Network Detection and Response – The Building Blocks

In a previous article on this topic, I introduced NDR as a technology, and the key requirements for an NDR product or solution. In this article, I will explain the core technological building blocks of NDR.

The Building Blocks of an NDR Solution

A complete NDR solution should include end-to-end traffic monitoring, packet capture, traffic analysis, traffic visibility and incident response capabilities. Specifically, it should include the following common components:

  • Traffic Collection & Storage

    Incoming raw traffic data is monitored and collected; traffic pre-processing applies filters or rules to flush out unwanted traffic and focus on traffic of interest. Traffic metadata can then be extracted and parsed.

    Traffic metadata can be stored on local disk, while the larger volume of raw traffic log data can be saved on separate servers or data lakes for later threat hunting and forensic evidence.

  • Traffic Analytics

    Traffic analytics is the centerpiece of NDR. There are many different analytical techniques. Traditional statistics-based analysis is still valid and widely used. Additionally, behavioral traffic analysis using ML-based data mining and modeling techniques has helped to improve efficiency and accuracy.

    ML-based analytics, using either supervised or unsupervised algorithms, are especially helpful to:

    • Extract common features from the extremely large amounts of traffic data collected
    • Train and build models, then run live classification and prediction over live traffic patterns in order to detect anomalies or threats

    Traffic analytics can run in streaming, real-time mode, or offline in the background in batch mode. To improve detection accuracy and reduce false positives, traffic analysis needs to converge with other threat detection techniques such as threat intelligence. Threat intelligence provides additional context, such as reputation scores, DNS registration data, and allowlist or blocklist information, for a specific source or destination IP address, domain name, application, process or file hash, machine name or username.
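The collection, analytics and threat-intelligence stages described above, chained into one minimal pipeline, as an added example rather than code from the article or from Hillstone's product. The flow records, the allowlist rule and the threat-intelligence entry are all constructed placeholders; the detector is a plain z-score baseline over bytes per source host standing in for the statistical or ML models the text discusses.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow metadata records: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.0.0.5", "10.0.0.9", 445, 12_000),         # internal, allowlisted dst
    ("10.0.0.5", "198.51.100.7", 443, 50_000),
    ("10.0.0.6", "198.51.100.7", 443, 48_000),
    ("10.0.0.7", "198.51.100.7", 443, 52_000),
    ("10.0.0.8", "203.0.113.44", 443, 9_800_000),  # volume outlier
    ("10.0.0.8", "203.0.113.44", 8443, 200_000),
]
# Constructed pre-processing rule and threat-intel blocklist (placeholders).
ALLOWLIST_DST = {"10.0.0.9"}
THREAT_INTEL = {"203.0.113.44": {"reputation": 5, "tag": "constructed-bad-ip"}}

def preprocess(flows):
    """Collection stage: drop flows the filter rules mark as uninteresting."""
    return [f for f in flows if f[1] not in ALLOWLIST_DST]

def extract_features(flows):
    """Feature extraction: total bytes_out per source host."""
    per_src = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        per_src[src] += nbytes
    return dict(per_src)

def detect_outliers(features, z_threshold=1.5):
    """Statistical baseline: flag hosts far above the fleet's mean volume."""
    values = list(features.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # all hosts identical: nothing stands out
        return []
    return [h for h, v in features.items() if (v - mu) / sigma > z_threshold]

def enrich(flows, hosts):
    """Threat-intel enrichment: attach context for each flagged host's peers."""
    alerts = []
    for host in hosts:
        dsts = {f[1] for f in flows if f[0] == host}
        intel = {d: THREAT_INTEL[d] for d in dsts if d in THREAT_INTEL}
        alerts.append({"host": host, "destinations": sorted(dsts), "intel": intel})
    return alerts

def run_pipeline(flows=FLOWS):
    """Collection -> features -> statistical detection -> TI enrichment."""
    kept = preprocess(flows)
    return enrich(kept, detect_outliers(extract_features(kept)))

if __name__ == "__main__":
    print(run_pipeline())
```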

  • Traffic Visibility

    It is crucial to provide comprehensive traffic visibility to security admins, especially for the east-west traffic between physical hosts in the corporate intranet, virtual machines or cloud workloads.

    Traffic visibility needs to provide both what are called the point view and the surface view.

    • The point view helps security admins drill down into a particular threat event alert to gain more insight into the detected anomalies and attacks.
    • The surface view is essentially a 2D relational topology that maps the relationships between the suspicious or attacking source and the rest of the network. This helps correlate and connect the dots to reconstruct the behavior trail or attack path, so that security admins can draw a clear picture of normal traffic versus suspicious traffic and of normal activities versus potential threats and attacks.
  • Incident Response

    Incident response is a process that helps an organization address and mitigate breaches and security attacks. It usually involves collecting forensic evidence; incorporating threat intelligence to enrich the findings; generating, notifying and managing security alerts; and managing mitigation and remediation ticketing. This ensures that attacks are mitigated in time and that vulnerabilities and security holes are patched and resolved.

    This can be done either manually or automatically, and usually in conjunction with other security devices including firewalls, endpoint protection and network access controls. Today, companies are adopting Security Orchestration, Automation and Response (SOAR), a platform that integrates additional threat detection techniques and threat intelligence. These tools then orchestrate and automate the threat hunting and incident response process using static or dynamic playbooks.

Hillstone NDR Delivers these Building Blocks

The NDR product from Hillstone Networks, Server Breach Detection System (sBDS), includes all of the above building blocks. It is capable of storing traffic metadata locally and conducting traffic analysis either on local devices or in remote traffic analysis centers. It can also integrate with other security devices such as NGFWs, EDR and network access controls to further mitigate attacks.

Hillstone Networks was recognized in the Gartner 2020 Market Guide for Network Detection and Response* for its sBDS solution. To learn more about Hillstone Server Breach Detection System (sBDS), please download the whitepaper or watch our on-demand webinar.

*: Gartner, Market Guide for Network Detection and Response, Lawrence Orans, Jeremy D’Hoinne, Josh Chessman, June 11, 2020