What do you do when attackers can disable or otherwise circumvent the advanced security technologies your organization has been relying on to detect and prevent attacks?
That’s a question facing many organizations using endpoint detection and response (EDR), security information and event management (SIEM), next-generation anti-virus (NGAV) and other tools, as threat actors employ malware designed to shut down endpoint agents or destroy logs.
This question has led leading security organizations to turn to network detection and response (NDR). NDR solutions continually ingest, monitor and analyze network traffic and data to identify advanced cyber threats that have been designed to evade other security tools. The network is the highest fidelity data source for early threat detection because it can’t be compromised by attackers. Moreover, the network is where intruders land, expand their reach, establish command and control communications, move laterally and more.
Of course, not all NDR solutions are created equal. If you’re in the market for NDR, there are some key capabilities to look for that go beyond more traditional features to bolster internal traffic defenses.
Strategic Decryption
Today’s advanced threats use encryption to make themselves more difficult to track when inside an organization’s network infrastructure. It also reduces the effectiveness of forensic investigation, which allows them to confidently sneak off into the darkness. We’ve seen this in high-profile incidents like the PrintNightmare vulnerability, which included multiple Windows Print Spooler service vulnerabilities. This exploitation also could occur within encrypted protocols, which only makes detection and investigation all the more difficult.
So how can you gain visibility into encrypted traffic? While decryption may be the first thought that comes to mind, it’s not necessarily the easiest. Decrypting network traffic is expensive and could require additional infrastructure, which in turn creates additional security and privacy issues. However, some NDR solutions offer targeted decryption techniques for traffic that is more vulnerable—including insecure protocols and known exploits—which allows organizations to stay safe without increasing spend.
Investigative Workflows
The unfortunate truth about today’s advanced attacks is that breaches can and will happen. According to the 2022 ExtraHop Cyber Confidence Index, 85% of security and IT leaders at global organizations experienced at least one ransomware attack in the past five years. In that same group, 30% suffered six or more. It’s an expensive problem to have, and when analysts have to toggle between multiple user interfaces (UIs) to triage, it can bog down the investigation.
Reducing mean time to respond (MTTR) is critical to stem the damage from a breach. To conduct a more detailed and conclusive investigation, security teams want an intuitive UI that helps them better understand the data they’re looking at. Design makes all the difference when time is of the essence—and when you pair a clean UI with the high-fidelity data from an NDR solution, you’ll be able to streamline your investigation.
It Starts and Ends with the Network
In order to protect your organization, you need to have insight and visibility into what’s happening on your network. The most effective NDR solution should be able to give your IT security team peace of mind and simplify their workload so they can focus on the most important issues. Strategic decryption techniques and investigative workflows are two key capabilities that strengthen your security posture and enhance return on investment.