How do I select a network detection and response solution for my business?

Network detection and response (NDR) solutions enable organizations to improve their threat response, they help protect against a variety of threats, and also provide visibility into what is actually on the network.

To select an appropriate network detection and response solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Mike Hamilton, CISO, CI Security

Network detection and response uses a spectrum of technology and humans, and the right mix for your organization is highly individual. Here are 3 different mixes to consider:

Managed – Managed detection and response combines technology to collect information from your network, detection analytics to identify aberrational activity, and analysts to investigate, confirm, and conduct response operations along a pre-defined playbooks – as a service.

Operated – In the middle, you’ll own the technology, the people to operate the technology, and the processes for response, recovery, and recordkeeping. This is how many organizations have evolved but are discovering that this is harder to sustain.

Automated – At the technology end of the spectrum is automation: SOAR and other methodologies leverage your preventive and detective controls and integrates them to take an action decided by technology.

To decide whether you will be best served by Managed, Operated, or Automated, ask:

• How fast/easy is deployment?
• Does the solution ingest and analyze all your data sources?
• For Operated – What are the resource costs, including how using resources for security may affect current projects as opportunity cost?
• For Managed – How does the provider source and retain threat hunters and Analysts?
• For Automated – What is the worst-case scenario for a false positive?

Rahul Kashyap, CEO, Awake Security

NDR solutions can protect against non-malware threats, including insider attacks, credential abuse, lateral movement, and data exfiltration. They give organizations greater visibility into what is actually on the network as well as the activity occurring. But not all NDR solutions are equal. To maximize value, it’s recommended buyers consider three key parameters:

• Data: Look for solutions that parse the whole packet rather than just NetFlow or IDS alerts. This provides far more depth of visibility, allowing the solution to identify more relevant threats.
• Machine Learning and AI: Avoid solutions that rely primarily on unsupervised machine learning and act as black boxes. These types of offerings generate significant operational overhead via false positives and negatives, and provide no explanation to the analyst on why something was flagged as an issue.
• Use cases: Reduce tool sprawl by replacing existing solutions for network forensics, threat hunting etc. This helps consolidate and modernize your security operations, making the team more efficient.

Like any other security solution, simply acquiring a new NDR tool does not improve security. In my experience, it is critical for buyers to think through operational impacts when deciding on a technology stack.

Igor Mezic, CTO, MixMode

There are some key questions on the underlying methodologies that should be asked when selecting an NDR solution:

Is the AI NDR system partially or entirely dependent on rules? If so, what is the overhead related to tuning and maintaining the rule set? Attack vectors are changing rapidly in a modern security environment, outpacing rule development efforts by a large margin. Rule-based information can be useful as a context, but not as a primary source of information. The core of the machine learning system should be adaptable to new network conditions and thus independent of static rules.

What is the false positive rate for the detections? What is the false negative rate? The reponse part of NDR is highly dependent on quality of detection. Shutting down a subnet over a false positive can disrupt normal network operation. False positives and negatives abound in rule-based systems and systems that use supervised learning methodology based on labeling. Unsupervised systems based on clustering and Bayesian methods also typically feature high rates of false positives.

What happens when we add a new subnet or a router to the network? Does the NDR system have to re-learn everything again? Learning in an off-the-shelf machine learning systems can take 6-24 months. If that cycle repeats every time a new element is added to the network, the methodology is of limited use. The AI system must adapt seemlessly to new conditions on the network, with no additional extensive learning period.

How easy is it to spoof the detection system? It is well known non-generative machine learning methodologies can be easily spoofed by injection of corrupted data, rendering the system incapable of recognizing a specific attack.

Steve Miller, Principal Applied Security Researcher, FireEye

A NDR solution must enable action in a variety of forms.

Detection events must be distinguished into varying buckets of things to care about. The goal of event priority or criticality is to ensure that important, qualified network detection events are at the top of the to-do list. Your security team can take detection events at the top and respond with more care and urgency with respect to the affected assets.

There must be historical recording for network activity. This may be full packet capture stored for a time period, or merely packet capture in a “time wrinkle,” 5 minutes before and after each network detection event. Solutions should include abstracted network logging, such as Netflow and HTTP event logging. The more logging, the easier an investigation becomes.

Solutions must enable alert-to-action automations. When examining alerts, analysts make routine movements to gather information that aids in validation and response options. Solutions must enable automated data collection associated with alerts in preparation for analyst review, thus reducing manual actions.

Functionally, this means solutions must easily integrate and gather contextual data from other technologies such as: DHCP leases; passive DNS resolutions; threat actor or malware associations; and network/asset “handling” systems that may inoculate or reduce the impact of a malicious event through quarantining, blocking, or manipulation of packets. Automatic provision of contextual data and “handling” options is foundational to taking action, which is often the most laborious part of the human workflow.

Jyothish Varma, Director of Product Management, Nuspire

As organizations look to invest in an MDR, they should consider investing in a solution that has the capability to detect attacks geared to bypass existing security controls. For those solutions with static detection mechanisms, if the exploits used by a hacker don’t trigger a pre-existing rule, no one will know an attack is happening.

For this reason, companies must rely on a solution that augments existing security controls with advanced threat detection and response solutions and dedicated security analysts who are trained to proactively uncover evidence of threats.

Organizations should also consider a solution that detects attacks in real time with experts working around the clock to investigate and respond to alerts technology might have missed. A service that can provide a 24/7/365 security operations center staffed with security analysts ensures you will have full access to experts that can detect attacks as they happen and coordinate incident response plans as necessary. By working with providers that have 24/7 security operations centers, existing security teams will be much more productive and reduce time wasted responding to false positives.

The right MDR solution will not only help you remain secure from cyber threats, but will include these key features and outcomes that will benefit your organization.