Defining Network Detection and Response
Gartner defines Network Detection and Response (NDR) as a combination of machine learning, advanced threat analytics and rule-based detection to detect suspicious activities on enterprise networks.
Network Detection and Response is similar to other trends in network cybersecurity, such as Network Traffic Analysis (NTA) and Network Analysis and Visibility (NAV). While all three terms emphasize detection, NDR elevates the role of response on the network. This is a crucial message and needs to be grasped correctly.
Detection uses network data to provide visibility. Based on visibility, a variety of techniques can be applied to detect cyber threats and risks. These techniques include signature analysis, malware detection, sandboxing, indicators analysis, email security, web security, machine learning and AI, deception, and asset risk analysis. Detection via traffic analysis or visibility remains the keystone of NDR.
NDR proposes that Response is equally important to the role of security. Detection can be judged on a sliding scale between false positive and false negative results. Too many detections can inundate the security team with too many alerts, too much information, and a sense of numerous false positive detections. Insufficient detections lead to a false sense of security where silence is mistaken for safety, masking vital information and critical insights required to truly secure the enterprise.
The response is a combination of automated and manual methods to analyze detections and determine – what happens next.
Response within Network Traffic
How quickly your response to detection is extremely important. If your team is spending time triaging false positive detections and poorly configured systems, your team is not effectively able to respond. Network Response requires several forms:
Prevention: In the network, prevention includes packet or session dropping, TCP resets, email quarantine, and web blocking or redirection. An NDR solution should offer prevention capabilities in-line or out-of-band.
Incident Analysis: Network detections can generate many alerts and anomalies. The ability to combine alerts based on similarity by utilizing an attack framework (MITRE ATT&CK) can dramatically increase the efficiency of the NDR solution. By focusing on incidents rather than a list of alerts, the analyst can quickly see the big picture and remediate problems.
Efficient Analyst Tools: The terms NTA and NAV emphasize the ability to detect threats within network traffic. However, many of these detections are just noise signals. Anomalies, probabilities, and unknown data can lead to malicious outcomes, but can also detect justified user behavior. The ability to distinguish malicious outcomes requires aggressive response behaviors, efficient tools that provide all necessary data, and log analysis which should be handled by the tools, not by the analyst.
Automated Investigation: Often, information is required from additional systems where the network data is insufficient. Playbooks that can run investigations with endpoint products are an essential element of response. The NDR system should be able to run playbooks to gain the necessary information to be combined with the network incident analysis and analyst tools. Playbooks can be part of the NDR tool suite or integrated by SOAR technology.
Retrospective Analysis: New information becomes available constantly through new detections – not only in your enterprise, but also by data available from industry and internal experts that may pertain to your vertical industry, your geography, and your enterprise. The ability to connect the dots between current events and past behavior is an important aspect of NDR. An NDR solution should be able to see 30 to 90 days of information with fast search speed and with automated analysis capabilities. In some environments, as much as a year of data may be desired. Minimal storage of 7 days or less is not enough.
NDR is a crucial cybersecurity solution aimed at swiftly identifying and responding to threats within network environments.
NDR tools continuously analyzes raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors.
Evolution of NDR in network security – Check out the whitepaper!
Why is Network Detection and Response Important?
Advanced threat attacks are designed to evade traditional preventative and detection techniques. Network Detection and Response solutions provide a sound method for identifying cyber threats traversing through the network and cloud traffic. One key attribute of NDR solutions is the coverage across all ports and protocols to ensure full visibility.
There are a multitude of detection techniques that Network Detection and Response solutions leverage, including supervised and unsupervised machine-learning techniques, deep packet and deep session inspection, malware detection, sandboxing, asset inventory, and more.
Beyond detection, organizations also use NDR solutions to help investigate and trigger an incident response. To this end, Network Detection and Response tools that are integrated with endpoint detection and response solutions can offer substantial improvements in speeding alert investigation and resolution. A good example of this concept is the automatic validation of a detected threat through analyzing network traffic, confirming a compromise of one or more endpoints within the environment, and subsequently executing an automatic response, such as isolating the affected endpoints from the network.
Apart from monitoring network traffic, Network Detection and Response tools can also collect and store rich metadata that can be easily searched for deeper investigation and hunting efforts. The value of the metadata is that it is easy to query, facilitates faster investigations and is much more cost-effective than storing full PCAPs.
