Many organizations carry a burdensome responsibility to various regulatory bodies like the Securities and Exchange Commission or the US Department of Health and Human Services. These bodies can levy heavy fines on businesses that fall out of compliance or can’t demonstrate that they complied with industry security standards. Among the many tools and platforms available to organizations, network traffic analytics—and more specifically, network detection and response (NDR) technology—has become a go-to solution used to help businesses demonstrate compliance. 

But even with NDR, organizations still face other challenges unrelated to malicious activities. For example, what happens in the event of an NDR monitoring system failure or power outage? Failover systems are often in place, but they don’t always survive a major catastrophe—like a hurricane, for example. This is why organizations that consider the availability of these monitoring systems to be paramount to compliance deploy a multi-level approach.

The need for high availability to maintain compliance

Various compliance mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX), require that organizations “establish safeguards to establish timelines” (Section 302.3, SOX) and “ensure that safeguards are operational” (Section 302.4.C, SOX). Without high availability of the monitoring system for business-critical services, it would be nearly impossible to demonstrate compliance of such requirements—organizations wouldn’t have a complete, uninterrupted timeline showing when events took place. A multi-point, highly available monitoring deployment enables compliance with SOX, HIPAA, and other mandates by ensuring that data is always available and is safeguarded from being affected, either by a malicious attacks or natural disaster. 

Furthermore, the cost of an outage is astronomical compared to the cost of deploying highly available systems in the organization. In general, each hour of network downtime can cost a business anywhere from $100,000 to over $1,000,000 depending on the report. Gartner analyst Andrew Lerner once noted that downtime cost is usually cited as $5,600 per minute. What’s worse, downed systems come with the risk of other damages like data theft caused by security gaps during the outage. 

Fines for violations can also be expensive. HIPAA violations, for example, can be as much as $1,785,651 per year. 

The multi-level approach to high availability

Now that we’ve covered the importance of a high-availability NDR system for compliance monitoring, what would such an approach look like? To start, let’s break this down into four groups to show how each level is important and how it builds on the previous one. By stacking the levels, the highly available systems increase in efficiency. 


Level 1—Data mirroring

The first step in building a high-availability system is the easiest and doesn’t require much additional hardware or resources. By deploying the monitoring system with multiple disks configured as a mirror, you prevent a single disk failure from breaking down the whole system. This is a minimal step in the journey to high availability, but highly available disks on a single system obviously aren’t enough to ensure compliance. 

Level 2—Multi-point data replication 

To truly be a highly available NDR system, there must be multiple telemetry data collectors. By replicating the data from network devices to multiple collectors, data integrity can be maintained even when a single collector completely fails or is compromised. 

Level 3—Redundant replication and reporting

Unfortunately, having multiple collectors isn’t always enough. If a replicator sending network traffic data to multiple collectors fails, none of them will be collecting data, which means the organization becomes blind. To prevent this, deploy redundant replicators and additional reporting engines to ensure that you can both collect and report on the data. This prevents any single point of failure because each part of the system has a redundant instance. 

Level 4—Multi-site deployment

While not entirely necessary for all highly available NDR monitoring systems, having a multi-site disaster recovery deployment guarantees that the system doesn’t fail—even when an entire site fails. When a natural disaster or other catastrophe happens and the site loses power for days or even weeks, having a multi-site deployment means that while one site is down, another geographically separate deployment is up and running. This type of system is not always feasible, especially for single-location businesses, but should be the only way that businesses with a global presence deploy NDR monitoring solutions. 

A full, level-4, highly available deployment ensures that evidence of compliance is maintained by guaranteeing that monitoring systems are always operational, even in the most extreme conditions. If achieving and maintaining a high-availability NDR deployment is a security and compliance goal, reach out to us for more information. 

For further reading, download our Continuous monitoring for business-critical services solution brief. 


Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.