IronNet Blog

The Case for Network Detection and Response (NDR)

Written by Benjamin Whitney | Jul 23, 2020 8:08:00 PM

Since Network Detection and Response is a relatively new approach to cybersecurity, it's not unusual to hear, “Why do I need an Network Detection and Response (NDR) product?” or “I already have those use cases covered with my existing cybersecurity products.” As someone responsible for planning, designing, architecting, building, and selling an NDR product, I’d like to address these common concerns. My response is informed by both hindsight (from my 15 years working Computer Network Operations within Department of Defense) and foresight (working hand-in-hand with cybersecurity analytics specialists who have the expertise to take the industry beyond traditional signature detection). 

My answer is simple. What once was considered the future of cybersecurity — Network Detection and Response as recently categorized by Gartneris cybersecurity today. The ability to discover unknown threats and, at the same time, bring together commercial and government entities to share threat intelligence that can deliver a unified front through Collective Defense is changing business as usual. NDR is a powerful way to strengthen cybersecurity in the face of a threat landscape that has no boundaries. I am pleased to be part of the team at IronNet that delivers those capabilities today.

A turning point for cyber defense

There are two main principles at the root of the IronNet products enabling this tectonic shift:

(1) Finding the unknown and making it known is the only way to turn cybersecurity into a proactive force rather than a reactive game.
(2) Sharing information in real time is the only way to outwit and deter adversaries so the defense can get ahead — and stay ahead — of the offense.

Although the approach of “the best defense is a good offense” is compelling on the surface (and in movies), it would escalate cyber attacks that the majority of corporations and governments are not prepared for. Not to mention the illegality and danger of hacking back. 

The reality is that many companies still have a weak security posture when approaching cybersecurity alone, and aggravating an adversary by attempting to hack back will only entice them to push harder or move their focus to less sophisticated targets in order to accomplish their objectives. Furthermore, as attribution in cyber is difficult, hacking back also could be considered a nation-state response, resulting in catastrophic consequences.

So how does one effectively catch an unknown through cyber defense? Are visions of the film “Minority Report” possible, that is, where perpetrators are arrested prior to conducting malicious activity? I would argue that, yes, we get closer to this vision every day. Zeroing in on the network layer is a key part of this bigger solution and better approach.

Why network defense is the best defense

If we’re going to make collective headway toward weakening cyber adversaries, we must add network defense to our cybersecurity arsenal. NDR complements the firewall and Endpoint Detection and Response (EDR) to fill known gaps. 

Let’s start with the first two security products a corporation should purchase when establishing security for their environment:

Firewall

First, the enterprise needs a firewall, ideally a Next Generation Firewall (NGFW), to protect the environment from known bad activity. As threat intelligence is created and disseminated, firewalls are updated with the latest indicators of compromise (IOCs), and firewall policies are placed to drop the activity from coming into the network or from leaving the network. Additionally, an NGFW has the ability to flag and log certain activity without blocking it using simple logic. 

Endpoint Detection 

Second, the enterprise needs endpoint security, ideally an Endpoint Detection and Response (EDR). This helps eliminate certain intrusions before they start by identifying activity with signatures and by monitoring the host for unusual endpoint-centric activity, coupled with the ability to contain a host should something malicious be detected.

With these basic solutions, a SOC is armed with endpoint and firewall alerts, and the environment is protected at both the network layer with a NGFW and on endpoints with an EDR. This seems like a good solution for preventing known bad threats and for getting some additional alerts to analyze to find things that slip through the cracks, but is it enough? I know I’m leading the witness here a little, but my clear case is that these two solutions are not enough. Network Detection and Response sees unknown threats using cybersecurity analytics.

Adding Network Detection and Response to the mix

Because IronNet’s products are designed to focus on behaviors instead of signatures, and, in turn, provide Collective Defense, cyber defenders can expect machine-speed collaboration in response to detections of unknown threats. Detections are rated and prioritized so as not to contribute to the alert fatigue that plagues SOCs everywhere.

Our approach focuses on behaviors, because we know that signatures easily can be evaded. Signatures are typically deployed leveraging traditional indicators of compromise (IOCs). These include IP addresses, domains, and file hashes. The problem with this approach is that it is far too easy for an adversary to change infrastructure and thus render a traditional IOC signature useless. Adversaries know this and therefore will use a different infrastructure for each target they are pursuing. They also will rotate infrastructures to create a game of cat and mouse or “Catch Me If You Can.” Attackers also know that by recompiling or slightly modifying the executables used in their toolkit, they can prevent file hashes from being effective. With network behavior detection and Collective Defense, we can catch them. 

The cyber defense opportunity at hand

There is a huge opportunity at the network layer to detect what cannot be detected on the endpoint or at the firewall. Because no matter what, adversaries cannot operate without a network. And though firewalls are great with hard and fast rules, effectively blocking known threats, they cannot block the unknown bad without crippling the enterprise’s ability to function. What’s more, there is justifiable concern regarding performance of the firewall when considering how much analytical processing is placed on an in-line critical network device that must keep up with line speed.

When an adversary has root or administrative privileges on an endpoint, all bets are off with regard to the effectiveness of that endpoint security product. Malware may disable certain services or entirely turn off endpoint security. Sophisticated adversaries even have large labs where various endpoint products are tested to determine if their latest malicious toolkits and techniques are being detected. Additionally, some malware with self destruct capabilities will uninstall the malware prior to it being detected by the endpoint product. Though in this case, the adversary is unable to initially fulfil their objective, and they will pivot to another device on the network until they are able to finish. 

As with most things, the path of least resistance will be used by the adversary to accomplish their goals. Another challenge with security at the endpoint is coverage. It can be difficult to ensure that only compliant and protected devices exist on the network. How well can a corporation ensure that no devices exist on the network without the endpoint product being installed? Such rogue assets may exist on the network and pose a risk to the entire enterprise. Adversaries are persistent and will find these unprotected devices. Similar limitations are true of firewall products and the periodic threat intelligence that is fed to them, blocking certain traffic at the firewall. Adversaries easily can acquire this threat intelligence information to ensure their latest malware and infrastructure will stay a step ahead, avoiding being flagged by the firewall. 

Strengthening the table stakes 

Endpoint protection and firewalls are still essential because we need to block the known and we need to do so in the most effective way possible, at the firewall or at the host.

An NDR solution strengthens these table stakes by providing an ability to identify an unknown lurking in the network where endpoint detection is not possible and without hindering business by over blocking at the firewall.

Understanding the inner workings of a NDR product and being able to evade them is a tall order for even the most sophisticated cyber actor. IronNet focuses on behavior detection, the very behaviors malicious actors must leverage in order to be successful. For this reason, even if an adversary knew which behaviors were being extracted by IronNet to find malicious activity, they still would not be able to eliminate their usage entirely. The nature of IronNet’s NDR technology positions it to detect the unknown threats and make them known. Furthermore, Collective Defense through IronNet’s IronDome gives our customers the unique ability to collaborate in real time, driving more accurate prioritization, faster triage, and a proactive response.

I admit a little bias when it comes to IronNet’s capabilities and the case for a next-generation NDR solution in our products. That said, I am confident in our proven capabilities and passionate about our mission. Please let us know if you’d like to take the product for a test drive to see for yourself how NDR fills a gap in the traditional security ecosystem to arm the SOC with the ability to find the unknown proactively.

Learn more in IronNet's NDR eBook.