IT security teams face the challenge of providing active, rapid, and comprehensive threat detection and mitigation for enterprises in the face of numerous and increasingly complex cyber threats. This calls for a wide range of threat detection and response tools that aim to detect and report attack activities in a timely manner and thus sustainably increase the level of IT security.
Network Detection & Response forms the building block of network security and ensures the visibility of threats within the company’s own network infrastructure. In addition, NDR enables targeted and rapid defense against detected threats.

SECUINFRA is working with Corelight Inc. to implement Network Detection & Response. together, supplying various sensors with an installation from Suricata and Zeek. The combination of the two systems enables comprehensive detection of known attack vectors via signatures, as well as a wealth of other information for analysis. In addition, Corelight provides numerous extension scripts for Zeek to detect attacks based on anomaly or behavioral analysis. This includes, for example, the detection of command & control communication or the evaluation of metadata within encrypted communication to draw conclusions about the use of an SSH or VPN connection.

NDR tools enable detection of attack patterns that would go undetected on endpoints. These include, for example, lateral movement detection, command & control communication or data exfiltration. To do this, NDR tools continuously analyze network traffic and detect malicious behavior. In addition, signature detection can be used to identify known attack patterns.
The use of NDR tools leads to improved IT security levels – especially when existing SIEM and EDR solutions are complemented by NDR.

NDR and SIEM work together with the overall goal of detecting, verifying, and responding to threats by collecting and sharing information.
NDR collects and analyzes network information to identify attacks. Once an attack is identified, an NDR solution can automatically respond by isolating the affected devices to prevent the spread of the attack and clean up the affected areas. In addition, an NDR solution makes all collected information available to the SIEM system.
The SIEM uses this information along with other events from various security devices and applications in real time. It correlates this data to detect potential threats and generate alerts.
The information collected by NDR can in turn be used by cyber defense analysts to adjust detection rules in the SIEM to better detect and defend against future attacks.

In summary, NDR supports the SIEM by, among other things:

• Collection and analysis of connection data from network traffic
• Provision of an unchangeable data source
• Optimization of complete, comprehensive reports
• Protocol gap coverage
• Log analysis, aggregation, and behavioral threat detection

In order to use an NDR tool, the infrastructure must provide a way to analyze network communications. This can be done, for example, by a switch SPAN port or a dedicated Test Access Point (TAP).
It is also necessary to specify which network traffic is to be analyzed. Typically, a first point of analysis is the network interface between their organization and the public network. Here they have the possibility to analyze all accesses from their network. In addition, the transitions between the individual network segments within their organization can be monitored, e.g. to identify lateral movement activities.

SECUINFRA offers you the possibility to realize your individual NDR solution according to the modular principle. In the process, our experts work with you to plan the implementation and connection of the NDR tool to your existing security infrastructure.