Why Network Detection and Response (NDR) Is Essential for Modern Cybersecurity in Hybrid and Cloud Environments
- Jakob Premrn
Years ago, when Extended Detection & Response (XDR) solutions began to emerge in the market, there was significant hype around their potential to solve all cybersecurity challenges. Many believed that XDR would lead to the extinction of Security Information and Event Management (SIEM) and NDR solutions, because correlating various log sources (Endpoint Detection & Response (EDR), applications, communications, etc.) could substitute for the data collected from the network or from "legacy log sources."
To some extent, they were right. XDR systems have greatly improved the ability to correlate data, making the lives of SOC analysts easier by reducing false positives and providing meaningful incidents. However, many professionals at the time did not consider all data collection points of XDR systems. While XDR systems excel at protecting cloud applications, communication channels, and enterprise endpoint systems through APIs or endpoint agents, they lack the ability to efficiently protect systems that cannot be integrated into an XDR or do not support agent installation. These systems often carry the crown jewels of organizations and are frequently overlooked when planning an enterprise defense architecture.
In the past, threat actors primarily targeted endpoint devices such as computers and servers, which let them pivot easily into the environment. With the spread of XDR systems, however, the focus has shifted to unprotected devices such as network devices, firewalls, connection breakers, IoT devices, and hypervisor servers. These devices cannot have an agent installed and therefore do not integrate well into an XDR system. Significant past cyberattacks show that zero-day vulnerabilities in devices from Palo Alto Networks, Fortinet, and Citrix provided threat actors with direct pivot access into the environment. Lateral movement originating from these appliances is detected more efficiently by solutions such as Network Detection and Response (NDR) or a properly configured Security Information and Event Management (SIEM) system.
Another technique threat actors use to avoid detection by XDR is leveraging legitimate tools built into the operating system, known as LOLBINs (living-off-the-land binaries). Using these tools, threat actors can elevate privileges and move laterally across the environment undetected. Such techniques can often be detected only through threat hunting scenarios or NDR solutions.
What NDR Solutions Are and How They Operate
NDR solutions are essentially sensors on the network that collect and analyze traffic. They can operate based on detection signatures or machine learning and artificial intelligence algorithms, with some supporting a combination of both. NDR systems that leverage both options can effectively detect known threats as well as unknown ones through behavior analysis, although this requires more hardware resources.
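To make the two detection modes concrete, the following added example (not code from the original post or from any NDR vendor) runs both a signature check and two behaviour checks over constructed flow records. The indicator list, IP addresses (RFC 5737 documentation ranges) and flow timestamps are all made up for the illustration; a real sensor would work from packet captures or NetFlow/IPFIX and a curated indicator feed.

```python
"""Toy NDR sensor logic over constructed flow records (added example).

Two detection modes:
  * signature: a flow matches a known-bad (destination, port) indicator
  * behaviour: a host's connection pattern deviates from normal, here
      - fan-out: one host contacting many distinct internal peers
      - beaconing: near-constant intervals to one external host
All indicators and flows below are constructed sample data, not real IoCs.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed indicator list standing in for a signature feed (TEST-NET-3 address).
KNOWN_BAD = {("203.0.113.9", 8443)}

INTERNAL_PREFIX = "10."   # assumption: the monitored site uses 10.0.0.0/8


def signature_hits(flows):
    """Flows whose (dst, dport) pair matches a known indicator."""
    return [f for f in flows if (f.dst, f.dport) in KNOWN_BAD]


def fanout_hosts(flows, threshold=10):
    """Hosts that contacted more than `threshold` distinct internal peers."""
    peers = defaultdict(set)
    for f in flows:
        if f.dst.startswith(INTERNAL_PREFIX):
            peers[f.src].add(f.dst)
    return sorted(h for h, p in peers.items() if len(p) > threshold)


def beaconing_pairs(flows, min_flows=6, max_jitter=0.1):
    """(src, dst) pairs to external hosts whose inter-arrival times are nearly constant.

    Jitter is measured as the coefficient of variation of the gaps between flows;
    a value at or below `max_jitter` means the timing is too regular for a human.
    """
    times = defaultdict(list)
    for f in flows:
        if not f.dst.startswith(INTERNAL_PREFIX):
            times[(f.src, f.dst)].append(f.ts)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(pair)
    return sorted(hits)


def sample_flows():
    """Constructed traffic: one benign workstation, one scanning/beaconing host, one signature hit."""
    flows = []
    # Benign: a workstation talking irregularly to two file servers.
    for i, t in enumerate([5, 40, 41, 300, 720]):
        flows.append(Flow(t, "10.0.1.20", "10.0.0.5" if i % 2 else "10.0.0.6", 445, 4000))
    # Fan-out: one host probing 15 distinct internal hosts on SMB.
    for i in range(15):
        flows.append(Flow(100 + i, "10.0.1.77", f"10.0.2.{i}", 445, 200))
    # Beaconing: the same host calling an external address every ~60 s with 1 s jitter.
    for i in range(8):
        flows.append(Flow(1000 + 60 * i + (i % 2), "10.0.1.77", "198.51.100.4", 443, 512))
    # Signature: a flow to the constructed known-bad indicator.
    flows.append(Flow(2000, "10.0.1.30", "203.0.113.9", 8443, 1500))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("signature:", [(f.src, f.dst, f.dport) for f in signature_hits(flows)])
    print("fan-out:  ", fanout_hosts(flows))
    print("beaconing:", beaconing_pairs(flows))
```

The signature check needs no history and fires on the first matching flow, whereas the two behavioural checks need enough flows per host to establish a pattern, which is why the text notes that behaviour analysis costs more hardware resources: the sensor must keep per-host state rather than inspecting each flow in isolation.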
Importance of NDR in Cloud Environments
With the widespread availability and practicality of cloud solutions, many organizations are exploring how to leverage cloud to extend or substitute their on-premises workloads. This often results in a hybrid environment where workloads exist both in the cloud and on-premises, making the cloud an extension of the on-premises data center.
Cloud environments offer various service models such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), each requiring its own security approach. For NDR systems, it is essential to collect network traffic from these resources. This is typically feasible for workloads like virtual machines (VMs) or containers: a virtual TAP (vTAP) is installed on the workload's interface and forwards a copy of the traffic to the monitoring solution. Capturing traffic from other workloads, however, requires routing adjustments so that traffic passes through a device capable of forwarding it, which can introduce inefficiencies and latency. Consequently, most other cloud workloads currently do not support efficient monitoring with NDR systems.
Deploying NDR in Cloud
Capturing network traffic in cloud environments presents significant challenges, both in terms of complexity and cost, as many cloud providers lack native, affordable solutions.
AWS offers VPC Traffic Monitoring, which mirrors network traffic from Elastic Network Interfaces (ENIs). At $11 per ENI per month, organizations with 200 ENIs might face costs of $2,200 per month, and not all EC2 instance types are supported.
Google Cloud provides Packet Mirroring, priced based on inbound data processed by load balancers and traffic passing between zones, costing businesses with 200 workloads approximately $2,500 per month depending on the traffic amount. This variable pricing complicates budgeting for long-term monitoring.
Azure’s Virtual TAP solution is still in private preview, available only in select regions, and doesn’t support all cloud workloads, restricting its scalability and usability.
Because of these constraints, organizations often adopt third-party solutions such as Gigamon. Gigamon lets organizations deploy its agents on virtual machines (VMs) and gather traffic from containerized environments, then forward it to the NDR sensor for analysis. Notably, certain NDR providers, such as Vectra.ai, include Gigamon licensing in their service packages, streamlining deployment and reducing complexity for enterprises.
Correlating NDR Events with XDR
Correlating data between NDR detections and XDR telemetry can significantly enhance an organization’s ability to identify sophisticated threats, particularly in hybrid environments. By leveraging the strengths of both systems, enterprises can gain deeper visibility into Advanced Persistent Threats (APTs), lateral movement attacks, privilege abuse, and data exfiltration. This integration is best achieved through a Security Information and Event Management (SIEM) solution or an XDR platform equipped with data lake capabilities, such as Microsoft Defender. Such setups enable organizations to unify diverse data sources, providing a more robust and comprehensive security framework.
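The correlation described above, as an added example that is not code from the original post nor from any SIEM or XDR product: an NDR alert is keyed by IP address, EDR telemetry by hostname, so the join goes through an asset inventory and a time window. The alert records, process events, IP-to-host mapping and LOLBIN list are all constructed for the illustration; the field names are assumptions, not a particular product's schema.

```python
"""Joining NDR alerts with EDR process telemetry (added example).

Rationale: an NDR sensor sees a flow-level anomaly for an IP; the EDR agent
sees which processes ran on the host at that time. Joined through an asset
inventory and a time window, the analyst gets one incident with evidence from
both sides instead of two unrelated alerts. An NDR alert whose IP has no EDR
host mapping is kept, because that is exactly the agentless device the text
warns about. All records below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: IP -> hostname known to the EDR.
ASSETS = {"10.0.1.77": "ws-finance-07"}

# Constructed NDR alerts (IP-keyed).
NDR_ALERTS = [
    {"ts": "2024-05-01T10:05:00", "src_ip": "10.0.1.77", "rule": "smb_fanout"},
    {"ts": "2024-05-01T13:00:00", "src_ip": "10.0.1.42", "rule": "beacon"},  # no agent on this IP
]

# Constructed EDR process events (hostname-keyed).
EDR_EVENTS = [
    {"ts": "2024-05-01T10:03:30", "host": "ws-finance-07", "process": "wmic.exe", "parent": "winword.exe"},
    {"ts": "2024-05-01T10:04:10", "host": "ws-finance-07", "process": "net.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:00:00", "host": "ws-finance-07", "process": "outlook.exe", "parent": "explorer.exe"},
]

# Small illustrative set of built-in Windows binaries commonly abused (LOLBINs).
LOLBINS = {"wmic.exe", "net.exe", "rundll32.exe", "certutil.exe", "mshta.exe"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(ndr_alerts, edr_events, assets, window=timedelta(minutes=5)):
    """Return one incident per NDR alert, enriched with EDR events on the same host within `window`."""
    incidents = []
    for alert in ndr_alerts:
        host = assets.get(alert["src_ip"])
        if host is None:
            # Unmanaged or agentless device: no EDR context available, keep the alert on its own.
            incidents.append({"rule": alert["rule"], "host": None, "severity": "medium",
                              "evidence": [], "note": "no EDR coverage for this IP"})
            continue
        t0 = _parse(alert["ts"])
        related = [e for e in edr_events
                   if e["host"] == host and abs(_parse(e["ts"]) - t0) <= window]
        lolbin_use = [e for e in related if e["process"].lower() in LOLBINS]
        severity = "high" if lolbin_use else ("medium" if related else "low")
        incidents.append({"rule": alert["rule"], "host": host, "severity": severity,
                          "evidence": sorted(related, key=lambda e: e["ts"]), "note": ""})
    return incidents


if __name__ == "__main__":
    for inc in correlate(NDR_ALERTS, EDR_EVENTS, ASSETS):
        print(inc["severity"], inc["rule"], inc["host"] or "<unmapped>",
              [e["process"] for e in inc["evidence"]], inc["note"])
```

The severity step is where the two data sources add up to more than either alone: a fan-out alert on its own is ambiguous (vulnerability scanner or attacker), but the same alert with built-in binaries spawned from an Office process minutes earlier is a much stronger signal. The unmapped second alert shows the gap in the other direction: the SIEM can still raise it, but only because the NDR sensor saw the traffic.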
For businesses seeking to optimize their cybersecurity strategies, deploying NDR systems and effectively managing SIEM solutions are crucial steps. Our team of experts is available to assist with the implementation of NDR systems, correlation of data across platforms, and development of tailored detection use cases, empowering your enterprise with improved threat intelligence and response capabilities. Let us guide you in fortifying your defenses and enhancing your security posture in today’s complex threat landscape.