Mar 30 2023

Network Detection and Response Tools Fill Gaps in Traditional Cyberdefenses

NDR solutions can help state and local government agencies reduce total cybersecurity risk.

Risks are on the rise for state and local governments as malicious actors target both the operational and personal data stored by agencies.

Along with increasing attack volumes, organizations are also dealing with the challenges of limited IT staff and legacy tools. In combination, this trifecta creates substantial blind spots for state and local cybersecurity efforts.

Network detection and response (NDR) solutions can help agencies reduce risk and better defend IT environments from future attacks, experts say.


What Is Network Detection and Response?

According to Jon Stanford, global security specialist at Cisco and a member of the ISACA Emerging Trends Working Group, “Network detection and response is a portfolio of advanced security functions that developed over time to fill gaps in traditional network perimeter defenses.”

For example, NDR solutions increase network visibility by applying advanced analytics and machine learning to traffic. They can also perform deep traffic analysis to detect security threats in real time.

“NDR helps security respond to and remediate threats more quickly before significant disruptions occur, providing critical contextual information that might be missed by other solutions and leave organizations blind and exposed to further exploitation,” Stanford says.

To help thwart cyberattacks, NDR solutions generally align their detection logic with the MITRE ATT&CK framework.


What Is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework was developed by MITRE, a not-for-profit research organization, as a federally funded research project to create a cybersecurity matrix of known tactics, techniques and procedures (TTPs) used by adversaries.

“The framework helps organizations understand cyberthreats based on TTPs to recognize cyberattacker behavior as it occurs in different stages of an attack, which range from reconnaissance, the initial phase, all the way to data exfiltration, the final phase,” Stanford says. “Many organizations use the framework to inform and guide their deployment of security solutions and to help communicate security functions to nontechnical staff to support risk mitigation and investment decision-making.”

As part of a larger NDR effort, the MITRE ATT&CK framework helps organizations pinpoint likely threat vectors and detect the common indicators of compromise associated with those threats. For example, the MITRE ATT&CK matrix catalogs the techniques attackers use to move laterally within a network, including Remote Desktop Protocol, shared webroots and third-party software deployment tools, along with pass-the-hash and pass-the-ticket credential abuse.


What NDR Tools Are Available for State and Local Governments?

As security becomes a top priority for organizations — both on the front line and in the boardroom — the number of available NDR tools is increasing exponentially. This leaves state and local governments with a wealth of choices but also a potential challenge: How do they find tools that align with specific agency needs?

State and local governments can turn to Gartner’s Magic Quadrant for Network Detection and Response to evaluate leading solution vendors in the NDR marketplace, Stanford says. “This industry report includes Gartner’s assessment of each evaluated vendor’s strengths and weaknesses based on a variety of evolving criteria. Because NDR is an established market category, there are numerous industry trade publications and vendor websites that public sector entities can use to help them evaluate potential NDR solutions,” he adds.

Stanford also highlights the rapidly changing nature of solutions in the NDR space. He points to recent advances in machine learning, such as deep reinforcement learning algorithms trained to recognize and adapt to adversarial tactics based on the MITRE framework.

“This new AI approach, which will undoubtedly find its way into commercially available NDR solutions, demonstrates the ability of an AI system to effectively respond to attacks just as highly skilled human responders would. Such advances will not only open up new business models but also allow organizations to reassess their security investments and address the ongoing security headcount and skill gaps,” Stanford says.

As a result, agencies would be wise to regularly test tools currently in use to ensure they’re working as intended, and explore new market options to help improve detection and response.


How Does NDR Relate to SIEM and SOAR?

Security information and event management (SIEM) solutions collect and analyze data from a range of sources across an organization’s network to detect incidents and anomalies. These sources may include logs from servers, firewalls, endpoints and intrusion detection systems, along with any custom sources defined by agencies. Security operations center teams use SIEM solutions both to monitor for alerts and to initiate incident response where appropriate.

Security orchestration, automation and response (SOAR) solutions extend the efficacy of SIEM tools by streamlining threat response workflows and executing specific actions in response to identified threats.

NDR tools assist both, Stanford says. “NDR technology can be an enabler of, and an integral element of, both SIEM and SOAR by providing unique context and advanced, operational insights into security events.”
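The lateral-movement techniques named in the ATT&CK section above and the SIEM context described here can be illustrated together with a small detector. The following is an added example, not code from any NDR vendor or from the article: it scans constructed flow records for one internal host fanning out Remote Desktop Protocol connections to many peers in a short window, and emits an event already tagged with the ATT&CK tactic and technique so a SIEM or SOAR playbook receives that context. The flow records, thresholds and field names are assumptions chosen for the example.

```python
"""Added example: an NDR-style detector for RDP fan-out (ATT&CK T1021.001,
Remote Desktop Protocol, under tactic TA0008 Lateral Movement) that returns
enriched events a SIEM could ingest. Illustrative code, not a vendor product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port).
# 10.0.5.20 opens RDP to four distinct internal hosts within two minutes;
# 10.0.5.21 is an admin host that only ever reaches one jump box.
SAMPLE_FLOWS = [
    ("2023-03-30T09:00:01", "10.0.5.20", "10.0.9.10", 3389),
    ("2023-03-30T09:00:15", "10.0.5.20", "10.0.9.11", 3389),
    ("2023-03-30T09:00:40", "10.0.5.20", "10.0.9.12", 3389),
    ("2023-03-30T09:01:05", "10.0.5.20", "10.0.9.13", 3389),
    ("2023-03-30T09:00:30", "10.0.5.21", "10.0.9.10", 3389),
    ("2023-03-30T09:02:00", "10.0.5.21", "10.0.9.10", 3389),
    ("2023-03-30T09:02:10", "10.0.5.20", "10.0.9.14", 443),   # not RDP
]

RDP_PORT = 3389
WINDOW = timedelta(minutes=5)       # assumed sliding window
FANOUT_THRESHOLD = 3                # assumed: distinct RDP targets per source


def detect_rdp_fanout(flows, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return one enriched alert per source host that reached at least
    `threshold` distinct hosts over RDP inside any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == RDP_PORT:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()                       # chronological order per source
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts.append({
                    "source": src,
                    "targets": sorted(targets),
                    "window_start": t0.isoformat(),
                    "attack_tactic": "TA0008 Lateral Movement",
                    "attack_technique": "T1021.001 Remote Desktop Protocol",
                    "severity": "high",
                })
                break                       # one alert per source is enough
    return alerts
```

Running `detect_rdp_fanout(SAMPLE_FLOWS)` flags only 10.0.5.20; the tactic and technique fields are what let a SIEM correlate the event with endpoint or authentication logs and a SOAR playbook pick the matching response.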


What Challenges Do State and Local Governments Face in NDR Implementation?

When it comes to implementing NDR solutions, Stanford points to several potential challenges, including:

  1. Limited cybersecurity budgets: Stanford says that limited budget resources can make it a challenge for agencies to invest in NDR and other advanced security solutions. He notes that decision-making and budget cycles in the public sector tend to be slower than in the private sector. This makes it more difficult for organizations to keep up with both the latest technologies and the latest threats.
  2. Lack of NDR expertise: Staffing remains a challenge for all industries, and while government agencies may be able to offer the benefit of job security, they’re hard-pressed to compete on salary and benefits. “NDR requires expertise to do well. Public entities have to compete with commercial enterprises for the same scarce talent pool of workers who have the skills and expertise needed to deploy and sustain NDR solutions. Recruiting and retention of cybersecurity staff in the public sector can be a challenge,” Stanford says.
  3. Legacy systems: The use of legacy systems remains commonplace among private enterprises and is even more prevalent in budget-strapped government agencies. This creates a challenge for NDR deployment and integration. If outdated systems and networks aren’t compatible with advanced NDR features and functions, adoption suffers. Staff familiarity with existing systems also plays a role; if agencies can’t clearly demonstrate the benefit of NDR solutions — and provide staff the opportunity to evaluate these systems firsthand — uptake of the technology may not match C-suite expectations.
  4. Compliance concerns: Compliance is also a concern, especially for government organizations. Stanford says agencies are often tasked with meeting “compliance with security standards and complex regulatory requirements, which can include specific risk management and security control frameworks, as well as data protection and privacy requirements.” As a result, organizations must carefully evaluate both NDR vendors and solutions to ensure they’re aligned with current regulatory requirements and can scale to meet emerging compliance obligations.

For state and local agencies, NDR offers a roadmap for risk reduction, but this journey isn’t simple. To make the most of network detection and response, organizations must find the right tools, effectively integrate them with SIEM and SOAR solutions, and address potential challenges in NDR adoption.
