What is Network Detection and Response?
Network Detection and Response (NDR) is a burgeoning field of cybersecurity that enables organizations to monitor network traffic for malicious actors and suspicious behavior, and react and respond to the detection of cyber threats to the network. The rise of NDR systems reflects the growing number of systemwide attacks by criminal actors ranging from hackers to nation-states.
Gartner established the NDR solution category in 2020, renaming what it previously called “network traffic analysis.” The evolution of the category underscores the growing importance of response capabilities, which can include automatic responses such as sending commands to a firewall so it drops suspicious traffic, or manual responses such as threat hunting and incident response.
Behavioral analytics for Network Detection and Response
Advanced network detection leverages machine learning, expert analysis, and threat sharing so you can surface and rate unknown threats faster, accelerating triage and response.
How did Network
Monitoring network traffic is not a new practice. In the beginning, network metadata was captured to analyze network performance characteristics. Is our network running okay? But as data volumes soared, many organizations were unable to harness network activity, leaving it as an untapped resource for cyber defense.
Eventually, computing power caught up, giving companies network traffic visibility and behavioral analysis detection methods for computer security – technology first called network traffic analysis (NTA). And while NTA remains a fixture in enterprise security operations centers (SOCs), the market category has evolved and broadened to network detection and response. Organizations increasingly value the response capabilities in NDR solutions to address threats detected by network traffic analysis tools, which focus mainly on detection alone, and mostly on basic variations of known threats.
Today, increasingly sophisticated behavioral analytics, machine learning, and artificial intelligence (AI) applied to cloud, virtual, and on-premises networks form the backbone of NDR solutions. By harnessing these technologies, NDR vendors have enabled organizations to improve detection capabilities, determine the confidence and risk level of a threat, and increasingly automate manual tasks performed by analysts, such as acquiring relevant third-party contextual telemetry and applying standardized investigative playbooks to further prioritize threats by risk. This lets analysts focus strategically on triage and rapid response. By analyzing network behavior using machine learning models, advanced NDR tools can detect threats ranging from sophisticated evasion methods, or “known unknowns,” to brand new zero-day threats, or “unknown unknowns.”
What network detection means to Thomson Reuters
Richard Puckett, VP of Security Operations, Strategy and Architecture at Thomson Reuters, shares how the move to a cloud-first strategy requires behavioral analytics to detect evolving threats.
Why do I need Network Detection and Response?
One common misconception is that Security Information & Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions sufficiently protect the enterprise. These tools are a good start. But with the widespread adoption of IoT, cloud computing, and digital transformation, networks have become an increasingly valuable target for sophisticated adversaries – making NDR solutions an indispensable tool for threat detection.
Stay ahead of cyber criminals
Attackers now have widespread access to what were previously nation-state level tools designed to evade specific security tools. NDR solutions provide an extra layer of security against both sophisticated network attacks and highly organized threat actors.
Move beyond logs and endpoint security
SIEMs have blind spots, and endpoint detection capabilities can be evaded or disabled by a determined adversary. Both SIEM and endpoint tools struggle to detect adversaries whose activity is not specifically malware-based, such as lateral movement using stolen credentials.
Get fewer alerts
With NDR systems, after a threat is detected, rules are applied to the analytic result to contextualize knowledge of an organization and its threat landscape. This approach further adjusts the initial risk score of an alert by determining whether the alert is indeed a high priority or if the alert can be downgraded in severity based on contextual enrichment.
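The risk-score adjustment described above, as an added example that is not part of the original page or of any vendor's product: a constructed set of alerts with initial analytic scores is passed through three contextual rules (approved-scanner allowlist, asset criticality, threat-intel match). The context tables, IP addresses and score deltas are all hypothetical values chosen for illustration.

```python
"""Contextual enrichment of NDR-style alerts (constructed example).

Each alert arrives with an initial analytic risk score in [0, 100].
Enrichment rules consult organisational context and adjust the score
up or down, recording which rules fired so an analyst can see why an
alert was promoted or downgraded.
"""
from dataclasses import dataclass, field

# Constructed organisational context (hypothetical values).
ASSET_CRITICALITY = {
    "10.0.5.20": "crown_jewel",   # e.g. a domain controller
    "10.0.9.77": "standard",
}
APPROVED_SCANNERS = {"10.0.1.15"}      # internal vulnerability scanner
THREAT_INTEL_IPS = {"203.0.113.45"}    # documentation-range address, constructed


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    analytic: str
    initial_score: int
    final_score: int = 0
    reasons: list = field(default_factory=list)


def clamp(score):
    return max(0, min(100, score))


def rule_approved_scanner(alert):
    """Port scans from the approved internal scanner are expected activity."""
    if alert.analytic == "port_scan" and alert.src_ip in APPROVED_SCANNERS:
        return -40, "source is approved vulnerability scanner"
    return 0, None


def rule_asset_criticality(alert):
    """Anything touching a crown-jewel asset deserves more attention."""
    if ASSET_CRITICALITY.get(alert.dst_ip) == "crown_jewel":
        return 25, "destination is a crown-jewel asset"
    return 0, None


def rule_threat_intel(alert):
    """A peer that matches a curated indicator raises the score."""
    if alert.src_ip in THREAT_INTEL_IPS or alert.dst_ip in THREAT_INTEL_IPS:
        return 30, "peer matches threat-intel indicator"
    return 0, None


RULES = [rule_approved_scanner, rule_asset_criticality, rule_threat_intel]


def priority(score):
    if score >= 75:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def enrich(alert):
    """Recompute the final score from the initial score and the rules."""
    alert.reasons = []
    score = alert.initial_score
    for rule in RULES:
        delta, reason = rule(alert)
        if delta:
            score += delta
            alert.reasons.append(f"{reason} ({delta:+d})")
    alert.final_score = clamp(score)
    return alert


# Constructed alerts: one expected scan, one move toward a DC, one intel hit.
SAMPLE_ALERTS = [
    Alert("10.0.1.15", "10.0.9.77", "port_scan", 60),
    Alert("10.0.9.77", "10.0.5.20", "lateral_movement", 55),
    Alert("10.0.9.77", "203.0.113.45", "beaconing", 50),
]


def triage(alerts):
    """Enrich every alert and return them highest final score first."""
    enriched = [enrich(a) for a in alerts]
    return sorted(enriched, key=lambda a: a.final_score, reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a.final_score, priority(a.final_score), a.analytic, a.reasons)
```

The scanner alert starts with the highest initial score but ends at the bottom of the queue once context is applied, while the two lower-scoring alerts are promoted; the recorded reasons are what an analyst reviews before trusting the downgrade.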
The truth is in the traffic
Network traffic is massive and pervasive. The sheer amount of network metadata, protocol logs, and network artifacts makes it extremely difficult, if not nearly impossible, for an adversary to hide their activity across an entire network or to disable monitoring of it.
Protect your IoT devices
Many IoT devices are either too small (like your internet-connected thermostat), too numerous to manage at scale (think every device that has an IP address), or simply too old (as in the case of manufacturing systems) to run endpoint security software or analytics. NDR enables organizations to protect these devices by analyzing their network activity without the overhead of having to manage software on each individual device.
Bolster your overall defense
High-maturity clients use NDR and other network-based technologies as one of the layers in their SOCs, alongside endpoint-, log- and cloud-based technologies for threat visibility. For this reason, NDR solutions have earned a place on Gartner’s SOC Visibility Triad.
How does Network Detection and Response work?
Each NDR solution is unique. But here’s a quick look at common tools and techniques.
Machine learning uses computing power to analyze large sets of data in order to make more accurate predictions. With NDR solutions, machine learning models can detect “unknown unknown” threats to your network using behavioral analytics. Machine learning algorithms can see cyber threats coming around the corner (e.g., ports suddenly being used that have never been used before), in turn enabling more rapid triage and mitigation. Machine learning models are also used to continually reweigh the prioritization of potential threats based on real-world outcomes.
Deep learning is a powerful form of machine learning that uses artificial neural networks to enhance NDR capabilities. At IronNet, we use deep learning but constrain its use to only the NDR applications that are well-suited to the training data requirements and interpretability challenges of deep learning models.
Statistical analysis is a useful behavioral technique that is sometimes marketed as “AI” by a handful of NDR providers. Methods range from simple outlier analysis (e.g., which URL has not been seen in this group of devices) to basic Bayesian analysis of network traffic patterns to other statistical methods. Commonly there is an element of sampling to determine a baseline, which is then used to identify which activity deviates from normal traffic usage, allowing SOCs to model normal network traffic and highlight suspicious traffic that falls outside the normal range.
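As an added example (not from the original page or any vendor's product) covering both the "port never used before" case above and the sampled-baseline deviation this paragraph describes: a baseline window of constructed flow records is summarized per host, and a later window is checked for ports the host has never contacted and for byte volumes that fall outside a simple z-score threshold. Host names, ports, byte counts and the threshold are all constructed values.

```python
"""Baseline-and-deviation detection over constructed flow records.

Two checks are built from a sampled baseline window:
  * novelty: a destination port the host never used during the baseline
  * volume outlier: bytes_out far from the (host, port) baseline mean
Standard library only; no external dependencies.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (host, dst_port, bytes_out).
BASELINE = [
    ("ws-01", 443, 12_000), ("ws-01", 443, 15_000), ("ws-01", 53, 300),
    ("ws-01", 443, 11_000), ("ws-01", 53, 280), ("ws-01", 443, 14_000),
    ("ws-01", 443, 13_000), ("ws-01", 53, 310),
    ("db-01", 5432, 40_000), ("db-01", 5432, 42_000),
    ("db-01", 5432, 39_000), ("db-01", 5432, 41_000),
]
CURRENT = [
    ("ws-01", 443, 13_500),     # within normal range
    ("ws-01", 445, 2_000),      # SMB never seen from this workstation
    ("db-01", 5432, 40_500),    # within normal range
    ("db-01", 5432, 900_000),   # volume far outside the baseline
]


def build_baseline(records):
    """Per-host set of seen ports and per-(host, port) byte statistics."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for host, port, nbytes in records:
        ports[host].add(port)
        volumes[(host, port)].append(nbytes)
    # Population std dev; a real deployment needs far more samples than this
    # toy window before a z-score threshold is meaningful.
    stats = {k: (mean(v), pstdev(v)) for k, v in volumes.items()}
    return ports, stats


def detect(records, ports, stats, z_threshold=3.0):
    """Return findings as (host, port, reason) tuples, in input order."""
    findings = []
    for host, port, nbytes in records:
        if port not in ports.get(host, set()):
            findings.append((host, port, "new_port"))
            continue
        mu, sigma = stats[(host, port)]
        if sigma == 0:
            # Constant baseline: any change at all is a deviation.
            if nbytes != mu:
                findings.append((host, port, "volume_outlier"))
            continue
        z = (nbytes - mu) / sigma
        if abs(z) > z_threshold:
            findings.append((host, port, "volume_outlier"))
    return findings


def run(baseline=BASELINE, current=CURRENT):
    """Build the baseline from one window and evaluate the next."""
    ports, stats = build_baseline(baseline)
    return detect(current, ports, stats)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The novelty check is deliberately evaluated first: a never-seen port has no baseline statistics, so a volume comparison would be meaningless there. Both checks produce findings that still need the contextual prioritization discussed earlier in the page before they become alerts worth an analyst's time.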
Heuristic analysis detects threats by analyzing data for suspicious properties. In NDR solutions, heuristics extend the power of signature-based detection methods to look beyond known threats and spot suspicious characteristics found in unknown threats and modified versions of existing threats. Some network sandbox vendors position analysis of file-based malware as a variation of network behavioral analysis.
Threat Intelligence Feeds
Threat intelligence feeds are data streams containing information on previously identified cyber threats. Threat intelligence, if timely and actionable, can assist NDR solutions in identifying known threats or providing additional context for prioritizing a detected network anomaly by risk. The limitation of threat intel feeds is the need to actively procure, manage, and curate threat intel so that the information is relevant and timely to the enterprise, which can be beyond the scope of all but the most security-mature enterprises.
Signature-based detection methods use a unique indicator of compromise (IOC) about a known threat to identify that threat in the future. Signatures were effective a generation ago, but the process of using unique identifiers to guard against known threats has become increasingly ineffective in a world where custom malware, malware toolkits, and non-malware based attacks such as credential replay are the norm. Furthermore, nearly three quarters of all network traffic today is encrypted, part of an upward trend that is rendering signature-based tools ineffective by preventing the content inspection required to match certain categories of IOCs.
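To make the encryption limitation concrete, here is an added example (not from the original page or any vendor's product) that matches three categories of indicator against constructed connection records. IP indicators can be evaluated on every connection; domain indicators are assumed to be visible as the HTTP Host header or the TLS Server Name Indication (an assumption stated in the code, and one that fails when no SNI is present); URL indicators can only be evaluated on cleartext HTTP because the path is inside the encrypted payload. The indicator values and records are constructed from documentation-reserved ranges and example names.

```python
"""IOC matching over constructed connection records, showing which
indicator categories remain evaluable once the payload is encrypted.
"""
from dataclasses import dataclass

# Constructed indicators (documentation ranges and example names only).
IOCS = {
    "ip":     {"203.0.113.45"},
    "domain": {"bad.example"},
    "url":    {"http://bad.example/payload.bin"},
}


@dataclass
class Conn:
    dst_ip: str
    dst_port: int
    protocol: str      # "http" (cleartext) or "tls"
    host: str = ""     # HTTP Host header, or TLS SNI (assumed visible)
    url: str = ""      # only populated for cleartext HTTP


# Constructed records: one cleartext hit, one TLS hit by SNI only,
# one benign TLS flow, and one TLS flow with no SNI at all.
CONNS = [
    Conn("203.0.113.45", 80, "http", "bad.example",
         "http://bad.example/payload.bin"),
    Conn("198.51.100.9", 443, "tls", "bad.example"),
    Conn("198.51.100.10", 443, "tls", "cdn.example"),
    Conn("198.51.100.11", 443, "tls", ""),
]


def match(conn):
    """Return the (category, indicator) pairs that fire for one connection."""
    hits = []
    if conn.dst_ip in IOCS["ip"]:
        hits.append(("ip", conn.dst_ip))
    if conn.host and conn.host in IOCS["domain"]:
        hits.append(("domain", conn.host))
    # URL indicators need the request line, which TLS hides from a
    # passive sensor; they are simply not evaluable on encrypted flows.
    if conn.protocol == "http" and conn.url in IOCS["url"]:
        hits.append(("url", conn.url))
    return hits


def coverage(conns):
    """Count, per category, how many connections could even be checked."""
    evaluable = {"ip": 0, "domain": 0, "url": 0}
    for c in conns:
        evaluable["ip"] += 1
        if c.host:
            evaluable["domain"] += 1
        if c.protocol == "http":
            evaluable["url"] += 1
    return evaluable


def scan(conns):
    """Return {index: hits} for connections with at least one match."""
    return {i: match(c) for i, c in enumerate(conns) if match(c)}


if __name__ == "__main__":
    print(scan(CONNS))
    print(coverage(CONNS))
```

The `coverage` figures are the part worth showing management: as the share of encrypted traffic grows, the fraction of connections on which URL-style signatures can fire at all shrinks, which is why behavioral methods that work on metadata alone are layered on top.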
To learn more, see the Capgemini report:
“Signature-based cybersecurity solutions are unlikely to deliver the requisite performance to detect new attack vectors. In fact, our data shows that 61% of organizations acknowledge that they will not be able to identify critical threats without AI.”
How do I integrate Network Detection
As with any cutting-edge security tool, NDR solutions are not deployed in isolation and often complement existing solutions already in place. Here’s how NDR solutions integrate with common systems.
With your enterprise network
NDR solutions are engineered to introduce minimal friction into SOCs while still providing network threat detection. NDRs leverage sensors that are deployed off a SPAN or TAP port to passively monitor network traffic.
With your SIEM
Integrations with SIEMs allow SOCs to seamlessly add NDR solutions to existing workflows. Why is this useful? Most organizations use their SIEM as the central aggregation point for alerts related to malicious activity. A native integration, delivered as a downloadable app for the preferred SIEM, is often the method SOC teams favor for investigating, confirming, and responding to those alerts. This brings the full visibility of the NDR into your SOC team’s workflow while allowing them to pivot into the NDR as needed for deeper analysis.
With your SOAR
Many NDR integrations occur within large enterprises with mature SOCs that prefer to use their own playbooks and workflows for response. Consequently, the focus of NDR vendors is to provide integrations with market leaders in SOAR tools such as Splunk, Palo Alto XSOAR (Demisto), and Swimlane.
With your workloads in public or private cloud providers
As organizations move data and workloads to the cloud, NDR vendors are integrating with public cloud providers like Google and Amazon Web Services to enable NDR capabilities across cloud and hybrid cloud environments. An integration with a public or private cloud environment should include the ability to monitor network traffic within that environment, rather than merely being deployable inside a particular cloud or virtual network provider.
What is IronNet Network Detection and Response?
IronDefense is a leading NDR solution that uses a combination of behavioral detection techniques – including machine learning and deep learning – plus statistical analysis and heuristic techniques to detect suspicious traffic. For response, IronDefense has strong manual hunt capabilities, enabling threat hunters to investigate across network flow data and pull packet capture on any flow. IronDefense’s AI-powered Expert System prioritizes threats and provides contextual information for incident responders.