Machine-Learning Capabilities within Network Detection & Response


Network Detection and Response (NDR) is the latest trend in network-based cybersecurity. It builds on years of research and software advances to bring together the basic elements of a security program, detection and response, which security teams have been doing for years. NDR is not only beneficial but necessary for gaining the cyber advantage, and security teams need to understand its role in detecting, hunting and responding to their most advanced threats.

Our COO, Craig Harber, and Data Science Manager, Abhishek Sharma, join us in this podcast to discuss how NDR begins with Detections, and the role of Machine-Learning within NDR.

Highlighted in this podcast:

  • How machine learning based on anomaly and behavioral detections improves NDR
  • What ML does for North/South and East/West traffic
  • The future of ML-based detections

Enjoyed this podcast? Our COO, Craig Harber, will re-join us in a follow-up episode to go in-depth on the Response aspect of NDR.


CLAIRE: Welcome to the Fidelis Cybersecurity Threat Geek podcast, where we’re joined today by our COO, Craig Harber, and our Data Science Manager, Abhishek Sharma. Welcome to you both.

CRAIG & ABHISHEK: “Thank you”

CLAIRE: Today we’ll be discussing the role of machine learning within the latest trend in network-based cybersecurity, which is Network Detection and Response, also known as NDR. NDR is the evolution of years of network solution development to define how an enterprise should consider defending itself from cyber-attacks, and it is the latest product of years of research and software advances to bring together the basic elements of security requirements: Detection and Response.

CLAIRE: Craig, before we discuss machine learning can you give us an overview of what NDR is?

CRAIG: Yes, Network Detection and Response (NDR) combines the ability to perform deep inspection of network traffic, detect malicious activity hiding within that network traffic, and automatically respond to the malicious activity in a way that keeps your network environment safe.

CLAIRE: Is the term NDR commonly used, are analysts talking about it?

CRAIG: Yes, absolutely. NDR is a newly defined Gartner security solution category that is rapidly becoming a must-have capability in modern security operations.

CLAIRE: What are the key capabilities of an NDR solution?

CRAIG: Based on Gartner’s definition of NDR, there are three key capabilities: the first is the ability to detect and prevent malicious network activity, the second is to investigate and perform forensics to determine root cause, and the third is to respond to and mitigate malicious activity.

NDR can also help protect against insider attacks, credential abuse, lateral movement, and data exfiltration. It gives security teams greater visibility enabling them to identify and stop suspicious network activity earlier in the attack lifecycle and minimize the potential impact of a cyber-attack. 

CLAIRE: That sounds great, do you have any insights into the ROI of investing in an NDR solution?

CRAIG: The potential ROI as a result of deploying NDR solutions is significant given the average cost of a data breach in the US is $8M. According to the Ponemon Institute, early detection, which they equate to less than 100 days, could save companies nearly $1M.

CLAIRE: If earlier detection is key, can you tell me more about Detections, what are they and what is the role of Machine Learning?

CRAIG: NDR begins with detections. The network must be instrumented with sensors to collect relevant data at critical points throughout the network. Detection uses network data to provide visibility ― this includes visibility of traffic entering and exiting your enterprise via the Internet (so-called “North/South” traffic) and visibility into internal traffic within your enterprise (so-called “East/West” traffic).

Another key aspect of detection is the breadth of visibility ― the supported ports and protocols and the layers of the communication stack that are visible to your network sensors. A variety of techniques can be applied to detect cyber threats and risks. These techniques include signature analysis, anomaly and behavioral analysis, manual threat hunting by a security analyst, as well as machine learning.

An important benefit of machine learning is its ability to maximize the capabilities of overwhelmed security teams. Machine learning includes both anomaly and behavioral detections. It improves the detection of threats and provides better information to security operations center teams, enabling them to focus their attention where it is needed most.

CLAIRE: Can you expand upon the role of machine-learning within NDR?

CRAIG: “Machine learning coupled with threat intelligence plays a pivotal role in the discovery of sophisticated threat actors attempting to gain access to networks and systems. It is the key to being able to respond predictively, rather than reactively, to individual threats. It allows the enterprise cyber security posture to be changed dynamically in response to the changing threats.

Threat intelligence provides critical cyber security situational awareness used to inform decision making to drive enterprise cyber security operations. This might be a good point for Abhishek to elaborate on the role of anomaly and behavioral machine-learning detections within the Fidelis Elevate platform.”

CLAIRE: Can you discuss how machine-learning based on anomaly and behavioral detections improves NDR?

