Sfruttamento vulnerabilità
Network detection & response: the SOC stress reliever
Cybersecurity teams are well-equipped to handle threats to technology assets that they manage. But with unmanaged devices providing ideal spots for attackers to lurk unseen, network detection and response capabilities have become vitally important.
Companies are spending billions on cybersecurity and still getting breached—partly because the attack surface keeps growing and partly because the network is full of unmanaged devices that are ideal targets for bad actors. To eliminate those hiding places, top analysts are advising organizations to add network detection and response (NDR) capabilities to their cybersecurity mix.
High-stress white-knuckle workplaces like nuclear plants and air traffic control towers have gotten the Hollywood treatment in countless movies about sweat-soaked technicians managing chaos and fighting the clock while the world outside carries on oblivious. The way things are going, enterprise security operations centers (SOCs) more than deserve the same kind of edge-of-your-seat recognition.
Today’s SOCs are under incredible pressure to fend off threats that most of an organization’s employees will never hear about—unless an attack succeeds. They’re supremely aware of the high cost of failure and in a constant scramble to prioritize the right risks and act fast.
Fortunately, SOCs have some smart and powerful tools to help them. Endpoint detection and response (EDR) technologies have proven highly effective at catching threats in devices under enterprise management. The problem is that more and more unmanaged devices are accessing corporate networks and creating openings for bad actors. Hence the need for the farther-reaching capabilities of network detection and response (NDR) solutions.
Why network detection and response tools are essential
Only a small percentage of connected devices will ever access a corporate network. But with the overall number of devices on the planet expected to reach 18.2 billion by 2025, even if a fraction of that “small percentage” is on the corporate network and unmanaged, it will mean huge security headaches for SOC staff.
Unmanaged assets are great places for attackers to lie low. They can take almost any form: previously managed devices with lapsed security agents; bring-your-own devices; routers and other network equipment; and smart devices like thermostats and connected medical equipment.
Because they’re unmanaged, these assets are hard to upgrade or patch and aren’t scanned for vulnerabilities. Some simply can’t be managed, either because they’re not sophisticated enough to host a security agent or because scanning or modifying them is prohibited by regulations, as is the case in Canada with some medical equipment.
These unmanaged assets are proliferating throughout the enterprise IT environment at the same time that networks themselves are becoming harder and harder to protect. Boundaries are dissolving, especially with the surge in remote and hybrid work. According to McKinsey, 58% of the U.S. workforce is already remote. The network has no perimeter.
Cybersecurity teams can no longer hope to simply “keep the bad guys out.” EDR can detect malicious activity in managed assets and observe anomalies moving between managed to unmanaged devices , but once a threat is hiding in the unmanaged weeds, it’s basically untraceable. On top of that, attackers excel at hiding in plain sight, using normal tools and applications to move around the network. Many lie low for weeks or months after a breach to avoid detection before unleashing their attacks.
SOC teams can monitor for suspicious lateral movements, but often they can’t know for sure what the network traffic contains because most of it—including 95% of web traffic according to Google—is encrypted.
NDR solutions help close the gaps by making unmanaged assets visible.
In search of lurking threats
As an approach, NDR focuses on monitoring, detecting, and responding to threats and anomalies in the network—in real time. It uses sophisticated technologies and methodologies to identify and deal with potential threats that traditional security measures might miss.
NDR approaches include continuous traffic monitoring and analysis with deep packet inspection, behavioral analytics, and machine learning informed by threat intelligence to identify anomalies and possible threats.
Industry analysts have weighed in on what NDR solutions need to fully and most effectively manage risk. Forrester has called for a few key additional capabilities: integrated decryption to see into network and web traffic, an ability to support zero-trust approaches, and—importantly—prioritization of the SOC analyst experience, with the aim of preventing SOC staff from being overwhelmed by data and alerts.
Gartner notes that while AI and machine learning are must-haves for any NDR solution, threat intelligence is also required to evaluate the data against real-world risks, and cross-layer correlation is needed to reduce the number of alerts overall and bring greater accuracy to threat detection.
A SOC stress reliever
By combining real-time monitoring and automated response capabilities, NDR empowers enterprises to defend more fully against sophisticated cyber threats and minimize the potential impact of security incidents.
Given the changes in the enterprise attack surface, NDR is a key part of managing attack surface risk—bringing XDR capabilities to network protection and making it easier for SOC teams to do their jobs well with less stress. With tools like these, maybe the SOC won’t end up being the subject of a Hollywood nailbiter after all.
Further insights
For more on NDR and related topics, check out these additional resources: