Cyber Threats
Why NDR is Key to Cyber 'Pest Control'
Intruders are drawn to enterprise IT environments the way mice are attracted to houses. And once either kind of invader is inside, they can be hard to get out. Network detection and response (NDR) lets you trace intruders’ pathways to find out where they’re coming in—and seal the gaps.
If you’ve ever had a mouse problem, you know catching them is hard enough—but trying to find out how they’re getting in can drive you right around the bend. Cyber intrusions aren’t so different. Technologies like endpoint detection and response (EDR) may pinpoint attackers where they turn up, but knowing how they got there is a whole other thing. That’s why network detection and response (NDR) is a critical piece of the cybersecurity puzzle: it lets you rewind, replay, and retrace intruder pathways to close up gaps and keep more threats out.
Cybersecurity is one of those jobs where the work is never actually finished. Defenders keep building “better mousetraps”—trying to anticipate their adversaries’ next moves and catch them in the act—and intruders keep figuring out how to get around them.
It’s a vicious circle and not usually funny, though watching former NASA engineer Mark Rober attempt to stop squirrels from raiding his birdfeeders with wildly elaborate contraptions is a pretty amusing illustration of the extremes it can go to.
The truth is, mousetraps (or squirrel traps—both cruelty-free, of course!) can only do so much on their own. Even better than nabbing intruders on the spot would be to find out where and how they’re gaining access and plugging as many holes as you can.
Building on the mouse analogy, your house and property are basically like the enterprise attack surface, and traps provide a kind of endpoint detection and response (EDR). They have potential to stop intruders but can’t tell you much about how those intruders are getting in, and there are huge areas they don’t cover.
So what you need, then, is a way to identify intruders wherever they are—and to retrace how they’re breaching the perimeter. That, in a nutshell, is network detection and response (NDR).
Combining NDR with EDR gives you a much more complete handle on the environment. Attack surface management (ASM) can then help fill in the rest of the blanks by mapping out all the areas intruders might be hiding in or coming from. In the mouse analogy, these could be the garage, a back shed, cracks in the foundation, dryer vents—anywhere that’s not well secured and at risk of a breach or infestation.
Breaches can be minimized
Suggesting there are ways to shore up the enterprise perimeter against cyberthreats may seem to fly in the face of the whole “breaches are inevitable” mantra that’s been drummed into everyone’s head over the past five years or so.
For sure, the erosion of network boundaries, virtualization of hardware, and interdependence of business processes all make breaches more likely. As a message, “It’s going to happen—so be ready,” was meant to wake organizations up to the reality that perimeter defenses are no longer sufficient on their own. It doesn’t mean that nothing can be done. Even when a breach does occur, the result isn’t automatically a lockout or a ransom. There’s often time and space to act.
What’s needed is the right mix of capabilities: ASM for a clear and detailed picture of everything you need to protect; EDR to find potential threats and mitigate them; and NDR to let you see where threats are coming from and how they’re moving around inside the network.
How NDR works
Like mice in a house, all cyber intrusions leave a trace, even if they’re well masked. (Since mouse traces can be kind of gross, we’ll stay focused on cyber for the moment.)
The traces of cyber intrusions can’t be modified or eliminated. If something’s happened, it will be there in the network telemetry data. NDR records that data, making it easier for security teams to investigate and address root causes. It gives them the power to rewind, replay, and retrace.
This helps expose threats hiding in places that other security technologies don’t reach. Similar to a house where mice move around freely behind the walls, unmanaged assets in the enterprise environment provide excellent hiding places for intruders to lie low. As the name suggests, unmanaged assets aren’t protected by EDR and many can’t have security agents installed on them. They’re hard to see into and defend.
NDR lets you monitor hidden places and detect and respond to network anomalies in real time. Check out our recent blog on NDR for a more detailed breakdown of how this is done.
With NDR, security teams can combine signals from network and endpoint data that on their own might seem innocuous or inconclusive but taken together confirm the presence of a threat.
Identities are important clues
Whether you’re talking about a house or a corporate network, assets and intruders aren’t the only things you need to keep an eye on. There are also the people who live or work there. Knowing as much as you can about each of those people and their behaviors also yields valuable insights to help keep the environment secure.
Say, for example, you live in a home with four other people. If you know one of them has a habit of leaving food out in their bedroom or another leaves the back door open, you could expect to find more mouse activity in those places—and can act on that.
In the corporate context, the equivalent might be a user whose email has been compromised or someone who routinely logs onto the company network over public Wi-Fi.
Good information and careful management of identities makes it easier to correlate endpoint activity to breaches and trace back where those breaches originated. This is what identity threat detection and response (ITDR) does.
Managing identities well and knowing user behaviors also makes it easier to work with users (or restrict their privileges) to increase overall attack surface security.
Trace the paths, plug the gaps
Combining EDR with NDR, ITDR and a big-picture ASM approach gives you about as comprehensive a set of cybersecurity capabilities an enterprise could hope to have: in a nutshell, extended detection and response (XDR). It allows you to defend your endpoints, trace intruders, and understand fully what you need to protect, so that you’re not just scrambling around for better “mousetraps” but also taking steps to keep the bad guys out.
Further insights
For more on NDR and related topics, check out these additional resources:
- Network Detection & Response: the SOC stress reliever blog
- It’s Time to Up-Level Your EDR Solution
- See why Trend is a Leader in both Endpoint and Network security
(EDR + NDR) by Forrester in 2023