Network Detection and Response

What is network detection and response (NDR)?

• Sensors and agents: Sensors are passive devices that monitor and capture traffic as it flows across the network, analyzing it for threats without directly interacting with endpoints. Agents are active components installed on individual devices or endpoints, providing deeper visibility into the activities and behavior of those specific devices. Sensors and agents are placed throughout the network to capture and analyze traffic data in real-time. By monitoring traffic patterns, sensors help detect suspicious activity that could indicate a possible threat.
• Network telemetry: Data that is collected and analyzed to monitor network performance, health, and behavior is called telemetry. Elements of network telemetry can include: Destination IP, Port, Protocol, application traffic, client information, SSID, session information, location, role, and UserID.
• Threat intelligence: NDR systems can detect known known threats more effectively by using external data such as malware signatures or IP addresses linked to cybercriminal activity.
• Behavioral analysis: Advanced NDR systems can identify threats using behavioral analysis, which doesn’t just look for known threats or attack signatures, but also monitors for abnormal patterns of behavior. For example, if a device suddenly starts communicating with an unfamiliar IP address or transfers large amounts of data, that could be flagged as suspicious.
• AI and ML: AI and machine learning can improve detection and response capabilities over time. The system learns from the traffic it monitors and the network environment, potentially becoming more accurate in identifying suspicious activity and recommending appropriate responses.

Not all NDR solutions are created equal. Consider the following when evaluating an NDR solution.

• Does the NDR solution use AI and ML to enhance detection and response? Cybersecurity threats are always evolving and NDR techniques relying solely on known patterns, such as signature detection, can fall behind, leaving the organization vulnerable. AI-based approaches can help NDR solutions learn from both the organization’s environment as well as other environments, to aid in detecting novel and emerging threats. AI can also be used to assist security teams in defending against attacks more swiftly and effectively by providing response recommendations and more accurate impact assessments.
• Is the AI backed by robust data? AI is only as good as the data behind it. Ensure that the AI and ML techniques used by the NDR solution are backed by data with strong variety, volume, and velocity.
• Does the NDR solution integrate well with other solutions? Cybersecurity is best thought of as an ecosystem, not an isolated island. Threat information and alerts from the NDR solution that can be easily disseminated and consumed by other systems to take protective actions can help organizations achieve a strong security posture and comprehensive defense.