Networks are the foundation of today’s connected world. They allow millions of people, devices, apps and systems to talk with one another every minute of the day. Without networks, modern communication as we know it would cease to exist. Today’s organizations depend on networks and their critical role in overall IT infrastructure. So, it’s no surprise that networks are a prime target of attackers looking to disrupt organizations and governments around the world.
To fully understand the importance of network security, consider the simple but potent fact that 99% of cyberattacks traverse the network in some way. As a result, networks contain important information about impending threats, which is why 43% of organizations use network traffic analysis (NTA) as the first line of defense for threat detection. Furthermore, networks don’t lie. The network data captured as part of the connections between devices and systems cannot be turned off by attackers the way logs can. As a result, any group looking to improve its overall threat detection and incident response needs to consider network detection and response (NDR) as a core part of their strategy.
Network Detection and Response: How Did We Get Here?
The market first appeared as network behavior anomaly detection (NBAD) products, which analyzed network traffic patterns to detect unusual trends. In the late 2010s, the market evolved to network traffic analysis. This helped address the challenge of detecting threats from network data, commonly referred to as network flows. NTA gained momentum with the growth in network traffic. Meanwhile, high-profile attacks and heavy marketing by emerging vendors also brought it into common parlance. However, it still referred to studying network traffic patterns but did not include response.
Fast forward to 2020 when Gartner defined the market formally as network detection and response. Gartner states that “applying machine learning and other analytical techniques to network traffic are helping enterprises detect suspicious traffic that other security tools are missing.” Thus, it helps security teams plug a critical gap while enhancing their overall threat detection and incident response posture.
In our view, the report describes NDR solutions as those that analyze network data using non-signature-based techniques like machine learning to baseline what is normal for the network. Network detection and response tools monitor traffic in real-time. From there, they create a baseline and raise alerts when they detect odd behavior. They track north/south traffic across the enterprise in addition to tracking east/west traffic by watching network sensors. NDR tools can provide manual or automatic actions that teams can take to remediate security incidents.
There has been a lot of hype about this emerging market. However, security teams clearly see the importance of NDR to their overall cybersecurity posture. According to 451 Research, network visibility detection and response was the second leading tech planned for deployment within the next 6 to 24 months. Likewise, per Forrester, 62% of respondents surveyed expect to increase their network security tech budgets in 2021.
Perfect Storm for Attackers
Front page news stories of the latest attacks are becoming all too common as organized, well-funded cyber attackers prey upon today’s infrastructure. Given the growth in the volume and refinement of attacks, current detection tools cannot keep pace. Detection of known indicators of compromise is no longer enough; security teams need tools that can detect abnormal behavior, which could signal an advanced attack before it’s too late. For teams with limited resources and time, finding the budget for yet another tool is hard to justify, not to mention the complexity it adds.
In addition, the high volume of data traveling across the network makes it easy for attackers to hide their tracks and avoid detection. By blending in with normal traffic patterns, threats can hide and attackers can increase their dwell time. Attackers are patient; they may move data in small and infrequent batches to avoid being noticed. Modern attacker tactics require that security teams are prepared with NDR solutions. These can constantly monitor their networks and find strange or suspicious behavior quickly. From there, they can raise actionable alerts that help contain a cyberattack.
Network Visibility is Essential
Network security brings with it a plethora of tools that are not for the faint at heart. It involves everything from handshakes to switches to firewalls to routers and so on. However, in its simplest form, network detection and response is about getting deep visibility into the network and having enough context to make quick decisions about how to respond. And it goes beyond just visibility — it is about getting the right visibility into insightful network data to fuel meaningful analytics.
Real-time visibility is essential for effective network detection and response. Without it, it is nearly impossible to understand what is happening on your network. For example, consider an iceberg. Seeing only the tip of an iceberg above the surface obscures the full view of what’s lying below. In network security, relying on logs alone to provide network visibility can be limiting. By going below the surface, you can start to get a better sense of how big the iceberg is. In terms of network data, this is like seeing the content within the network flow record. To get the complete picture requires combining logs and network data. With it, you can see the full depth of the iceberg and gain broader context.
NDR is a Key Component of Extended Detection and Response
NDR plays a critical role as part of a broader threat detection and response strategy by working together with other security operation center (SOC) solutions like SIEM, endpoint detection and response (EDR), and SOAR to provide a unified view of potential threats while using a zero trust approach. SIEM and NDR, for example, combine logs and network data. By doing so, they produce high-fidelity alerts that give analysts greater context during investigations. Doing so natively as part of a security intelligence solution helps security teams respond faster with more context while eliminating the need to pivot between tools.
Security teams are building more modern SOCs to keep pace with today’s evolving threat landscape and to make their teams more efficient. Extended detection and response (XDR) aims to help by bringing together threat detection and response solutions, including SIEM, NDR and EDR, under a single platform by taking advantage of open standards, automation and cross-correlated analytics. According to ESG, adding SIEM and NDR is a great place to start as part of a broader XDR strategy. Today’s threats call for deep network visibility and actionable insights that help security teams respond faster. NDR solutions can provide both.
Read the ESG report to learn more about NDR and SIEM.
Stephanie is a Product Marketing Manager for IBM Security, where she is responsible for messaging and positioning of the IBM Security Resilient platform. Pre...