
How to use NDR as a radar system for your network

jeffl

This is the first in a 4-part series of articles by Plixer’s CEO, Jeff Lindholm.

In the warmer months here in New England, you can often find me on my small boat cruising around Boston harbor and the outer islands. As a safety-focused boater, I rely on my radar system to detect the many objects around me—everything from other watercraft, buoys, landmasses, even uncharted hazards (the nautical version of zero-day threats). My radar is my best early detection system, alerting me to all possible threats.

The critical first requirement of Network Detection and Response (NDR) is that it behave like radar for threats in your network. NDR detection should start with the metadata the network itself provides: a non-signature-based way of using raw network traffic to surface suspicious activity. The earliest possible detection is crucial to any effective NDR solution.

That’s because the biggest challenge in network security is dwell time—the amount of time between your network being breached and you realizing it’s been breached. And as has become all too painfully obvious, the days of blocking all threats from entering your network are long gone. Today’s security game is all about finding the bad guys as quickly as possible, which is why early detection is so important.

But to find things early, you need to have total visibility. It’s imperative to see across your entire network—not just the traditional network chokepoints—because that gives you the best chance of seeing that something’s amiss. Any blind corners in your network, such as cloud datacenters or branch offices, will obscure the early signs of a compromise. Sure, you’ll still figure out something’s wrong eventually. But without the early warning of pervasive visibility, you’re navigating without radar. And the cost of that delay is significant, averaging over a million dollars more for breaches where the dwell time exceeds 200 days versus those contained in under 200 days.

The best way to gain that pervasive visibility is through your network’s metadata. Tapping into the metadata collected by the hundreds (if not thousands) of behavior sensors already deployed across your network, from cloud to core to edge, is the best early warning system you can find. By relying on network metadata as part of your NDR solution, you’ll catch obvious signs of compromise such as command and control communication and data exfiltration, as well as harder-to-detect indicators like lateral movement, data collection and abnormal activity.

Many NDR solutions rely on metadata from packet capture to identify signs of compromise. And while PCAP is an important part of the analysis once a threat has been identified (more on this next week), it’s an ineffective solution for early detection. Because it relies on deploying packet capture sensors across the network, it’s prohibitively expensive to achieve the pervasive visibility we’re talking about. As a result, most enterprises only deploy packet capture sensors at network chokepoints and high-value servers.

Instead, Plixer’s NDR platform consumes the metadata already available from the network and security devices deployed throughout your network. In fact, we’ve spent years integrating with those devices, ensuring we understand what well-formed traffic looks like from your critical infrastructure and, more crucially, what’s an indication of compromise. It’s also why we’ve invested in host profiling and risk scoring to quickly identify what a device is, what normal behavior is expected, and when it is behaving suspiciously.
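To make the two preceding paragraphs concrete, here is an added example (my own illustration, not Plixer's code or any NDR product's logic) of what metadata-only detection with host baselines looks like. It consumes flow records in the shape a NetFlow/IPFIX exporter would produce (start time, source, destination, destination port, bytes), compares each internal host against a constructed baseline of its normal behaviour, and produces a risk score with reasons for the three behaviours named above: data exfiltration, lateral movement and command-and-control beaconing. The networks, ports, thresholds, baselines and flows are all constructed sample values.

```python
# Added example (not Plixer's code): scoring hosts from flow metadata alone.
# Flow records are constructed samples in the shape of NetFlow/IPFIX exports:
# (start_seconds, src_ip, dst_ip, dst_port, bytes_out). No payload is inspected.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed internal range
ADMIN_PORTS = {22, 445, 3389, 5985}                  # assumed remote-admin ports

# Constructed per-host baseline ("normal behaviour" from earlier profiling):
# typical bytes sent to external destinations per hour, and the internal
# peers the host usually talks to.
BASELINE = {
    "10.0.1.10": {"ext_bytes_per_hour": 2_000_000, "peers": {"10.0.1.5", "10.0.2.20"}},
    "10.0.1.11": {"ext_bytes_per_hour": 1_500_000, "peers": {"10.0.1.5"}},
    "10.0.1.12": {"ext_bytes_per_hour": 500_000, "peers": {"10.0.1.5"}},
}

# Constructed one-hour window of flow records.
FLOWS = (
    # 10.0.1.10: an ordinary hour, a file-share session and some web traffic
    [(120, "10.0.1.10", "10.0.1.5", 445, 300_000),
     (900, "10.0.1.10", "203.0.113.5", 443, 800_000),
     (1700, "10.0.1.10", "203.0.113.6", 443, 400_000),
     (3100, "10.0.1.10", "203.0.113.5", 443, 300_000)]
    # 10.0.1.11: one very large upload to an external host
    + [(600, "10.0.1.11", "198.51.100.7", 443, 400_000_000)]
    # 10.0.1.12: SMB connections to eight internal peers it never talked to...
    + [(1000 + i * 5, "10.0.1.12", f"10.0.1.{20 + i}", 445, 4_000) for i in range(8)]
    # ...and a tiny flow to the same external host every 300 seconds
    + [(i * 300, "10.0.1.12", "203.0.113.9", 443, 900) for i in range(12)]
)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_beacon(timestamps, min_flows=6, max_cv=0.1) -> bool:
    """Very regular inter-arrival times (low coefficient of variation) suggest beaconing."""
    if len(timestamps) < min_flows:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def score_hosts(flows, baseline, window_hours=1.0, exfil_factor=10, min_new_peers=5):
    """Return {host: {"score": int, "reasons": [...]}} for every internal source seen."""
    ext_bytes = defaultdict(int)      # host -> bytes sent to external destinations
    new_peers = defaultdict(set)      # host -> unfamiliar internal admin-port targets
    ext_times = defaultdict(list)     # (host, external dst) -> flow start times

    for ts, src, dst, port, nbytes in flows:
        if not is_internal(src):
            continue                  # inbound flows are out of scope for this pass
        if is_internal(dst):
            known = baseline.get(src, {}).get("peers", set())
            if port in ADMIN_PORTS and dst not in known:
                new_peers[src].add(dst)
        else:
            ext_bytes[src] += nbytes
            ext_times[(src, dst)].append(ts)

    hosts = set(ext_bytes) | set(new_peers) | {s for s, _ in ext_times}
    findings = {}
    for host in hosts:
        base = baseline.get(host, {"ext_bytes_per_hour": 0, "peers": set()})
        score, reasons = 0, []
        expected = base["ext_bytes_per_hour"] * window_hours
        # Exfiltration: outbound volume far above this host's own baseline.
        if expected and ext_bytes[host] > exfil_factor * expected:
            score += 50
            reasons.append(f"exfiltration: {ext_bytes[host]} B out vs ~{int(expected)} B baseline")
        # Lateral movement: many admin-port connections to peers never seen before.
        if len(new_peers[host]) >= min_new_peers:
            score += 30
            reasons.append(f"lateral movement: {len(new_peers[host])} new admin-port peers")
        # Command and control: clockwork-regular flows to one external host.
        for (s, d), times in ext_times.items():
            if s == host and looks_like_beacon(times):
                score += 25
                reasons.append(f"beaconing: {len(times)} regular flows to {d}")
        findings[host] = {"score": score, "reasons": reasons}
    return findings


if __name__ == "__main__":
    ranked = sorted(score_hosts(FLOWS, BASELINE).items(), key=lambda kv: -kv[1]["score"])
    for host, f in ranked:
        print(f"{host:12} risk={f['score']:3}  {'; '.join(f['reasons']) or 'normal'}")
```

The point of the example is what it does not need: no packet payloads, no signatures, only the records the switches, routers and firewalls already export, which is why it can run across every site and cloud VPC rather than only at chokepoints. The weights and thresholds are arbitrary here; in practice they come from the per-host profile, and an unprofiled host that suddenly sends externally deserves its own rule.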

In both on-water navigation and network security, early detection of threats is critical. The earlier you spot a threat, the quicker you can address it, minimizing any damage. Like a good radar system, Plixer’s NDR platform provides the pervasive, intelligent visibility that ensures you’ll identify threats in your network quickly.

Come back after the Thanksgiving break when I discuss how Plixer can help with analysis once a threat has been detected.