ABHISHEK: “Machine Learning in NDR enables signatureless detections. Both anomaly and behavioral detections are forms of signatureless detections that detect suspicious network activity by learning baseline models to capture the normal behavior in an enterprise network. Typically, this involves a collection of machine learning models that capture different aspects of network behavior. For example, we can have models to analyze external or north-south traffic, internal or east-west traffic, use of different application protocols, movement of file objects, user accounts used to access remote services, etc. These models aim to detect threats like insider attacks, credential abuse, lateral movement, and data collection and exfiltration.”

CLAIRE: You mentioned north and south traffic. What does machine learning do for this type of traffic, what specific models are used?

ABHISHEK: “If you think in terms of the kill-chain or the MITRE ATT&CK framework, then north and south traffic can be used to detect threats related to either an adversary trying to get into your network (the MITRE ATT&CK framework groups these as Initial Access tactics) or an adversary trying to communicate to an external system after compromising assets, e.g. Command & Control and Data Exfiltration. For example, to detect Data Exfiltration, you can look for internal assets sending a large amount of data over a period of time to an external server, especially using application protocols that are rare or unusual for an enterprise. Another example is trying to detect rare TLS client tools communicating with rare domains, because that is often an indication of Command and Control activity.”

CLAIRE: You mentioned east and west traffic. What does machine learning do for this type of traffic, what specific models are used?

ABHISHEK: “East and west traffic refers to traffic that does not leave an enterprise’s network. The threat activity hiding within this traffic relates to an adversary trying to discover what is on a network by performing network scans, lateral movement where an adversary tries to hack and control remote systems, and Data Collection prior to exfiltrating it out. For these, we build anomaly models that capture the normal behavior of assets, e.g. how often does a group of assets with the same role, say workstations, access the different internal servers, or which user accounts are used to authenticate such accesses. Flagging new or rare activities with respect to baseline behavior is a good way to detect these threats. Of course, we often have to apply some post-processing to eliminate false positives.”

CLAIRE: Where do you see the role of machine learning based detections expanding in the future?

ABHISHEK: “Machine Learning in NDR will expand along 3 dimensions. The first dimension is high-confidence detections that are actionable, especially when combined with other aspects of visibility, e.g. asset and terrain information, and risk analysis. The second dimension is as pivots for cyber threat hunting. Analysts and Incident Responders can use the indicators in an anomaly, e.g. URLs, TLS tools, Domain Names, etc., to dive deeper into network metadata. Parts of these investigations can be automated. The third dimension is seeding Machine Learning models with knowledge of tactics and techniques used by threat actors. E.g., do we find any anomalies in web traffic using URLs with base64 encoding?”

CLAIRE: Craig, I know our focus today is detection, but could you briefly tell our audience why response is equally important to the role of security?

CRAIG: “Absolutely…and if I can, let me take a moment to mention that next Thursday (July 28th) we will do an entire podcast on response, which is equally important as detections. In my opinion, detection solutions without the ability to respond just add noise to an environment that is already too noisy. There is also a temporal element of response; it needs to happen within cyber-relevant time. For example, the United States Air Force recently sought a solution that could respond to threats in under 20 minutes to combat the ever-increasing number and sophistication of threat actors.

As most of you probably know, modern malware uses a combination of attack techniques to hide its operation, stage its exploits, evade detection, and leverage network weaknesses. The underlying techniques used by attackers to perform these functions are captured within the MITRE ATT&CK framework. I believe NDR solutions can and should use this framework to focus both their detection capabilities and response actions as documented within the MITRE Navigator tool.

Networks must be fully instrumented to cover all attacker techniques. This requires a comprehensive set of capabilities needed to continuously protect, detect, and respond to all threats in cyber-relevant time. Solutions must increase the discovery, identification, situational awareness, and rapid response capabilities to reduce cyber dwell time, providing the adversary the least amount of opportunity to achieve lateral movement and remove critical data from your enterprise.

One final thought, it is not only defensive security teams that are leveraging artificial intelligence and machine-learning technologies. Attackers will be much faster to react when they encounter resistance, or when security teams fix weaknesses that had previously allowed entry by unauthorized users. Attackers may be able to exploit another vulnerability or start scanning for new ways into the system without waiting for human instructions. This will likely mean that defenders without like capabilities will find themselves unable to keep up with the speed of incoming attacks.”

CLAIRE: This has been very insightful, thank you both so much for joining us today. As Craig mentioned, we’ll be hosting another podcast next Tuesday, July 28th, so tune in then to hear more about the Response aspect of NDR.

Otherwise, if you’d like to know more about our cybersecurity solutions, please visit fidelissecurity.com. Thanks for listening!