Network Detection and Response Tools for Remote Working
Remote workforces need network detection and response tools (NDR), but deploying an NDR that works with remote and hybrid environments is another story. Most NDRs are designed for on-premises networks. Unfortunately, that couldn’t be further from what the typical modern environment looks like.
Instead of a network that resembles a solar system with endpoints circling a central server system, many companies now operate on networks that are more like beehives with thousands of interconnected cells. On-premise servers connect to cloud workloads that connect to remote endpoints, and so on. The network perimeter that used to separate within from without is gone.
User behaviour is more varied too. Employees are logging in at irregular times and from more irregular (compared to past eras) places, including co-working hubs and even their friends and relatives' houses. Meanwhile, with cybersecurity staff in short supply, few organisations have the capacity to account for the disruption caused by false positives this complex reality creates.
To work in a dynamic environment, NDRs need to overcome a central problem - data. Here's why that problem exists and how SenseOn's advanced NDR solution overcomes it.
What NDR Does
Your firewall will stop many of the cybercriminals that target your network, but not all of them. The reason why is that it's increasingly difficult to know what connections to trust. A recent report shows that over 91% of malware arrives through encrypted https traffic.
The continued emergence of evasive malware and threat technologies like Cobalt Strike as well as the rise of insider threats, mean that more malware is bypassing the firewall altogether.
Even in the most optimal circumstances, a certain percentage of threats will always bypass perimeter controls.
This is why organisations deploy NDR - to detect and respond to these cyber threats.
Threat detection
At its core, NDR is a network traffic analysis tool. NDRs look at the traffic patterns that come through a network. Not just the "north-south" traffic that a firewall analyses but also intra-network traffic, i.e., the "east-west" movement that happens between servers, endpoints and other assets. NDRs analyse this traffic and look for anomalies within it.
Some NDR solutions work by modelling normal user behaviour. For example, noting that a marketing manager will probably not try to gain root access as part of their job and flagging behaviours that deviate from this norm. Advanced NDRs also leverage machine learning and artificial intelligence (AI) to spot threat behaviours.
These kinds of advanced analytical technologies mean that NDR solutions can spot advanced threats beyond just hooking malware based on its signatures. For example, an NDR can notice if someone is conducting a slow brute-force attack and is trying to guess your password. It can also see threats that entered the network before NDR was deployed.
Another critical threat detection role of NDR is its ability to find and protect unmanaged assets such as unpatched servers. Particularly important for remote teams, NDR can also detect attacks from virtual private networks (VPNs) and ghost virtual machines that remain connected to your network.
Response
The second benefit of NDR tools is their response capabilities. They’re able to take automated action, like blocking known attackers and automating threat hunting.
NDRs can find hidden threats (such as a trojan installed by an insider threat actor) before they become a problem and show security teams attack pathways that need remediation.
NDRs can also help incident response by giving security teams context into a server or workstation compromise, making it easier for them to determine what is happening and how to respond.
NDRs Biggest Challenge
NDRs’ biggest problem is data. NDR solutions fail to meet expectations because they cannot connect their data to data from different sources. Context suffers as a result.
When deployed alongside security solutions like security information and event management (SIEM) or endpoint detection and response (EDR) in a security operations centre (SOC), NDRs cannot see the precise interactions between processes on endpoints and the network. This is because the data each layer of the solution stack collects is disparate and not natively connected.
Traditional NDR solutions also cannot see the cloud environments that make up an increasingly large part of an organisation’s digital estate. As a result, traditional NDRs leave security teams with high false positive rates, insufficient context, and expensive maintenance and fine-tuning requirements.
Remote working makes this an even more significant challenge by adding another layer of complexity to networks and their users.
SenseOn’s Advanced NDR
Traditional NDRs are costly, noisy and fail to give security teams real context into what's happening across their attack surface, which can lead to critical blind spots. SenseOn is the opposite.
SenseOn's universal sensor natively collects detailed process information from east-west and north-south traffic, endpoint data, and traffic flowing in the cloud.
This solves the data disconnect problem that stops traditional NDRs from functioning efficiently. SenseOn conducts granular network telemetry via deep packet inspection (DPI) at source and, as a result, can detect a wider range of sophisticated tactics, techniques, and procedures (TTPs) in real-time, including unknown threats and covert cyber attacks like Cobalt Strike and living off the land (LOTL) techniques.
By collecting correlated telemetry via a single piece of software, SenseOn also removes guesswork and manual pattern matching, significantly reducing noise and accelerating mean time to resolve (MTTR).
The end result is value.
With over 600 out-of-the-box detections, SenseOn achieves rapid time-to-value, requiring minimal resources and no reboot.
Instant network security capability without additional data ingestion engineering or tuning.
SenseOn provides contextualised cases by automatically sequencing individual "Observations" (alerts about malicious activity) into context-rich cases, presenting an overarching timeline of an attack with all necessary context to quickly determine the impact, severity, and root cause. This allows for efficient response to threats, even in large-scale deployments.
Through automation, SenseOn can also respond to network threats like ransomware without any human input.