Network Detection & Response (NDR) is a newer security technology that aims to fill the gaps left by traditional security solutions, gaps that attackers exploit to gain access to target networks.

To protect their networks from cyber threats, businesses now use a variety of security solutions. Firewalls, IPS/IDS, SIEM, EDR, and XDR (which combines the functionality of EDR and SIEM) are the most common. All of these solutions, however, have weaknesses that prevent them from effectively stopping advanced cyber-attacks.

NDR was built on the foundation of the Intrusion Detection System (IDS). An IDS solution is installed on the network perimeter to monitor network traffic for suspicious activity.

IDS systems have a number of weaknesses that make them ineffective at preventing modern cyber-attacks: they rely on signature-based detection techniques to spot unusual activity, which makes them ineffective at detecting unknown attacks.

IDS systems also generate a large number of security alerts. As a result, security teams waste time and are unable to investigate every alert. Finally, because IDS was not designed to provide response or investigation capabilities, it cannot effectively respond to ongoing cyberattacks.

Network Detection & Response extracts information from network traffic.

NDR was created to counter the risks that IDS systems fail to protect against. NDR systems go beyond signature-based detection and analyze all network traffic entering and exiting the network in order to build a baseline of normal network activity. That baseline is then used to compare current traffic against normal behaviour and flag deviations as suspicious activity.
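The baseline-and-deviation idea described above, shown as an added illustration that is not code from Exeon or any other NDR vendor. It learns per-host outbound behaviour from a training window of NetFlow-style records and then scores a later window against it, raising two kinds of deviation: a destination port the host has never used, and an outbound byte count far above that host's historical mean for the port. All flow records, addresses and thresholds are constructed sample values; a production system would profile many more features (destinations, timing, flow counts) over much longer windows.

```python
"""Baseline-and-deviation detection over flow metadata (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src, dst, dst_port, bytes_out).
# Addresses are placeholders from documentation ranges, not real hosts.
BASELINE_WINDOW = [
    ("10.0.1.10", "10.0.2.5", 443, 12_000),
    ("10.0.1.10", "10.0.2.5", 443, 15_000),
    ("10.0.1.10", "203.0.113.7", 443, 9_000),
    ("10.0.1.10", "10.0.2.9", 53, 300),
    ("10.0.1.10", "10.0.2.9", 53, 280),
    ("10.0.1.11", "10.0.2.5", 443, 20_000),
    ("10.0.1.11", "10.0.2.9", 53, 310),
    ("10.0.1.11", "10.0.2.20", 445, 50_000),
]

# A later window to score against the learned baseline (also constructed).
CURRENT_WINDOW = [
    ("10.0.1.10", "10.0.2.5", 443, 13_000),         # within normal range
    ("10.0.1.10", "198.51.100.9", 443, 2_500_000),  # outbound volume spike
    ("10.0.1.10", "10.0.2.20", 3389, 4_000),        # port never seen for this host
    ("10.0.1.11", "10.0.2.9", 53, 290),             # within normal range
]


def build_baseline(flows):
    """Profile each (src, dst_port) pair by the byte counts seen in training."""
    profile = defaultdict(list)
    for src, _dst, port, nbytes in flows:
        profile[(src, port)].append(nbytes)
    return profile


def score_flows(profile, flows, z_threshold=3.0):
    """Return (src, dst, port, reason) for each flow that deviates from baseline."""
    findings = []
    for src, dst, port, nbytes in flows:
        history = profile.get((src, port))
        if history is None:
            # The host has no history on this port at all: a new behaviour.
            findings.append((src, dst, port, "new destination port for host"))
            continue
        mu = mean(history)
        # Guard against zero variance (single observation or constant values)
        # so a tiny change does not produce an infinite z-score.
        sigma = pstdev(history) or max(mu * 0.1, 1.0)
        z = (nbytes - mu) / sigma
        if z > z_threshold:
            findings.append((src, dst, port, f"outbound volume z={z:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in score_flows(build_baseline(BASELINE_WINDOW), CURRENT_WINDOW):
        print(finding)
```

Run as a script it prints the two deviating flows; the first normal flow stays quiet because 13,000 bytes lies well within one standard deviation of that host's 443 history.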

Machine Learning and Artificial Intelligence (AI) are among the advanced technologies NDR solutions use to detect emerging and unknown threats. Using these technologies, NDR systems convert information gathered from network traffic into actionable intelligence that can be used to detect and stop unknown cyber threats.

An NDR solution can detect and respond to cyber threats automatically, without the need for human intervention. For enhanced detection and response, NDR can be integrated with existing security solutions such as SIEM and SOAR.

Traditional NDRs struggle with encryption and the growing amount of data.

Until now, NDRs relied on traffic mirroring to extract data, typically combined with hardware sensors, very much as IDS used to do it. However, three game-changers increasingly threaten this strategy:

According to the Google Transparency Report, the large majority of internet traffic, around 90 percent, is encrypted. As a result, traditional traffic mirroring can no longer extract information from the payload and is therefore no longer effective.

As bandwidths grow and new networking technologies emerge, traffic mirroring becomes more expensive or even impossible.

The shift to highly distributed hybrid networks means that traffic analysis on one or two core switches is no longer sufficient. Because so many collection points must be monitored, traffic mirroring-based solutions become even more expensive to run. Given these developments, mirroring networks is no longer a future-oriented approach to securing them.

ExeonTrace is a reliable NDR solution that is future-proof.

ExeonTrace does not require network traffic mirroring or decryption of encrypted traffic to detect threats; instead, it employs algorithms that operate on lightweight network log data exported via NetFlow from the existing network infrastructure.

This allows it to analyze metadata passing through the network at multiple collection points in order to uncover covert communication channels used by advanced threat actors like APT and ransomware attacks.

NetFlow is an open standard that allows networking devices (such as routers, switches, and firewalls) to export metadata about every connection that passes through them, whether in the physical network, a virtualized environment, or a private cloud environment, giving both north-south and east-west monitoring capability. As a result, this approach is ideal for distributed networks, including cloud environments.

ExeonTrace gives you complete visibility into your entire IT environment, including connected cloud services and shadow IT devices, and can even detect non-malware attacks like insider threats, credential abuse, and data exfiltration. With complete network visibility, all network traffic entering and leaving your enterprise network can be inspected.

ExeonTrace continuously monitors all internal interactions between devices across your enterprise network in order to detect advanced threat actors such as APTs and ransomware hiding in your networks.

ExeonTrace detects non-malware threats such as insider threats, lateral movement, data leakage, and internal reconnaissance using supervised and unsupervised Machine Learning models. ExeonTrace also allows the creation of network-based custom rulesets to ensure that all users adhere to the security policies in place (e.g., stopping users from using particular protocols). To detect known threats, ExeonTrace can integrate with available threat feeds or use a customer-specific threat feed.
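The two detection sources named in the paragraph above, custom policy rules and threat-feed matching, as an added example that is not ExeonTrace's code or rule syntax. It evaluates a small ruleset over constructed NetFlow-style records: one rule flags protocols the policy forbids (identified here by destination port, an assumption for illustration), the other matches destinations against an indicator list. The flows, the forbidden-port table and the feed entry are all constructed placeholders.

```python
"""Policy rules and indicator matching over flow metadata (added example)."""

# Constructed NetFlow-style records; addresses are documentation-range placeholders.
FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.5",   "proto": "tcp", "dport": 443, "bytes": 12_000},
    {"src": "10.0.1.12", "dst": "10.0.2.30",  "proto": "tcp", "dport": 23,  "bytes": 800},     # telnet
    {"src": "10.0.1.13", "dst": "192.0.2.44", "proto": "tcp", "dport": 443, "bytes": 5_000},   # feed hit
    {"src": "10.0.1.14", "dst": "10.0.2.9",   "proto": "udp", "dport": 53,  "bytes": 300},
    {"src": "10.0.1.15", "dst": "10.0.2.31",  "proto": "tcp", "dport": 21,  "bytes": 40_000},  # ftp
]

# Constructed placeholder indicator; not a real IoC from any feed.
THREAT_FEED = {"192.0.2.44"}

# Assumed policy: cleartext management/transfer protocols are not allowed.
FORBIDDEN_PORTS = {23: "telnet", 21: "ftp", 69: "tftp"}


def rule_forbidden_protocol(flow):
    """Custom policy rule: return a reason string if the flow uses a banned protocol."""
    name = FORBIDDEN_PORTS.get(flow["dport"])
    return f"forbidden protocol {name} (port {flow['dport']})" if name else None


def rule_threat_feed(flow, feed=THREAT_FEED):
    """Known-threat rule: return a reason string if the destination is on the feed."""
    return f"destination {flow['dst']} matches threat feed" if flow["dst"] in feed else None


# Rules are (name, predicate) pairs; a predicate returns None for a clean flow.
RULES = [
    ("policy.forbidden_protocol", rule_forbidden_protocol),
    ("intel.threat_feed", rule_threat_feed),
]


def apply_rules(flows, rules=RULES):
    """Run every rule over every flow and collect one alert per match."""
    alerts = []
    for flow in flows:
        for name, rule in rules:
            reason = rule(flow)
            if reason:
                alerts.append({"rule": name, "src": flow["src"],
                               "dst": flow["dst"], "reason": reason})
    return alerts


def alerts_by_rule(alerts):
    """Count alerts per rule name, the kind of roll-up an analyst triages from."""
    counts = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = apply_rules(FLOWS)
    for alert in found:
        print(alert)
    print(alerts_by_rule(found))
```

Because the rules only read connection metadata (addresses, protocol, port, byte counts), they work the same on encrypted and cleartext flows, which is the property the text claims for metadata-based analysis.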