What is Network Detection and Response (NDR) and why does it need to be managed?
Network Detection and Response (NDR) is a cybersecurity solution that goes beyond signature-based tools: it uses techniques like AI and machine learning to continuously monitor a network, establish baselines of normal behavior, and flag activity that deviates from them. That capability is what spells the difference between catching new and emerging threats and being caught by them.
NDR represents the most advanced generation of security technology on the market today, flush with AI and machine learning and enough horsepower to handle ALL the network traffic of a large enterprise. Unfortunately, that also puts it out of reach for a lot of SMBs – unless it’s managed.
What makes NDR different, and why we all need it
NDR brings a different player to the game. Up to this point, security solutions have been handed specifications of what to look for when ferreting out malicious code at the endpoint, based on exploits that were launched and caught in the past. At the highest level you’ll have a system that maps to the MITRE ATT&CK framework, the best and most up-to-date repository of known attacker techniques in the world. If you have one of those systems running, keep it.
However, there’s one Achilles heel: they can only catch what they’ve already caught. It sounds like a Catch-22, and it is. Because most of these solutions are signature-based, they can only go off the “signature” – identifying factors like an IP address, a snippet of code, and so on – of a previous exploit, which was only identified after it struck. So someone has to take the fall before the rest of the world can be warned. While the sacrifice is worth it (and what else can we do?), it doesn’t cover new and emerging attacks – and the bad guys are getting smarter. Gartner reported that new ransomware models were the top emerging risk facing organizations in Q3 of last year. It’s no wonder, because that’s exactly where our tools fall short, and that’s where the bad guys are getting in. Take SolarWinds, for example; I’ll get into that in a moment.
Another challenge is that current solutions protect largely at the endpoint. That is great (and, as I said, keep doing it), but you’re going to need something more to secure a perimeter-less ecosystem that now consists of much more than endpoints. EDR secures the two laptops in the room, so to speak, but what’s securing what goes on between them? SIEMs cover another large piece of the pie by collecting and monitoring logs, but a large part is still left out. What about the IoT and shadow IT devices that have no agents installed and no logs to collect? It is in those blind spots on the network that adversaries are taking liberties, and that’s where next-generation network detection and response comes in. Were there network monitoring tools before? Of course. But they weren’t enough, and I’ll use the SolarWinds attack to illustrate why.
SolarWinds: How NDR could have helped
SolarWinds happened because the attackers did their job (and then some): they used previously compromised Office 365 accounts to gain access to the secured software development system, learned the security tooling and code-commit procedures, what those required, and how to throw them off the scent. And when the attack came, they did just that.
With today’s sophisticated RansomOps and APT attacks, hackers are finding ways to avoid being tagged as a previous offender, even when they are one. According to an article in Forbes, “When truly advanced attackers go into an environment, they uniquely compile the code they bring with them to specifically not match anything they’ve used elsewhere or ever will again.” In one fell swoop, they undermine the thousands of dollars in software, training and maintenance we can spend on a single SIEM or EDR solution. And sometimes they don’t even use “malicious code” at all, opting instead to “live off the land” and launch fileless malware attacks: infiltrating innocently, then using PowerShell, Office scripting or your own files against you. NDR is needed because it sees through all of that.
Instead of looking for an ID tag, it finds clues. NDR solutions leverage AI and machine learning to scan your entire network for anomalies, or Indicators of Behavior (IOBs), that reveal a sneaky attack sequence is afoot. It doesn’t wait for old enemies and compare mug shots (“have you seen this malware?”). It looks at the whole picture, uses AI and machine learning to gather a host of anomalies as evidence, analyzes those anomalies the way a detective would a wall of clues in a whodunnit, and then says: I think I have enough to book this guy. It quarantines the threat before it strikes and takes it in for questioning, so to speak. If it comes out clean, the restrictions are released; if it doesn’t, the threat is contained and the other computers on the network are warned.
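To make the baseline-and-evidence idea from the introduction and the paragraph above concrete, here is an added illustration (not code from the original post or from any NDR product): it learns each host’s normal peers and traffic volume from constructed flow records, scores new flows for behavioral anomalies rather than signatures, and only “books” a host once enough evidence piles up. All hosts, ports and byte counts are made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic) standing in for the flow metadata an
# NDR sensor collects: source host, destination, destination port, bytes sent.
BASELINE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 445, "bytes": 1200},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 445, "bytes": 1500},
    {"src": "10.0.0.5", "dst": "203.0.113.8", "dport": 443, "bytes": 900},
    {"src": "10.0.0.5", "dst": "203.0.113.8", "dport": 443, "bytes": 1300},
    {"src": "10.0.0.5", "dst": "10.0.0.53", "dport": 53, "bytes": 1100},
    {"src": "10.0.0.7", "dst": "10.0.0.53", "dport": 53, "bytes": 800},
    {"src": "10.0.0.7", "dst": "203.0.113.8", "dport": 443, "bytes": 1000},
    {"src": "10.0.0.7", "dst": "203.0.113.8", "dport": 443, "bytes": 1200},
]
# Observation window: a routine flow, a bulk upload from 10.0.0.5 to a never-seen
# peer, and an agentless device (10.0.0.40) that the baseline never saw at all.
WINDOW_FLOWS = [
    {"src": "10.0.0.7", "dst": "203.0.113.8", "dport": 443, "bytes": 1100},
    {"src": "10.0.0.5", "dst": "198.51.100.77", "dport": 443, "bytes": 52_000_000},
    {"src": "10.0.0.40", "dst": "198.51.100.9", "dport": 22, "bytes": 3000},
]

def build_baseline(flows):
    """Per source host: the (peer, port) pairs it normally talks to and its volume profile."""
    peers, volumes = defaultdict(set), defaultdict(list)
    for f in flows:
        peers[f["src"]].add((f["dst"], f["dport"]))
        volumes[f["src"]].append(f["bytes"])
    return peers, {src: (mean(v), pstdev(v)) for src, v in volumes.items()}

def flow_anomalies(f, peers, stats, z_limit=3.0):
    """Indicators of behavior one flow shows against the baseline (no signatures involved)."""
    src = f["src"]
    if src not in peers:
        return ["source host absent from baseline"]
    found = []
    if (f["dst"], f["dport"]) not in peers[src]:
        found.append("new peer %s:%d" % (f["dst"], f["dport"]))
    mu, sigma = stats[src]
    if sigma and (f["bytes"] - mu) / sigma > z_limit:
        found.append("outbound volume %.0f sigma above normal" % ((f["bytes"] - mu) / sigma))
    return found

def detect(window, peers, stats, contain_at=2):
    """Pile up evidence per host, then decide: clear, investigate, or contain."""
    evidence = defaultdict(list)
    for f in window:
        evidence[f["src"]].extend(flow_anomalies(f, peers, stats))
    return {h: ("contain" if len(e) >= contain_at else "investigate" if e else "clear", e)
            for h, e in evidence.items()}
```

Running `detect(WINDOW_FLOWS, *build_baseline(BASELINE_FLOWS))` marks 10.0.0.5 for containment (new peer plus an enormous outbound volume), flags the unknown 10.0.0.40 for investigation, and clears 10.0.0.7; a real NDR adds many more behavioral features, but the contain-on-accumulated-evidence logic is the same.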
Meanwhile, the SMB next to you that’s relying on its typical EDR and antivirus won’t even catch the malicious code, because those tools still don’t know what to look for. As it stands, it might be the first to find out.
The benefits of Managed NDR
I’ll talk directly to small businesses here. You know how hard it is to find the right security person, let alone hire them, train them, pay for full benefits and then watch them stretched too thin to attend to any of your tools with real expertise. We all know security staff in small businesses wear many hats, and it’s hard to wear them all at an enterprise level, which is the level attackers are prepared to operate at.
What I will say is this: sometimes it’s better to hire out. First, a managed NDR solution saves you from having to hire a team of experts who can learn NDR like the backs of their hands and still run a SOC and every other tool you have in mind. Managed NDR gives you access to a team of ready-trained, boots-on-the-ground, nothing-but-NDR nerds. Next, a managed NDR solution is often more stable. Cybersecurity is a highly competitive, lucrative, fast-changing and innovative field, which is arguably a draw.
However, it also lends itself to a high turnover rate, and you don’t want to see your investment walk out the door along with the bulk of your NDR know-how. An NDR provider is also in a better position to upgrade to the latest NDR technology as it comes out, because they have a business interest in staying current, whereas an SMB might have a hard time getting approval for similar security spend year after year. Considering the cost of the alternatives, managed NDR might be one of the most reasonable ways for SMBs to get access to the technology, expertise and overall benefits of network detection and response.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.