What is Managed Network Detection and Response and How is it Different from NDR?

As the threat landscape becomes more complex, it helps to have a guide who knows the terrain. Cybersecurity experts in any field are difficult to attain and retain, as the ongoing cyber talent crisis continues to teach us. Having a team of specialists who know the landscape, can maximize the tools to their full potential, and can hit the ground running will prove invaluable to organizations still progressing toward cybersecurity maturity.

The Security Paradox

Threat actors are increasing in sophistication and aren’t making exceptions for the small or underprepared. The same threats that target Fortune 500s also come after SMBs and organizations just growing into their digital maturity. Therefore, there is often a disparity between the capability of criminals to attack and the ability of smaller organizations to defend. 

Where to start? Strategies and guides (like the CIS Controls) abound, but overhauling your entire stack is simply not an option. And yet, the small medical groups, municipal water plants, and county school systems of the world still need to be protected. With the upward trend of supply chain attacks, bad actors often begin with smaller organizations that serve as vendors to larger enterprise targets (think Target in 2013). These smaller organizations now need to be protected more than ever, especially as their traditionally low level of cyber maturity makes them an even easier target. Thus, the security paradox: Those who need security the most are often the least likely to attain it.

In recent years, managed services have stepped in to solve this paradox in various novel ways.

What is MNDR, and how is it different from NDR?

Before we can discuss the “M” in MNDR, it first helps to understand and define the role that Network Detection and Response (NDR) plays in a security stack. NDR is a security methodology that uses baselining and behavioral analytics to detect anomalies in network traffic data. It monitors an organization’s internal and public-facing traffic and alerts on off-baseline patterns. An NDR solution is therefore only as good as its intelligence and its ability to determine what’s “normal”, and it leverages threat intelligence and other data enrichment to spot and alert on traffic anomalies.

Not only should NDR do all the valuable work of blocking known exploits, but it can also spot the malicious patterns that precede them. Even though sophisticated exploits obfuscate code, hide behind newly spun-up domains, and leverage file-less malware to hide from endpoint-based security solutions, attackers must traverse the network to accomplish anything meaningful. Mature NDR uses ML/AI-driven threat detection to sift through high volumes of data and identify patterns in network traffic it doesn’t recognize – traffic that might be related to malicious activity.

Now, what does the “M” add to the conversation? The “M” stands for “Managed”: an NDR solution run by an outsourced team of experts. MNDR provides the advantage of a team of seasoned cybersecurity specialists who can help you get the most out of a proactive platform. That includes:

  • Prevention | Combined with traditional IPS, MNDR provides another layer of threat prevention and detection. IPS checks IDs at the door, and MNDR finds the ones that sneak inside.
  • Automated Triage | It’s a numbers game, and every alert or event identified and classified autonomously is one less that your team (or ours) needs to address. Effective automation is key to reducing false positives and improving the efficiency of any security team.
  • Incident analysis | An incident is more than an alert. Combing through alerts, actions, flows, and detailed passive logs, a managed solution provides the expertise to help correlate disparate data and give your team the full story.
  • ML/AI-driven analytics | Applying data science to network visibility gives organizations a new perspective on network health and cyber hygiene, beyond known threats and traditional anomaly detection.
  • Retrospective visibility | An effective MNDR tool must include the capability to go back in time and review traffic – good or bad – related to a specific incident, preferably without needing to lean on clunky SIEM search tools.
  • Proactive defense | Besides autonomously blocking malicious traffic, an MNDR solution gives you the granular visibility you need for investigation, assessing network risks, revealing weak spots, and planning future defenses for your organization.

Since NDR technology is network-based, it can see traffic from devices that cannot have endpoint software installed, like IoT, OT, and so-called “Shadow IT”. Gaining visibility between endpoints is a key contributing factor in NDR adoption.

A quick overview of Traditional IPS

On the surface, NDR may sound very much like an Intrusion Prevention System (IPS). While they do share many similarities, they can best be realized in tandem rather than as competing parts. Think of MNDR as an evolution beyond IPS.

IPS is designed to detect and block known threats from entering the network. It developed from its predecessor, the Intrusion Detection System (IDS), which acted as a passive observer. Initially deployed alongside firewalls and eventually built into next-generation firewalls, IDS solutions evolved from threat-watching to threat-blocking solutions, or IPS. It is an effective tool that is still a must-have in any cybersecurity stack, but it is limited to known threats and prone to annoying false positives.

Nomic Networks – then known as Sentinel IPS – grew up at the forefront of the IPS space, and we’ve always done things a little differently. We placed our sensor in front of the firewall, as the furthest forward-facing device on the public network. This allowed the device to inspect all traffic going to and from our protected network, which included not only the edge firewall but any public-facing devices outside of the firewall’s purview – think DMZs, public web servers, etc. The benefits of this strategy are still evident today, even in a world dominated by “next-gen” firewalls.

With The Outpost, we’ve built upon our initial IPS offering with a Threat Intelligence Gateway and other methodologies to do more than it had ever done before. But that was only half of the solution.

Benefits of MNDR vs IPS

Security has evolved past the “known bad” toward an acknowledgement that threats can come from anywhere, inside and out.

That’s the main difference between IPS and MNDR: IPS catches the known bad and MNDR focuses on the unknown. By leveraging ML and AI, MNDR relies on behavioral heuristics to identify potential indicators of attack, even when the attack itself may be hidden. Still, no one is throwing away their IDS/IPS tools, since identification and mitigation of known exploits is still an important piece of the puzzle.

Finding the Network Blind Spots

It’s not just the traffic anomalies that are “unknown”. A similar struggle is identifying unknown or unprotected devices on the network: defending devices that cannot use endpoint protection, such as much of the IoT, OT, and network infrastructure that now populates all industries. Since NDR and MNDR are network-based solutions, they can be an effective tool for monitoring traffic to and from these unmanaged devices.

What does MNDR do for your organization’s security?

There are several practical advantages that come with adopting MNDR. As we cited on our blog:

  • A managed NDR solution saves you from having to hire a team of security experts and rely on them to learn yet another tool in their ever-growing toolbox. The “Managed” in MNDR gives you not only the technical NDR solution, but access to a team of ready-trained, boots on the ground, nothing-but-NDR nerds.
  • A managed NDR solution offers more stability than hiring in-house. Cybersecurity is a highly competitive, lucrative, fast-changing, and innovative field, which is arguably a draw. However, it also lends itself to a high turnover rate, and you don’t want to see your investment walk out the door with the bulk of your NDR know-how. 
  • An NDR provider is obviously in a better position to upgrade their own NDR technology as it evolves, and they have a vested interest in updating their capabilities in the interest of earning your business. An SMB will have a hard time on its own getting approval on similar security spend year after year. Considering the cost alternatives, managed NDR might be one of the most reasonable ways SMBs can have access to the technology, expertise and overall benefits of network detection and response.
  • MNDR is a complement to a zero trust architecture, acting as another set of eyes to ensure zero trust policies are implemented properly.

MNDR provides one more salient benefit that is perhaps the most important: simplicity.

There is a lot going on technically behind the scenes, but to be effective, MNDR cannot be complex for the end-user. It must be quick to deploy, simple to manage, free of false positives, and easy to use. A Managed Network Detection and Response solution not only streamlines defense and risk management but supplies you with a team of experts that are plugged into the latest threats and know the tools. MNDR offloads the learning curve and lets you hit the ground running.

Insight – How we reimagined MNDR for SMEs

Nomic Insight does even more than that. However, like most things Nomic, the approach is unique.

Insight is an integral component of our multi-layered security methodology. While the Nomic Outpost utilizes Autonomous Threat Defense to block threats at the door, Insight provides visibility, security, and network health on the internal network with a three-part approach:

The Foundation: Insight Flows

Derived from passive traffic collection and sources like NetFlow or sFlow, Nomic’s Insight Flows contain the metadata around your network traffic, both North/South and East/West. There is a lot to be learned from a packet’s “envelope” without reading the whole “letter.”

By analyzing traffic metadata, Insight runs fast and lean, providing security, network health, and visibility, without creating network latency, complexity, or confusion.

Insight Flows not only independently document every conversation on your network; they fill in the gaps with additional enrichment. Combined with this enrichment data, Flows provide an enhanced perspective on the nature of your network’s traffic, beyond the simple IPs and Protocols. As the flows are being stitched together, they are infused with:

  • Country Geolocation to monitor where in the world your network traffic is going.
  • ASN (Autonomous System Number) to identify the organization that is responsible for the network in question. This can be much more powerful than geolocation, or even domain-based filtering, for identifying potentially malicious traffic or eliminating false positives.
  • PCR (Producer/Consumer Ratio) indicates whether a device typically behaves as a ‘server’ (producer) or a ‘client’ (consumer). When a device’s role changes, that can be an indicator of C2 traffic or data exfiltration.
  • Application Protocols like HTTPS, DNS, SSH, and TLS among others. Tagging flows with these protocols helps identify the typical nature of your network’s traffic. Flows can even provide specific application or organizational protocol tagging, e.g., Amazon TLS, for deeper granularity.
  • Threat Intelligence. External networks are enriched with threat intelligence feed information from multiple community sources, including our proprietary CINS Army threat intelligence feeds.

Unique among MNDR solutions, Flows are easily accessible in our HQ interface. The ability to find what you’re looking for with user-friendly filtering and saved searches provides a frictionless solution to get in and get out quickly with the information you need.

The Next Step: Insight Automations

With Flows, we have an intuitive tool that gives you a complete overview of your network traffic, good and bad, infused with relevant, enriched data. What’s next?

Insight’s automated processes and algorithms analyze the flows in real-time using saved searches, Machine Learning (ML), and high-level statistical analysis. We call these “Automations.”

Flow-based Automations | You can turn interesting queries and filters specific to your environment into effective automations that monitor your network for you in real-time. No fancy AI here – just simple answers to repetitive but important questions, to make sure your network is performing as expected. Here are a few examples:

  • Has anyone established an outbound SSH connection to a foreign country?
  • Did a file larger than 10Gb leave my network?
  • Why is the internal development server scanning the Administrative building?
  • Did the “air-gapped” network just get gapped?

Flow-based Automations don’t rely on false-positive-prone ML-based anomaly detection – they get right to the point, based on your knowledge of your own network.
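To make the Flows enrichment and the Flow-based Automations above concrete, here is an added example (not Nomic’s code) that enriches constructed flow records with country, ASN, application protocol and a threat-intel hit, computes the Producer/Consumer Ratio per host, and runs saved-search style automations for three of the questions listed above (outbound SSH to a foreign country, a large outbound transfer, an internal host sweeping another). The lookup tables, the PCR formula (the one commonly used in flow analysis, assumed to match Insight’s), the 20-target scan threshold and the reading of “10Gb” as 10 GiB are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lookup data standing in for GeoIP, ASN and threat-intel feeds (assumed).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
HOME_COUNTRY = "US"
GEO_ASN = {"203.0.113.10": ("NL", 64500), "198.51.100.7": ("US", 64501)}
TI_FEED = {"203.0.113.10"}
APP_BY_PORT = {22: "SSH", 53: "DNS", 443: "HTTPS"}
LARGE_TRANSFER = 10 * 1024**3   # the page's "10Gb" read as 10 GiB (assumption)
SCAN_TARGETS = 20               # distinct (host, port) pairs before we call it a sweep

@dataclass
class Flow:
    """One flow record: bytes_out is src->dst octets, bytes_in is dst->src."""
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def enrich(f: Flow) -> dict:
    """Tag a flow with country, ASN, application protocol and threat-intel hit."""
    ext = f.dst if is_internal(f.src) else f.src          # the external side
    country, asn = GEO_ASN.get(ext, ("??", None))
    return {"flow": f, "country": country, "asn": asn,
            "app": APP_BY_PORT.get(f.dport, "other"), "ti_hit": ext in TI_FEED}

def pcr(bytes_out: int, bytes_in: int) -> float:
    """Producer/Consumer Ratio: +1 pure producer (server-like), -1 pure consumer."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total

def host_pcr(flows: list, host: str) -> float:
    sent = sum(f.bytes_out for f in flows if f.src == host) + \
           sum(f.bytes_in for f in flows if f.dst == host)
    recv = sum(f.bytes_in for f in flows if f.src == host) + \
           sum(f.bytes_out for f in flows if f.dst == host)
    return pcr(sent, recv)

def role_changed(baseline: list, recent: list, host: str, delta: float = 0.5) -> bool:
    """A consumer that suddenly becomes a producer is a C2/exfiltration indicator."""
    return abs(host_pcr(recent, host) - host_pcr(baseline, host)) > delta

def run_automations(flows: list) -> list:
    """Flow-based automations: saved-search style questions, no ML involved."""
    signals, internal_targets = [], {}
    for e in map(enrich, flows):
        f = e["flow"]
        if is_internal(f.src) and not is_internal(f.dst):
            if e["app"] == "SSH" and e["country"] != HOME_COUNTRY:
                signals.append(("outbound_ssh_foreign", f.src, f.dst, e["country"]))
            if f.bytes_out > LARGE_TRANSFER:
                signals.append(("large_transfer_out", f.src, f.dst, f.bytes_out))
        elif is_internal(f.src) and is_internal(f.dst):
            internal_targets.setdefault(f.src, set()).add((f.dst, f.dport))
    for src, targets in internal_targets.items():
        if len(targets) >= SCAN_TARGETS:
            signals.append(("internal_scan", src, len(targets)))
    return signals

# Constructed sample traffic: a workstation that normally pulls from a file server
# then pushes 12 GiB over SSH abroad, plus an internal host sweeping 30 ports.
BASELINE = [Flow("10.1.1.20", "10.1.1.5", 445, 2_000, 50_000_000)]
RECENT = [Flow("10.1.1.20", "203.0.113.10", 22, 12 * 1024**3, 4_000),
          Flow("10.1.1.20", "198.51.100.7", 443, 1_500, 30_000)] + \
         [Flow("10.2.0.9", "10.1.1.5", p, 60, 0) for p in range(1, 31)]
```

Running `run_automations(RECENT)` yields three signals (foreign SSH, large outbound transfer, internal scan), and `role_changed(BASELINE, RECENT, "10.1.1.20")` flips the workstation from consumer to producer.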

As privacy and GRC requirements continue to proliferate, simple Flow-based Automations help alleviate the burden of governance through specific searches designed to address the MITRE ATT&CK framework, NIST guidance, the CIS Controls, or any number of compliance requirements, such as HIPAA, PCI DSS, SOX, and FERC.

Advanced Automations Library | Flow-based Automations are effective and simple, but they don’t replace true anomaly detection. The Advanced Automations Library leans on purpose-built packages which utilize machine learning and baselining to determine what’s normal and identify anomalous behavior. It’s our flavor of the ML/AI-driven component that forms the crux of any modern NDR tool.

We strategically apply ML/AI in specific use cases that provide the most value and eliminate noisy false positives. A few examples:

  • Rare service communications
  • Internal reconnaissance activity
  • C2 communications
  • Data exfiltration

Another benefit we find from ML/AI extends beyond “security.” Since these automations are already being applied to the network traffic, it only makes sense to apply them to network health and diagnostics as well. Since most of the teams we serve are tasked with both network administration and security, Insight can also help them answer questions like this:

  • Why did latency spike on a network, and from what?
  • Why is our cloud service unreachable?
  • Will this large file transfer affect throughput?
  • Who is that new host in the Accounting department?

These ML/AI-driven automations silently search for anomalies across the enterprise, but our Nomic automations take things one step further. While other offerings deliver autonomous security, Insight provides autonomous health checks as well.

Filter out the Noise: Insight Signals

Insight Flows provide a network traffic archive, Automations enable you to find useful information based on that traffic, and Signals provide the actionable insights required to assess and respond to potential threats.

Listed in Nomic HQ, Signals rest a layer above Automations and are archived and searchable. We deliver Signal notifications via email, Slack, and other client-driven integrations – whatever makes the most practical sense without adding cost. Signals are based on corresponding Automation packages, and each unique Signal contains information specific to the automation that created it.

The complete Insight platform – Flows, Automations, and Signals – creates a defense-in-depth approach that streamlines internal network security and health for over-worked, under-resourced customers. By strategically placing Insight and Outpost where they will be most effective, we’ve crafted a unified security approach that monitors and defends the entire network.

Support that comes with Nomic Networks

We could write an entire whitepaper on our support philosophy, but that is for another time. For now, we’ll just say customer relationships are a critical component to our mission to serve lean IT teams. We help you make sense of real-time security alerts for network issues or critical security events, and manage your devices, alerts, and more through Nomic HQ.

Whether it’s research or troubleshooting, having access to a team of experts available 24/7/365 to make sure you’re getting the most out of your MNDR solution will improve your security posture, while reducing risk.

What is The Outpost? 

Outpost was one of the first Intrusion Prevention Systems (IPS) to sit outside of the firewall, all the way back in 2002.

Edge security has come a long way, and next-gen firewalls have become a critical component of any organization’s security stack. That said, we’ve seen first-hand across hundreds of customers the simple need to buffer the overwhelming amount of noise and malicious traffic that constantly strangles the internet. The Outpost acts as a buffer for your firewall, with real-time, globally connected threat feeds, proactive defense, and the ability to make your network invisible to outside attackers. 

Outpost helps organizations of all sizes immediately level up their defenses, regardless of the maturity of their current security stack. For businesses at the limit of their resources, this is a security boon unlike any other available to them. For enterprises, Outpost gives them the space and time to breathe as they continue to move towards a complete zero-trust architecture. The Outpost leverages attainable tech to do what no one in the industry has thought to do before:

  • Stop opportunistic attacks early by blocking scans, probes, inbound exploits, and other basic attacks that account for the vast majority of inbound malicious traffic.
  • Cut down paralyzing network noise as Outpost intercepts malicious traffic at the edge – in some cases that is up to 90% of all traffic, relieving overwhelmed firewall CPUs and significantly reducing events logged by other tools like SIEM, EDR, and firewalls.
  • Catch the exploits firewalls leave behind due to misconfiguration, vendor vulnerabilities, and open, exposed ports. Outpost covers the gaps that arise when overworked firewalls compromise to balance network performance with security, and protects other devices in the open, whether by design (DMZ) or by accident (Shadow IT).

How Nomic Networks continuously monitors your traffic

At Nomic Networks, we believe in creative solutions to complex problems. In addition to traditional deep packet inspection and rules-based detections, our methods include:

  • Rogue Packet Detection | The Outpost itself acts as a simple deception tool, utilizing a unique ‘tripwire’ to detect inbound scanning and block malicious networks before they even get the chance to enumerate your public-facing network.
  • Active Threat Intelligence | Threat intelligence from our proprietary CINS feeds, community threat feeds, and Geo-, ASN-, and domain-based filtering combine to block suspicious traffic. No need for complex and resource-intensive traffic inspection - the bad actor is blocked by Outpost before they even reach the firewall.
  • Comprehensive Threat Feeds | Configurable feeds for allow, deny, alert-only, and more, to customize access to and from your network. Feeds include:
      • Collective Intelligence Network Security (CINS). Threat intelligence built on data gathered from our own network of Outpost sensors, and constantly fed back out to each Outpost. Our proprietary algorithm assigns a CINS “Score” to each flagged IP, identifies its country of origin, and logs typical behavior.
      • Geo-filtering. Block traffic from specified countries and geographic regions based on known threat risk.
      • Community Threat Intelligence. Use shared threat intelligence lists from cybersecurity leaders across the industry to block known-bad networks.
      • Configuration Feeds. Customized IP, ASN, and Domain feeds for monitoring traffic at the network’s edge. Perfect for eyes-only threat intelligence from industry groups such as ISACs, or reducing false positives caused by common cloud resources and CDNs.

Autonomous Threat Defense

No one wants a flood of alerts to sift through, and the goal is to lean on automated processes to block malicious traffic without the need for human intervention. That’s why we leveraged brains over brawn to develop our own proprietary autonomous defense features.

  • Network Cloaking™ | With Nomic Networks’ Network Cloaking™, once a network is identified as malicious, the inquiry never receives a response, and the network is completely shut out. As far as the threat actor is concerned, the protected network doesn’t even exist. No more enumeration of the open ports and IPs on the public network – move along, nothing to see here, literally.
  • Autonomous Response | We don’t replace your firewall – we just make it stronger. Nomic Outpost can reduce the firewall’s workload up to 90% by preemptively dropping malicious traffic and stopping both inbound and outbound threats, and alerting you when critical events occur. Nomic plugs into your existing infrastructure, dramatically improving your security posture while still coexisting with your other devices.
  • Threat Intelligence Gateway | Outpost is an inline bridge device that continuously patrols the network edge to deflect inbound exploitation attempts and attacker reconnaissance before they ever get to your firewall or public infrastructure. Key to that strategy is a comprehensive Threat Intelligence Gateway (TIG) that knocks down known malicious networks and noise. Led by our proprietary CINS Threat Intelligence feeds, the Outpost’s TIG is supplemented by other community threat feeds, and enhanced by custom IP, ASN, and Domain configuration feeds.

Conclusion

Small businesses, local municipalities, and other small organizations all live with the David and Goliath mindset. In our experience, they are accustomed to thinking around problems and working smarter, not harder. We understand that, and we live by that. As a smaller niche cybersecurity vendor serving organizations just like us, we understand these challenges and have dedicated ourselves to inventing solutions that can fit the problems and priorities of these businesses. Our proprietary technology and threat defense approach – the Outpost’s Network Cloaking and CINS feeds, and Insight with its Flows, Automations, and Signals – are specifically tailored to helping SMEs do more with less.

SMEs need practical, realistic vendors who don’t sell them on wishful thinking, but meet them where they are and give them what they need to take down the vast majority of their threats. Nomic Networks is proud to be that partner through our innovative Managed Network Detection and Response (MNDR) solution.