Why NDR? See the Entire Elephant in the Room

By Aimei Wei, Chief Technical Officer (CTO) and Founder

Network detection and response (NDR) has a long history, evolving out of network security and network traffic analysis (NTA). The historical definition of network security is to use a perimeter firewall and Intrusion Prevention System (IPS) to screen traffic coming into the network, but as IT technology and security technology have evolved due to modern attacks leveraging more complex approaches, the definition is much broader now.

Today, network security is everything a company does to ensure the security of its networks, and everything connected to them. This includes the network, the cloud (or clouds), endpoints, servers, users and applications. Traffic from all of these systems must pass over the network, so the network is the logical source of true information about security exploits.

Analyzing endpoint data and security tool logs is not enough to thwart today’s attacks. If there is one important thing to know about the network, it’s that it doesn’t lie. That’s why NDR completes an organization’s attack detection and response journey to XDR / Open XDR alongside EDR for endpoint data and SIEM for security tool logs. Specifically, NDR sees what the endpoints and other logs don’t see (the entire network; devices, SaaS applications, user behavior), acts as the true  data set and enables real-time response.

As Zero Trust continues to be adopted, the network will undergo different segmentations improving security fundamentals. As with any complex system, a “trust but verify” approach must be taken. NDR perfectly complements Zero Trust as its verification counterpart. NDR enables organizations to adopt Zero Trust with confidence and verify its enforcement.

How Does NDR Work?

NDR solutions use non-signature-based techniques (for example, machine learning or other analytical techniques) for unknown attacks alongside quality signature-based techniques (for example threat intel fused in-line for alerts) for known attacks to detect suspicious traffic or activities. NDR can ingest data from dedicated sensors, existing firewalls, IPS/IDS, metadata like NetFlow, or any other network data source, assuming strategic placement of sensors and/or other network telemetry. Both north/south traffic and east/west traffic should be monitored and traffic in both physical and virtual environments should be monitored. All data is collected and stored in a centralized data lake with an advanced  AI Engine to detect suspicious traffic patterns and raise alerts.

Response is the critical counterpart to detections to enable a performant network-based approach to security operations, and is fundamental to NDR.  Automatic responses such sending commands to a firewall in order to drop suspicious traffic or to an EDR tool in order to quarantine an affected endpoint, or manual responses such as providing threat hunting or incident investigation tools are common elements of NDR.

NDR is a critical component of every modern cybersecurity infrastructure. It allows you to “see the entire elephant” – the whole network – rather than viewing only certain endpoints, users or devices tied to it.

About the Author

Aimei has over 20+ years of experience building successful products and leading teams in data networking and telecommunications. She has extensive working experience for both early stage startups including Nuera, SS8 Networks and Kineto Wireless as well as well-established companies like Nortel, Ciena and Cisco. Prior to founding Stellar Cyber, she was actively developing Software Defined Networks solutions at Cisco. Aimei enjoys building a product from its initial design to its final launch. Aimei has an M.S. in Computer Science from the Queen’s University in Kingston, Canada and an Undergraduate degree in Computer Science from the Tsinghua University of China.