Network detection and response against network traffic analysis
Network Discovery and Response (NDR) is a new category of security solutions that complement and go beyond the capabilities of Log Analysis Tools (SIEM) and Endpoint Discovery and Response products ( EDR). NDR is a great first step towards a more proactive security posture because it offers immediate benefits and is generally easier to deploy and configure than SIEM and EDR.
NDR products monitor east-west traffic or communications within the network itself, and apply advanced behavioral analytics such as cloud-scale machine learning to quickly detect, investigate, and respond to issues. threats that would otherwise remain hidden. This is true whether the environment is on-premises, in the cloud, or in a hybrid environment spanning both premises and the cloud.
The recent release of cloud traffic mirroring for Azure and AWS customers has reinforced the central role NDR plays in modern security operations. By providing customers with real-time visibility into east-west cloud traffic, NDR products ultimately made Gartner’s SOC visibility triad (a security infrastructure framework designed to help organizations secure cloud environments and hybrids) a viable reality for hybrid environments.
NDR solutions are the foundation of the triad, providing complete visibility across the entire network with real-time threat detection while integrations with EDR and SIEM products enable seamless correlation of data. In this diagram, NDR solutions provide visibility into network or wired data, with EDR doing the same for endpoint data, and SIEM primarily aggregating log data.
What is Network Traffic Analysis (NTA)?
Gartner previously defined Network Traffic Analysis (NTA) as an emerging category of security products using network communications as the primary source of data for detecting and investigating threats within a network. Note the absence of an “answer” anywhere in this definition.
In February 2019, Gartner released a first Market Guide for Network Traffic Analysis, but soon after it became clear to the industry that this was just the start of a conversation about terminology in analyst space regarding NTA and NDR.
In June 2020, Gartner changed the category name and released its 2020 Market Guide for Network Discovery and Response.
NDR vs NTA: Why the change in terminology?
When it became clear that analyzing network traffic as a technological process would be a crucial factor in cloud and hybrid security, because without it, customers would have no fast and scalable way to see threats. infiltrate their increasingly permeable networks, or locate configuration errors in real time. time — NTA has received a lot of hype. And for good reason!
But as the industry has blessed the category and vendors have started to push the boundaries of their technology, especially advanced behavioral analysis that enables high-fidelity, real-time threat detection, we have also started to understand. that detection and investigation is the beginning, not the end, of what is possible with network-based security analysis. Network-based solutions must not only detect threats, but also enable reliable and rapid responses.
To this end, NDR is an attempt to make room for the broader, full spectrum potential of network traffic analysis. NDR products use NTA but add historical metadata for investigation and threat hunting and automated threat response through intelligent integrations with firewalls, EDR, NAC or SOAR platforms.
NDR use cases and examples
There are a number of areas where NDR products offer unique value, and you can explore a few below:
- Framework Support: Help security teams use frameworks such as MITER ATT & CK and CIS Top 20 Controls optimally by detecting a significant amount of subtle attack tactics and techniques that SIEM and EDR products cannot no see. Watch the SANS webinar on this topic.
- Insider Threat Detection: Detect (and assess) shadow IT so organizations can secure their assets, monitor the misuse of unauthorized applications, and empower employees to show them what technology they need to to succeed. Read more.
- Safety Health: Identify suspicious activity, sub-par encryption practices and “home calls” from third-party vendors and help maintain data security, privacy and compliance. Read more.
You can get a hands-on idea of the benefits and use cases of NDR by exploring the fully functional product demo of ExtraHop Reveal (x), our cloud-scale machine learning powered NDR solution. Check it out here.
Copyright © 2020 IDG Communications, Inc.