Laura

19/12/2023

Going Beyond Network Detection and Response Tools

Are most network detection and response tools missing something? We think so.

Network detection and response (NDR) is an incredible technology. With it, you can analyse network packets for malicious behaviour, spot insider threats, and even find connected devices you don’t own. 

However, if you want to implement NDR in your environment, you typically need to install proprietary hardware or run your NDR on a dedicated server.

This can make NDR challenging to scale, incompatible with Zero Trust Architecture (ZTA), and more expensive than it needs to be. It also isolates network traffic information from other security data sources.

That is unless you use SenseOn. Unlike almost every other cybersecurity vendor, we can deliver full NDR capabilities from a software agent. SenseOn augments network data from the endpoint itself and combines it with other sources, including endpoint logs.

If you are looking for NDR to help you spot advanced and insider threats in complicated environments, this capability matters. Here are three reasons why.  

1. Remote Friendly NDR

It’s not 2020 anymore. Back then, the mass evacuation to remote working was the business world’s equivalent of Dunkirk in 1940. Companies were, understandably, scrambling to secure remote and hybrid working environments and leaving lots of gaps as they did so. 

Today, as we explain in another blog, remote and hybrid working is no excuse for a breach, and if you are enabling flexible working environments, you need NDR. 

However, NDR solutions are rarely built for remote work.

In a remote or hybrid world, the “norms” of corporate IT environments are gone. This means bandwidth is lower, connectivity is never guaranteed, and user behaviour is very different. Plus, the cloud, which is behind most remote workforces, is becoming a major source of traffic and a cause of breaches – 90% of which happen due to human error.

Traditional NDR solutions struggle as a result. With remote working, the firewalled network perimeter concept dies and traffic becomes much more fluid with users tunnelling in through VPNs to SaaS applications and cloud workloads. The risks here are not just siloed to your network traffic; they need to be understood in the context of endpoint and user activity, too.

2. Compatible with Zero Trust Architecture

The point of Zero Trust Architecture is to trade perimeter security for internal micro-segmentation, reducing visibility for anyone who is not supposed to have access to your network but finds themselves inside it. Unfortunately, this also reduces visibility for centralised network security solutions.

To monitor east-west traffic in a ZTA environment, an NDR solution needs to be extremely granular and capable of deep packet inspection. To do this without increasing network latency, inspection needs to happen at the traffic’s source, before encryption.

It also needs to be able to handle decentralised data from ZTA environments where you cannot rely on physical probes installed on servers.

Instead, you need an NDR solution that works in a decentralised environment and captures traffic in complicated environments.

Learn more: Why traditional solutions don’t work in ZTA environments

3. NDR Security Data Problem Solved

Data is both the solution to and the biggest obstacle to cybersecurity today. Specifically, there is too much siloed security data being collected and not enough being done to connect it.

This problem impacts NDR when solutions cannot connect data they collect from network packet analysis to data collected from endpoints and user behaviours.

For example, an NDR deployed alongside a SIEM or EDR solution typically becomes just another siloed data source. Most NDRs do not natively map the precise interactions between processes on endpoints and within networks.

The result is confusing false positives, increased remediation times and missed real threats. 

The solution is to collect NDR data in the same format as EDR, EPP and SIEM data. This is what SenseOn’s NDR capability does. 

SenseOn’s Advantage Over Network Detection and Response Tools

SenseOn is a cloud-native security platform that, unique among NDR-capable solutions, can do NDR from a software agent.

SenseOn’s NDR capability is not restricted to individual servers or particular network segments. 

Instead, SenseOn provides granular visibility into parts of the network NDR solutions are otherwise blind to, such as remote workers with intermittent network connections and traffic from cloud environments. 

Through deep packet inspection, SenseOn can pick up advanced threat activity, like Cobalt Strike beacons, that other solutions miss. All the NDR data SenseOn collects is combined with the information the SenseOn platform collects from endpoint activity and user behaviour in a single place (what we call a “Case”) to simplify threat investigation.
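The two ideas above, joining network flows to the endpoint process and user that produced them (section 3) and flagging beacon-like connection timing within that combined view, can be sketched in code. This is an added illustration, not SenseOn’s implementation; the telemetry records, field layout and the `build_cases` / `beacon_score` helpers are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real product data): outbound flows as seen by a
# hypothetical endpoint-resident agent, plus the process table from the same host.
FLOWS = [  # (host, timestamp_s, pid, dst_ip, dst_port, bytes_out)
    ("laptop-01", 1000, 4120, "203.0.113.7", 443, 1200),
    ("laptop-01", 1060, 4120, "203.0.113.7", 443, 1180),
    ("laptop-01", 1121, 4120, "203.0.113.7", 443, 1210),
    ("laptop-01", 1179, 4120, "203.0.113.7", 443, 1195),
    ("laptop-01", 1240, 4120, "203.0.113.7", 443, 1230),
    ("laptop-01", 1005, 2210, "198.51.100.20", 443, 90000),
    ("laptop-01", 1400, 2210, "198.51.100.20", 443, 45000),
]
PROCESSES = {  # (host, pid) -> (image, user, parent_image)
    ("laptop-01", 4120): ("unknown_tool.exe", "alice", "WINWORD.EXE"),
    ("laptop-01", 2210): ("chrome.exe", "alice", "explorer.exe"),
}

def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of inter-connection gaps. Values near 0 mean
    near-constant spacing (beacon-like); None if there are too few events."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps)

def build_cases(flows, processes, max_cv=0.2):
    """Group flows by (host, pid, destination), attach the owning process, parent
    and user from endpoint telemetry, and flag regular low-jitter timing.
    Returns one 'case' dict per group, so the analyst sees both views at once."""
    groups = defaultdict(list)
    for host, ts, pid, dst, port, nbytes in flows:
        groups[(host, pid, dst, port)].append((ts, nbytes))
    cases = []
    for (host, pid, dst, port), events in groups.items():
        image, user, parent = processes.get((host, pid), ("<unknown>",) * 3)
        cv = beacon_score([t for t, _ in events])
        cases.append({
            "host": host, "pid": pid, "image": image, "parent": parent, "user": user,
            "dst": f"{dst}:{port}", "connections": len(events),
            "bytes_out": sum(b for _, b in events),
            "beacon_like": cv is not None and cv <= max_cv,
        })
    return cases

if __name__ == "__main__":
    for case in build_cases(FLOWS, PROCESSES):
        print(case)
```

The same correlation works for any flow source as long as the agent records the local pid and timestamp alongside the flow, which is the piece a network-only sensor cannot supply.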

SenseOn’s agent uses less than 1% of one CPU core and less than 200 MB of memory for all of the above.

This is the advantage you get if you use advanced NDR like SenseOn.

Try a demo to learn more.