Something you have probably heard more than once today: automation is the future. The more a network can detect and respond automatically, the better protected it is against the unpredictable. The role of the network manager is changing from active defender to vigilant guardian, responsible for maintaining a set of thresholds and breakpoints, and for integrating solutions that feature NDR.
Network detection and response (NDR) is the industry's favourite topic, and for good reason. In a world of rising network threats, a network's ability to respond independently is crucial to sustaining network health. Advancements breed advancements: where machine learning can be used by bad actors to attack networks dynamically, network solutions use it to build commensurately dynamic defences.
More intelligent machines mean more attacks, with greater variation and in quicker succession. Many of these threats involve no malware at all: data exfiltration, lateral movement and targeted user attacks show up as traffic patterns rather than as files to scan. Solutions must learn and adapt to those patterns in real time. Sometimes hindsight is not an option; what is required is in-the-moment insight, and the automated responses that insight triggers.
This all becomes possible with Scrutinizer by Plixer. NDR, in a nutshell, applies techniques such as machine learning and AI-driven analysis to raw traffic and flow records, first to build baseline models of normal network behaviour and then to detect traffic that deviates from them.
Detection of alerts
Naturally, learning from data requires collecting and analysing data at volume. This includes both real-time analysis of network flows and retrospective analysis of data stored in a data lake. The more data is analysed, in transit or at rest, the better the baseline and the stronger the detection.
NDR alerts differ depending on where you look: north-south traffic crossing the enterprise perimeter is analysed alongside east-west communications between internal hosts, captured by strategically placed sensors. Monitoring has to be holistic. A sensor at a single spot, such as the perimeter alone, will never see lateral movement between internal hosts, no matter how much data it analyses.
Through its machine learning module, which we discuss in greater detail in this piece, Scrutinizer by Plixer allows network managers to monitor single hosts or entire subnets at multiple points in the network. This keeps alarm data accurate and shows users only what they need to see.
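To make the detection side concrete, here is an added example (not Plixer's code, and not how Scrutinizer's machine learning module is implemented): a minimal baseline-and-deviation detector over constructed flow records. It classifies each flow as east-west or north-south using the RFC 1918 private ranges, derives two per-host metrics per collection window (distinct internal peers, the lateral-movement signal; bytes sent to external addresses, the exfiltration signal), builds a per-host baseline from past windows and flags a host whose current value exceeds the mean plus k standard deviations. It goes slightly beyond the text by scoring a host with no history against the population of all hosts. The addresses, byte counts, the k=3 cut-off and the 10% floor on spread are all assumptions chosen for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Private address space used to separate east-west from north-south flows.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One flow record: who talked to whom, on which port, how many bytes."""
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """east-west when both ends are internal, otherwise north-south."""
    return "east-west" if is_internal(flow.src) and is_internal(flow.dst) else "north-south"


def window_metrics(flows):
    """Per internal source host, for one collection window:
    ew_peers = distinct internal destinations (lateral-movement signal),
    ns_bytes = bytes sent to external addresses (exfiltration signal)."""
    peers, ns_bytes = defaultdict(set), defaultdict(int)
    for f in flows:
        if not is_internal(f.src):
            continue
        if direction(f) == "east-west":
            peers[f.src].add(f.dst)
        else:
            ns_bytes[f.src] += f.nbytes
    return {h: {"ew_peers": len(peers[h]), "ns_bytes": ns_bytes[h]}
            for h in sorted(set(peers) | set(ns_bytes))}


def threshold(samples, k):
    """mean + k * spread, with a floor on spread so that a perfectly flat
    history (stdev 0) does not alert on the smallest change. (Assumed floors.)"""
    mean = statistics.fmean(samples)
    spread = statistics.stdev(samples) if len(samples) > 1 else 0.0
    return mean + k * max(spread, 0.1 * mean, 1.0)


def detect(history, current, k=3.0):
    """history: past windows (lists of Flow) that define normal; current: the
    window to score. A host with no history is scored against the population."""
    past = [window_metrics(w) for w in history]
    alerts = []
    for host, metrics in window_metrics(current).items():
        for name, value in metrics.items():
            samples = [m[host][name] for m in past if host in m]
            if not samples:
                samples = [v[name] for m in past for v in m.values()] or [0]
            limit = threshold(samples, k)
            if value > limit:
                alerts.append({"host": host, "metric": name, "value": value,
                               "threshold": round(limit, 1),
                               "direction": "east-west" if name == "ew_peers" else "north-south"})
    return alerts


def sample_history():
    """Three constructed 'normal' windows (made-up addresses and byte counts)."""
    return [[Flow("10.0.1.5", "10.0.2.10", 445, 12_000),
             Flow("10.0.1.5", "203.0.113.9", 443, ns5),
             Flow("10.0.1.6", "10.0.2.10", 445, 9_000),
             Flow("10.0.1.6", "10.0.2.11", 443, 4_000),
             Flow("10.0.1.6", "198.51.100.7", 443, ns6)]
            for ns5, ns6 in ((48_000, 80_000), (52_000, 78_000), (50_000, 82_000))]


def sample_current():
    """Constructed window: 10.0.1.5 fans out over SMB to eleven internal hosts,
    10.0.1.6 pushes 5 MB to an external address."""
    flows = [Flow("10.0.1.5", f"10.0.2.{n}", 445, 3_000) for n in range(10, 21)]
    flows += [Flow("10.0.1.5", "203.0.113.9", 443, 51_000),
              Flow("10.0.1.6", "10.0.2.10", 445, 9_000),
              Flow("10.0.1.6", "10.0.2.11", 443, 4_000),
              Flow("10.0.1.6", "198.51.100.7", 443, 5_000_000)]
    return flows


if __name__ == "__main__":
    for a in detect(sample_history(), sample_current()):
        print(a)
```

Run against the constructed data, the detector raises exactly two alerts: an east-west one for 10.0.1.5 (11 internal peers against a baseline threshold of 4) and a north-south one for 10.0.1.6 (5 MB outbound against a threshold of about 104 KB). The two metrics illustrate the sensor-placement point: ns_bytes only needs a perimeter view, but ew_peers is zero for every host unless a sensor sees internal-to-internal traffic, so a perimeter-only deployment would have missed the lateral-movement alert entirely.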
Responding to alerts
But detection is just the first step; the second is the response. This can be either automatic, for example sending commands to a firewall so that it blocks suspicious traffic, or manual, using threat-hunting and incident-response tools. A natural concern of network managers is that legitimate traffic will be blocked inadvertently, disrupting users or applications. Many managers therefore opt for a lighter touch: pushing alert-triggered data into existing solutions such as NAC or SIEM/SOAR tools. This lets teams tune alarm frequencies, thresholds and patterns, and lets the NDR solution inform the orchestration tools rather than act on its own.
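The lighter-touch response described above, as an added example that is not Plixer's code and not Scrutinizer's actual firewall or SIEM integration: every alert is forwarded to the SIEM/SOAR as a CEF event, and only alerts that clear an explicit, tunable policy also produce a firewall block request. The policy itself (block only on the lateral-movement metric, never on outbound volume, which backups and sync jobs mimic; a never-block list for sanctioned scanners and backup servers; a cap on blocks per run) and the CEF vendor, product and signature strings are assumptions; the alerts are constructed in the shape a baseline detector would hand over.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ResponsePolicy:
    """Knobs a network manager tunes; every value here is illustrative."""
    block_ratio: float = 5.0                            # value/threshold needed before a block
    block_metrics: frozenset = frozenset({"ew_peers"})  # only lateral-movement alerts may block
    never_block: frozenset = frozenset({"10.0.1.20"})   # e.g. vulnerability scanner, backup server
    max_blocks: int = 2                                 # blast-radius cap per response run


def ratio(alert):
    """How far above its baseline threshold the alert landed."""
    return alert["value"] / alert["threshold"] if alert["threshold"] > 0 else float("inf")


def decide(alert, policy, blocks_issued):
    """Return (action, reason). Anything not cleared for a block is notified only."""
    r = ratio(alert)
    if alert["host"] in policy.never_block:
        return "notify", "host on never-block list"
    if alert["metric"] not in policy.block_metrics:
        return "notify", "metric not eligible for automatic block"
    if r < policy.block_ratio:
        return "notify", f"ratio {r:.1f} below block ratio {policy.block_ratio}"
    if blocks_issued >= policy.max_blocks:
        return "notify", "block budget exhausted"
    return "block", f"ratio {r:.1f} at or above block ratio {policy.block_ratio}"


def _esc(value):
    """Escape the characters CEF reserves inside extension values."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ")


def cef(alert, action, reason):
    """Render the alert as a CEF line for a SIEM/SOAR. Vendor, product and
    signature ID are placeholders (assumed), not values any real product emits."""
    sev = min(10, int(ratio(alert)))  # CEF severity is 0-10
    ext = (f"src={_esc(alert['host'])} cs1Label=metric cs1={_esc(alert['metric'])} "
           f"cn1Label=value cn1={alert['value']} cn2Label=threshold cn2={alert['threshold']} "
           f"act={action} msg={_esc(reason)}")
    return f"CEF:0|ExampleVendor|ExampleNDR|1.0|{alert['metric']}|baseline deviation|{sev}|{ext}"


def respond(alerts, policy):
    """Lighter-touch response: every alert becomes a SIEM event; only the few
    that clear the policy also become a firewall block request."""
    rules, events = [], []
    for alert in alerts:
        action, reason = decide(alert, policy, len(rules))
        if action == "block":
            rules.append({"action": "block", "src": alert["host"], "direction": alert["direction"]})
        events.append(cef(alert, action, reason))
    return rules, events


def sample_alerts():
    """Constructed alerts in the shape a baseline detector would hand over."""
    def mk(host, metric, value, thr):
        d = "east-west" if metric == "ew_peers" else "north-south"
        return {"host": host, "metric": metric, "value": value, "threshold": thr, "direction": d}
    return [mk("10.0.1.5", "ew_peers", 11, 4.0),              # modest fan-out: notify only
            mk("10.0.1.6", "ns_bytes", 5_000_000, 104_000.0),  # outbound volume: never auto-block
            mk("10.0.1.7", "ew_peers", 40, 4.0),              # clear lateral movement: block
            mk("10.0.1.20", "ew_peers", 60, 4.0),             # sanctioned scanner: notify only
            mk("10.0.1.8", "ew_peers", 30, 4.5),              # block (second and last in budget)
            mk("10.0.1.9", "ew_peers", 25, 4.0)]              # would block, but budget exhausted


if __name__ == "__main__":
    rules, events = respond(sample_alerts(), ResponsePolicy())
    print(rules)
    print("\n".join(events))
```

Of the six constructed alerts, only two become block requests (10.0.1.7 and 10.0.1.8); the other four reach the SIEM/SOAR with the reason they were not blocked, so analysts can see what the policy declined and tune the ratio, the eligible metrics or the never-block list accordingly. The block budget is the practical answer to the disruption concern in the text: a misconfigured baseline can at worst isolate a handful of hosts per run, not the whole subnet.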