3 Criteria for Evaluating Network Detection and Response (NDR) Vendors
While the majority of cybersecurity efforts seem focused on the endpoint and the user these days (and deservedly so), the network is an invaluable place to gain critical insight and context that can help decipher alerts or launch investigations. As threats get sneakier and noise from security tools increases, analysts require data they can see, trust, and use to their advantage.
Not all Network Detection and Response (NDR) vendors provide that level of insight or autonomy. When done right, NDR offers an amazing amount of utility. However, it is important to know what you’re getting as not all NDR vendors are created equal; not all will allow you to visualize fully, customize creatively, or learn from past mistakes.
Here are three necessary criteria for a truly effective NDR solution.
#1: The Perspective of Network Detection and Response
First, NDR providers need to provide you with the right information.
Good Endpoint Detection and Response (EDR) tools can give you a comprehensive view of what’s happening on an endpoint. SIEMs rely on device logs, and can infer behavior based on a collection of system information. While both are useful, they are incomplete.
EDR can’t be installed on every device (think IoT, or old, fragile operating systems), and neither EDR nor SIEM log collection tells the story of what’s actually happening on the network. As today’s attackers evade endpoint defenses, use clever social engineering techniques, and lean on sophisticated malware, they often infiltrate unseen. The only way to track them down is by gaining full visibility of the network – and knowing what it is you’re seeing.
Every NDR solution comes with the ability to detect anomalous behavior, going far beyond known threats and instead catching exploits in the act based on deviations from normal network activity. As our CTO, Chris, likes to say, “Packets don’t lie.” The ability to see what’s happening in the traffic between your devices is the unique hallmark of Network Detection and Response and is a critical, frankly defining capability of an NDR provider.
#2: Looking Back In Time
Typical NDR solutions provide anomaly detection, signature-based detection, and response capabilities. That’s inherent in the name and expected in the outcomes. You could stop there, but that would be an incomplete realization of what NDR can do. Look for an NDR provider that uses its unique visibility into your network to scrupulously collect data, save it for a rainy day, and bring it out when you need to investigate something, create context, or answer questions. This kind of data is priceless, and it’s data you could miss if you don’t vet your providers properly.
We all remember the SolarWinds software supply chain attack; it was literally months before the tainted code was discovered. Once Indicators of Compromise (IOCs) came out, affected organizations scrambled to see if their SolarWinds instance had communicated with a handful of specific malicious IP addresses. Most of them simply didn’t have an easy way to answer the question, “Have we ever talked to those IPs?” because any firewall logs or SIEM data were either difficult to access or didn’t exist anymore. An NDR solution that saves these flow logs and makes it easy to answer these questions could have saved the day.
Another common example would be a policy decision to block a certain country. Geo-blocking is very common but can lead to unexpected headaches. I’m sure some of you have tried to block everything but US-based traffic on your firewall, only to learn quickly that Microsoft hosts critical services in Ireland and the Netherlands. The ability to interrogate these flow logs before making a decision like this can help avoid inevitable business interruptions.
The takeaway? NDR without the ability to “look back” is only giving you half its value. Find an NDR provider that saves your network’s metadata and makes it available for you to look back upon and analyze for threat diagnostics, analysis, and incident response.
#3: Customizations specific to your network
As I stated above, anomaly detection and alerts are table stakes for NDR offerings. But what if there is something specific on your network that you want to zero in on?
If you simply wanted to get alerted when a specific network flow pattern occurs, a typical NDR tool might struggle. Typical tools lean on ML-based anomaly detection or signature-based rules, and while that catches a lot, there’s a lot it can miss. Simple customizations may not be so simple.
Nomic’s Insight NDR allows you to create a custom signal for specific network traffic, so you can be alerted and take action on unique situations that might only apply to your network. Forget about sophisticated ML/AI detections: What if you just want to know, unequivocally, if a specific secure subnet on your network ever talks outbound to a foreign IP address?
Nomic HQ lets you pivot off Insight’s enriched Network Flows, and create signals based on metrics that go way above and beyond the basic “five-tuple”, including geolocation, flow size, application protocol, Autonomous System Number (ASN), and more.
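To make the two ideas above concrete (answering “have we ever talked to those IPs?” from retained flow metadata, previewing a geo-block, and a custom signal on enriched flows), here is an added example; it is not Nomic’s code or Insight’s query language. The flow records, field names, the secure subnet 10.99.1.0/24 and the “home country” of US are all constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of retained, enriched flow metadata (not real traffic).
# Beyond the five-tuple it carries destination country, ASN and application protocol.
FLOWS = [
    {"ts": "2024-03-01T09:12:00Z", "src": "10.20.5.14", "dst": "203.0.113.9",
     "dport": 443, "proto": "tcp", "bytes": 5120, "country": "US", "asn": 64500, "app": "tls"},
    {"ts": "2024-03-02T14:03:10Z", "src": "10.20.5.14", "dst": "198.51.100.77",
     "dport": 443, "proto": "tcp", "bytes": 910, "country": "IE", "asn": 64501, "app": "tls"},
    {"ts": "2024-03-03T02:44:51Z", "src": "10.99.1.7", "dst": "192.0.2.55",
     "dport": 8443, "proto": "tcp", "bytes": 77000, "country": "DE", "asn": 64502, "app": "tls"},
    {"ts": "2024-03-03T02:45:02Z", "src": "10.99.1.8", "dst": "203.0.113.9",
     "dport": 53, "proto": "udp", "bytes": 120, "country": "US", "asn": 64500, "app": "dns"},
]


def historical_ioc_matches(flows, ioc_ips):
    """Retrospective search: every retained flow that touched one of the IOC addresses."""
    iocs = set(ioc_ips)
    return [f for f in flows if f["dst"] in iocs or f["src"] in iocs]


def custom_signal_foreign_egress(flows, secure_subnet, home_country):
    """Custom signal: any flow whose source is in the secure subnet and whose
    destination is geolocated outside home_country."""
    net = ipaddress.ip_network(secure_subnet)
    return [f for f in flows
            if ipaddress.ip_address(f["src"]) in net and f["country"] != home_country]


def geo_block_impact(flows, allowed_countries):
    """Geo-block preview: which (country, ASN, app) combinations would be cut off,
    and how many retained flows each accounts for."""
    blocked = [f for f in flows if f["country"] not in allowed_countries]
    return Counter((f["country"], f["asn"], f["app"]) for f in blocked)


if __name__ == "__main__":
    for f in historical_ioc_matches(FLOWS, ["192.0.2.55"]):  # 192.0.2.55 is a constructed IOC
        print("IOC hit:", f["ts"], f["src"], "->", f["dst"])
    for f in custom_signal_foreign_egress(FLOWS, "10.99.1.0/24", "US"):
        print("Secure-subnet egress:", f["ts"], f["src"], "->", f["dst"], f["country"])
    for key, n in geo_block_impact(FLOWS, {"US"}).items():
        print("Geo-block would drop", n, "flow(s) to", key)
```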
Don’t Leave Basic NDR Capabilities on the Table
Investing in the right network detection and response provider takes time and intentionality. Make sure you get the most NDR has to offer by choosing an NDR vendor that, at the very least, doesn’t leave any basic benefits on the table:
- Full network visibility and anomaly detection capability.
- Access to previous threat events and network flows for analysis, investigation, and context.
- Customizable network-specific searches and signals that fit your organization’s strategy, not just general NDR specs.
To learn more about Nomic’s NDR and Managed Network Detection and Response (MNDR) solutions, contact us.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.