How SMEs benefit from network detection and response


Advanced technology against cybercrime that has been used in large companies for years is now within reach of smaller companies: Network Detection and Response.

Protecting yourself in the current cybercrime storm is a challenge for small and medium-sized businesses that often have limited budgets and resources. The threats are developing faster than the existing cyber security solutions, and small IT departments cannot keep up.

Ransomware can hit anyone

Ransomware attacks are ubiquitous, but the threat landscape doesn't stop there: advanced persistent threats, insider threats and attacks on the supply chain are among the many everyday threats. The attackers use the same cutting-edge technologies as providers of cybersecurity solutions, such as artificial intelligence (AI), encryption and vulnerability scanning. They benefit from a mature black market for malware and ransomware as a service. They benefit from an ever-increasing attack surface, which is growing due to the rapid introduction of cloud solutions, IoT and identity federation. For example, recent supply chain attacks like those on Solarwinds and Kaseya appear perfectly legitimate to traditional security tools. IoT devices, unmanaged or private devices, and forgotten virtual machines or containers create blind spots in security.

Resources bundled on one dashboard

When small businesses are lucky enough to have security analysts, those analysts need to consult multiple dashboards to detect and understand a complex threat or attack. These are the typical sentences one hears from those responsible for IT security in smaller companies: "I am well aware that we have blind spots in the network and large gaps in our security architecture. We only see part of the network and devices." With so many security tools out there, they don't know how to prioritize alerts: "What should I do first and what should I ignore?" And when responding to threats, they have to manually dig through different systems and logs to come up with a meaningful result. "It's so inefficient and takes too long to investigate the root cause of a security incident."

Detecting threats on the network

One thing has stayed the same over the years: every major security breach involves network traffic. For example, if hackers want to steal data, they need to move their loot to a specific location. Recent attacks, such as the "Sunburst" attack on the supply chain, can only be detected by (a) recognizing that something is wrong with the network traffic and (b) being able to react immediately to that activity and stop it.

This requires detection and automated response at the network layer, which very few organizations, typically large enterprises, have implemented today. Gartner defines Network Detection and Response (NDR) as solutions that "primarily use non-signature-based techniques...to detect suspicious traffic on enterprise networks." According to the analysts, NDR tools "continuously analyze raw traffic and/or recordings of streams...to build models that reflect normal network behavior," and the system issues alerts "when it detects suspicious traffic patterns." Other key functions of NDR solutions are automatic or manual responses (see Gartner, "Market Guide for Network Detection and Response", published on June 11, 2020).

NDR solution identifies assets on the network

In other words, an NDR solution identifies all assets on the network, including IoT devices and unmanaged devices. It analyzes the complete network metadata and network traffic, both east/west and north/south (i.e. internal traffic and traffic that crosses the network perimeter). With the help of sensors placed in the network, it monitors the traffic, tracks all network metadata and integrates this data with logs from other existing security solutions such as endpoint security, EDR, firewall, SIEM and SOAR solutions. Because NDR works with copies of this data, no agents or other network changes are required.

360 degree view of the network

As a result, companies get a 360-degree view of external and internal threats. They can see when data leaves their network for a suspicious location abroad. They notice when a PC accesses malicious domains or URLs. They notice when malware makes encrypted copies of data on the network. The solution notifies security analysts if the web server of an IP camera has a weak point. And they can stop and mitigate many of these threats instantly with automated responses.
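The two preceding sections describe the core of the approach: sensors export flow metadata, the tool separates east/west from north/south traffic, learns what is normal per host and alerts on deviations such as data leaving the network in unusual volume. The following Python sketch is an added illustration of that behaviour-baselining idea, not code from the article or from ForeNova; the internal address ranges, the flow records and the threshold are all constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Address ranges treated as "inside" the perimeter (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Constructed flow metadata as a sensor might export it: (src_ip, dst_ip, dst_port, bytes_out).
BASELINE_FLOWS = [  # learning period: normal behaviour of workstation 10.0.1.20
    ("10.0.1.20", "10.0.5.10", 445, 120_000),       # east/west: internal file share
    ("10.0.1.20", "198.51.100.10", 443, 48_000),    # north/south: routine web traffic
    ("10.0.1.20", "198.51.100.10", 443, 52_000),
    ("10.0.1.20", "198.51.100.10", 443, 45_000),
    ("10.0.1.20", "198.51.100.10", 443, 55_000),
]
NEW_FLOWS = [  # monitoring period
    ("10.0.1.20", "198.51.100.10", 443, 51_000),    # within the learned range
    ("10.0.1.20", "10.0.5.10", 445, 130_000),       # internal traffic, not scored by this model
    ("10.0.1.20", "203.0.113.77", 443, 5_000_000),  # sudden large upload to an unknown external host
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src, dst):
    """East/west: both ends internal. North/south: the flow crosses the perimeter."""
    return "east/west" if is_internal(src) and is_internal(dst) else "north/south"

def baseline_outbound(flows, min_samples=3):
    """Model each internal host's normal outbound volume (mean, std dev) from north/south flows.
    Hosts with fewer than min_samples flows are left unmodeled rather than scored on noise."""
    per_host = defaultdict(list)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and direction(src, dst) == "north/south":
            per_host[src].append(nbytes)
    return {h: (statistics.mean(s), statistics.pstdev(s))
            for h, s in per_host.items() if len(s) >= min_samples}

def detect_anomalies(flows, model, threshold=3.0):
    """Alert on outbound north/south flows more than `threshold` std devs above the host's baseline."""
    alerts = []
    for src, dst, port, nbytes in flows:
        if src not in model or direction(src, dst) != "north/south":
            continue
        mean, stdev = model[src]
        z = (nbytes - mean) / (stdev or 1.0)  # a constant history gets a 1-byte floor so growth still scores
        if z > threshold:
            alerts.append({"src": src, "dst": dst, "port": port, "bytes": nbytes, "z": round(z, 1)})
    return alerts
```

Calling `detect_anomalies(NEW_FLOWS, baseline_outbound(BASELINE_FLOWS))` returns a single alert for the 5 MB upload to 203.0.113.77; a real NDR product adds many more features than byte volume, but the learn-then-score loop is the same.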

Thomas Krause, Regional Director DACH-NL at ForeNova Technologies (Image: ForeNova).

NDR is not new and has already gone through some changes. It used to be called NTA (Network Traffic Analysis) or NTSA (Network Traffic Security Analysis). The approach has now matured and has a more sophisticated response element. Nevertheless, it is still a rather rare tool that is used almost exclusively in very large companies today. Why is that?

Large amounts of data can generate false positives

The key point is that these big companies know exactly what is at stake. Because they are aware of the existential risk their business faces and the endless surface area to be attacked, they are not only willing to pay any price for a solution that really helps; they also provide whatever staff is necessary to have the experts to run it. One major challenge is that NDR tools tend to yield a lot of false positives due to the large amount of data they examine. So, up until now, taking advantage of NDR required a sizeable cybersecurity budget to fund a team dealing with the spate of false positives. As a result, only large companies were willing and able to deal with this flood of false positives.

Make NDR manageable and affordable for SMEs

The latest developments make NDR more manageable for smaller companies. In a nutshell, the following seven NDR innovations change the game:

  • Artificial intelligence: Traditional NDR tools have found many deviations from the modeled network behavior. But not all of them were real dangers. Rather, most of them were false positives. It took a lot of specialists to deal with these false positives. Using artificial intelligence, modern NDR tools can now work for SMBs by narrowing down the warnings to those events that really need to be automatically responded to or that need to be investigated by a human specialist.
  • Machine Learning: Today's machine learning can model the normal behavior of network traffic much more accurately than previous generations. Different learning algorithms identify and correlate hundreds of factors in the network data, resulting in much more granular models.
  • Strongly visualized user interface: Nothing saves security analysts more time than a clear and visualized user interface. It is much easier for them to get an overview of what is important and what needs to be done. Plus, it's much easier for them to explain to management what happened when they have clear, visualized reports.
  • Automatic detection of all assets in the network: Blind spots in the network are the perfect entry point for hackers and malware. You can't protect what you can't see. With the help of automatic detection, modern NDR tools eliminate blind spots at an early stage and give security analysts a real-time insight into the network.
  • Integration with endpoint protection, firewall, SIEM, EDR, and other tools: Integration works in two ways. On the one hand, the aggregation of log files from existing security technologies helps to model the normal state. On the other hand, it can accelerate the reaction. For example, predefined playbooks can automate an immediate quarantine for an infected endpoint or the interruption of outgoing data traffic at the firewall. If you are being hacked, time is of the essence to mitigate the effects. And integration with other security systems can save time.
  • Automated incident investigation and correlation of events: A sophisticated attack always consists of a complex chain of attack steps. If a system has been compromised or something looks suspicious, security analysts need to figure out where the danger is coming from while the clock is ticking. With modern correlation engines, they can easily trace every event back to its cause and close every weak point or gap.
  • Standard response measures: Because IT security resources are limited, which is the case in almost all small and medium-sized businesses, organizations need to automate the response to threats as much as possible. The use of predefined standard reactions, such as quarantining infected network resources, can ward off attacks in near real time. NDR tools can define playbooks that trigger multiple actions at once, from e-mails and SMS to team members to resetting passwords and updating firewall rules.

Thanks to recent NDR developments, many more small businesses are now able to spot the increasingly sophisticated threats on their growing attack surface. NDR solutions require fewer resources as they differentiate between real threats and false positives, prioritize action and automate the removal of threats. There's still the perfect storm out there, but with the help of NDR, SMBs are much better equipped to hold their own.

More at ForeNova.com
About ForeNova

ForeNova is a US cybersecurity specialist who offers medium-sized companies inexpensive and comprehensive Network Detection and Response (NDR) to efficiently mitigate damage from cyber threats and minimize business risks. ForeNova operates the data center for European customers in Frankfurt a. M. and designs all solutions GDPR-compliant. The European headquarters are in Amsterdam.


 
