Constantly on the hunt for better ways to keep their organisation’s IT infrastructure secure, growing numbers of security teams are making use of network detection and response (NDR) tools.
The trend is being driven by a number of factors. For example, many security teams believe they lack visibility of their entire infrastructure and are therefore vulnerable to attack. Others feel they are being overwhelmed by alerts and are often unable to spot real issues among the large number of false positives.
Senior management teams are also paying increasing attention to the value that can be delivered by NDR tools. Managers are concerned that the cyber-insurance cover they have in place will be insufficient to allow their organisation to recover from an attack or will simply become too expensive to maintain in the future.
The role of NDR
Once deployed, an NDR tool becomes a third element within an organisation’s security platform, alongside Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR). Each covers ground the others cannot: EDR sees what happens on hosts that can run an agent, SIEM correlates the logs those systems emit, and NDR sees the traffic between hosts, including devices that cannot run an agent at all (printers, IoT and OT equipment, unmanaged or personal devices).
Together, these elements provide overlapping fields of visibility and give security teams the ability to achieve what is known as ‘defence in depth’ across their entire infrastructure: an attacker who disables the endpoint agent on a compromised host still produces network traffic that the NDR sensor can see.
A key benefit of NDR is that it monitors network traffic passively, typically from a network tap or a SPAN/mirror port, and injects no packets of its own. There is no agent on the host for an attacker to tamper with and nothing on the wire for them to probe, so the security team can observe an intruder’s movements without tipping them off. Two caveats apply: a capable attacker will assume the network is monitored and behave accordingly, and where traffic is encrypted the tool can only inspect what is still visible (addresses, ports, timing and volume, TLS handshake metadata such as the SNI) unless decryption is arranged separately.
Many security teams are increasingly stretched and need to do more with limited resources. NDR can help by taking on part of the monitoring workload: it correlates related network events, suppresses known-benign traffic and presents analysts with fewer, higher-fidelity alerts that warrant examination in depth.
NDR also helps to overcome challenges that arise as organisations increase their usage of cloud platforms. With the additional complexity that this brings for IT infrastructures, having full visibility of all activity at all times is vital.
It’s incorrect to assume that the security of a cloud platform is the responsibility of the cloud provider. Under the shared responsibility model, the provider takes care of the underlying infrastructure (physical hosts, hypervisors and the internals of managed services), while the security of the workloads deployed on that infrastructure, including their configuration, identities, data and the traffic that flows between them, remains the responsibility of the using organisation. In practice this means NDR coverage of cloud workloads depends on the traffic-mirroring or flow-log features the provider exposes, and these need to be enabled and fed to the sensor deliberately.
NDR’s importance is also growing alongside the sheer volume of data traffic within many organisations. Spotting the signs of an intruder amid massive amounts of legitimate data is increasingly challenging.
Choosing an NDR platform
Once the decision is taken to deploy NDR within an infrastructure, there are four key features that should be offered by the chosen tool. They are:
- Forensic visibility: The NDR tool should be able to identify anomalous activity across various protocols, platforms and geographic locations, and it should retain enough of the underlying evidence (full packet capture or, at minimum, rich connection metadata) that an analyst can reconstruct what happened after the fact. It should rank findings by risk so that threat-hunting time is spent where it matters, increasing the productivity of the security team.
- Advanced analytics: Detection should combine deterministic techniques (signatures, protocol-conformance rules, matches against threat intelligence) with statistical and machine-learning baselines of what normal traffic looks like for this network. The deterministic layer catches known-bad activity with few false positives; the behavioural layer catches novel activity but needs a baselining period and ongoing tuning, so a tool should make its thresholds visible and adjustable rather than opaque.
- Network monitoring: Effective tools should deliver a comprehensive view of all enterprise devices, managed and unmanaged, and should monitor and analyse all traffic flows in real time. As well as traffic that enters and exits the environment (north-south), the tool must watch traffic that moves laterally between internal hosts (east-west), since that is where an intruder’s movement after initial compromise shows up.
- Flexible architecture: A fourth important feature is flexibility. The architecture should fit into an organisation’s existing environment without widespread changes: it should accept traffic from taps, SPAN ports and cloud mirroring alike, and it should export its findings to the SIEM and ticketing or orchestration tools the team already uses.
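The following is an added worked example, not code from the original article or from any NDR product. It shows, in miniature, the kind of passive analytics the passage above describes: flow records (a constructed, simplified format loosely modelled on a Zeek conn.log, with only timestamp, source, destination, destination port and protocol) are parsed and then checked for two east-west and north-south patterns, an internal host fanning out to several internal hosts on administrative ports, and an internal host contacting one external host at a near-constant interval. The sample records, the address ranges treated as internal, the admin-port list and the thresholds are all assumptions chosen for the illustration.

```python
"""Toy NDR-style analytics over constructed flow records (illustrative only)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges (RFC 1918); a real deployment would use its own inventory.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumed "administrative" ports whose internal fan-out is worth a look: SMB, RDP, WinRM, SSH.
ADMIN_PORTS = {445, 3389, 5985, 22}

# Constructed sample: "ts src dst dport proto", whitespace separated. Not real traffic.
SAMPLE_FLOWS = """
# normal: a workstation talking to the file server
1700000000 10.0.1.20 10.0.2.50 445 tcp
1700000005 10.0.1.20 198.51.100.9 443 tcp
1700000305 10.0.1.20 198.51.100.9 443 tcp
1700000325 10.0.1.20 198.51.100.9 443 tcp
1700001225 10.0.1.20 198.51.100.9 443 tcp
# suspicious: one host sweeping several peers on admin ports within seconds
1700000100 10.0.1.5 10.0.1.10 445 tcp
1700000101 10.0.1.5 10.0.1.10 445 tcp
1700000102 10.0.1.5 10.0.1.11 445 tcp
1700000103 10.0.1.5 10.0.1.12 3389 tcp
1700000104 10.0.1.5 10.0.1.13 5985 tcp
# suspicious: the same host calling one external address roughly every 60 s
1700000000 10.0.1.5 203.0.113.7 443 tcp
1700000060 10.0.1.5 203.0.113.7 443 tcp
1700000121 10.0.1.5 203.0.113.7 443 tcp
1700000180 10.0.1.5 203.0.113.7 443 tcp
1700000240 10.0.1.5 203.0.113.7 443 tcp
"""


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def parse_flows(text: str) -> list:
    """Parse the constructed record format, skipping blank and '#' lines."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def lateral_movement(flows: list, fanout: int = 3) -> dict:
    """Internal sources that reached at least `fanout` distinct internal hosts on admin ports.

    Returns {source: [sorted distinct destinations]} for sources over the threshold.
    """
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]) and f["dport"] in ADMIN_PORTS:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= fanout}


def beacons(flows: list, min_count: int = 4, max_cv: float = 0.1) -> dict:
    """Internal -> external (src, dst, dport) tuples whose connections are evenly spaced.

    Evenness is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; ordinary browsing is bursty and scores high.
    Returns {(src, dst, dport): mean_gap_seconds} for tuples under `max_cv`.
    """
    by_tuple = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found[key] = round(avg, 1)
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("lateral movement candidates:", lateral_movement(flows))
    print("beacon candidates:", beacons(flows))
```

On the constructed sample, `lateral_movement` flags only 10.0.1.5 (four distinct internal targets on admin ports; the workstation with a single file-server connection is ignored), and `beacons` flags only the 10.0.1.5 to 203.0.113.7:443 tuple, whose gaps of 60, 61, 59 and 60 seconds give a coefficient of variation near 0.01, while the bursty browsing to 198.51.100.9 scores far above the 0.1 cutoff. Both checks work entirely from connection metadata, which is why they still apply when payloads are encrypted; what a real tool adds is baselining per host and per subnet so that fan-out and periodicity thresholds are learned rather than hard-coded.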
By taking the time to rigorously evaluate and test NDR tools prior to deployment, an organisation can be confident it is selecting the one that will best meet its needs. That evaluation should run on the organisation’s own traffic mix, including encrypted and cloud traffic, and should measure the false-positive rate alongside detection coverage, because an alert stream the team cannot keep up with delivers little of the promised benefit. Done well, visibility of the entire IT infrastructure will be enhanced and the ability to spot threats before they cause disruption or loss will be greatly improved.