The increased sophistication and ingenuity of today’s cyberattacks continue to put pressure on CISOs and their teams. Thomas Pore, Director of Product, LiveAction, explains in detail why adding an NDR(network detection and response) solution to your existing security tech stack is essential.
According to a recent SpyCloud reportOpens a new window , security teams are growing less confident in detecting and responding to cybersecurity threats like ransomware. As a result, organizations are working to better contain and neutralize threats with more modern perimeter defenses. In fact, GartnerOpens a new window predicts that organizational spending on security and risk management solutions will increase by 11.3% next year.
But today’s most elusive attacks aren’t breaking in through the front door; they’re waltzing in through encrypted traffic, logging into your networks undetected, and sometimes even masquerading as guests (via stolen credentials). As a result, SOC teams are looking to bolster defense capabilities, especially those that still rely on legacy systems with limited network visibility or remediation tools.Â
As the growth of malicious cyberattacks continues – AAG researchOpens a new window shows a 125% increase through 2021 and predicts further increases in 2022 – organizations are increasingly considering the value of NDR solutions. Â
See More: Coming Full-circle: Zero-Knowledge End-to-End Encryption for Zero Trust
What Is an NDR Solution?Â
First, what does an NDR solution deliver? An NDR platform is designed to detect cyber threats on corporate networks using machine learning (ML) and data analytics. It provides an in-depth investigation into network traffic, quickly identifies malicious traffic and behaviors, and automates an intelligent threat response for remediation.Â
But not all NDRs are created equal. Over the last two years, next-generation NDR solutions have become available that push the boundaries around anomaly detection and encrypted traffic analysis (ETA).Â
How to Choose an NDR Solution
If your team is considering adding an NDR solution to your tech stack (or upgrading an existing one), what are some key areas to consider? Let’s explore five.Â
1. The breadth and depth of data collection, inspection, and analysis capabilities are crucial
Data is the driving force behind most good businesses. Today’s next-generation NDR platforms should tap into that data and successfully monitor network activity and traffic – and distinguish anomalous or potentially malicious activity from safe activities. Therefore, collecting broad amounts of network data is vital to success; there is no single source of truth. For example, one shortcoming of legacy NDR solutions is their overreliance on NetFlow data – which delivers low visibility. While ports and IP addresses are the typical entry points for hackers, no experienced cybercriminal is just walking through the front door. They’re masking entry via encryption, phishing users, stealing credentials, etc. Â
As a result, collecting and inspecting as much deep packet data as possible, including collecting packet data contents, traits, and behaviors is essential. For an NDR to be effective, it must ingest metadata from network flow, data packets, device activities, fault information and alerts and enrich that metadata with information to help rapidly identify anomalies and malicious threats. It must also ingest network traffic, including network logs, NetFlow, alerts from other systems, intrusion detection data, and more. And finally, it must analyze user and entity behaviors. Â
2. Emerging technologies like AI and ML detect and prevent threats
AI and ML help identify legitimate threats and reduce noise and false positives. Next-generation NDR solutions leverage AI/ML to support deep data science and analytics capabilities that analyze collected network data and automate workflows, threat identification, and remediation. For example, ML provides anomaly detection capabilities, complete signature and non-signature-based data normalization, device profiling, and DNS analysis. AI/ML delivers the computational juice needed for NDRs to deliver powerful behavioral and anomalous data analysis. Â
3. Support for a broad number of deep threat protection use cases
The more specific threat use cases an NDR solution can cover, the better. Take encrypted traffic analysis (ETA) as an example. It combines traditional traffic analysis with deep packet dynamics, cryptoanalysis, and machine learning to not only eliminate encryption blindness but allow for threat detection without the performance burdens of decrypting network traffic. Today’s NDR solutions should also support incident and network forensics, threat hunting, financial fraud detection, Zero Trust initiatives, detect known attacker tactics, techniques, and procedures, identify advanced persistent threats, capture lateral movement, and more.
4. Rapid response and remediation of threats
A scalable incident response workflow that enables collaboration among SOC analysts and prioritizes the timely remediation of multiple threats is vital in today’s threat landscape – and modern NDR solutions can be the cornerstone of a security tech stack. That means intelligent alerts and notifications that inform SOC specialists or on-call technicians, workflows that support triage and response and collaboration on packet analysis, and dashboards and insights to support the prioritization of MITRE ATT&CK labeling, risk scores and incident details for faster responses.
See More: The Dilemma: How to Balance Network Security and Performance with Testing
5. Cohesive threat response capabilities
As mentioned earlier, there is no single source of truth or single solution to stop all attacks. That’s why NDR solutions must integrate seamlessly with other tools like SIEM, SOAR, XDR, and other threat intelligence solutions. For example, workflow automation should integrate with products that take immediate action on security events to quarantine hosts or block threats. In addition, native integration with a Network Performance Monitoring (NPM) solution could help cross-team coordination of threats or performance issues. Â
As we gear up for another active year of increasingly elusive cyberattacks, it’s crucial that SOC teams have a comprehensive set of security tools that can not only stop attackers at the edge but identify those that may already be within the network perimeter.Â
Without NDR solutions, teams will struggle to identify this anomalous behavior, which often masks itself in encrypted traffic. The next generation of NDR solutions delivers the necessary visibility teams need to identify, coordinate, and remediate these advanced threats. Â
What key features are you looking for in your next-gen NDR solution? Share with us on  FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window . We’d love to hear from you!
Image Source: Shutterstock
MORE ON NDR (NETWORK DETECTION AND RESPONSE)
- NDR vs. EDR vs. XDR — Which Is Right for Your Cybersecurity Stack?
- Why Network Detection and Response is Critical to Cyberattack Forensics
- Four Next-generation Tools to Take Security to the Next Level: XDR, SCA, SASE & RASP
- What Is a Man-in-the-Middle Attack? Definition, Detection, and Prevention Best Practices
- Top 10 Network Behavior Anomaly Detection Tools in 2022