Network Detection & Response (NDR) is an emerging technology developed to close the blind security spots left by conventional security solutions, which hackers exploited to gain a foothold in target networks.
Nowadays, enterprises are using a plethora of security solutions to protect their network from cyber threats. The most prominent ones are Firewalls, IPS/IDS, SIEM, EDR, and XDR (which combines the functionality of EDR and SIEM). However, all these solutions suffer from security gaps that prevent them from stopping advanced cyber-attacks efficiently.
NDR was developed based on Intrusion Detection System (IDS). An IDS solution is installed on the network perimeter and monitors the network traffic for suspicious activities.
IDS systems suffer from many downsides that make them inefficient in stopping modern cyber-attacks: IDS use signature-based detection techniques to discover abnormal activities, making them unable to spot unknown attacks.
In addition, IDS systems trigger a large number of security alerts. This results in wasting security team time and making them unable to investigate all security alerts. And finally, IDS was not built to provide any response or investigation capabilities, making it unable to respond efficiently to ongoing cyberattacks.
Network Detection & Response to extract information from network traffic
NDR was the response to mitigate the downsides that IDS systems fail to protect. NDR systems go beyond signature-based detection and analyze all network traffic coming inside or exiting the network and create a baseline of normal network activity. The baseline is used later to compare current traffic with regular network activity to detect suspicious behaviors.
NDR solutions utilize advanced technologies to detect emerging and unknown threats, such as Machine Learning and Artificial Intelligence (AI). Using these technologies allows NDR systems to convert information gathered from network traffic into actionable intelligence used to detect and stop unknown cyber threats.
An NDR solution can run automatically independent of human supervision to detect cyber threats and respond to them. NDR can also integrate with existing security solutions such as SIEM and SOAR for enhanced detection and response.
Traditional NDRs flaws in handling encryption and the increasing amount of data
Up until now, NDRs relied on traffic mirroring, typically combined with hardware sensors to extract the information – very similar to how IDS used to do it. However, there are three game-changers increasingly challenging this approach:
- A large share of internet traffic is encrypted, according to the Google Transparency Report, already 90% of the web traffic. Therefore, the traditional traffic mirroring cannot longer extract information from payload and is thus losing its effectiveness.
- Increasing bandwidths and new networking technologies, making traffic mirroring expensive or even infeasible.
- A shift towards highly distributed hybrid networks where simply analyzing traffic on one or two core switches is no longer enough. Many collection points need to be monitored, which makes traffic mirroring-based solutions even more expensive to operate.
Taking these developments into account, mirroring networks is not a future-oriented solution for securing networks anymore.
ExeonTrace: A trusted future-proof NDR solution
ExeonTrace does not require mirroring the network traffic to detect threats and decrypt encrypted traffic; it uses algorithms that don't operate on payload, but on light-weight network log data exported from an existing network infrastructure via NetFlow.
This enables it to analyse metadata passing through the network at many collection points to discover covert communication channels employed by advanced threat actors, such as APT and ransomware attacks.
NetFlow is an open standard that enables networking devices (e.g., routers, switches, or firewalls) to export metadata of all connections passing through them (physical network, virtualised environment, and private cloud environment – or what is known as north-south and east-west monitoring capability). Thus, this approach is optimal for distributed networks which include cloud environments as well.
ExeonTrace solution provides comprehensive visibility over your entire IT environment, including connected cloud services, shadow IT devices, and can detect non-malware attacks such as insider threats, credential abuse, and data exfiltration. The complete network visibility will make it feasible to inspect all network traffic entering or leaving your enterprise network.
ExeonTrace will not stop here, as it will monitor all internal interactions between all devices across your enterprise network, to detect advanced threat actors hiding in your networks, such as APT and Ransomware.
ExeonTrace's utilisation of supervised and unsupervised Machine Learning models allows it to detect non-malware threats, such as insider threat, lateral movement, data leakage, and internal reconnaissance. ExeonTrace also enables the addition of network-based custom rulesets to verify all users are adhering to the implemented security policies (e.g., stopping users from using particular protocols). On top, ExeonTrace can integrate with available threat feeds or use a customer-specific threat feed to detect known threats.
Conclusion
NDR systems have become a necessity to stop the ever-increasing number of cyberattacks. Traditional NDR solutions need to mirror the complete network traffic though to analyse packet payloads, which is no longer effective in preventing modern cyber threats that leverage encryption to conceal their activities. In addition, mirroring the complete network traffic is becoming increasingly inconvenient, especially with the massive rise of data volume passing through corporate networks. A future-proof NDR like ExeonTrace that relies on the analysis of metadata allows to mitigate those downsides – and should therefore be the mean of choice to protect corporate networks efficiently and effectively.