How does Network Detection and Response work?
Each NDR solution is unique. But here’s a quick look at common tools and techniques.<br/><br/>
Machine learning leverages machine computing power to analyze large sets of data in order to make more accurate predictions. With NDR solutions, machine learning models can detect “unknown unknown” threats to your network using behavioral analytics. Machine learning algorithms can see cyber threats coming around the corner (e.g., ports suddenly being used that have never been used before), in turn enabling more rapid triage and mitigation. Machine learning models are also used to continually reweigh prioritization of potential threats based on real-world outcomes.<br/><br/>
Deep learning is a powerful form of machine learning that uses artificial neural networks to enhance NDR capabilities. At IronNet, we use deep learning but constrain its use to only the NDR applications that are well-suited to the training data requirements and interpretability challenges of deep learning models.<br/><br/>
Statistical analysis is a useful behavioral technique that is sometimes marketed as “AI” by a handful of NDR providers. These can range from simple outlier analysis (e.g., which URL has not be seen in this group of devices) to basic Bayesian analysis of network traffic pattern to other statistical methods. Commonly there is an element of sample to determine a baseline that is then used to identify which activity deviates from normal traffic usage, allowing SOCs to model normal network traffic and highlight suspicious traffic that falls outside the normal range.<br/><br/>
Heuristic analysis detects threats by analyzing data for suspicious properties. In NDR solutions, heuristics extend the power of signature-based detection methods to look beyond known threats and spot suspicious characteristics found in unknown threats and modified versions of existing threats. Some network sandbox vendors position analysis of file-based malwares as a variation of network behavioral analysis.<br/><br/>
Threat Intelligence Feeds<br/><br/>
Threat intelligence feeds are data streams containing information on previously identified cyber threats. Threat intelligence, if timely and actionable, can assist NDR solutions in identifying known threats or providing additional contextualization for prioritization of a detected network anomaly by risk. The limitation of threat intel feeds is the need to actively procure, manage, and curate threat intel so that the information is relevant and timely to the enterprise, which can be beyond the scope of all but the most security mature enterprises.<br/><br/>
Signature-based detection methods use a unique indicator of compromise (IOC) identifier about a known threat to identify that threat in the future. Signatures were effective a generation ago, but the process of using unique identifiers to guard against known threats has become increasingly ineffective in a world where custom malware, malware toolkits, and non-malware based attacks such as credential replay are the norm. Furthermore nearly three quarters of all network traffic today is encrypted, part of an upward trend that’s rendering signature-based tools ineffective by preventing the content inspection required to match certain categories of IOCs.