• Eyal Elyashiv

Network data should be a foundational component of your security plan, and it’s worth considering.

2020 brought with it a series of changes (with very little notice) and left even less time for planning. The proliferation of remote access and accelerated cloud adoption will only continue in 2021, but this time we’ll have a bit more time to prepare. It’s time to think critically about what’s working in your security strategy and what could stand to be improved. The addition of network detection and response (NDR) to your toolset may be the critical missing link.

What is Network Detection and Response?

Network detection and response is one of the fastest-growing cybersecurity categories in the market today. NDR solutions complement and enhance the current capabilities of log aggregation and analysis tools (SIEM) and endpoint detection and response (EDR) products.

NDR solutions passively ingest and analyze Layer 2 to Layer 7 network data and monitor north-south and east-west traffic. This solution category generally applies advanced behavioral analytics and cloud-scale machine learning to rapidly detect, investigate and respond to threats that might otherwise remain hidden.

Why Network Data First?

Network data is a foundational source of information. Maybe it’s tautological, but looking at the network can tell you what’s on your network. Being able to see every transaction that spans the network offers an understanding of your attack surface without needing an agent on every device. It offers a logical starting place from which to build.

For example, network traffic can potentially identify every device that’s connecting. That comprehensive inventory can be used to ensure that endpoint agents are deployed on every device that can support them (and those devices which can’t support agents are still monitored).

There are many cases where network visibility can expose the blind spots that other tools miss. Those traditional security tools also have gaps in their cloud coverage, and with cloud adoption rapidly accelerating, there’s a strong case for NDR as a central tenet of security.

How Does XDR Compare?

A (very) simplified overview of extended detection and response (XDR) is that it ingests data from many different sources, applies machine learning for detections, and puts it all into a single UI. That probably sounds appealing to most network pros. There’s certain

ly the potential to simplify workflows if the alternative is three or more separate UIs, although integrations can arguably offer similar benefits.

One challenge to the XDR model goes back to that non-uniform data lake. Machine learning requires a consistent and well-understood set of normalized data. Every security product has developed its own data models and each model is inherently distinct due to the way different products function. As such, no single ML model would work for another product’s data set.

Processing and drawing meaningful conclusions from endpoint data is a completely different kettle of fish than understanding network data. The question is: how likely is it that the vendor best at understanding logs is also going to be the best at analyzing the network?

Most XDR solutions come with the risk of vendor lock-in, preventing security teams from seeking out best-of-breed solutions for network, endpoint, and logs. It risks limiting them to a single vendor’s options. Should you throw out your best-of-breed tools to go back to the UTM model of the early 2000s?