Network Detection & Response (NDR) is an emerging category of security product that uses network traffic analysis (NTA) to fulfill a critical part of Gartner's SOC Visibility Triad. In this blog series, we'll look at how NDR products compare to traditional security tools including IPS and IDS.
Security Operations Centers often place Security Information and Event Management (SIEM) products at the center of their approach to protecting the enterprise, and there are valid reasons for their popularity.
SIEM products shine at generating compliance reports. They can also be effective at early detection when threats violate a SIEM's set of preconfigured rules. Some SIEM vendors are introducing artificial intelligence for automatic rule generation, anomalous behavior detection, and advanced statistical analysis, but those tools are in their early stages and it's unclear whether they provide benefits not found in existing SIEM products.
Despite their popularity, SIEM products also have significant drawbacks. They use log data, which limits their visibility and can leave you vulnerable to east-west corridor attacks. They're also difficult and expensive to install, configure, manage, and scale, which could prevent them from being a proactive solution to future security challenges.
Even if you're already using a SIEM product or are considering adding one to your security suite, a Network Detection & Response (NDR) product is a crucial part of the SOC toolset. In fact, Gartner's SOC Visibility Triad strongly recommends complementing SIEM with Endpoint Detection & Response (EDR) and NDR.
How NDR Works
Network Detection & Response (NDR) products are powered by network traffic analysis (NTA), or the real-time inspection of network communications in order to detect and investigate threats, anomalous behaviors, and risky activity from layer two through layer seven.
These products provide more conclusive insights into security events and forensic-level evidence SecOps teams can use to understand and report the exact scope of incidents. They do this by analyzing every transaction and reconstructing every conversation on the network through full-stream reassembly.
NDR products take the rich wire data provided by NTA and apply advanced machine learning to identify anomalous behaviors and security events, trigger automated investigations, and fire contextualized alerts. In some cases, NDR products can help execute automated responses through integrations with firewalls, SOAR products, and other in-line response solutions.
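To make the visibility gap described above concrete, here is an added example (not code from the original post or from any NDR or SIEM product) that runs a simple lateral-movement check twice: once over constructed log events, as a rule-based SIEM would see them, and once over constructed east-west flow records, as an NTA sensor on a tap or span port would derive them. The addresses, the SMB port, the "internal" prefix, and the fan-out threshold are all assumptions chosen for the illustration.

```python
# Added example: the same east-west fan-out is invisible to a log-only check but
# visible to a flow-level (NTA-style) check. All records below are constructed.
from collections import defaultdict

# Constructed flow records as an NDR sensor would derive them from the wire:
# (source_ip, dest_ip, dest_port, protocol). One workstation fans out to many peers on SMB.
FLOWS = [
    ("10.0.1.20", "10.0.2.5", 445, "tcp"),
    ("10.0.1.20", "10.0.2.6", 445, "tcp"),
    ("10.0.1.20", "10.0.2.7", 445, "tcp"),
    ("10.0.1.20", "10.0.2.8", 445, "tcp"),
    ("10.0.1.20", "10.0.2.9", 445, "tcp"),
    ("10.0.1.30", "10.0.2.5", 445, "tcp"),     # ordinary single file-share access
    ("10.0.1.20", "203.0.113.9", 443, "tcp"),  # outbound web, not east-west
]

# Constructed log events as a SIEM would receive them. Only hosts that forward logs
# appear; peers 10.0.2.6 through 10.0.2.9 forward nothing, so their side is missing.
LOGS = [
    {"host": "10.0.2.5", "event": "logon", "src": "10.0.1.20"},
    {"host": "10.0.2.5", "event": "logon", "src": "10.0.1.30"},
]

INTERNAL_PREFIXES = ("10.",)  # assumption: address space treated as internal


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def siem_fanout(logs, threshold=3):
    """Rule-style SIEM check: distinct log-forwarding hosts each source logged on to."""
    seen = defaultdict(set)
    for event in logs:
        if event["event"] == "logon":
            seen[event["src"]].add(event["host"])
    return {src: len(hosts) for src, hosts in seen.items() if len(hosts) >= threshold}


def ndr_fanout(flows, port=445, threshold=3):
    """NTA-style check over east-west flows: distinct internal peers per source on `port`."""
    seen = defaultdict(set)
    for src, dst, dport, _proto in flows:
        if dport == port and is_internal(src) and is_internal(dst):
            seen[src].add(dst)
    return {src: len(peers) for src, peers in seen.items() if len(peers) >= threshold}


if __name__ == "__main__":
    print("SIEM (logs) flags:", siem_fanout(LOGS))   # {} : fan-out hidden by missing logs
    print("NDR (flows) flags:", ndr_fanout(FLOWS))   # {'10.0.1.20': 5}
```

The log-based check returns nothing because four of the five targets never produced a log line; the flow-based check flags the source host from the wire data alone.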
How SIEM Works
A SIEM product collects log data generated across an enterprise's technology infrastructure, including host systems and applications; analyzes that data; provides views and filtering for analysts; and shares the resulting information with security tools such as antivirus filters and firewalls.
What SIEM Can Do
SIEM products got their start as compliance management tools more than a decade ago. In recent years, the demand for more security measures has driven SIEM products toward security operations centers. SIEM products can create reports on incidents and events, including malware and other malicious activity. If analysis determines activities violate pre-determined rulesets, a SIEM product can fire alerts.
What SIEM Can't Do
SIEM products historically require a lot of work to configure and use, and they rely on logs that must themselves be configured and that do not adapt on their own. Preconfigured products are available, but they're more expensive and more prone to false alerts. Because SIEM products simply aggregate logs and can fire context-free alerts, knowing how best to respond can be a struggle for their users. It can also be difficult to add new data feeds to SIEM products and to keep track of existing feeds.
What NDR Can Do
Advanced NDR security platforms extract thousands of machine learning features and quickly decode dozens of protocols to pinpoint late-stage attack behaviors with enough context and evidence for analysts to take confident action.
NDR products are also deadly threat hunters because they use machine learning to create predictive behavior profiles to locate previously unseen security threats and detect low-and-slow tactics, techniques, and procedures.
If you already use a SIEM product, adding NDR can reduce your security spend and increase your visibility, alert context, and ability to quickly respond to legitimate threats.
Continue Exploring NDR for Enterprise Security
Want to see how a real security breach plays out as it's detected, investigated, and resolved using network detection & response? Check out this blog post walking through our investigation into a fake Postman Chrome Extension.
NDR can also make it a lot easier to follow the CIS Top 20 Critical Security Controls—read this white paper to learn more.