May 28, 2022
Network Detection and Response (NDR)
What is Network Detection and Response (NDR)?
In layman’s terms, network detection and response (NDR) is a cyber security solution that performs real-time, continuous monitoring and analysis of an organization’s network traffic to detect and respond to malware and malicious activity in the network.
NDR complements and goes beyond long-established cyber security solutions such as network firewalls and intrusion prevention systems (IPS) that are designed to prevent known, or signature-based, malware and malicious traffic from entering the internal network. NDR enables the detection of unknown, non-signature-based malware and threats that have breached the network perimeter. NDR leverages advanced technical capabilities such as behavioral analytics, artificial intelligence, and machine learning to perform deep network traffic analysis to detect and provide context to stealthy anomalous activities that may conceal malicious behavior.
The Rise of NDR
Gartner first recognized NDR as an individual cyber security segment in 2020 with the publication of Market Guide for Network Detection and Response. NDR has gained a lot of traction in recent years and is fast becoming a must-have solution in organizations’ cyber security arsenal.
Indeed, NDR is one of the three pillars of Gartner’s SOC Visibility Triage, a security model that also includes Security Information & Event Management (SIEM) and Endpoint Detection & Response (EDR). NDR provides the all-important network data that complements the other pillars to grant security teams complete threat visibility.
Gartner notes with the release of the SOC Visibility Triad that "The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents."
NDR is a Must-Have
The growing importance of NDR is primarily fueled by the urgent need to protect organizations against increasingly sophisticated cyber threats and a widening attack surface.
Sophisticated Cyber Threats
A large proportion of today’s cyber-attacks originate from unknown malware. With upwards of 500,000 new malware and malware variants created every day, it is impossible to ID every piece of new malware before they are deployed.
What is more, modern-day cyber-attacks employ increasingly complex tactics and techniques; instead of delivering the malware payload directly onto the victim machine, cyber-attacks are carried out in intricate stages that may span weeks or months. In these attacks, known as advanced persistent threats (APT), adversaries commonly rely on legitimate tools, processes, and credentials to evade detection, escalate privileges, and propagate through the network. Once the high-value target that meets the attacker's objectives is reached, the final payload is executed, by which time it is usually too late for the organization’s security defenses to respond. A prime example of such an attack is the SolarWinds supply chain attack that rocked the world in 2020.
A good analogy of a modern, non-signature-based cyber-attack is the police placing a mole inside a crime organization. The mole pretends to blend in with the gang while secretly gathering intel. As the mole earns greater trust and works their way up to higher positions in the gang, they eventually gather enough evidence to incriminate the figurehead of the organization. The mole is so well disguised, and their activities are carried out so secretively, that they remain undetected throughout the operation.
What the crime organization in this analogy really needs is complete visibility of the mole’s every single action, everything they say to root them out before they could do serious damage. That is exactly what NDR provides to the network.
Widening Attack Surface
The attack surface refers to the total number of all possible entry points for unauthorized access into a system. The increase in remote work scenarios and adoption of digital transformation technologies such as cloud computing and IoT devices are widening the attack surface of enterprise networks, leaving them at greater risk of being breached.
Remote Network Access: Remote working has increased the remote access needs, and therefore the threat, to enterprise networks. Personal computers and devices employees use to access the internal network may not have gone through stringent checks to make sure they are clean and malware-free. This is compounded by employees’ use of VPNs and proxy avoidance applications, which have the power to bypass an organization’s weak remote access policies. Attackers can easily breach an organization’s network by infecting a remote user’s device through, for example, a phishing attack.
The Internet of Things (IoT) and BYOD: More and more businesses are incorporating IoT devices into their networks, which range from network printers and smart thermostats to remote patient monitoring systems for healthcare. These network-connected devices have opened new possibilities and boosted business efficiency and productivity, but they also pose a considerable risk to enterprise networks. Many of these devices lack native security capabilities and thus offer threat actors a perfect entry point into the network. In addition, employees and contractors frequently bring their own mobile and compute devices to the company network. Most IT organizations have very little visibility into these BYODs or even some of their IoTs.
Vulnerabilities and Zero-Days: With digital transformation in full flow, businesses are under enormous pressure to deliver applications that satisfy users’ needs. App developers have therefore prioritized features, functionality, and time-to-market over security. In recent years, many widely used applications, services, and components such as Microsoft Exchange, Citrix ADC, Ivanti Pulse Connect Secure, and Drupal have been found to contain critical vulnerabilities. Threat actors have taken full advantage of these to launch devastating and wide-reaching attacks. What’s more, attackers are constantly on the lookout for new vulnerabilities to launch unknown, zero-day attacks.
Attacks Will Come Through
Regardless the size of your organization, and regardless of what kind of firewalls and endpoints you have in place, attacks will come through. The question is, can you detect them in time before damage is made?
What Makes NDR Unique?
NDR is unique in that it takes a whole new approach to cyber security. While conventional security solutions, such as network firewalls and IPS, are designed to prevent the network from being breached, NDR is built on the idea that a breach has already occurred and that adversaries are already present in the organization’s network. Some advanced customers would consider log-based approach such as SIEM, however, that only relies on the logs captured from existing sources of information and limited to understand the entire network traffic and its behavior. Remember that no organization can achieve 100% prevention of cyber threats? NDR embraces this fact and takes a proactive approach to threat hunting and response.
