Why We Fuss About Network Detection and Response

cPacket Networks talks a lot about Network Detection and Response (NDR). We also talk a lot about Network Visibility, which is what drives NDR. There is a very simple reason we talk about both – because NDR is an essential element of a multi-layered security strategy.

There are many reports from market analysts and cybersecurity solution vendors who all confirm that cyberattacks and their consequences are increasing. The regrettable reality is that breaches happen and are happening at an increasing pace. Therefore it is an absolute necessity to maximize resilience to cyber risks. so reliably detecting and efficiently responding to intrusions, intruders, nefarious activity, Indicators of Compromise (IoC), and suspicious activity, in general. The ability to detect and respond is the role and value of integrating NDR into your security defenses.

NDR works by ingesting and analyzing network packet data; the latter is our forte. In the same way that every car requires tires, every NDR deployment requires network packets. Continuing with this analogy, every car manufactured must be equipped with tires. Network packet data is “where the rubber meets the road.” The garbage-in, garbage-out principle applies to NDR just like all types of data processing. This means that results are directly related to the quality and trustworthiness of the data. The strength of your security posture depends on the quality of the network packet data. The more the data can be trusted, the more the results can be trusted, and hence the more those results will be used to drive favorable outcomes.

The Connection Between Network Packet Data and Network Visibility

Network packet data is a primary method of gaining network visibility, here is why. Visibility is the foundational element that enables security analysts and their tools to do their job effectively. When an unplanned event occurs, the first action is always to understand what happened, is happening, and why. You cannot physically see what is happening in a digital network and within an IT environment to gain those understandings. You must instead use visibility that is attained by acquiring, analyzing, and visualizing data that characterizes traffic, performance, and other indicators of performance and compromise. In other words – visibility and data are synonymous.

Network Visibility is especially rich and helpful because it gives an understanding of what happened and is happening with the network. It also gives an understanding of what happened and is happening with the connectivity between services, applications, end-users, and IoT devices. So, the network and network packet data are a proxy for what happened and is happening with the IT infrastructure and the operational benefits it facilitates.

Trustworthy Network Visibility

Let’s look at some key characteristics that constitute trustworthy network packet data for NDR use:

  • Continuous and Lossless Packet Acquisition – Network packets must be acquired under all conditions and at all data rates, all the time, without fail, otherwise the resultant blind spots will become security vulnerabilities
  • Scalability to Acquire Packets from all Strategic Vantage Points – Network packets must be acquired for specific and strategic locations such as North-South links
  • Seamlessly Acquire and Aggregate Packets from Distributed Hybrid Networks– Network packets must be acquired and aggregated across an entire network, inclusive of all combinations of physical data centers and cloud infrastructure
  • Network packet data is an Immutable of What Happened and is Happening – This is why network packet data is referred to as a “source of truth” about what happened and is happening in the network. Beyond just the network, the data also provides insights about the infrastructure, access to it, and the performance of the workloads it hosts

How NDR Uses Network Packet Data

Now that we understand what drives NDR and why the quality and trustworthiness of network packet data is paramount, here is an overview of how NDR uses network packet data. Several vendors provide Network Detection and Response solutions, and each has unique features and capabilities. They all detect Indicators of Compromise (IoC) using the methods listed below that signal breaches, malware infections, or other malicious threats within a network and, more broadly within the IT infrastructure.

  • Inspection – Inspecting and understanding IoC signals that are fundamental to detection and response. Common IoCs include activity to and from suspicious source and destination URLs and IP addresses, unusual activity by end-users, especially those with administration and other privileged access, use of non standard ports, unusual DNS requests, and HTTP, DNS, ICMP patterns that use tunneling to hide malicious activity.
  • Analytics – Having a clear understanding of normal baseline activity is necessary to also understand when there is abnormal activity and other anomalous activity that warrant action up to and including containment
  • Heuristics – Is a specific analytical method of detecting suspicious properties such as dubious, probing, and brute force login attempts that indicate a high potential of unknown threats (i.e., the unknown unknowns)
  • Machine Learning (ML) Models – Constantly evolving malware and threats successfully evade rules and signatures, so ML models that also continuously learn and evolve creating cybersecurity-focused Artificial Intelligence (AI) are necessary to help security measures keep up

Wrap Up

NDR is a necessary method of mitigating cyberattacks and their far-reaching consequences. Its ability to strengthen your organization’s security posture depends on continuously receiving high-quality and trustworthy network packet data. Security Analysts and tools such as NDR are only as good as the network packet data they receive. That is why we at cPacket Networks fuss about NDR and Network Visibility. We know the importance of both.

Any questions? If so, or you just want to learn more about Network Visibility and NDR then check out these resources: