More security with MDR – Cybersecurity as a Service

More security with MDR – Cybersecurity as a Service - Image by Gerd Altmann on Pixabay

NDR (Network Detection and Response) is now regarded as a security technology that no company network should be without. But who evaluates all the data it produces and leads the response? The answer is MDR, Managed Detection and Response services. An interview with Michael Veit, security expert at Sophos.

Effective security combines technological components, such as networked endpoint protection and a next-generation firewall, with artificial intelligence and human expertise in the form of security services.

While classic security solutions detect and block a large number of attacks and malicious anomalies, monitoring of the network itself has long been neglected. Once attackers have gained access to the network, they are difficult to track down: neither endpoint protection nor the firewall reliably detects attackers who are already inside. Attackers can therefore move through the network unhindered and unnoticed for a long time (lateral movement) in order to prepare their actual attack or data theft.

NDR is good – MDR is better

Michael Veit, security expert at Sophos (Image: Sophos).

NDR (Network Detection and Response) is now indispensable for strong network security. Although NDR detection technology gives a very good overview of the state and protection of the network, someone still has to tell the harmless alerts from the dangerous ones. And the "Response" part of NDR has to be delivered as well, i.e. taking the right actions after indications of an attack or incident.

Sophos addresses exactly this point and offers companies managed detection and response as cybersecurity as a service around the clock, 24/7/365. In an interview, Michael Veit, security expert at Sophos, explains how MDR works at Sophos, what it can do and what the important points are.

The strengths of NDR in combination with MDR – Cybersecurity as a Service

B2B Cyber Security: What strengths does NDR have for companies?

Michael Veit, Sophos: “A modern NDR solution detects attacks even deep in the network. It monitors traffic and also detects activity from unmanaged systems, IoT devices, unauthorized users or assets, and any other sources of network traffic. It can even inspect encrypted packet data without putting personal data at risk.

The new generation of NDR, such as from Sophos, is an advanced network monitoring solution designed to address the complex and constantly evolving threat landscape. It combines five proprietary detection engines with deep learning analytics to deliver real-time, actionable intelligence on a wide range of network threats. The detection engines classify network traffic based on over 330 protocols, 50 flow risks and thousands of IOCs. These engines also include multiple deep learning models that provide new levels of accuracy in threat detection while minimizing false positives.”

B2B Cyber Security: Why should companies rely on MDR in combination with NDR?

Michael Veit, Sophos: “Detecting an anomaly or attack pattern in the network is only the first step. An NDR system warns the company and also provides relevant information about the problem or attack. These must be interpreted correctly and then the “response” part must be fulfilled perfectly. And this is exactly where the problem lies for many companies, as they do not have experts available. Things work differently with MDR: Once they have been detected, the attackers have to be removed from the network and the loopholes have to be closed. This is done automatically via another crucial component in the security ecosystem: MDR (Managed Detection and Response Services). The MDR services are automatically informed by the NDR solution that a previously undetected attacker may be in the company network.

With this information, Sophos' MDR Security Operations Center team immediately takes action, investigates the NDR report and eliminates the attackers. At the same time, the forensic experts are researching the paths of the attack in order to discover residual malware or to detect and correct manipulations and changes in rights in the network. Only the precise processing of such a chain of incidents is a perfect response to an attack.”

B2B Cyber Security: What are the special features of an NDR?

Michael Veit, Sophos: “The NDR technologies bring a company a lot of light into an otherwise dark network. This helps identify unknown or unprotected network devices, including legitimate IoT or OT devices that cannot be fully managed with an endpoint sensor. These include, for example, IoT devices, printers or outdated systems that are on the network. Network devices that have been forgotten and are therefore not taken into account and protected by IT security are also popular with hackers. NDR identifies and monitors such devices for suspicious or malicious behavior that could indicate an attack.

In addition, unauthorized assets introduced into the network that may already be compromised or used to launch an attack can be easily detected and monitored by Sophos NDR.”
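The two capabilities described in this answer, listing hosts that carry no endpoint agent and catching an introduced asset that starts sweeping the network, both fall out of a per-host profile built from passively observed flows. The following is an added illustration written for this article, not Sophos code: the managed-endpoint inventory, the flow records and the 10.0.0.0/8 internal range are all constructed, and the "fan-out to three or more internal peers on SMB/RDP/WinRM ports" rule is a hypothetical threshold, not a documented Sophos detection.

```python
"""Passive asset discovery and lateral-movement fan-out from flow records.

Added illustration, not Sophos code: an NDR sensor sees every host that
talks on the wire, so it can list hosts that carry no endpoint agent and
spot a host sweeping internal peers on SMB/RDP/WinRM ports.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical managed-endpoint inventory (hosts with an agent installed).
MANAGED = {"10.0.1.5", "10.0.1.10", "10.0.1.11", "10.0.1.12"}
INTERNAL = ip_network("10.0.0.0/8")
# Ports typically used for lateral movement inside a Windows network.
LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm"}

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.0.1.10", "10.0.1.5", 53, "udp"),        # managed host -> DNS server
    ("10.0.1.10", "203.0.113.14", 443, "tcp"),    # managed host -> internet
    ("10.0.1.10", "10.0.2.77", 9100, "tcp"),      # managed host -> printer (no agent)
    ("10.0.1.11", "10.0.1.5", 53, "udp"),
    ("10.0.3.200", "10.0.1.10", 445, "tcp"),      # unknown host sweeping SMB/RDP/WinRM
    ("10.0.3.200", "10.0.1.11", 445, "tcp"),
    ("10.0.3.200", "10.0.1.12", 445, "tcp"),
    ("10.0.3.200", "10.0.1.12", 3389, "tcp"),
    ("10.0.3.200", "10.0.1.20", 445, "tcp"),
    ("10.0.3.200", "10.0.1.21", 5985, "tcp"),
]


@dataclass
class HostProfile:
    ip: str
    managed: bool
    client_ports: set = field(default_factory=set)   # (proto, port) this host connects to
    server_ports: set = field(default_factory=set)   # (proto, port) this host is contacted on
    lateral_peers: set = field(default_factory=set)  # internal hosts reached on LATERAL_PORTS


def build_profiles(flows, managed):
    """Profile every internal host seen as source or destination."""
    profiles = {}

    def get(ip):
        return profiles.setdefault(ip, HostProfile(ip, ip in managed))

    for src, dst, port, proto in flows:
        src_internal = ip_address(src) in INTERNAL
        dst_internal = ip_address(dst) in INTERNAL
        if src_internal:
            p = get(src)
            p.client_ports.add((proto, port))
            if dst_internal and port in LATERAL_PORTS:
                p.lateral_peers.add(dst)
        if dst_internal:
            get(dst).server_ports.add((proto, port))
    return profiles


def findings(profiles, fanout_threshold=3):
    """Return (finding_type, ip) pairs, sorted for stable output."""
    out = []
    for p in profiles.values():
        if not p.managed:
            out.append(("unmanaged_host", p.ip))
        if len(p.lateral_peers) >= fanout_threshold:
            out.append(("lateral_fanout", p.ip))
    return sorted(out)


if __name__ == "__main__":
    profs = build_profiles(FLOWS, MANAGED)
    for kind, ip in findings(profs):
        p = profs[ip]
        print(f"{kind:15} {ip:12} server_ports={sorted(p.server_ports)} "
              f"lateral_peers={len(p.lateral_peers)}")
```

Run as a script, it reports the printer and the two hosts that were only ever seen as SMB/WinRM targets as unmanaged, and 10.0.3.200 both as unmanaged and as the source of a five-peer lateral fan-out. The server_ports profile is what lets an analyst guess what a forgotten device is (port 9100 is a printer) before anyone touches it.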

B2B Cyber Security: Does Sophos NDR also detect the most modern attacks?

Michael Veit, Sophos: “That is a very interesting point. The solution also detects never-before-seen Command and Control (C2) activities, because many attacks and security breaches are controlled remotely. At first glance, some communications between the attacker and his remote processes within the network appear legitimate. NDR can detect new zero-day C2 activities and thus detect targeted, highly specialized attacks at an early stage.

Another special feature of the solution is the early detection of suspicious network traffic flows. Sophos is even able to identify unusual traffic patterns and thus detect harmful traffic generated by known malware. An example: Sophos analyzed the traffic pattern of QBot or Qakbot and compared it with suspicious network traffic flows. This is also how an attack by QBot was identified. The technology behind it: the Sophos NDR EPA (Encrypted Payload Analytics) model converts packet streams into images and uses a neural network to determine whether the image matches what we expect from a Qakbot data stream or another malware family (e.g. Bumblebee, Cobalt Strike, Emotet, Dridex).”
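One reason a C2 channel can be caught before anyone has seen it is that the implant still has to phone home, and the timing and size of those check-ins are visible even on TLS traffic. The following is an added illustration of that metadata-only approach, written for this article; it is not Sophos code and has nothing to do with the EPA image model described above. The flow records are constructed (a 60-second beacon with a few seconds of jitter next to ordinary browsing), and the coefficient-of-variation thresholds are hypothetical tuning values.

```python
"""Beacon detection from flow metadata only (timing and size), no payload needed.

Added illustration, not Sophos code: a first-seen C2 channel still has to
phone home, and periodic, similar-sized outbound connections to one
destination stand out even when the traffic is TLS and the destination
has never appeared on a blocklist.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# A 60-second beacon with a few seconds of jitter and near-constant size ...
_JITTER = [0, 4, -3, 5, -2, 3, -5, 1, 2, -4]
_SIZES = [412, 415, 410, 413, 412, 417, 411, 414, 412, 413]
BEACON_FLOWS = [
    (600.0 + 60 * i + j, "10.0.1.12", "198.51.100.7", 443, s)
    for i, (j, s) in enumerate(zip(_JITTER, _SIZES))
]
# ... and ordinary browsing to another host: bursty times, varied sizes.
BROWSING_FLOWS = [
    (t, "10.0.1.12", "203.0.113.50", 443, s)
    for t, s in zip([600, 603, 607, 645, 1200, 1201, 1260, 2400, 2401, 2405],
                    [1500, 23000, 800, 45000, 2200, 900, 67000, 1200, 33000, 5000])
]
FLOWS = BEACON_FLOWS + BROWSING_FLOWS


def group_flows(flows):
    """Bucket flows by (src, dst, port) so each channel is scored separately."""
    groups = defaultdict(list)
    for ts, src, dst, port, size in flows:
        groups[(src, dst, port)].append((ts, size))
    return groups


def beacon_score(channel, min_count=8):
    """Coefficient of variation of inter-arrival times and sizes for one channel.

    Low interval_cv means regular timing; low size_cv means a fixed check-in
    message. Returns None when there are too few flows to judge.
    """
    if len(channel) < min_count:
        return None
    channel = sorted(channel)
    ts = [t for t, _ in channel]
    sizes = [s for _, s in channel]
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    period = mean(intervals)
    if period <= 0:
        return None
    return {
        "count": len(channel),
        "period": period,
        "interval_cv": pstdev(intervals) / period,
        "size_cv": pstdev(sizes) / mean(sizes),
    }


def find_beacons(flows, max_interval_cv=0.2, max_size_cv=0.1, min_count=8):
    """Return [(channel_key, score)] for channels that look like beacons."""
    hits = []
    for key, channel in group_flows(flows).items():
        score = beacon_score(channel, min_count)
        if score and score["interval_cv"] <= max_interval_cv and score["size_cv"] <= max_size_cv:
            hits.append((key, score))
    return hits


if __name__ == "__main__":
    for (src, dst, port), s in find_beacons(FLOWS):
        print(f"beacon {src} -> {dst}:{port} every ~{s['period']:.0f}s "
              f"(interval_cv={s['interval_cv']:.2f}, size_cv={s['size_cv']:.3f})")
```

On the constructed data the beacon channel scores an interval CV of roughly 0.1 and a size CV under 0.01, while the browsing channel scores well above 1 on both and is ignored. Real implants add large jitter, rotate destinations and pad messages precisely to defeat this kind of check, so in practice the thresholds have to be tuned per environment and combined with the other signals an NDR engine has; the point of the example is only that the regularity signal needs no prior knowledge of the destination.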

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.