Network Detection and Response (NDR) is the latest trend in network-based cybersecurity. NDR follows years of product category discussions and three-letter acronyms meant to define how an enterprise should defend itself against cyber threats. Over the years, network security has been defined by IPS, IDS, DLP, ATD, ADR, SA, NAV, NTA, and several more.
Fidelis has participated in magic quadrants, waves, market studies, and terminology changes since our first network cybersecurity solutions in the mid-2000s. NDR is the culmination of years of research and acronym changes, arriving at the point we have been discussing for years: detection and response.
What is NDR?
Network Detection and Response is similar to more recent trends in network cybersecurity, including Network Traffic Analysis (NTA) and Network Analysis and Visibility (NAV). While all three terms emphasize detection, NDR elevates the role of response on the network. This is a fundamentally different message, and cybersecurity professionals need to understand the difference.
Detection uses network data to provide visibility. Based on visibility, a variety of techniques can be applied to detect cyber threats and risks. These techniques include signature analysis, malware detection, sandboxing, indicators analysis, email security, web security, machine learning and AI, deception, and asset risk analysis. Detection via traffic analysis or visibility remains the keystone of NDR.
NDR holds that response is as important as detection to the role of security. Detection quality sits on a sliding scale between false positive and false negative results. Too many detections inundate the security team with alerts and information and create the sense that most detections are false positives. Too few detections lead to a false sense of security in which no news is good news, masking information that is vital to truly securing the enterprise.
Response is the combination of automated and manual methods used to analyze detections and determine what happens next.
Response within Network Traffic
How quickly you respond to a detection is extremely important. If your team is spending its time triaging false positive detections and poorly configured systems, it cannot respond effectively. Network response takes several forms:
- Prevention: In the network, prevention includes packet or session dropping, TCP resets, email quarantine, and web blocking or redirection. An NDR solution should offer prevention capabilities in-line or out-of-band.
- Incident Analysis: Network detections can generate many alerts and anomalies. Combining similar alerts with the help of an attack framework (MITRE ATT&CK) can dramatically increase the efficiency of the NDR solution. By focusing on incidents rather than a list of alerts, the analyst can quickly see the big picture and remediate problems.
- Efficient Analyst Tools: The terms NTA and NAV emphasize the ability to detect threats within network traffic. However, many of these detections are just noise. Anomalies, probabilities, and unknown data can point to malicious outcomes, but they also flag legitimate user behavior. Distinguishing the malicious outcomes requires aggressive response capabilities: efficient tools that present all the necessary data. Log analysis should be handled by the tools, not by the analyst.
- Automated Investigation: Often, information is required from additional systems where the network data is insufficient. Playbooks that can run investigations with endpoint products are an essential element of response. The NDR system should be able to run playbooks to gain the necessary information to be combined with the network incident analysis and analyst tools. Playbooks can be part of the NDR tool suite or integrated by SOAR technology.
- Retrospective Analysis: New information becomes available constantly through new detections, not only in your enterprise but also from data published by industry and internal experts that may pertain to your vertical industry, your geography, and your enterprise. The ability to connect the dots between current events and past behavior is an important aspect of NDR. An NDR solution should be able to see 30 to 90 days of information with fast search and automated analysis capabilities. In some environments, as much as a year of data may be desired. Minimal storage of 7 days or less is not enough.
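The two response forms above that lend themselves most directly to code are incident analysis (folding a stream of alerts into per-host incidents tagged with ATT&CK techniques) and retrospective analysis (re-searching retained flow metadata when a new indicator arrives, and linking hits back to open incidents). The following is an added example written for this article; it is not Fidelis code and does not represent any product's data model. All alerts, flows, addresses and the "cdn-update.invalid" indicator are constructed; the one-hour grouping window, the five-minute linking slack and the fixed "current time" are assumptions of the example. It also shows concretely why a short retention window matters: the same indicator search returns fewer matches at 7 days than at 90.

```python
"""Added example (not Fidelis code): grouping alerts into incidents and running a
retrospective IoC search over retained flow metadata. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts. Technique ids are MITRE ATT&CK ids (T1071.001 Web Protocols,
# T1041 Exfiltration Over C2 Channel, T1046 Network Service Discovery); hosts are illustrative.
ALERTS = [
    {"ts": "2024-03-20T10:00:00", "host": "10.0.0.5", "technique": "T1071.001", "tactic": "command-and-control"},
    {"ts": "2024-03-20T10:04:00", "host": "10.0.0.5", "technique": "T1041", "tactic": "exfiltration"},
    {"ts": "2024-03-20T10:06:00", "host": "10.0.0.5", "technique": "T1071.001", "tactic": "command-and-control"},
    {"ts": "2024-03-20T15:00:00", "host": "10.0.0.9", "technique": "T1046", "tactic": "discovery"},
    {"ts": "2024-03-21T09:00:00", "host": "10.0.0.5", "technique": "T1046", "tactic": "discovery"},
]

# Constructed flow metadata as an NDR sensor might retain it (timestamp, source, destination name).
# The ".invalid" names are placeholders, not real indicators.
FLOWS = [
    {"ts": "2024-01-15T08:00:00", "src": "10.0.0.5", "dst_name": "cdn-update.invalid"},  # ~65 days old
    {"ts": "2024-03-20T10:00:00", "src": "10.0.0.5", "dst_name": "cdn-update.invalid"},
    {"ts": "2024-03-20T10:02:00", "src": "10.0.0.7", "dst_name": "intranet.invalid"},
    {"ts": "2024-03-20T15:01:00", "src": "10.0.0.9", "dst_name": "cdn-update.invalid"},
]

NOW = datetime(2024, 3, 21, 12, 0, 0)  # fixed "current time" so the example is deterministic


def _t(s):
    return datetime.fromisoformat(s)


def build_incidents(alerts, window=timedelta(hours=1)):
    """Fold alerts into per-host incidents: an alert joins the host's open incident
    if it arrives within `window` of that incident's last alert, otherwise it opens
    a new one. Each incident carries the set of ATT&CK techniques and tactics seen,
    which lets an analyst read it as one story instead of a list of alerts."""
    incidents = []
    open_by_host = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        ts = _t(a["ts"])
        inc = open_by_host.get(a["host"])
        if inc is None or ts - inc["end"] > window:
            inc = {"host": a["host"], "start": ts, "end": ts, "alerts": 0,
                   "techniques": set(), "tactics": set()}
            incidents.append(inc)
            open_by_host[a["host"]] = inc
        inc["end"] = ts
        inc["alerts"] += 1
        inc["techniques"].add(a["technique"])
        inc["tactics"].add(a["tactic"])
    return incidents


def retrospective_search(flows, iocs, retention_days, now=NOW):
    """Return retained flows (within retention_days of now) whose destination matches
    a newly learned indicator. Flows older than the retention window are simply
    invisible, which is why a 7-day store misses long-running activity."""
    cutoff = now - timedelta(days=retention_days)
    return [f for f in flows if _t(f["ts"]) >= cutoff and f["dst_name"] in iocs]


def link_matches_to_incidents(matches, incidents, slack=timedelta(minutes=5)):
    """Attach retrospective matches to existing incidents on the same host whose
    time span (plus slack) covers the flow. Unlinked matches are new leads."""
    linked = defaultdict(list)
    for m in matches:
        ts = _t(m["ts"])
        for i, inc in enumerate(incidents):
            if inc["host"] == m["src"] and inc["start"] - slack <= ts <= inc["end"] + slack:
                linked[i].append(m)
    return dict(linked)


if __name__ == "__main__":
    incs = build_incidents(ALERTS)
    for inc in incs:
        print(inc["host"], inc["start"], inc["alerts"], sorted(inc["techniques"]))
    ioc = {"cdn-update.invalid"}
    print("7-day retention:", len(retrospective_search(FLOWS, ioc, 7)), "matches")
    print("90-day retention:", len(retrospective_search(FLOWS, ioc, 90)), "matches")
    print("linked incidents:", sorted(link_matches_to_incidents(retrospective_search(FLOWS, ioc, 90), incs)))
```

With the constructed data, five alerts collapse into three incidents (the first spanning command-and-control and exfiltration techniques on one host), the indicator search finds two flows under 7-day retention and three under 90-day retention, and two of the hits attach to existing incidents while the 65-day-old beacon becomes a new lead that a 7-day store would never have surfaced.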
Using NDR to Proactively Improve Security Posture
Perhaps the most important aspect of NDR is to determine security gaps in your environment and to correct your posture before an attack occurs. These capabilities include:
- Decryption: To gain visibility into network traffic, decryption is highly advised. Most importantly, a decryption technology that is tightly integrated with the NDR product is required to fully realize the detection and response capabilities of the system.
- Cyber Terrain: NDR solutions can analyze network traffic to identify and classify assets and communication paths within the environment. Cybersecurity defense must start with an accurate understanding of the environment.
- Risk: The combination of terrain and current events leads to a risk analysis. Risk includes alerts, incidents, vulnerabilities, and available mitigation paths in the environment.
- Risk simulation: Building on asset risk, simulations can be applied. Red and blue team analysis can reveal security gaps to address in your environment. The information derived from the simulation can help to improve your security posture to eliminate gaps before an adversary can exploit them.
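The cyber terrain and risk items above describe deriving an asset and communication-path map from observed traffic and then combining it with current events to find gaps. The following added example (written for this article, not Fidelis code) shows one minimal way to do that: it classifies hosts by the services they are seen serving, records the distinct communication paths, checks those paths against an assumed segmentation policy, and ranks hosts by a simple risk score that mixes asset criticality with current alerts. The flow records, addresses, alert counts, port-to-role mapping, role weights and policy are all constructed assumptions.

```python
"""Added example (not Fidelis code): deriving a cyber-terrain map from flow metadata,
checking communication paths against a policy, and ranking asset risk. Data is constructed."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes). Addresses are illustrative.
FLOWS = [
    ("10.0.1.20", "10.0.0.10", 445, 20480),
    ("10.0.1.21", "10.0.0.10", 445, 4096),
    ("10.0.1.20", "10.0.0.11", 443, 1024),
    ("10.0.1.22", "10.0.0.11", 443, 2048),
    ("10.0.0.11", "10.0.0.12", 5432, 8192),
    ("10.0.1.20", "10.0.0.12", 5432, 512),  # a workstation reaching the database directly
]

# Assumed mapping from served port to asset role, and an assumed per-role criticality weight.
ROLE_BY_PORT = {445: "file-server", 443: "web-server", 5432: "database", 22: "ssh-host"}
ROLE_WEIGHT = {"database": 5, "file-server": 4, "web-server": 3, "ssh-host": 2, "client": 1}

# Assumed segmentation policy: which source roles may open connections to a destination role.
POLICY = {"database": {"web-server"}}

# Constructed current-event input: number of open alerts per host.
ALERTS = {"10.0.1.20": 2}


def classify_assets(flows):
    """Terrain: every host seen in traffic, labelled by the services it serves.
    Hosts that only originate connections are labelled 'client'."""
    roles = defaultdict(set)
    for src, dst, dport, _ in flows:
        roles[src]  # touch the key so pure clients are present in the map
        if dport in ROLE_BY_PORT:
            roles[dst].add(ROLE_BY_PORT[dport])
    for r in roles.values():
        if not r:
            r.add("client")
    return dict(roles)


def communication_paths(flows):
    """Terrain: the distinct (src, dst, port) edges observed."""
    return {(src, dst, dport) for src, dst, dport, _ in flows}


def policy_violations(paths, assets, policy=POLICY):
    """Mitigation paths: edges where the source's roles are not allowed to reach
    the destination's role, i.e. segmentation gaps to close before they are used."""
    bad = []
    for src, dst, dport in sorted(paths):
        for role in assets.get(dst, ()):
            if role in policy and not (assets.get(src, set()) & policy[role]):
                bad.append((src, dst, dport))
    return bad


def rank_risk(assets, paths, alerts):
    """Risk = asset criticality + current alerts on the host + exposure to hosts
    that currently have alerts. Returns (host, score) pairs, highest first."""
    score = {}
    for host, roles in assets.items():
        base = max(ROLE_WEIGHT[r] for r in roles)
        own = 2 * alerts.get(host, 0)
        exposed = 3 * sum(1 for src, dst, _ in paths if dst == host and alerts.get(src, 0))
        score[host] = base + own + exposed
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    assets = classify_assets(FLOWS)
    paths = communication_paths(FLOWS)
    print("assets:", assets)
    print("policy violations:", policy_violations(paths, assets))
    print("risk ranking:", rank_risk(assets, paths, ALERTS))
```

On the constructed data the database host ranks highest even though it has no alerts of its own, because a host that does have alerts holds an open path to it; that same path is also the single policy violation, which is the gap to close before an adversary can use it.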
Network Detection and Response gives cybersecurity professionals a way to combat threats. The first step is to detect cyberattacks: without detection, criminals can attack your environment, steal information, and cause financial and political harm.
However, robust response is equally important. Response brings efficiency to cyber operations: it analyzes current practices and remedies security gaps before an attack; treats data as incidents rather than individual alerts; automates actions in response to incident awareness; lets analysts see all network activity through efficient tools; automates retrospective analysis; and provides holistic visibility into your cyber terrain.
Detection solutions without the ability to respond just add noise. NDR is what delivers operational efficiency.