Examples Of Metadata That Can Be Collected are:
| WHO – | WHAT – | WHEN – | WHERE – | HOW – |
|---|---|---|---|---|
| domain user
webmail user FTP user email address device ID organization name | filenames SHA256 MD5 content tags malware name malware type | from present day/time to as far back as you want to store data | source, destination, country, IP address, organization, url, domain | protocols, applications, file type, user agent, custom protocols, obfuscated files and scripts |
What are the Key Aspects of an NDR Solution?
A robust Network Detection and Response solution should:
- Provide visibility across all ports and all protocols.
- Bi-directionally scan all network traffic to reveal network and application protocols, files, and content via sensors that can be placed at the gateway, internally, in the cloud, and at both the email and web gateways.
- Conduct real-time analysis of raw network packet traffic or traffic flows.
- Monitor and analyze north/south traffic and as east/west traffic.
- Differentiate between normal, anomalous and suspicious activity in network and cloud traffic.
- Leverage machine learning and analytics to detect network traffic anomalies.
- Provide rich metadata that enables retrospective detection and analysis going back many months.
- Profile TLS encrypted traffic based on metadata and certificates, determining human browsing versus machine traffic, and leveraging data science models to detect hidden threats.
- Consolidate “Like” alerts and the related context and evidence to speed alert triage.
- Help automate relevant incident response actions based on what has been detected.
What Threats Do NDR Solutions Avert?
A good NDR security solution can help you avert a range of cyber threats in real-time. Here are some of the threats that can be kept at bay with the NDR solution.
- Malware and ransomware: By examining network traffic patterns and behavioral anomalies, NDR solutions may identify the existence of malware and ransomware. Concerning these dangers, they can recognize abnormal file transfers, communication between command-and-control centers, and other signs of compromise.
- Advanced Persistent Threats (APTs): Often orchestrated by nation-states or sophisticated cybercrime organizations. APTs are highly skilled, and covert cyberattacks. The more subtle indicators of APT activity, like anomalous data exfiltration patterns, lateral network movement, and sustained exploit attempts, can be detected by NDR solutions.
- Data Breaches: By monitoring network traffic for unauthorized access attempts, data exfiltration, and other suspicious behaviors that may point to a breach in progress, NDR solutions assist in preventing data breaches. Utilizing NDR solutions enables swift detection and management of data breaches, mitigating their consequences and safeguarding sensitive information against compromise.
- Insider Threats: NDR security solutions can detect unusual activity within the company’s network, such as staff members gaining access to resources without authorization, trying to get around security measures, or doing malevolent tasks. Insider attacks can be identified and neutralized before they cause substantial damage by using NDR solutions, which monitor user activity and correlate it with other network events.
- Phishing and Social Engineering Attacks: NDR cybersecurity solutions check email and online traffic for signs of fraudulent behavior, including phishing emails, shady URLs, and malware attachments. Through this network-level threat detection and blocking, NDR platforms assist in shielding users against phishing schemes and other forms of social engineering.
Using NDR to Proactively Improve Security Posture
Perhaps the most important aspect of NDR tools is to determine security gaps in your environment and to correct your posture before an attack occurs. These capabilities include:
- Decryption: To gain visibility into network traffic, decryption is highly advised. Most importantly, use of decryption technology highly integrated with the NDR product is required to fully gain the system’s detection and response capabilities.
- Cyber Terrain: NDR solutions can analyze network traffic to identify and classify assets and communication paths within the environment. Cybersecurity defense must start with an accurate understanding of the environment.
- Risk: The combination of terrain and current events leads to a risk analysis. Risk includes alerts, incidents, vulnerabilities, and available mitigation paths in the environment.
- Risk Simulation: Building on asset risk, simulations can be applied. Red and blue team analysis can reveal security gaps to address in your environment. The information derived from the simulation can help to improve your security posture to eliminate gaps before an adversary can exploit them.
Fidelis NDR: The Solution for your Network Security
If Network Detection and Response is what you are looking for, Fidelis Network, our ultimate defense solution against cloud and on-premises network threats is the way to go. With unrivaled visibility and control, it safeguards your entire threat framework from start to finish. Discover how it calculates cyber risks in real-time, providing proactive protection against evolving threats.
Related to Network Detection and Response
Learn how Fidelis Network Security Solution can help you reclaim the advantage over your adversaries in these free downloads.