The Packet Holds the Key
There is no better place to search for hidden threats than at the network level. Unless in the extremely unlikely event that an attacker lands directly on a target that meets all their objectives in the very first stage of an attack, all malicious activity, however minute and well-disguised, generates network traffic and communication. Once traffic is generated, it can be analyzed and any activity that deviates from baseline models is contextualized. Suspicious activity is flagged for either automated or manual investigation and response. Another benefit of NDR is that, unlike other security defenses, attackers are not necessarily aware that their activities are being monitored, which prevents them from taking evasive actions and enhances the detection of their activities.
Complete Network Visibility
Because NDR takes traffic from the core switches, it offers two unique use cases. First, NDR can detect new or unknown devices on its network. Second, it sees much more traffic such as lateral moving traffic. If a remote user brings his compromised laptop into the network, the malware would start attacking all your internal assets.
Going back to the previous analogy. NDR is like having hidden CCTV cameras installed all over the gang’s premises. The cameras can monitor the mole’s every action and everything they say. With such visibility, they will certainly raise suspicion and be detected in no time.
How Does NDR Work?
NDR leverages multiple cutting-edge technologies to enhance its detection and response capabilities, including Machine Learning, Behavioral Analytics, Artificial Intelligence, Data Decryption, Threat Intelligence, and Security Device Correlation.
Core Detection Capabilities
Machine Learning: Machine learning (ML) is the fundamental technology that underpins NDR. As more and more network traffic is analyzed, ML dynamically optimizes baseline models for normal network activity for users, applications, etc. ML can be thought of as conferring NDR with the memory of all network activity that allows for the correlation of historical and real-time traffic to contextualize anomalous events.
Behavioral Analytics + AI: Traffic pulled from the network is analyzed with AI-powered behavioral analytics to identify anomalous activity across your network. Behavioral analytics cross-references historical and real-time data to correlate seemingly unsuspicious events. Through behavioral analytics, NDR identifies signals showing user actions that break from patterns, like location or naming conventions, and looks at activity, apps, and accessed files to identify threats.
Traffic Decryption: The majority of all network traffic is encrypted today for data privacy. However, encrypted traffic provides attackers with the perfect cover to conceal their activities, such as C2 communication and data exfiltration. Without the ability to inspect encrypted traffic, conventional security solutions are blind to any malicious activity that is hiding in the traffic. On the other hand, NDR solutions have built-in traffic decryption capabilities, enabling complete transparency of traffic and any malicious activity that it may conceal.
Threat Intelligence: NDR integrates threat intelligence feeds of the latest cyber security threats to provide added contextualization and prioritization of detected network anomalies.
Core Response Capabilities
Threat History: NDR is not only able to detect threats but is able to provide complete visibility of threat history, that is, the timeline of malicious activity covering the whole cyber kill chain. In this case, security teams are able to answer a broad range of questions when responding to an incident. For example, they can answer: What did the asset or account do before the alert? What did it do after the alert? When did the situation start to escalate? In this way, NDR greatly empowers security teams with the knowledge for fast response and remediation.
Solution Correlation: NDR not only functions as a standalone solution but also correlates with other cyber security solutions to enhance detection and response capabilities. For example, NDR can communicate with the network firewall to block IP addresses that have been deemed malicious. NDR can also integrate with SOAR (Security Orchestration, Automation & Response) to take automated responsive action once rules in preconfigured SOAR playbooks are triggered.
The Practical Business Values of NDR
So NDR is an excellent solution for detecting and responding to network threats. But how does this tie in with business goals and translate to practical business value?
Prevent Damaging Losses: Cyber-attacks have the potential to cause major damage to businesses and organizations. These range from costly data loss or data leakage, huge ransom payments for ransomware attacks, expensive business downtime, and significant reputational damage. NDR actively searches for hidden threats in the network that other security solutions miss, enabling faster detection of threats before they cause significant losses and disruption.
Streamline Security Operations: Other security solutions either produce too many false positives or require extensive manual investigation that IT/security teams suffer from alert fatigue or are overburdened with workloads. Not only does this lead to low work enthusiasm but also stifles innovation. NDR helps streamline the threat investigation with contextualized alerts and efficient incident response through the complete visibility of threats, including a timeline of activity indicating the point of entry, compromised hosts, the propagation paths, etc.
Empower Digital Transformation: Consider the fact that the majority of businesses that have adopted cloud computing do not have a clear cloud strategy. With a lighter burden to investigate and respond to threat alerts, IT teams are empowered with greater freedom to plan and launch innovative IT initiatives that generate practical business value.
Go Bold in Digital Transformation: Organizations may be put off from taking on bold and transformative digital transformation initiatives out of security concerns. For example, organizations may refrain from investing in IoT devices that enhance business efficiency and productivity due to their lack of native security capabilities. With the ability to detect any anomalous traffic, including to and from IoT devices, NDR allows business leaders to go bold in their digital transformation with the peace of mind that their systems are underpinned by secure foundations.