumbs to lure the attacker to decoys, creating high-fidelity alerts. This creates risk, complexity, and cost for the attacker.

Remember the attacker spends 80 to 90 percent of their time in preparation for the attack. In order to defend the network, security teams must understand the network better than the attacker because you can’t defend your blind spots.”

CLAIRE: What about retrospective analysis? What is it and how can this be used to better secure our networks?

CRAIG: “Retrospective analysis provides security teams the ability to apply new insights or threat intelligence against historical “traffic” (think metadata stored about prior network traffic) to determine if the environment was compromised by a previously unknown threat – for example, a zero-day vulnerability. Ideally this analysis is automated and continuously running in the background against stored network metadata.

Security teams can then analyze the details of a security incident, including how the cyber defenses were breached, what resources were accessed, and what changes were made within the environment. This information is critical to formulating your incident response and determining what needs to be done to prevent future breaches.”

CLAIRE: Craig, this was a lot of information in a short period of time. Would you summarize how all of these capabilities come together in an NDR solution?

CRAIG: “Sure…let me start by saying Network Detection and Response provides cybersecurity professionals with a powerful set of capabilities to combat existing threats as well as new and evolving threats.

  • The first step as we discussed in last week’s podcast is the ability to detect cyberattacks with high confidence – without detection, criminals can attack your environment, steal information, and cause financial and political harm.
  • However, as we discussed today, robust response is equally important. The role of response is to provide efficiency to cyber operations.
  • It provides security teams the core capabilities to analyze the network risk posture and remedy security gaps prior to an attack; to change the perception of the attack surface causing the attacker to look for alternative targets; to dynamically change the defensive posture based on anticipated attacker behaviors; and to constantly assess new threat intelligence looking both forward and backwards in time.

In summary, NDR is a core component of an enterprise security solution ― it will provide holistic visibility of the cyber terrain, it produces high confidence detections, and it automates responses in cyber relevant time.

Detection solutions without the ability to respond just add noise to an already noisy environment. And I can’t emphasize this fact enough…operational efficiency is gained by NDR.”

CLAIRE: This has been very insightful, thank you for joining us today, Craig. We’re continuously posting new blogs, podcasts, and infographics on NDR and more cybersecurity news and product highlights at our site at fidelissecurity.com. If you’d like to have these posts sent straight to your inbox, please subscribe to our Threat Geek Blog at fidelissecurity.com/threatgeek. Thanks for listening!