Gerald (“Jerry”) Mancini is Fidelis’ Chief Strategy Officer. He brings valuable experience building and leading product development teams in his tenure with Fidelis. Prior to joining the...
Network Detection and Response is the latest trend in network-based cybersecurity. NDR follows years of prior product category discussions and three-letter acronyms meant to define how an enterprise should think about defending itself against cyber threats. Over the years network security has been defined by IPS, IDS, DLP, ATD, ADR, SA, NAV, NTA, and several more.
Fidelis has participated in magic quadrants, waves, market studies, and terminology changes since our first network cybersecurity solutions in the mid-2000s. NDR is the culmination of years of research and acronym changes, arriving at the point we have been discussing for years: Detection and Response.
Network Detection and Response is similar to more recent trends in network cybersecurity, including Network Traffic Analysis (NTA) and Network Analysis and Visibility (NAV). While all three terms emphasize detection, NDR elevates the role of response on the network. This is a very different message, and cybersecurity professionals need to understand the difference.
Detection uses network data to provide visibility. Based on that visibility, a variety of techniques can be applied to detect cyber threats and risks. These techniques include signature analysis, malware detection, sandboxing, indicator analysis, email security, web security, machine learning and AI, deception, and asset risk analysis. Detection via traffic analysis and visibility remains the keystone of NDR.
NDR proposes that response is equally important to the role of security. Detection can be judged on a sliding scale between false positive and false negative results. Too many detections inundate the security team with too many alerts, too much information, and a sense that most detections are false positives. Too few detections lead to a false sense of security in which no news is good news, masking vital information required to truly secure the enterprise.
Response is a combination of automated and manual methods used to analyze detections and determine what happens next.
How quickly you respond to a detection is extremely important. If your team is spending its time triaging false positive detections and poorly configured systems, it is not able to respond effectively. Network response takes several forms:
Perhaps the most important aspect of NDR is determining the security gaps in your environment and correcting your posture before an attack occurs. These capabilities include:
Network Detection and Response gives cybersecurity professionals hope in combating threats. The first step is to detect cyberattacks: without a detection, criminals can attack your environment, steal information, and cause financial and political harm.
However, robust response is equally important. Response brings efficiency to cyber operations: analyzing current practices and remedying security gaps prior to an attack; viewing data as incidents rather than individual alerts; automating actions as a result of incident awareness; witnessing all network activity by relying on efficient tools; automating retrospective analysis; and providing holistic visibility into your cyber terrain.
Detection solutions without the ability to respond just add noise. NDR is what delivers operational efficiency.