"Keep your perspective with NDR
in your network security!"
Network Detection & Response (NDR)
Network Detection and Response (NDR) is a network-based security approach that continuously monitors and analyzes all of an organization’s traffic based on static rules, machine learning, and threat intelligence. The solution includes all internal data traffic as well as external communication and thus takes into account sources such as client and server systems, network components, but also IoT sensors or OT devices. In addition, NDR tools automatically respond to detected threats by activating security measures such as blocking network connections or domains. In addition, historical network information enables a comprehensive review of known Indicators of Compromise, which supports rapid resolution of known threats.
When combined with other security solutions such as XDR (Extended Detection and Response) and SIEM (Security Information and Event Management), NDR unleashes its full power and makes a significant contribution to enterprise security.
NDR makes threats visible and enables targeted and rapid defense against identified threats.
The most important FAQs about NDR
IT security teams face the challenge of providing active, rapid, and comprehensive threat detection and mitigation for enterprises in the face of numerous and increasingly complex cyber threats. This calls for a wide range of threat detection and response tools that aim to detect and report attack activities in a timely manner and thus sustainably increase the level of IT security.
Network Detection & Response forms the building block of network security and ensures the visibility of threats within the company’s own network infrastructure. In addition, NDR enables targeted and rapid defense against detected threats.
SECUINFRA is working with Corelight Inc. to implement Network Detection & Response. Together, they supply various sensors with an installation of Suricata and Zeek. The combination of the two systems enables comprehensive detection of known attack vectors via signatures, as well as a wealth of other information for analysis. In addition, Corelight provides numerous extension scripts for Zeek to detect attacks based on anomaly or behavioral analysis. This includes, for example, the detection of command & control communication or the evaluation of metadata within encrypted communication to draw conclusions about the use of an SSH or VPN connection.
NDR tools enable detection of attack patterns that would go undetected on endpoints. These include, for example, lateral movement detection, command & control communication or data exfiltration. To do this, NDR tools continuously analyze network traffic and detect malicious behavior. In addition, signature detection can be used to identify known attack patterns.
The use of NDR tools leads to improved IT security levels – especially when existing SIEM and EDR solutions are complemented by NDR.
NDR and SIEM work together with the overall goal of detecting, verifying, and responding to threats by collecting and sharing information.
NDR collects and analyzes network information to identify attacks. Once an attack is identified, an NDR solution can automatically respond by isolating the affected devices to prevent the spread of the attack and clean up the affected areas. In addition, an NDR solution makes all collected information available to the SIEM system.
The SIEM uses this information along with other events from various security devices and applications in real time. It correlates this data to detect potential threats and generate alerts.
The information collected by NDR can in turn be used by cyber defense analysts to adjust detection rules in the SIEM to better detect and defend against future attacks.
In summary, NDR supports the SIEM by, among other things:
- Collection and analysis of connection data from network traffic
- Provision of an unchangeable data source
- Optimization of complete, comprehensive reports
- Protocol gap coverage
- Log analysis, aggregation, and behavioral threat detection
In order to use an NDR tool, the infrastructure must provide a way to analyze network communications. This can be done, for example, by a switch SPAN port or a dedicated Test Access Point (TAP).
It is also necessary to specify which network traffic is to be analyzed. Typically, the first point of analysis is the network interface between your organization and the public network, where all accesses from your network can be analyzed. In addition, the transitions between the individual network segments within your organization can be monitored, e.g. to identify lateral movement activities.
SECUINFRA offers you the possibility to realize your individual NDR solution according to the modular principle. In the process, our experts work with you to plan the implementation and connection of the NDR tool to your existing security infrastructure.
Where NDR helps
The added value of your network information
Using the network information provided by the NDR tool, detection rules (use cases) can be developed for various threat scenarios. In particular, this includes the detection of lateral movement, command & control communication or data exfiltration, which cannot be detected by information on end devices.
Historical information about network connections enables fast and secure evaluation of existing security incidents. For example, information about the accessed domain names can be used to easily create an overview of the clients affected by an attack. Historical data also help in retrospective review of known Indicators of Compromise and provide a starting point for further investigation.
Network parameters such as IP addresses or domain names can be enriched with information from external sources and evaluated in terms of their trustworthiness – based on historical data even in retrospect. The NDR tool can then respond directly to detected threats and prevent access.
By regularly checking various indicators such as TLS certificates used, domains visited or accesses to internal resources, suspicious behavior can be detected and prevented at an early stage.
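The retrospective Indicator-of-Compromise review and the overview of affected clients described above can be scripted directly over the connection metadata an NSM such as Zeek writes. The following is an added example, not SECUINFRA or Corelight code; it assumes Zeek logs are written as JSON lines with a `_path` field naming the log (as the json-streaming-logs package and Corelight exports add), and all log records and the indicator list are constructed for illustration.

```python
"""Retrospective IoC check over Zeek JSON logs (added example, not vendor code).

Assumes Zeek writes dns.log and ssl.log as JSON lines and that each record
carries a `_path` field naming the originating log.
"""
import json
from collections import defaultdict

# Constructed sample records using real Zeek field names; all values are invented.
SAMPLE_LOGS = [
    '{"ts":1700000001.1,"_path":"dns","id.orig_h":"10.0.1.15","query":"update.corp.example"}',
    '{"ts":1700000002.4,"_path":"dns","id.orig_h":"10.0.1.22","query":"cdn.bad-domain.invalid"}',
    '{"ts":1700000003.9,"_path":"ssl","id.orig_h":"10.0.1.22","id.resp_h":"203.0.113.7","server_name":"bad-domain.invalid"}',
    '{"ts":1700000005.0,"_path":"ssl","id.orig_h":"10.0.2.31","id.resp_h":"203.0.113.7","server_name":"bad-domain.invalid"}',
    '{"ts":1700000006.2,"_path":"conn","id.orig_h":"10.0.1.15","id.resp_h":"192.0.2.9"}',
]
IOC_DOMAINS = {"bad-domain.invalid"}  # constructed indicator, not a real IoC


def _matches(name, iocs):
    """Return the matching IoC if name equals it or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def affected_clients(log_lines, iocs):
    """Map each hit IoC to the clients that contacted it, with the first-seen timestamp."""
    hits = defaultdict(dict)  # ioc -> {client_ip: first_ts}
    for line in log_lines:
        rec = json.loads(line)
        # dns.log carries the queried name, ssl.log the TLS SNI; other logs are skipped here
        name = rec.get("query") if rec.get("_path") == "dns" else rec.get("server_name")
        if not name:
            continue
        ioc = _matches(name, iocs)
        if ioc is None:
            continue
        client = rec["id.orig_h"]
        hits[ioc][client] = min(rec["ts"], hits[ioc].get(client, rec["ts"]))
    return {ioc: dict(clients) for ioc, clients in hits.items()}


if __name__ == "__main__":
    for ioc, clients in affected_clients(SAMPLE_LOGS, IOC_DOMAINS).items():
        print(ioc, clients)
```

Because the match is on retained metadata rather than on live packets, the same function can be re-run whenever a new indicator arrives, which is exactly the retrospective review the page describes.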
What types of network monitoring are possible
The characteristics of different monitoring approaches
NDR tools are attached to the connections between different internal network areas and record and process network traffic in real time. The data is usually provided via a network TAP (Test Access Point) or a SPAN (Switch Port Analyzer) port. The duplicated network traffic is thus processed passively and has no influence on the active data stream. The network data available from NDR tools can be divided into three categories, with each type of processing offering different advantages and disadvantages. In addition, it is also possible to use information from DNS, proxy or firewall logs for network analysis.
Network Security Monitor
With full-packet capture solutions, all network traffic is recorded and then analyzed. As a result, all information is available to security analysts without loss, and they can accurately track what is happening on the network. However, this type of monitoring usually requires manual analysis and can be very time-consuming due to the mass of information. Any protective measures for suspected cases found must also be initiated manually. In addition, it must be taken into account that the storage period of the data is limited due to the required capacity.
In contrast, network intrusion detection/prevention systems (IDS/IPS) can detect suspicious network communications based on predefined rule sets. In doing so, the tools compare the data stream in real time with the implemented rules and issue an alarm message if necessary. In addition to static rules, behavioral analysis through machine learning is increasingly used in IDS/IPS. Intrusion prevention systems can automatically respond to alarms and initiate various protective measures. IDS, on the other hand, require manual further processing of corresponding alarms. It should be noted that security analysts have limited information about network connections after the initial alert, which can make it difficult to make a qualified assessment of the alert.
Another method of monitoring the internal network is the use of Network Security Monitors (NSM). An NSM extracts numerous connection- and protocol-specific information from the data stream and presents it in a structured manner. Subsequently, an analysis of the obtained information is performed by implemented analysis scripts. Both signature and behavior-based analysis can be performed to detect attacks. Responses to detected events can be initiated manually, automatically, or by downstream analysis systems such as SIEM/SOAR.
The information scope of an NSM is a middle ground between a full-packet capture and the alarms of an IDS/IPS. Extracting the information from the network traffic results in a manageable storage requirement that allows the data to be retained for a longer period of time. In addition, despite the reduced storage requirements, all security-relevant information is retained for future analysis.
In addition to analyzing network information directly from the data stream, it is also possible to use application logs. In the network area, this includes log data from DNS servers, web proxies or firewalls, for example. However, compared to an NDR tool, these logs have limited information content and numerous drawbacks. This includes the need to collect and process logs from different sources. Different spellings, time stamps or designations also complicate the analysis work. In addition, once threats have been identified, appropriate protective measures must be implemented manually or via other systems.
NDR: one security component among many
Only the combination of NDR, EDR and SIEM enables comprehensive threat detection and rapid response.
NDR collects and analyzes network information to identify attacks. Once an attack is identified, an NDR tool can automatically respond by isolating the affected devices to prevent the spread of the attack and clean up the affected areas. In addition, an NDR solution makes all collected information available to the SIEM system for further analysis.
In contrast, EDR tools focus on increasing the visibility of anomalies at the endpoint: protection takes place directly at the endpoint, not at the network boundary. For this purpose, the activities of the end devices are captured, logged and analyzed in real time.
The SIEM or SOAR uses this information along with other events from various security devices and applications in real time. It correlates this data to detect potential threats and generate alerts.
The information collected by XDR can in turn be used by security analysts to adjust detection rules to better detect and defend against future attacks.
Only by combining various security components is it possible to detect and quickly respond to threats and attacks at the application, network and endpoint levels.
Why SECUINFRA
With us, you don’t just get an NDR product. We accompany you through the entire implementation process and, if desired, provide long-term support through our co-managed approach.
SECUINFRA has many years of experience in the development of use cases and the analysis of security incidents. This know-how flows into every new project.
- Customer orientation
Thanks to SECUINFRA’s many years of experience in consulting, our experts can respond specifically to your needs.
Through our partnerships with manufacturers, we have a direct communication channel and can respond to changes in a targeted manner.
SECUINFRA has been focusing on SIEM since 2010. A good database, such as that provided by NDR, is the basis for comprehensive attack detection.
At SECUINFRA, your needs are our focus. Together with you, we develop your individual NDR solution.