At the forefront of protecting your company

Why do even large companies with significant investments in information security regularly become victims of hacking? The most common answer is an outdated approach to security. Defenders use dozens of tools, but they cannot see fully enough what is happening inside their network, which now most often includes not only the usual physical segments but also cloud ones. Hackers actively use stolen accounts, act through compromised contractors of the organization and try to use a minimum of obviously malicious software, preferring completely legal software and “dual-use tools”. In such a situation, tools that simply protect the company’s computers from malware may not be effective enough to detect well-thought-out cyberattacks.

According to a recent survey

It is the detailed analysis of all traffic of the organization, including internal, that significantly increases the capabilities of defenders, and it can be implemented using promising Network Detection and Response (NDR) systems. In the Kaspersky Lab product line, NDR functionality is implemented within the Kaspersky Anti Targeted Attack Platform (KATA).

Old information security tools are not enough

If there was one word to describe the priorities of modern attackers, it would be stealth. Whether it’s an espionage APT, a ransomware gang, or any other threat targeting a specific organization, they go to great lengths to avoid detection and make it difficult to analyze their actions after the fact. Our incident response report demonstrates this in all its glory: attackers use the accounts of real employees or contractors, attack only with IT tools that are already on the system and used by the organization’s sysadmins (Living off the Land), and exploit vulnerabilities that allow them to perform desired tasks on behalf of privileged users, processes, and devices. Edge devices such as a proxy server or firewall are increasingly used as one of the footholds in attacks.

How does the information security service respond

If the approach to detecting threats in the company was designed several years ago, perhaps the defenders simply do not have the tools to detect such activity in time.

Firewalls – in their traditional form, they only protect the organization’s perimeter and do not help detect suspicious network activity within it (for example, attackers taking over additional computers).
Intrusion detection and prevention systems (IDS/IPS) – classic IDS has very limited capabilities for detecting activity on encrypted channels, and its typical placement at the boundary between network segments makes detection of lateral movement difficult.
Antiviruses and endpoint protection systems are difficult to use to detect activity that is carried out entirely manually with legitimate tools. Moreover, an organization always has routers, IoT devices, or network peripherals on which such protection cannot be installed in principle.


What is Network Detection and Response

NDR systems provide detailed monitoring of an organization’s traffic and the application of various rules and algorithms to it to detect abnormal activity. NDR also includes tools for rapid response to incidents.

The key difference from firewalls is the monitoring of all types of traffic flowing in all directions. Thus, communications are analyzed not only between the network and the wider Internet (North-South, “north-south”), but also between hosts within the network (East-West, “east-west”). Communications between systems in external networks and corporate cloud resources, as well as communication of cloud resources with each other, are not ignored either. Because of this, NDR is effective in different infrastructures: on-premise, cloud and hybrid.

The key difference from classic IDS/IPS is the use of behavioral analysis mechanisms alongside signature analysis.

In addition to analyzing connections, the NDR solution stores traffic in its raw form and offers a whole range of technologies for analyzing such “snapshots” of information exchange. NDR can analyze traffic by a whole set of parameters (including metadata), not limited to simple “address-host-protocol” relationships. For example, using JAx fingerprints, you can identify the nature of even encrypted SSL/TLS connections and detect dangerous traffic without decrypting it.
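To show what “identifying the nature of an encrypted connection without decrypting it” means in practice, here is an added example (not code from the original article or from KATA) that derives a JA3-style fingerprint from the unencrypted ClientHello that opens every TLS session. The ClientHello bytes are constructed inline, and GREASE values (which change on every connection) are dropped so that the same client always yields the same fingerprint.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and must be dropped,
# or the same client would get a different fingerprint on every handshake.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _u16s(data):
    """Unpack bytes into a list of big-endian 16-bit integers."""
    return list(struct.unpack("!%dH" % (len(data) // 2), data))

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a raw TLS record that carries a ClientHello."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a TLS ClientHello record"
    hs, pos = record[5:], 4                  # drop record header; skip handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                # client random
    pos += 1 + hs[pos]                       # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    ciphers = [c for c in _u16s(hs[pos:pos + cs_len]) if c not in GREASE]; pos += cs_len
    pos += 1 + hs[pos]                       # compression methods
    exts, curves, formats = [], [], []
    if pos < len(hs):                        # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            body = hs[pos:pos + elen]; pos += elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 0x000a:              # supported_groups ("elliptic curves")
                n = struct.unpack("!H", body[:2])[0]
                curves = [g for g in _u16s(body[2:2 + n]) if g not in GREASE]
            elif etype == 0x000b:            # ec_point_formats
                formats = list(body[1:1 + body[0]])
    ja3 = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, curves, formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(version, ciphers, extensions):
    """Assemble a minimal ClientHello record; used only to construct sample input here."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"         # cipher suites, null compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sample_hello(grease):
    """Constructed sample: the same client, with a different GREASE value per connection."""
    exts = [(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),                  # SNI
            (0x000a, struct.pack("!HHHH", 6, grease, 0x001d, 0x0017)),     # x25519, secp256r1
            (0x000b, b"\x01\x00")]                                         # uncompressed points
    return build_client_hello(0x0303, [grease, 0x1301, 0xc02b, 0xc02f], exts)
```

The resulting hash can be matched against a list of fingerprints known for particular malware families or tooling; the JA3 string for the sample is `771,4865-49195-49199,0-10-11,29-23,0` regardless of the GREASE value.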

Benefits of NDR in IT and IS work

Detection of threats at early stages

Even the first steps of attackers, whether it is brute-forcing passwords or exploiting vulnerabilities in publicly available applications, leave traces that are detected by NDR.

Accelerate incident investigations

NDR tools allow you to look at suspicious activity both more broadly and more deeply. Network interaction diagrams show where attackers have moved and where they started their activity. Access to raw traffic allows you to reconstruct the actions of the attacker and write detection rules for further searches.

Detection of internal threats

The behavioral approach to traffic also allows NDR to solve preventive tasks. Various violations of information security policies can be identified at an early stage and stopped: the use of unauthorized applications on personal devices, connecting additional devices to the company’s infrastructure, sharing passwords, access to information that the employee does not need for work, use of outdated software versions, and launching server software without adequately configured encryption and authentication.

Automated response

Of course, the R in NDR stands for response: actions such as isolating hosts with suspicious activity, tightening the policy for interaction between network zones, or blocking high-risk protocols or malicious external hosts, depending on the circumstances. The response can be either manual or automatic (when predefined “if-then” conditions are met).
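The east-west monitoring and behavioral comparison described above, as an added example that is not part of the original article or of KATA: flow records are classified by direction, and each internal host’s set of admin-protocol peers (the “Living off the Land” tools from earlier) is compared with its own baseline, so that a workstation suddenly reaching many internal machines stands out while a jump host doing its usual work does not. The address ranges, ports and flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 22: "SSH"}     # legitimate tools often used for lateral movement

def direction(src, dst):
    """north-south = crosses the perimeter; east-west = both ends inside the corporate ranges."""
    inside = lambda ip: any(ip_address(ip) in net for net in INTERNAL)
    return "east-west" if inside(src) and inside(dst) else "north-south"

def lateral_fanout(flows, baseline, threshold=3):
    """Return {src: sorted peers} for internal hosts whose number of distinct internal
    admin-protocol targets exceeds their historical baseline by at least `threshold`."""
    peers = defaultdict(set)
    for f in flows:
        if direction(f["src"], f["dst"]) == "east-west" and f["dport"] in ADMIN_PORTS:
            peers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items()
            if len(dsts) - baseline.get(src, 0) >= threshold}

# Constructed flow records (not captured traffic): a workstation that suddenly reaches
# four internal peers over SMB/RDP, a jump host doing routine work, and traffic that
# east-west logic must ignore.
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.1.20", "dport": 445},
    {"src": "10.0.1.5", "dst": "10.0.1.21", "dport": 445},
    {"src": "10.0.1.5", "dst": "10.0.1.22", "dport": 3389},
    {"src": "10.0.1.5", "dst": "10.0.1.23", "dport": 445},
    {"src": "10.0.1.5", "dst": "10.0.1.30", "dport": 80},      # east-west, but not an admin protocol
    {"src": "10.0.1.5", "dst": "203.0.113.9", "dport": 443},   # north-south, not counted
    {"src": "10.0.0.10", "dst": "10.0.1.20", "dport": 5985},
    {"src": "10.0.0.10", "dst": "10.0.1.21", "dport": 5985},
]
BASELINE = {"10.0.0.10": 25}   # the jump host routinely manages ~25 hosts; the workstation has no history
```

Only the workstation 10.0.1.5 is reported, with its four internal peers; the alert is what an automatic “if-then” response such as host isolation would key on.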

NDR connection with EDR, XDR, NTA

NDR differs from NTA (Network Traffic Analysis) first of all in its response capabilities, including automated ones.

EDR (Endpoint Detection & Response) systems analyze cyber threats on specific devices in the network (endpoints). Where NDR provides a deep analysis of the connections and communications between devices in an organization, EDR provides the same detailed picture of what is happening on each device. These systems complement each other: only together do they provide a complete picture of what is happening in the organization and sufficient tools for detection and response.

XDR (Extended Detection & Response) is a system that provides a holistic approach to threat detection and response by aggregating and correlating data from multiple sources, including endpoints, physical and cloud infrastructures, network devices, and more. This allows defenders to see the full picture of what is happening on the network, combine events from different sources into single alerts, apply advanced analytics to them, and simplify the response. In some XDR products the NDR and EDR functions are built in, while others only support integration with external tools that provide these functions.

Kaspersky Lab’s approach: integrating NDR into the security ecosystem

Kaspersky Lab’s approach uses tools that ensure the exchange of information between different systems, as well as the correlation and enrichment of information from various data sources. That is why, in the Kaspersky Lab product line, the NDR module has expanded the capabilities of the Kaspersky Anti Targeted Attack Platform (KATA).

The top-of-the-line KATA Ultra combines expert EDR capabilities and full NDR functionality into a complete single-vendor XDR solution.
