By Aimei Wei, Chief Technical Officer (CTO) and Founder
Network detection and response (NDR) has a long history, evolving out of network security and network traffic analysis (NTA). Historically, network security meant a perimeter firewall and an Intrusion Prevention System (IPS) screening traffic entering the network. As IT and security technology evolved in response to attacks that use more complex, multi-stage techniques, the definition became much broader.
Today, network security is everything a company does to secure its networks and everything connected to them: the network itself, the cloud (or clouds), endpoints, servers, users and applications. Traffic from all of these systems must cross the network, so the network is the logical source of ground truth about security exploits.
Analyzing endpoint data and security tool logs alone is not enough to thwart today's attacks. If there is one important thing to know about the network, it's that it doesn't lie: an attacker can disable an endpoint agent or delete a log, but a connection that crossed the wire was still observed, and even when the payload is encrypted the network still shows who talked to whom, when, how often and how much. That is why NDR completes an organization's detection and response journey to XDR / Open XDR alongside EDR for endpoint data and SIEM for security tool logs. Specifically, NDR sees what endpoint agents and logs don't (the entire network, including unmanaged devices, SaaS applications and user behavior), acts as the corroborating data set and enables real-time response.
As Zero Trust continues to be adopted, the network will be segmented in new ways, improving security fundamentals. As with any complex system, the policy must be verified, not assumed: Zero Trust's principle is "never trust, always verify", and NDR is its natural verification counterpart, showing whether segmentation and access policies are actually enforced on the wire. NDR enables organizations to adopt Zero Trust with confidence and verify its enforcement.
How Does NDR Work?
NDR solutions combine non-signature-based techniques (for example, machine learning or statistical analysis of traffic behavior) to detect unknown attacks with signature-based techniques (for example, threat intelligence indicators matched in-line to raise alerts) to detect known ones. NDR can ingest data from dedicated sensors, existing firewalls, IPS/IDS, metadata such as NetFlow, or any other network data source, provided the sensors and other telemetry are placed so that they actually see the relevant traffic. Both north/south and east/west traffic should be monitored, in physical and virtual environments alike. All data is collected and stored in a centralized data lake where an AI/analytics engine detects suspicious traffic patterns and raises alerts.
Response is the critical counterpart to detection in a performant network-based approach to security operations, and is fundamental to NDR. Common elements include automated responses, such as sending a command to a firewall to drop suspicious traffic or to an EDR tool to quarantine an affected endpoint, and manual responses, such as threat hunting and incident investigation tools. Automated actions should be gated on alert confidence, since a false positive that quarantines a production server is itself an outage.
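The two paragraphs above describe the detection and response loop in the abstract. The following is an added, self-contained example written for this page, not code from the author or from any NDR product: it runs three detections over constructed NetFlow-style records (a threat-intel indicator match as the signature-based technique; periodic beaconing and internal fan-out as non-signature, behavioral techniques covering north/south and east/west traffic respectively), then maps each alert to a response action. The flow records, the indicator list, the thresholds and the playbook action names are all assumptions made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records, not real captures:
# (time_s, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    # workstation contacting the same external host every 60 s (beaconing)
    (0, "10.0.1.15", "203.0.113.7", 443, 512),
    (60, "10.0.1.15", "203.0.113.7", 443, 530),
    (120, "10.0.1.15", "203.0.113.7", 443, 498),
    (180, "10.0.1.15", "203.0.113.7", 443, 515),
    (240, "10.0.1.15", "203.0.113.7", 443, 507),
    # one flow to an address on the (constructed) threat-intel list
    (30, "10.0.2.40", "198.51.100.9", 8080, 2048),
    # ordinary browsing: irregular timing and sizes, should not alert
    (5, "10.0.1.16", "93.184.216.34", 443, 4000),
    (90, "10.0.1.16", "93.184.216.34", 443, 18000),
    (100, "10.0.1.16", "93.184.216.34", 443, 900),
    (400, "10.0.1.16", "93.184.216.34", 443, 22000),
] + [
    # east/west: one host touching six internal peers on SMB (fan-out)
    (300 + i, "10.0.3.22", f"10.0.3.{i}", 445, 90) for i in range(1, 7)
]

THREAT_INTEL_IPS = {"198.51.100.9"}  # assumed indicator feed


def is_internal(ip):
    # Assumption for the example: the 10.0.0.0/8 range is "inside".
    return ip.startswith("10.")


def signature_alerts(flows, bad_ips=THREAT_INTEL_IPS):
    """Signature-based: any flow to a known-bad destination is an alert."""
    return [{"type": "threat_intel_match", "host": s, "peer": d, "port": p}
            for _, s, d, p, _ in flows if d in bad_ips]


def beacon_alerts(flows, min_flows=4, max_cv=0.1):
    """Behavioral (north/south): internal host reaching an external peer at
    near-constant intervals. Uses the coefficient of variation of the gaps
    between flows; human-driven traffic is far more irregular."""
    groups = defaultdict(list)
    for t, s, d, p, _ in flows:
        if is_internal(s) and not is_internal(d):
            groups[(s, d, p)].append(t)
    alerts = []
    for (s, d, p), times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append({"type": "beacon", "host": s, "peer": d,
                           "port": p, "interval_s": avg})
    return alerts


def fanout_alerts(flows, min_peers=5):
    """Behavioral (east/west): one internal host contacting many distinct
    internal peers on the same port, a lateral-movement / scanning pattern."""
    peers = defaultdict(set)
    for _, s, d, p, _ in flows:
        if is_internal(s) and is_internal(d):
            peers[(s, p)].add(d)
    return [{"type": "internal_fanout", "host": s, "port": p, "peers": len(ds)}
            for (s, p), ds in peers.items() if len(ds) >= min_peers]


# Assumed playbook: which automated action each alert type triggers.
RESPONSE_PLAYBOOK = {
    "threat_intel_match": "firewall_block_peer",   # drop traffic at the firewall
    "beacon": "edr_quarantine_host",               # isolate the endpoint via EDR
    "internal_fanout": "edr_quarantine_host",
}


def plan_response(alerts):
    """Attach the playbook action to each alert; a real deployment would
    gate automated actions on confidence and asset criticality."""
    return [dict(a, action=RESPONSE_PLAYBOOK[a["type"]]) for a in alerts]


def analyze(flows=FLOWS):
    """Full pipeline: signature + behavioral detections, then response plan."""
    alerts = signature_alerts(flows) + beacon_alerts(flows) + fanout_alerts(flows)
    return plan_response(alerts)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

Running it yields three alerts (the threat-intel match, the 60-second beacon from 10.0.1.15, and the SMB fan-out from 10.0.3.22), each tagged with its response action, while the irregular browsing host stays quiet. The point of separating `signature_alerts` from the behavioral functions is the one the text makes: indicators catch what is already known, and the behavioral checks catch the unknown without any indicator at all.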
NDR is a critical component of every modern cybersecurity infrastructure. It allows you to "see the entire elephant", the whole network, rather than only the individual endpoints, users or devices attached to it.
About the Author