- Step 1: Prevention and detection
- Step 2: Investigation and determining root cause
- Step 3: Response time and mitigation
As cyber crime grows, IT professionals look around the market for solutions that can tackle the ever-growing threat. Network detection and response (NDR) is an essential component for protecting a company’s network against cyber attacks. IT professionals looking for solutions against cyber threats want a comprehensive solution that provides prevention, detection, investigation, quick identification of root cause, faster response times, and mitigation.
Step 1: Prevention and detection
The first steps to protecting against cyber crime are detection and prevention. This requires visibility across the entire network, according to a head of information security at a large insurance company who uses . “The solution provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway, because we do east-west traffic. So, it looks at the entire chain across there.”
Visibility helps with prevention. It is also important to have detection built into your NDR solution. A CEO & founder at a tech services company discusses how RSA NetWitness Network helps with detection: “The most valuable feature is the way it captures the traffic, and it contains every detail of the communication.”
Step 2: Investigation and determining root cause
An NDR solution’s ability to quickly recognize threats and alert a company to them is the first step. The second step is investigating those threats and determining what actually happened. How it investigates and determines root cause makes each NDR solution unique, whether it uses AI, machine learning, or another proprietary algorithmic method.
John C., a chief security officer, describes the value of Awake Security Platform’s threat modeling when investigating threats: “The way their algorithm works, they have a threat model that brings up the most concerning activities, pretty much like an analyst who is very knowledgeable. On a tier level, a Tier 4 analyst would recognize the suspicious activity. Their algorithm takes somebody who is a Tier 1 or Tier 2 and gives them that clarity at a glance.”
An application & security specialist at a large financial services firm discusses how determines root cause at their company: “This solution has some good features for customization in terms of how you're tagging your network, which basically makes it easier to identify what is actually happening. You can see where the traffic is going, where it is coming from, and that sort of thing.”
Step 3: Response time and mitigation
The last step in NDR is responding to threats and mitigating them.
Increasing threat detection rates and reducing incident response times can provide savings for a company by improving time to resolution. “ has definitely increased our threat detection rate. I would say on average probably close to 100 percent,” says Travis B., senior director of architecture and engineering at a large tech services company.
“Stealthwatch helps us save time, money and administrative work. If you talk about a simple security event that a customer has to react to if they don't have the visibility, then you don't find out about it until something even worse happens. For example, somebody worked to get into your financial systems and they were somehow siphoning money out, not only did they get in and you didn't detect that, but now money is disappearing out of your account. So the ability to detect that threat immediately and remediate it is the true value of that reliance.”
Time is a critical part of an NDR solution’s success when mitigating threats. Kristofer L., director of information security at a software R&D company, who uses , notes: “The time from finding threats to remediation is almost instantaneous. For example, I found a threat this morning and remediated it in less than five minutes. The issue that I encountered today was definitely data exfiltration. It was a malware that was hitting domain generated algorithms and also attempting to use Tor to obfuscate the data exfiltration. I found that within three minutes, and then the next following two minutes, we interjected, did the remediation, and had the node off the network.”
Manageability of network detection and response systems
A common theme among is the need to make the reporting and overall user experience easier. When dealing with a solution that relies on visibility and detection, ease of use is an important factor to consider. To reach a broader enterprise audience, IT Central Station users of NDR solutions would like the vendors to make the solutions easier for the average user to operate, not just for someone with in-depth knowledge.
Download the free PDF report to see how IT security professionals ranked the top NDR solutions.
IT Central Station’s “Buyer's Guide for Network Detection and Response (NDR)” report compares enterprise-level NDR vendors. Its goal is to provide first-hand experiences on how each performs in real-world environments based on reviews and features collected from a community of enterprise technology professionals.