Recently, Gartner published its Market Guide for Network Detection and Response (NDR)*, previously named Network Traffic Analysis (NTA). This is the second year that Gartner has released the market report in this sector.
It’s also the second year that the NDR solution from Hillstone Networks has been on the recommended vendor list. This is definitely a great acknowledgement and recognition of Hillstone Networks’ NDR solution and technology platform.
This is the first post of a blog series in which I will explore NDR technologies (NDR and NTA are used interchangeably here). I will cover topics ranging from NDR basics, core techniques, components and deployment to future trends.
According to Gartner, NDR “uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.” Gartner also lists the key requirements that an effective NDR solution must meet.
Using traffic mirroring or tapping tools, the NDR platform must be able to conduct online traffic analysis in real time, rather than offline. This is critical to ensure that anomalies or potential threat attacks are detected in real time.
An NDR platform must be able to monitor traffic between the corporate network gateway and the internet. It should also have the ability to monitor lateral traffic movement within the corporate intranet. This is because nowadays attackers easily penetrate and bypass the network security defenses at the perimeter, using phishing, social media and other modified malware, so post-breach detection is becoming increasingly critical (ransomware is a typical example here). On the other hand, damage can also be incurred, intentionally or unintentionally, by employees inside the corporation. As a result, the NDR solution has to monitor and analyze multi-directional traffic.
An NDR solution must establish normal operational baselines and alert on suspicious traffic that falls outside of those norms. It should also do this automatically, to release security admins from labor-intensive manual investigation and analytical overhead.
In conjunction with traditional statistical and rule-based traffic monitoring and analysis, advanced traffic analytics techniques must be adopted to achieve high efficiency and accuracy. ML techniques are great tools that effectively extract common features from oceans of traffic data, train mathematical models and predict potential abnormalities automatically and effectively.
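As an added illustration (not Hillstone’s code and not part of the original post), here is the baselining idea from the preceding paragraphs applied to constructed flow records: flows are classified as north-south or east-west, a per-host baseline is learned from quiet minutes, and a later minute is checked for volume that deviates from that baseline or for host/direction pairs never seen before. The internal address range, the flow tuples and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space

# Constructed training data: (minute, src, dst, bytes) over ten quiet minutes.
TRAINING_FLOWS = [(m, "10.0.1.5", "203.0.113.10", 48000 + 400 * m) for m in range(10)]
TRAINING_FLOWS += [(m, "10.0.1.5", "10.0.2.7", 2000) for m in range(10)]

# Constructed observation minute: normal outbound, a lateral burst, and a new talker.
OBSERVED_FLOWS = [
    (0, "10.0.1.5", "203.0.113.10", 51000),
    (0, "10.0.1.5", "10.0.2.9", 300000),
    (0, "10.0.3.3", "10.0.2.7", 500),
]

def direction(src, dst):
    """East-west (both ends internal, i.e. lateral) or north-south (crosses the gateway)."""
    both_internal = ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL
    return "east-west" if both_internal else "north-south"

def build_baseline(flows, window_count):
    """Mean and population std-dev of bytes per minute for each (src, direction) pair."""
    series = defaultdict(lambda: [0.0] * window_count)
    for minute, src, dst, nbytes in flows:
        series[(src, direction(src, dst))][minute] += nbytes
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in series.items()}

def detect(flows, baseline, z_threshold=3.0, sd_floor=1000.0):
    """Alert on pairs z_threshold deviations above their baseline, or never seen in
    training. sd_floor stops a perfectly flat baseline (std-dev 0) from alerting on noise."""
    observed = defaultdict(float)
    for _, src, dst, nbytes in flows:
        observed[(src, direction(src, dst))] += nbytes
    alerts = []
    for key, total in observed.items():
        if key not in baseline:
            alerts.append((key, total, "no baseline: pair not seen in training"))
            continue
        mean, sd = baseline[key]
        z = (total - mean) / max(sd, sd_floor)
        if z > z_threshold:
            alerts.append((key, total, f"z={z:.1f} above mean {mean:.0f}"))
    return alerts

def run_demo():
    """Learn the baseline from the quiet minutes, then check the observed minute."""
    return detect(OBSERVED_FLOWS, build_baseline(TRAINING_FLOWS, window_count=10))
```

On the constructed data the normal outbound flow stays within one deviation of its baseline, while the 300 kB lateral burst and the previously unseen internal talker are both reported.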
Once suspicious traffic or potential threat attacks are detected, the security admin should be alerted immediately. Although investigation and responses can be done manually, automation capabilities must be developed to help reduce false positives, reduce the workload and deliver efficiencies.
Another important aspect of NDR is traffic visibility. Security admins need full, intuitive visibility into both the normal baseline traffic and the abnormal traffic patterns. When suspicious activity is detected and notified, admins will need deep insights into the source of the alerted events and other relevant information, to give them the full scope of the issue. This will help security admins and analysts navigate through the data efficiently and gain the confidence and understanding needed to resolve and mitigate the issues.
The NDR solution from Hillstone Networks, namely the Server Breach Detection System (sBDS), provides functionalities that fit well with all of the above criteria:
- It is deployed near critical servers and other protected assets.
- It taps into the existing network topology, and monitors and analyzes traffic in the protected zones in real time using advanced analytical mechanisms.
- It flags and highlights suspicious events to the security admins.
- It provides comprehensive traffic visibility and insights for the alerts in iCenter, its management console.
*: Gartner, Market Guide for Network Detection and Response, Lawrence Orans, Jeremy D’Hoinne, Josh Chessman, June 11, 2020