Monitoring network traffic is not a new practice. In the beginning, network metadata was captured to analyze network performance characteristics. Is our network running okay? But as data volumes soared, many organizations were unable to harness network activity, leaving it as an untapped resource for cyber defense.
Eventually, computing power caught up, giving companies network traffic visibility and behavioral analysis detection methods for computer security – technology first called network traffic analysis (NTA). And while NTA remains a fixture in enterprise security operations centers (SOCs), the market category has evolved and broadened to network detection and response. Organizations increasingly value the response capabilities in NDR solutions to address threats detected by network traffic analysis tools, which focus mainly on detection-only threats and mostly around basic variations of known threats.
Today, increasingly sophisticated behavioral analytics; machine learning; and artificial intelligence (AI) of cloud, virtual, and on-premise networks form the backbone of NDR solutions. By harnessing these technologies, NDR vendors have enabled organizations to improve detection capabilities, determine the confidence and risk level of a threat, and increasingly automate tasks manual tasks performed by analysts such as the acquisition of relevant third-party contextual telemetry information and the application of standardized investigative playbooks to further prioritize threats by risk, thereby enabling them to focus strategically on triage and rapid response. By analyzing network behavior using machine learning models, advanced NDR tools can detect sophisticated evasion methods or “known unknown” cyber threats to brand new zero-day threats or “unknown unknowns.”
See our response to Gartner's shift to Network Detection and Response
Network detection and response tools can detect threats that slip past endpoint detection tools and firewalls.
Each NDR solution is unique. But here’s a quick look at common tools and techniques.
Machine learning leverages machine computing power to analyze large sets of data in order to make more accurate predictions. With NDR solutions, machine learning models can detect “unknown unknown” threats to your network using behavioral analytics. Machine learning algorithms can see cyber threats coming around the corner (e.g., ports suddenly being used that have never been used before), in turn enabling more rapid triage and mitigation. Machine learning models are also used to continually reweigh prioritization of potential threats based on real-world outcomes.
Deep learning is a powerful form of machine learning that uses artificial neural networks to enhance NDR capabilities. At IronNet, we use deep learning but constrain its use to only the NDR applications that are well-suited to the training data requirements and interpretability challenges of deep learning models.
Statistical analysis is a useful behavioral technique that is sometimes marketed as “AI” by a handful of NDR providers. These can range from simple outlier analysis (e.g., which URL has not be seen in this group of devices) to basic Bayesian analysis of network traffic pattern to other statistical methods. Commonly there is an element of sample to determine a baseline that is then used to identify which activity deviates from normal traffic usage, allowing SOCs to model normal network traffic and highlight suspicious traffic that falls outside the normal range.
Heuristic analysis detects threats by analyzing data for suspicious properties. In NDR solutions, heuristics extend the power of signature-based detection methods to look beyond known threats and spot suspicious characteristics found in unknown threats and modified versions of existing threats. Some network sandbox vendors position analysis of file-based malwares as a variation of network behavioral analysis.
Threat intelligence feeds are data streams containing information on previously identified cyber threats. Threat intelligence, if timely and actionable, can assist NDR solutions in identifying known threats or providing additional contextualization for prioritization of a detected network anomaly by risk. The limitation of threat intel feeds is the need to actively procure, manage, and curate threat intel so that the information is relevant and timely to the enterprise, which can be beyond the scope of all but the most security mature enterprises.
Signature-based detection methods use a unique indicator of compromise (IOC) identifier about a known threat to identify that threat in the future. Signatures were effective a generation ago, but the process of using unique identifiers to guard against known threats has become increasingly ineffective in a world where custom malware, malware toolkits, and non-malware based attacks such as credential replay are the norm. Furthermore nearly three quarters of all network traffic today is encrypted, part of an upward trend that’s rendering signature-based tools ineffective by preventing the content inspection required to match certain categories of IOCs.
As with any cutting-edge security tool, NDR solutions are not deployed in isolation and often complement existing solutions already in place. Here’s how NDR solutions integrate with common systems.
NDR solutions are engineered to introduce minimal friction into SOCs while still providing network threat detection. NDRs leverage sensors that are deployed off a SPAN or TAP port to passively monitor network traffic.
Integrations with SIEMs allows SOCs to seamlessly add NDR solutions to existing workflows. Why is this useful? Most organizations leverage their SIEMs as the central aggregation point for alerts related to malicious activity. Native integrations as a downloadable app for their preferred SIEM is often the preferred method for SOC teams to investigate, confirm and respond to those alerts. This allows the full visibility of the NDR to work within your SOC team’s workflow while allowing them to pivot into the NDR as needed for deeper analysis.
Many NDR integrations occur within large enterprises with mature SOCs who prefer to leverage their own playbooks and workflows for response. Consequently the focus of NDR vendors is to provide integrations with market leaders in SOAR tools such as Splunk, Palo Alto XSOAR (Demisto), and Swimlane.
As organizations move data and workloads to the cloud, NDR vendors are integrating with public cloud providers like Google and Amazon Web Services to enable NDR capabilities across cloud and hybrid cloud environments. Cloud integrations or private cloud environments should include the ability to monitor network traffic in their respective domain and not just deploy in a particular cloud or virtual network provider.
.png)
