Network Detection and Response
EDUCation Guide

What is Network Detection and Response?

The network security market has seen a resurgence in activity by vendors looking at the challenges of detection and response inside the network, but these vendors have been addressing the use cases from different angles.
Some vendors are decades old while others are new. Some provide security analytics as their core business while others are pivoting from the network performance monitoring space into network detection and response (NDR).
NDR Goal: Empower security analysts to receive alerts quickly and be able to discern what is critical versus what is benign. It also focuses on lowering the time from compromise to incident detection and containment.
Gartner Market Guide for Network Detection and Response (find out more)

“The network offers the single biggest gain in visibility in the IT environment.”
– Jojo Maalouf, IT Security Manager, Hydro Ottawa

The network will continue to connect everything even as the definition of computing evolves and changes with ever more advanced technology.
The basic concept of networking will change as it manifests in different formats – from intercommunication using APIs within a specific cloud architecture to the expanding network of devices on the connected smart grid using 5G technology. But what will remain the same is the communication between devices and the behaviors this communication represents. This will drive future innovation in cloud, data center and enterprise networks.
For this reason, the network will continue to be a critical part of any detection and response capability. It provides the richest and most useful point for organization-wide visibility into any kind of device that communicates with any other device, from cloud workloads to IoT devices.
NDR provides the broadest visibility into activities on the internal network by monitoring users, devices and their traffic.
SIEM requires several log types to be enabled, collected and correlated to form a coherent picture. EDR needs agents nearly everywhere for decent visibility. Traditional IDS can provide broad visibility if it is widely deployed at the gateway and internally, but its reliance on signatures and reputation lists limits it to exposing only known attacks.

“The function of a security operation’s detection capability is to develop and implement appropriate activities to identify the occurrence of cybersecurity events and to prioritize threat incidents that represent a high risk.”
– NIST
The detect function enables the timely discovery of cybersecurity events. Examples of the NIST outcome categories within this function include anomalies and events, continuous security monitoring, and detection processes.
– NIST

A security alert raises dozens of questions that an analyst must answer to verify whether the alert is legitimate and determine its priority. This process affects the total time to detect and contain. Network detection should treat detection, triage and prioritization as core to its design.

“The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
– Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response”, published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak
Response

“Detection and response are security operations capabilities and practices that enable the timely discovery of security events and support the ability to contain the impact of a potential cyberattack.”
– NIST

“Response involves developing and implementing appropriate activities to act on a detected cybersecurity incident. The respond function supports the ability to contain the impact of a potential cybersecurity incident.”
– NIST
Examples of the NIST outcome categories within this function include response planning, communications, analysis, mitigation, and improvements.

When looking at response capabilities, there are two broad categories of action that can occur for an incident:
1. automated response
2. manual response

Some types of alerts are good candidates for automated response. If the detection tool has a high degree of confidence that an endpoint has been compromised, that endpoint can be automatically isolated from the network. Response APIs can be used for automated responses or to integrate with security automation and orchestration platforms and SIEMs for customized actions.
Responding to more complex and targeted attacks involves investigation and threat hunting. These activities require network data that is searchable with the right context, enabling incident responders to quickly mitigate attacks and investigate threats.
Every security platform should enable analysts to choose and trigger the correct response based on policy and human analysis. The design of network response capabilities should consider the following principles:

Automating response actions is not a one-size-fits-all proposition.
There are several response actions between block and allow, depending on severity, data sensitivity or the users involved.

Human-searchable data.
Speed of response depends on the analyst’s ability to quickly search and interpret data to gain context about an incident. Network packets were not designed for human interpretation and are difficult to search, especially when terabytes of network traffic must be stored at considerable cost.

Sufficient data with context about environmental variables.
Analysis works best when data is enriched with helpful contextual information and supports data visualization to identify links between data sets.
Analysts are more effective when they can look past individual alerts to identify patterns and abnormalities. Security analytics and machine learning make this possible.
The ability to correlate events into a single incident enables threat hunters to identify an adversary’s larger effort inside the organization against a backdrop of network noise.

Knowing where to investigate.
Analysts should always be creating hypotheses about attacks, and it is advantageous to know where to begin hunting and investigating with some degree of certainty.
Guidance from intelligence feeds that are channeled into a primary source of threat data can change the way analysts hunt and investigate. Advanced machine learning can also improve the fidelity of findings.
Collectively, they help analysts confirm with greater certainty where they should start looking and whether they have found something.

Investigation and hunting require correlation.
Another critically important capability is the ability to pivot through data. Analysts must draw fast investigative conclusions, which requires immediate access to data from multiple, disparate sources.

Integrates with other incident response tools for timely and thorough attack containment.
Not every attack is the same and not every response should be the same. The ability to share intelligence across the existing security infrastructure will reduce the time to respond.
The integration of response capabilities should be simple and straightforward. It can occur through APIs, outbound events or automation platforms that provide standardization between different products.
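The graded policy below is an added example, not Vectra’s code and not anything the guide specifies. It shows what “several response actions between block and allow” and “not one-size-fits-all” look like as a decision: a detection’s confidence picks a starting point on an escalation scale, the sensitivity of the asset and the privilege of the user move it up, the most disruptive action on a critical asset is held for analyst approval, and the resulting queue is worked by severity rather than arrival order. The action names, thresholds, asset inventory, privileged-account list and detections are all assumptions made up for the example.

```python
"""Graded response policy for NDR detections (added example, not a product API).

Maps a detection's confidence plus the context of the affected host and
user to one action on a scale from "allow" to "isolate_host", decides
whether the platform may take it automatically or must wait for an
analyst, and orders the resulting work by severity rather than arrival.
The action names, thresholds, asset inventory and detections below are
constructed for illustration.
"""
from dataclasses import dataclass

# Ordered least to most disruptive; the list index is the escalation rank.
ESCALATION = ["allow", "monitor", "alert_analyst", "restrict_egress", "isolate_host"]

# Constructed asset inventory and privileged-account list (assumptions).
ASSETS = {
    "10.0.1.15": {"role": "workstation", "sensitivity": "low"},
    "10.0.2.40": {"role": "file-server", "sensitivity": "high"},
    "10.0.3.5": {"role": "domain-controller", "sensitivity": "critical"},
}
DEFAULT_ASSET = {"role": "unknown", "sensitivity": "medium"}
PRIVILEGED_USERS = {"svc_backup", "domain_admin"}


@dataclass(frozen=True)
class Detection:
    host: str
    user: str
    behaviour: str      # e.g. "internal_recon", "lateral_movement", "c2_beacon"
    confidence: float   # 0.0 .. 1.0 as reported by the detector


@dataclass(frozen=True)
class Decision:
    detection: Detection
    action: str
    automatic: bool     # True: the platform may enforce without an analyst
    reason: str


def base_rank(confidence, auto_isolate_threshold):
    """Confidence alone picks the starting point on the escalation scale."""
    if confidence < 0.3:
        return ESCALATION.index("monitor")
    if confidence < 0.6:
        return ESCALATION.index("alert_analyst")
    if confidence < auto_isolate_threshold:
        return ESCALATION.index("restrict_egress")
    return ESCALATION.index("isolate_host")


def decide(d, auto_isolate_threshold=0.9):
    """Choose an action for one detection and whether it may run unattended."""
    asset = ASSETS.get(d.host, DEFAULT_ASSET)
    sensitive = asset["sensitivity"] in ("high", "critical")
    privileged = d.user in PRIVILEGED_USERS
    reasons = [f"confidence={d.confidence:.2f}"]

    rank = base_rank(d.confidence, auto_isolate_threshold)
    # Sensitive data or a privileged account moves the response one step up.
    if sensitive or privileged:
        rank = min(rank + 1, len(ESCALATION) - 1)
        reasons.append("sensitive asset" if sensitive else "privileged user")
    action = ESCALATION[rank]

    # Cutting off a critical asset (a domain controller, say) can do more
    # damage than the attacker; that decision stays with a human.
    automatic = not (action == "isolate_host" and asset["sensitivity"] == "critical")
    if not automatic:
        reasons.append("critical asset: analyst approval required")
    return Decision(d, action, automatic, "; ".join(reasons))


def prioritize(decisions):
    """Work the queue by severity, not arrival order: rank first, then confidence."""
    return sorted(
        decisions,
        key=lambda x: (ESCALATION.index(x.action), x.detection.confidence),
        reverse=True,
    )


if __name__ == "__main__":
    sample = [  # constructed detections, in arrival order
        Detection("10.0.1.15", "jdoe", "c2_beacon", 0.1),
        Detection("10.0.1.15", "jdoe", "internal_recon", 0.45),
        Detection("10.0.3.5", "domain_admin", "c2_beacon", 0.7),
        Detection("10.0.2.40", "jdoe", "lateral_movement", 0.95),
    ]
    for dec in prioritize([decide(d) for d in sample]):
        print(dec.detection.host, dec.action, "auto" if dec.automatic else "manual", dec.reason)
```

The thresholds are deliberately exposed as parameters: the one worth tuning per environment is `auto_isolate_threshold`, since it is the point at which the platform stops asking and starts enforcing.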
Detection

The design of network detection and prioritization capabilities should consider the following principles:

Include post-compromise detection.
Post-compromise detection capabilities are necessary when a threat bypasses established defenses or uses new means to enter a network.

Focus on attacker behaviors.
Attacker behaviors provide context about what has occurred and lead to an actionable response. Detection techniques should also incorporate detecting and learning from post-compromise adversary behaviors.

Use a threat-based model.
An accurate and well-scoped threat model is necessary to ensure that detection activities are effective against realistic and relevant adversary behaviors.

Support a combination of behavior models with custom models.
Overlay a broader set of information on top of network traffic patterns. This enables correlation of suspicious internal traffic to specific known threats in the wild.

Track attacks in real time.
Show compromised workloads and devices. Inside the network, attackers perform internal reconnaissance and move laterally from host to host.
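The following is an added example, not code from the guide or from Vectra, of what post-compromise, behavior-focused detection over network metadata looks like in practice. It runs on constructed connection records of the kind a sensor derives from packets (timestamp, source, destination, port, outcome, bytes sent), flags the two behaviors named above, internal reconnaissance (one host touching many internal host/port pairs in a short window) and lateral movement (that host then opening a real admin-protocol session to a host it probed), enriches the result with asset context and correlates the findings into a single scored incident per source host. The subnet, port table, asset roles, thresholds, field names and the records themselves are all assumptions made for the example and do not reflect any particular sensor’s schema.

```python
"""Post-compromise behaviour detection over network metadata (added example).

Works on constructed connection records of the kind an NDR sensor derives
from packets. It flags internal reconnaissance and lateral movement and
correlates them into one incident per source host so an analyst sees the
attack progression rather than a stream of individual events.
Subnets, ports, asset roles, thresholds and records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")                        # assumed internal range
ADMIN_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 22: "ssh"}
ASSETS = {"10.0.2.40": "file-server", "10.0.3.5": "domain-controller"}  # constructed context
SCORE = {"internal_recon": 3, "lateral_movement": 6}       # constructed severity weights


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    state: str       # "rejected" (no handshake) or "established"; constructed values
    bytes_out: int   # bytes the source sent


@dataclass
class Finding:
    behaviour: str
    src: str
    first_ts: float
    last_ts: float
    hosts: set = field(default_factory=set)


def internal_only(conns):
    return [c for c in conns if ip_address(c.src) in INTERNAL and ip_address(c.dst) in INTERNAL]


def detect_recon(conns, window=60.0, min_targets=10):
    """One source touching >= min_targets distinct (host, port) pairs within `window` seconds."""
    by_src = defaultdict(list)
    for c in internal_only(conns):
        by_src[c.src].append(c)
    findings = {}
    for src, cs in by_src.items():
        cs.sort(key=lambda c: c.ts)
        live = Counter()   # (dst, dport) pairs currently inside the sliding window
        lo = 0
        for c in cs:
            live[(c.dst, c.dport)] += 1
            while c.ts - cs[lo].ts > window:   # expire records that fell out of the window
                key = (cs[lo].dst, cs[lo].dport)
                live[key] -= 1
                if live[key] == 0:
                    del live[key]
                lo += 1
            if len(live) >= min_targets:
                f = findings.setdefault(src, Finding("internal_recon", src, cs[lo].ts, c.ts))
                f.last_ts = c.ts
                f.hosts.update(dst for dst, _ in live)
    return list(findings.values())


def detect_lateral(conns, recon, min_bytes=10_000):
    """A recon source later opening a real admin-protocol session to a host it probed.
    `min_bytes` separates a scan hit (handshake only) from a session; constructed threshold."""
    recon_by_src = {f.src: f for f in recon}
    findings = {}
    for c in internal_only(conns):
        r = recon_by_src.get(c.src)
        if (r and c.dport in ADMIN_PORTS and c.state == "established"
                and c.bytes_out >= min_bytes and c.dst in r.hosts and c.ts >= r.first_ts):
            f = findings.setdefault(c.src, Finding("lateral_movement", c.src, c.ts, c.ts))
            f.last_ts = max(f.last_ts, c.ts)
            f.hosts.add(c.dst)
    return list(findings.values())


def correlate(findings):
    """Group findings by source host into incidents, enriched with asset roles, highest score first."""
    incidents = defaultdict(lambda: {"behaviours": [], "hosts": set(), "score": 0})
    for f in findings:
        inc = incidents[f.src]
        inc["behaviours"].append(f.behaviour)
        inc["hosts"].update(f.hosts)
        inc["score"] += SCORE[f.behaviour]
    out = []
    for src, inc in incidents.items():
        inc["src"] = src
        inc["assets_touched"] = sorted(ASSETS[h] for h in inc["hosts"] if h in ASSETS)
        out.append(inc)
    return sorted(out, key=lambda i: i["score"], reverse=True)


def sample_conns():
    """Constructed traffic: a scan from 10.0.1.15, then an SMB session to the file server it
    found, plus a workstation's ordinary file-share use and a DNS lookup that must not trigger."""
    conns = []
    scan_targets = [f"10.0.2.{i}" for i in range(1, 12)] + ["10.0.2.40"]
    for i, dst in enumerate(scan_targets):
        state = "established" if dst == "10.0.2.40" else "rejected"
        conns.append(Conn(100.0 + i, "10.0.1.15", dst, 445, state, 0))
    conns.append(Conn(160.0, "10.0.1.15", "10.0.2.40", 445, "established", 250_000))
    for i in range(3):
        conns.append(Conn(100.0 + 20 * i, "10.0.1.20", "10.0.2.40", 445, "established", 50_000))
    conns.append(Conn(105.0, "10.0.1.15", "8.8.8.8", 53, "established", 60))
    return conns


def run(conns):
    recon = detect_recon(conns)
    return correlate(recon + detect_lateral(conns, recon))


if __name__ == "__main__":
    for inc in run(sample_conns()):
        print(inc["src"], inc["behaviours"], inc["score"], inc["assets_touched"])
```

Two design points matter more than the thresholds. Lateral movement is only raised for a host that already showed reconnaissance and only toward a host it probed, which is the chaining that turns two medium-fidelity signals into one high-fidelity incident; and the byte count, not the connection state, is what separates a scan hit on an open port from an actual session.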
Why NDR?

• Collect, detect and prioritize high-fidelity threat behaviors in real time
• Respond with automated enforcement and share threat data with IR tools
• Hunt efficiently for threats and conduct conclusive incident investigations
• Feed security-enriched network metadata to SIEMs and data lakes

Why NDR now?
Sophisticated cyberattackers constantly invent and reinvent more effective ways to mount their assaults. Their evasive behaviors and the invisible footprints they leave behind change with dizzying frequency. Traditional legacy security, designed to keep attackers out, is blind to these ever-changing threat behaviors, giving cybercriminals free rein to spy, spread and steal.
What’s needed is a reliable way to detect hidden attackers who get inside and respond instantly to stop in-progress threats from becoming a data breach: one that proactively hunts for evasive threats, augments your existing security investments, keeps up with the changing threat landscape, and offers exceptional scale across cloud, data center, IT and IoT networks.

Want to see the value of NDR?
“With Vectra’s early-detection capabilities, we have more confidence in stopping cyberattackers before critical infrastructure is damaged or valuable data is stolen.”
“Vectra is important to our journey. We’re moving to cognitive security, where we can predict, prevent, detect and respond to cyberthreats faster – and continually improve our practices.”
– Liam Fu, Head of Information Security, The Very Group
“Cognito filled a gap. We needed to know what we didn’t know, and Cognito showed us what was hidden.”
– Brett Walmsley, CTO, NHS Bolton

Experience the value from anywhere: no set-up or hardware required, and you can even do red team testing.
Why Vectra

“Incidents should not be handled on a first-come, first-served basis because of resource limitations. Instead, handling should be prioritized based on relevant factors. Prioritizing the handling of the incident is the most critical decision point in the process.”
– NIST (SP 800-61)

The Vectra NDR platform is in 100% service of detecting and responding to attacks inside cloud, data center, IoT and enterprise networks. Our job is to find those attacks early and with certainty.
It starts with having the data to make this happen. This is not about the volume of data. It is about the thoughtful collection of data from a variety of relevant sources and enriching it with security insights and context to solve customer use cases.
Attack behaviors vary, so we continuously create unique algorithmic models for the widest range of new and current threat scenarios. Performing well beyond the abilities of humans, Vectra gives you a distinct advantage over adversaries by detecting, clustering, prioritizing and anticipating attacks.
By doing the thinking and reducing the security operations workload, Vectra lets you spend more time on threat hunting and incident investigations. Now you know why Vectra is known as Security that thinks®.
vectra.ai