In the ongoing battle against the rising tide of cyber threats, security operations centres (SOCs) have traditionally relied on a portfolio of tools to boost security and ward off cyberattacks. Two of the most popular are endpoint detection and response (EDR) and security information and event management (SIEM).
While there is no question these tools have delivered significant benefits for many organisations, they can often prove difficult to deploy, operate, and manage. They also often lack some of the key features security teams need to detect and stop threats earlier in the attack cycle.
For this reason, increasing numbers of security teams are turning to network detection and response (NDR) platforms. NDR provides a team with complete visibility inside its organisation's network and covers north-south as well as east-west traffic. This is a capability that neither SIEM nor EDR tools were designed to provide.
Selecting the right NDR tool
When selecting an appropriate NDR solution, there are five key features that any SOC team should demand. Together, they will ensure the tool can deliver the best possible monitoring and protection capabilities. These features are:
1. Cloud-scale machine learning:
Having the ability to swiftly spot and respond to advanced threats and performance issues is critical for any SOC. NDR solutions that offer cloud-hosted and cloud-scale machine learning capabilities will ensure this ability is in place.
Cloud-hosted ML workloads are able to leverage sophisticated, compute-intensive predictive models and identify suspicious or malicious behaviour in real time. They can also scale much more readily and provide additional processing power when required.
Cloud-based tools also benefit from continual and rapid security updates, deployed whenever a new threat emerges. This removes a work burden from the SOC team.
2. On-demand Packet Capture (PCAP):
Network data is a vital resource for security teams and so it's important to have the ability to readily capture network packets. PCAP capabilities enable security and IT teams to understand exactly what is happening within their network.
Depending on the chosen NDR solution, the SOC team will be able to leverage continuous PCAP that's always on, precision PCAP that's triggered by events, or both. Because organisations can benefit from both continuous and on-demand PCAP when investigating breaches, it's important to look for an NDR tool that can offer both.
3. Decryption of internal traffic:
Once they gain access to a target's network, attackers increasingly employ sophisticated techniques to evade detection. For example, they may encrypt the traffic they generate to reach the outside world, such as command-and-control communications to their external servers. They may also hide their activity within traffic that is already encrypted.
If an NDR tool can provide strategic decryption, it makes it possible to only decrypt the traffic for which the organisation created the encryption keys. This allows the SOC team to see into this traffic without compromising privacy.
4. Investigative workflows:
When evaluating NDR tools, one of the most important aspects is the functionality and user interface (UI) on offer. Unfortunately, the UI for some NDR workflows can be clunky and difficult to navigate.
For this reason, it is important to look for an NDR solution that provides clear, intuitive investigation workflows that can assist the security team in better identifying and containing advanced threats.
5. Comprehensive asset inventory:
It's a truism within security circles that it's not possible to secure an environment that is not fully understood. This means that having the capability to discover all the assets on an organisation's network is critical. This is especially the case in industries that are highly reliant on legacy systems or burdened with large numbers of unmanaged devices.
Having the ability to engage automated asset discovery capabilities is a crucial step in gaining an accurate inventory of what's on an organisation's network. Best-of-breed NDR tools can automatically discover new devices as soon as they communicate. These tools should also be able to auto-classify devices by their observed behavioural traits, such as the services they answer on and the peers they talk to.
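To make the passive discovery and behavioural classification described above concrete, here is an added illustration (not code from the article or from any NDR product): each IP address is registered the first time it appears in a flow record, and is then labelled from the server ports it is observed answering on. The flow records, the ROLE_BY_PORT mapping and all addresses are constructed sample data.

```python
"""Passive asset inventory built from observed network flows (added example)."""
from dataclasses import dataclass, field

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    (1000, "10.0.1.20", "10.0.1.5", 53, "udp"),
    (1001, "10.0.1.20", "10.0.1.10", 445, "tcp"),
    (1002, "10.0.1.21", "10.0.1.10", 445, "tcp"),
    (1003, "10.0.1.21", "10.0.1.5", 53, "udp"),
    (1004, "10.0.1.30", "10.0.1.40", 1883, "tcp"),
    (1005, "10.0.1.30", "10.0.1.40", 1883, "tcp"),
    (1006, "10.0.1.22", "10.0.1.10", 445, "tcp"),
]

# Hypothetical mapping from a listening port to a behavioural role label.
ROLE_BY_PORT = {53: "dns-server", 445: "file-server", 1883: "mqtt-broker"}


@dataclass
class Asset:
    first_seen: int                     # timestamp of the first flow involving this IP
    served_ports: set = field(default_factory=set)  # ports this IP answered on
    peers: set = field(default_factory=set)         # IPs it exchanged traffic with

    def roles(self) -> set:
        """Classify by observed behaviour: a device that serves no port is a client."""
        labels = {ROLE_BY_PORT.get(p, "unknown-service") for p in self.served_ports}
        return labels or {"client"}


def build_inventory(flows):
    """Discover every device the moment it first communicates, then record traits."""
    inventory = {}
    for ts, src, dst, dport, _proto in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, Asset(first_seen=ts))  # discovery on first sight
        inventory[dst].served_ports.add(dport)  # dst answered on this port
        inventory[src].peers.add(dst)
        inventory[dst].peers.add(src)
    return inventory


def new_assets_since(inventory, ts):
    """Devices that first appeared at or after `ts`, e.g. since the last review."""
    return sorted(ip for ip, asset in inventory.items() if asset.first_seen >= ts)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for ip, asset in sorted(inv.items()):
        print(ip, asset.first_seen, sorted(asset.roles()), sorted(asset.peers))
```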
By selecting an NDR tool that offers these five important features, a SOC team can be confident it has made the right choice. Visibility across the organisation's entire IT infrastructure becomes achievable, giving the team the best chance of fending off, or quickly responding to, cyber threats.