Network Detection and Response

Network detection and response (NDR) is an emerging category of cybersecurity solution that ingests and analyzes network traffic to detect suspicious activity and understand security risks and exposure. NDR combines machine learning-powered detections, behavioral analysis, and signature-based detections for known IOCs. Best-in-class NDR solutions also use decryption and protocol decoding to uncover threats hiding in encrypted traffic. Streamlined workflows enable cybersecurity teams to quickly investigate down to packet-level context and respond with confidence.

Like endpoint detection and response (EDR), NDR security solutions do not prevent malicious activity. Instead, they identify attack activity in progress and provide the insight needed to stop attacks before they can do significant harm. NDR is distinct from EDR in that it does not use an agent to monitor east-west and north-south network traffic, relying instead on a network or virtual tap for analysis of network telemetry across on-premises and cloud workloads. NDR is also referred to as network analysis and visibility (NAV) by some independent analyst groups.

How many ransomware threats are currently hiding on your network? It’s just one of many questions you should be asking now that threat actors have mastered the art of sneaking past perimeter defenses.

In this video, Viz from the Ministry of Cyberdefense will show you why advanced network detection and response is an essential component of any modern security strategy — and how it measures up against an IceID malware-based ransomware attack.

The SUNBURST attacks evidenced a sea change, a trend that has continued with increasingly advanced ransomware attacks and headline-making breaches.

When news first emerged detailing the scale and sophistication of the SUNBURST attacks, many global security teams faced an uncomfortable reality. How could a threat, albeit a state-sponsored one, fly under the radar of so many organizations, and linger for so long without detection?

SUNBURST circumvented most of the tools that security leaders rely on: perimeter defenses, endpoint detection, and antivirus. The SUNBURST attacks highlighted the deficiencies of rules- and signature-based detection methods, and exposed the security blind spots left by logging and agent-based approaches.

The attack surface is expanding

The job of cyber defense is made that much harder by the nature of modern IT environments. The traditional notion of a network perimeter perished with the advent of cloud applications, bring your own device (BYOD) policies that opened the door to ubiquitous mobile devices, third-party services, and internet of things (IoT) devices. Digital transformation efforts encompassing cloud, mobile, and IoT are also expanding the corporate attack surface and making it harder for security teams to gain visibility into suspicious traffic. These challenges are compounded by the push for "encryption everywhere". Various sources estimate that the vast majority of traffic today is encrypted, making it difficult to inspect that traffic. Adversaries can disguise their own malicious activity within encrypted traffic to cross the perimeter or move laterally inside networks.

EDR and SIEM provide essential visibility into endpoints and logs, but both tools leave coverage gaps. EDR requires agents to be deployed on each endpoint, but not every endpoint can support an agent. IoT and personal devices are two examples. Sophisticated attackers can also bypass EDR by taking advantage of unmanaged devices — including the 37% of critical devices that are unmanaged. SIEM tools rely on logs, which are useful sources of data, but they lack the context of network packets and attackers can delete logs, wiping away any trace of their activities. Attackers can also avoid firewalls and legacy standalone intrusion detection systems (IDS), but because certain key activities in a successful attack occur on the network, NDR can detect those threats.

NDR complements EDR, SIEM, and IDS tools by filling coverage gaps and continuously monitoring and analyzing network traffic to provide actionable insight. NDR solutions don’t require agents to understand the ways endpoints, workloads, and services communicate with each other. NDR solutions also provide packet-level context, enabling security teams to dive deeper into the activities of assets and investigate down to ground truth.

NDR supports Zero Trust initiatives

Zero trust requires cybersecurity to evolve from static defenses based on network-based perimeters and instead focus on users, assets, and resources. In short, never trust, and always verify. NDR solutions support zero trust initiatives by providing visibility and analytics for all users, devices, applications, and workloads and analytics communicating on the network. With NDR data, security teams can make informed decisions. Best-in-class NDR products also have the ability to securely decrypt traffic, automatically discover and classify assets, and identify vulnerabilities so organizations can make policy-driven access decisions.