Cyber threats are growing in number and becoming increasingly sophisticated. Organisations need advanced security measures to protect their networks, because traditional security systems often fall short, leaving gaps that cyberattackers can exploit.

This article explores how Network Detection and Response (NDR) can bridge these gaps, leveraging modern technologies like Machine Learning (ML) to enhance network security. We will introduce the concept of NDR, discuss the critical role of Machine Learning in this domain, and outline best practices for deploying an NDR solution.

Why traditional security solutions fall short

Traditional security solutions – like endpoint solutions, proxies, or Intrusion Detection Systems (IDS) – often fail to provide adequate protection against some types of attacks, which means they can leave some blind spots that sophisticated attackers can exploit.

Here are the key reasons why these solutions often fall short:

• Limited visibilityMost of the security solutions fail to monitor unmanaged devices as they work on endpoints, thus leaving potential entry points for attackers. Also, the majority of these solutions primarily focus on external traffic, ignoring internal traffic moving within the network. There is indeed a lot of irrelevant traffic going through companies’ internal network, which makes the analysis more difficult.
• Outdated technologySecurity solutions like IDS rely on signature-based methods that miss modern attack techniques. They also do not scale well as they often require to be monitoring unencrypted traffic.
• Lack of contextTraditional network security solutions tend to only provide basic connection data without detailed insights into the nature of the connections. They often miss the contextual information needed to accurately identify and respond to threats.

These limitations result in blind spots, slow response times, and inadequate protection against sophisticated attacks.

What does NDR bring to the table?

The NDR is a network probe that is placed similarly to an IDS in the network. It tries to address the gaps identified above by basing its recognition on the metadata of the packets going through the network instead of their content. This allows this technology to process higher bandwidth and to work on encrypted traffic (which makes most of the traffic nowadays).

This means that the probe can analyse a lot of superficial information, which is the perfect spot to leverage advanced technologies like Machine Learning to analyse network traffic patterns and detect anomalies in real-time, offering high fidelity and relevance.

This capability allows for faster and more accurate identification of threats, ensuring that organisations can respond promptly and efficiently to security incidents.

Its location in the network also makes it a great tool to correlate the bits of information that it can get from various sources.

The role of Machine Learning in NDR

ML algorithms analyse vast amounts of network data to establish a baseline of normal behaviour. Once this baseline is established, the system can identify deviations that may indicate potential threats. The key advantages of ML in NDR include:

• Anomaly detectionML models excel at detecting unusual patterns in network traffic, such as unexpected data transfers or abnormal login attempts.
• Behavioural analysisBy understanding the typical behaviour of users and devices, ML can spot deviations that suggest compromised accounts or insider threats, such as an employee suddenly working in the middle of the night.
• Threat Intelligence integrationML can integrate diverse types of threat intelligence information, enhancing the system’s ability to recognise well-known and emerging threats.
• Continuous improvementML models use supervised and unsupervised training to learn and adapt over time to the reality of your network, improving their accuracy and reducing false positives as they process more data.

Attack detection and response workflow

To better understand the workflow of detection and response with an NDR, let’s consider the example below.

Scenario

A large organisation becomes the target of a sophisticated attacker who has managed to get into the network of the company and to compromise the credentials of a privileged user. Instead of launching a direct attack, the attacker moves laterally within the network, accessing and gathering sensitive data from various servers over multiple weeks. The goal is to avoid detection by blending in with normal network traffic and eventually to exfiltrate data without triggering any immediate alarm.

Detection

The NDR system, monitoring all internal network traffic, detects subtle anomalies that traditional security tools would likely miss. For example, the system notices that the compromised account begins accessing servers that the user typically does not interact with, and at odd hours. Additionally, the NDR detects unusual patterns in the volume and frequency of data transfers between internal systems, which do not match the baseline behaviour established for that user or those systems.
Unlike endpoint solutions, which focus only on endpoint activity, or proxies that monitor web traffic, the NDR system has visibility across the entire network, including traffic between devices within the network. This broad visibility allows the NDR to identify lateral movement and data staging activities that would otherwise appear as legitimate internal traffic.

Response

Upon detecting these anomalies, the NDR system correlates the suspicious activities across various parts of the network, recognising them as part of a coordinated attack. The system automatically raises the alert level and notifies the Security Operations Center (SOC), providing detailed insights into the suspicious lateral movement and potential data staging areas.

Note: The “response” part in the term NDR can also be taken literally by blocking a user or an endpoint from the network, which is done by resetting the connections it tries to establish, for example. However, this is a dangerous feature that could backfire in case of false positives and that should be used with caution.

Best practices for deploying an NDR solution

To maximise the effectiveness of an NDR solution, organisations should consider the following practices:

• Comprehensive network visibilityThe key to get the best of your NDR deployment is to have the maximum visibility of your network, ensuring that the NDR solution has access to all relevant network segments, including cloud environments. So, you need to choose its positioning with care.
• Integration with existing toolsIntegrate the NDR with existing EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management), and other security tools to create a cohesive security ecosystem. It also allows you to correlate more information in the SIEM, from endpoints to network, to provide an even more complete view of your infrastructure.
• Regular updates and tuningKeep the NDR solution updated with the latest threat intelligence feeds and regularly tune the ML models to maintain high detection accuracy.
• Incident Response planningDevelop and regularly update incident response plans to ensure swift action when the NDR system detects threats.
• Training and awarenessTrain security staff on how to use the NDR system effectively and keep them informed about the latest cyber threats and trends.

Conclusion

NDR represents a significant advancement in cybersecurity, addressing the limitations of legacy systems and providing real-time, comprehensive threat detection and response capabilities.

By integrating advanced ML technologies, NDR platforms offer a robust solution to the evolving challenges of network security, ensuring organisations can protect their critical assets against a wide range of cyber threats.

Nevertheless, NDR requires a good security maturity in your organisation to get the best of this tool by combining it with other resources such as EDR, SIEM and response playbooks.