How could Network Detection and Response augment your current capabilities?

If you believe your organisation is fully protected because your endpoints are covered and/or you have a SIEM, think again. SIEMs have their own blind spots, and endpoint detection capabilities can be evaded or disabled by a determined adversary. Both the SIEM and the endpoint struggle to detect adversary activity that is not specifically malware based, such as lateral movement using stolen credentials. Full protection can only come from expanding your coverage and reducing risk by closing those gaps.

Network behaviour analysis is critical to threat detection for a number of reasons. One, by its very nature the network is the fundamental communication mechanism on which an attacker must operate, and it is very difficult for attackers to hide their tracks there (compared to logs in a SIEM or endpoint agents on a device, which can be targeted and disabled, or simply doctored to erase an attacker's tracks). Two, it is massive and pervasive: the sheer volume of network metadata, protocol logs and network artefacts makes it extremely difficult, if not nearly impossible, for an adversary to hide their activity across an entire network or to disable monitoring of it. Behavioural models, ranging from simple statistical analysis to the more advanced models used by expert Network Detection and Response solutions, help catch what signature-based tools miss.
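As an added illustration (not from the original post) of the "simple statistical analysis" mentioned above: the Python below baselines each workstation's daily number of distinct internal peers on administrative ports using constructed flow metadata, and flags a host whose fan-out jumps, which is the footprint credential-based lateral movement leaves on the wire even when no malware is present. Host names, ports, thresholds and records are all constructed for the example.

```python
"""Baseline-and-deviation check over constructed network flow metadata.

Only who-talked-to-whom metadata is used; no payload, signature or
endpoint agent is involved.
"""
from collections import defaultdict
from statistics import mean, pstdev

ADMIN_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM (constructed selection)

# Constructed flow records: (day, src, dst, dst_port). Days 1-5 form the
# baseline; day 6 is the window under review.
FLOWS = [
    *[(d, "ws-17", f"srv-{i}", 445) for d in range(1, 6) for i in (1, 2)],
    *[(d, "ws-17", "srv-3", 3389) for d in range(1, 6)],
    *[(d, "ws-42", f"srv-{i}", 445) for d in range(1, 6) for i in (1, 2, 3)],
    *[(6, "ws-42", f"srv-{i}", 445) for i in (1, 2, 3)],
    # ws-17 on day 6: valid credentials, but it fans out to 12 hosts on SMB/RDP.
    *[(6, "ws-17", f"srv-{i}", 445 if i % 2 else 3389) for i in range(1, 13)],
]

def daily_fanout(flows, ports=ADMIN_PORTS):
    """Map src -> {day: number of distinct destinations reached on admin ports}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, src, dst, port in flows:
        if port in ports:
            seen[src][day].add(dst)
    return {src: {d: len(s) for d, s in days.items()} for src, days in seen.items()}

def flag_fanout_anomalies(flows, review_day, k=3.0, min_delta=5):
    """Return {src: (observed, baseline_mean, baseline_std)} for hosts whose
    review-day fan-out exceeds their own baseline by k standard deviations
    and by at least min_delta hosts (the floor guards against hosts whose
    history is so flat that any change would otherwise trip the z-score)."""
    alerts = {}
    for src, per_day in daily_fanout(flows).items():
        baseline = [n for d, n in per_day.items() if d < review_day]
        observed = per_day.get(review_day, 0)
        if len(baseline) < 3:
            continue  # not enough history to judge this host
        mu, sigma = mean(baseline), pstdev(baseline)
        if observed - mu >= max(k * sigma, min_delta):
            alerts[src] = (observed, mu, sigma)
    return alerts

if __name__ == "__main__":
    for host, (obs, mu, sigma) in flag_fanout_anomalies(FLOWS, review_day=6).items():
        print(f"{host}: {obs} admin-port peers vs baseline mean {mu:.1f} (sd {sigma:.1f})")
```

In practice the baseline would be built from a flow collector or NDR sensor's records and tuned per host role, since a jump server legitimately has a high fan-out.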
