Crucial Functions of an Effective Network Detection and Response Platform

Network detection and response (NDR) is an important component of an organization’s security strategy. As IBM Security Product Marketing Manager Stephanie Torto notes, “Today’s threats call for deep network visibility and actionable insights that help security teams respond faster. NDR solutions can provide both.”

However, not every NDR platform, or comprehensive cybersecurity product that includes an NDR component, delivers the full advantage of this technology, which Gartner describes as the use of “non-signature-based techniques to detect suspicious traffic on enterprise networks.” Some are simply better than others, and some do not resemble an effective NDR at all.

To find the best option, it helps to know the features or functions that make NDR the viable solution it is touted to be. Here’s a look at some of the most crucial features to look out for.

A component of a comprehensive platform

Before discussing the various network detection and response platform functions, it is important to clarify the concept of an NDR platform here. Some may think of it as a standalone solution, but in many cases, NDR may just be a part of a comprehensive cybersecurity platform. A security product marketed as a network detection and response platform may just be a component of an even bigger and more comprehensive security solution.

This does not mean that NDR has been relegated to lower importance. It only reflects the realities of threats at present and how security solutions have been set up and streamlined in response to the cunning attacks relentless threat actors undertake. NDR is not the only security solution organizations need. It may be the centerpiece, but it has to work with other controls to address emerging threats.

1. Comprehensive data analysis

Network detection and response platforms are often associated with full security visibility, mostly because they are expected to perform comprehensive data gathering. They are designed to analyze metadata from raw packets, logs from next-gen firewalls and intrusion detection systems, and system monitor data from operating systems and network protocol services. They are also designed to look for potential threats lurking in both physical and virtual networks, on-prem and cloud servers, as well as containers.

Alongside comprehensive data analysis, it also helps to have a multi-modal threat detection system, which can automatically detect and block threats based on threat signatures, heuristics, and other techniques. Additionally, it is important to have consistent telemetry and detection methods in different environments to facilitate smooth and expeditious data analysis.

2. Compatibility with Big Data architecture

NDR processes massive amounts of data. The volumes expand as the organization expands. For this, it is crucial to make use of big data architecture to make sure that there is not just adequate storage but also efficient data handling and scalability.

Conventional online storage is unlikely to be suitable, as massive amounts of data tend to get in the way of advanced NDR operations. Data search and retrieval, for example, can be slowed down significantly by inferior data architecture. When this happens, it becomes difficult to undertake rapid analyses and take advantage of advanced technologies such as AI to expedite processes.

Also, scalability is significant, and it is not something ordinary proprietary data storage solutions can address. Switching to a new online storage provider every time additional storage needs arise is too unwieldy to facilitate effective NDR operations.

3. Data normalization and enrichment

Since NDR collects data from various sources, it is inevitable that the data will be inconsistent, expressed in terms and presented in formats that are not compatible with what other security controls, apps, or network services use. Thus, there is a need to normalize data.

Simply put, data normalization is the process of making data consistent and compatible across all records and fields. It entails the conversion of data into units or forms that are coherent or compatible with each other to aid further processing or seamless utilization, especially when it comes to machine learning or artificial intelligence.

Data enrichment or augmentation, on the other hand, refers to the enhancement of existing data or the addition of missing or incomplete data to clarify scenarios or depict a clear picture of what the system is trying to perceive.

Both data normalization and enrichment should be undertaken before the data is sent to the data lake, unlike what tends to happen in conventional SIEM. This preparatory process is important to enable contextualization (discussed below) and make sense of all the data collected.

4. Data contextualization

Contextualization is one of the biggest issues in conventional security information and event management. NDR can gather security data from a multitude of sources, but it has difficulties taking full advantage of the data collected, because of the lack of context.

This lack of context makes it difficult to identify and prioritize the most urgent alerts or security events. It allows essential security data to be buried deep under less significant information, false alarms, alerts for innocuous events, and other irrelevant details.

Contextualization reduces the amount of data the security team has to deal with. More importantly, it makes it easy to identify crucial security notifications and events that should be addressed with urgency.
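As an added illustration (not from the original article), the following Python sketches the normalize, enrich and contextualize steps described in sections 3 and 4 over two constructed sources, a next-gen firewall log and an IDS alert. The asset inventory, the internal address ranges and the scoring weights are assumptions made for the example.

```python
import ipaddress

# Constructed sample telemetry: next-gen firewall lines (key=value) and an IDS alert (CSV).
RAW_EVENTS = [
    ("ngfw", "ts=2024-05-01T10:02:11Z src=10.0.5.23 dst=203.0.113.9 dport=4444 action=allow"),
    ("ngfw", "ts=2024-05-01T10:02:13Z src=10.0.7.4 dst=10.0.7.5 dport=445 action=allow"),
    ("ids", "2024-05-01T10:02:12Z,10.0.5.23,203.0.113.9,4444,Suspicious outbound beacon (constructed),high"),
]
# Hypothetical asset inventory and internal ranges (constructed) used for enrichment.
ASSETS = {"10.0.5.23": {"hostname": "fin-db-01", "criticality": "high"},
          "10.0.7.4": {"hostname": "kiosk-02", "criticality": "low"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed weights, reused for asset criticality

def normalize(source, line):
    """Map each source's native format onto one common schema."""
    if source == "ngfw":
        kv = dict(f.split("=", 1) for f in line.split())
        return {"ts": kv["ts"], "src_ip": kv["src"], "dst_ip": kv["dst"],
                "dst_port": int(kv["dport"]), "signals": [f"fw:{kv['action']}"], "severity": "low"}
    if source == "ids":
        ts, src, dst, port, sig, sev = line.split(",")
        return {"ts": ts, "src_ip": src, "dst_ip": dst, "dst_port": int(port),
                "signals": [f"ids:{sig}"], "severity": sev}
    raise ValueError(f"unknown source: {source}")

def enrich(event):
    """Attach asset context and flag destinations outside the organization's own ranges."""
    asset = ASSETS.get(event["src_ip"], {"hostname": "unknown", "criticality": "low"})
    event["src_host"], event["src_criticality"] = asset["hostname"], asset["criticality"]
    dst = ipaddress.ip_address(event["dst_ip"])
    event["dst_external"] = not any(dst in net for net in INTERNAL_NETS)
    return event

def contextualize(events):
    """Merge events about the same flow, then rank by severity x asset criticality (+1 if external)."""
    flows = {}
    for e in events:
        key = (e["src_ip"], e["dst_ip"], e["dst_port"])
        if key in flows:
            flows[key]["signals"] += e["signals"]
            if SEVERITY[e["severity"]] > SEVERITY[flows[key]["severity"]]:
                flows[key]["severity"] = e["severity"]
        else:
            flows[key] = dict(e)
    for f in flows.values():
        f["priority"] = SEVERITY[f["severity"]] * SEVERITY[f["src_criticality"]] + int(f["dst_external"])
    return sorted(flows.values(), key=lambda f: f["priority"], reverse=True)

def pipeline(raw=RAW_EVENTS):
    """Normalize and enrich before storage, then contextualize; returns flows, most urgent first."""
    return contextualize([enrich(normalize(src, line)) for src, line in raw])
```

The firewall's plain "allow" and the IDS alert end up as one flow record carrying both signals plus the asset's criticality, which is what lets the high-value host's outbound connection rise to the top instead of being buried among routine allowed traffic.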

5. AI-powered security analysis

Artificial intelligence is vital to NDR. It is what powers efficient automated data contextualization and the automation of processes. Without AI or machine learning, it would be impossible to achieve accurate, real-time, adaptive, and actionable security analyses. Preferably, an AI engine should come out of the box with an NDR platform, to enable rapid deployment and quick detection, investigation, and response to threats.

The use of AI in cybersecurity analysis, however, does not fully supplant manual analysis. It may take several decades or generations for AI to be fully capable of replacing the humans involved in security information and event management. However, AI definitely plays an important role in accelerating processes and reducing mistakes in repetitive tasks.

Hence, both human and AI security analysis should be expected in an effective and efficient network detection and response solution. Automated responses are great, but human involvement will still be needed to some extent.

6. Integration with other tools and functions

As mentioned earlier, an NDR platform is not everything an organization needs to address various threats. It may be a highlight feature, but it is not a do-it-all solution. Hence, it is critical for it to be capable of integrating with other tools.

Integration is fundamental in achieving full security visibility, as it allows a cybersecurity platform to make use of the output of other security controls. These security controls or tools include those used to protect endpoints, analyze network traffic, track users across all apps to spot risks, utilize cloud telemetry, correlate vulnerabilities, secure emails, and gain visibility into SaaS applications.

In conclusion

NDR should not be a mere cybersecurity buzzword or a marketing ploy. It has to offer palpable benefits. As such, it should include the accurate and comprehensive collection of data from all relevant sources, a scalable data architecture designed for handling Big Data, as well as the ability to normalize, enrich, and contextualize data. Moreover, artificial intelligence should be included as a supplement, not to replace or remove human involvement.