Network Detection & Response (NDR) is an emerging category of security product that uses network traffic analysis (NTA) to fulfill a critical part of Gartner's SOC Visibility Triad. In this blog series, we'll look at how NDR products compare to traditional security tools including SIEM and IDS.
From the boy who cried wolf to Chicken Little (or Henny Penny), stories about false alerts have been around since at least the days of Aesop. The lesson in those fables is just as valuable today as it was way back then.
False alerts have negative consequences, whether you're a boy herding sheep, a frightened fowl, or a security professional protecting the modern enterprise.
For all the good they can do, Intrusion Prevention Systems (IPS) and their thousands of signature-based detections have a bad habit of misidentifying benign behavior as malicious and sounding false alerts. Those false positives waste security analysts' time and they can lead to alert fatigue, increasing the likelihood that a deserving alert goes uninvestigated and allows a preventable breach to occur.
Products in the Network Detection & Response (NDR) category help security teams accurately identify and investigate malicious behaviors, and trigger automated responses to legitimate threats with a far lower rate of false positives than IPS products.
How NDR Works
Network Detection & Response (NDR) products are powered by network traffic analysis (NTA), or the real-time inspection of network communications in order to detect and investigate threats, anomalous behaviors, and risky activity from layer two through layer seven.
These products provide more conclusive insights into security events and forensic-level evidence SecOps teams can use to understand and report the exact scope of incidents. They do this by analyzing every transaction and reconstructing every conversation on the network through full-stream reassembly.
NDR products take the rich wire data provided by NTA and apply advanced machine learning to identify anomalous behaviors and security events, trigger automated investigations, fire contextualized alerts. In some cases, NDR products can help execute automated responses through integrations with firewalls, SOAR products, and other in-line response solutions.
How IPS Works
Located behind the firewall, Intrusion Prevention System sensors are placed in the line of direct communication between information senders and receivers. IPS products use a database of pre-programmed signatures to identify specific exploits in much the same was as their precursor, the IDS, or Intrusion Detection System. In fact, IPS and IDS products often work together.
What IPS Can Do
Intrusion Prevention Systems can use their pre-programmed exploit-facing signatures to fire alarms to administrators, remove malicious packets, block access from offending source addresses, and reset connections.
What IPS Can't Do
With their propensity for firing false alerts, Intrusion Prevention Systems can't always help SOC teams separate signal from noise. IPS products can also have a hard time detecting new or evolving threats because new signatures must be developed, a time-intensive process requiring human intervention. This potential gap in the time between identifying new threats and creating unique signatures can give rapidly innovating attackers the head start they need to stay a step or two ahead of security. An IPS product can also struggle to analyze encrypted data without help from decryption tools.
What NDR Can Do
Enterprise Network Detection & Response security platforms quickly decode dozens of protocols and extract thousands of machine learning features to pinpoint late-stage attack behaviors with context and evidence for confident action.
Because NDR products use machine learning to create predictive behavior models rather than simply relying on signatures as a baseline for detection, they can find never-before-seen security threats and detect low-and-slow tactics, techniques, and procedures that signature-based systems often miss.
If you're already using an IPS product, NDR platforms provide richer data that can shorten the time to detect threats and reduce the number of false alerts.
Continue Exploring NDR for Enterprise Security
Want to see how a real security breach plays out as it's detected, investigated, and resolved using an NDR platform? Check out this blog post walking through our investigation into a fake Postman Chrome Extension.
NDR can also make it a lot easier to follow the CIS Top 20 Critical Security Controls—read this white paper to learn more.