Q&A on Network Detection and Response (NDR)
What is NDR?
Today’s network detection and response (NDR) has a long history, evolving out of network security and network traffic analysis (NTA). Network security was historically defined as using a perimeter firewall and Intrusion Prevention Systems to screen traffic coming into the network, but as IT and security technology have evolved, the definition has become much broader, because modern attacks use more complex approaches.
Today, network security is everything a company does to ensure the security of its networks, and everything connected to them. This includes the network, the cloud (or clouds), endpoints, servers, IoT, users and applications. Network security products seek to use physical and virtual preventive measures to protect the network and its assets from unauthorized access, modification, destruction and misuse.
Why is NDR important?
NDR is important because the network is the backbone of the IT infrastructure, and every user and device is connected to it — it’s the single source of truth if you can see into the traffic in a meaningful way. Traffic from all your systems, including endpoints, servers, applications and internet, must pass over the network, so the network is the logical source of true information about security exploits, and NDR is the tool that captures that information.
There are a lot of security tools that cover endpoints, applications like e-mail, and servers, but analyzing data and logs from these tools is not enough to thwart today’s attacks. If there is one important thing to know about the network, it’s that it doesn’t lie. That’s why NDR completes an organization’s journey to Everything Detection and Response (i.e., XDR) alongside Endpoint Detection and Response (i.e., EDR) for endpoint data and SIEM for security tool logs. Specifically, NDR sees what the endpoints and other logs don’t see (the entire network: devices, SaaS applications, user behavior), acts as the true data set and enables real-time responses.
How does NDR work?
NDR solutions use non-signature-based techniques (for example, machine learning or other analytical techniques) for unknown attacks alongside quality signature-based techniques (for example, threat intel fused in-line for alerts) for known attacks to detect suspicious traffic or activities. NDR can ingest data from dedicated sensors, existing firewalls, IPS/IDS, metadata from NetFlow, or any other network data source, assuming strategic placement of sensors and/or other network telemetry. Both north/south traffic and east/west traffic should be monitored, as well as traffic in both physical and virtual environments. All data is collected and aggregated in a central data lake, enriched with context such as threat intelligence, host name and/or user information, then processed by an advanced AI engine to detect suspicious traffic patterns and raise alerts.
Once alerts are triggered, the analyst or NDR solution must respond. Response is the critical counterpart to detection and is fundamental to NDR. Automatic responses, such as sending commands to a firewall to drop suspicious traffic or to an EDR tool to quarantine an affected endpoint, and manual responses, such as providing threat hunting or incident investigation tools, are common elements of NDR.
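The ingest-enrich-detect-respond pipeline described in the two paragraphs above, condensed into an added toy example (not Stellar Cyber's code or any product's logic): constructed NetFlow-style records are classified as north/south or east/west, enriched with a hostname lookup and a constructed threat-intel list, and run through one signature-based rule (destination matches threat intel) and one non-signature rule (an internal host touching an unusual number of internal peers on SMB), with each alert carrying the automatic response it would trigger. The host names, IP addresses, thresholds and port choice are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data in the style of NetFlow metadata, a hostname
# lookup and a threat-intel list. Every address and name here is made up.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
HOSTNAMES = {"10.0.1.5": "ws-finance-07", "10.0.9.2": "ws-hr-02"}
THREAT_INTEL = {"203.0.113.77": "known-c2-server"}          # constructed IOC
FLOWS = [
    {"src": "10.0.1.5", "dst": "203.0.113.77", "dport": 443, "bytes": 120_000},
    {"src": "10.0.9.2", "dst": "198.51.100.10", "dport": 443, "bytes": 3_000},
] + [{"src": "10.0.1.5", "dst": f"10.0.2.{i}", "dport": 445, "bytes": 200}
     for i in range(1, 26)]                                  # 25 SMB peers

def direction(flow):
    """Classify a flow as east/west (internal-to-internal) or north/south."""
    src_in = ipaddress.ip_address(flow["src"]) in INTERNAL
    dst_in = ipaddress.ip_address(flow["dst"]) in INTERNAL
    return "east/west" if src_in and dst_in else "north/south"

def enrich(flow):
    """Attach direction, host name and threat-intel context to a raw flow."""
    return {**flow, "direction": direction(flow),
            "src_host": HOSTNAMES.get(flow["src"], flow["src"]),
            "intel": THREAT_INTEL.get(flow["dst"])}

def detect(flows, fanout_threshold=20):
    """Signature rule (intel hit) plus a behavioural rule (SMB fan-out)."""
    alerts, smb_peers = [], defaultdict(set)
    for f in map(enrich, flows):
        if f["intel"]:                                  # known-bad destination
            alerts.append({"host": f["src_host"], "type": "intel-match",
                           "detail": f["intel"], "response": "firewall-block"})
        if f["direction"] == "east/west" and f["dport"] == 445:
            smb_peers[f["src_host"]].add(f["dst"])
    for host, peers in smb_peers.items():               # no signature needed
        if len(peers) >= fanout_threshold:              # assumed threshold
            alerts.append({"host": host, "type": "smb-fanout",
                           "detail": f"{len(peers)} internal peers",
                           "response": "edr-quarantine"})
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

A real deployment would tune the fan-out threshold per environment and feed the `response` field to the firewall or EDR integration rather than printing it.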
How do you integrate NDR with other security tools?
NDR tools integrate with other security tools through application programming interfaces (APIs) provided by the NDR vendor. Of course, if you’re using Stellar Cyber’s Open XDR platform, NDR is already integrated into it, along with a next-generation SIEM and threat intelligence.