4 key aspects of choosing an NDR solution
From capturing data to generating meaningful metadata, the right NDR solution can make all the difference in proactively detecting and responding quickly to cyber threats. Here we look at four aspects of choosing one: how solutions capture and analyse network data, what they detect, how long they retain data, and how easily they are deployed, together with their ability to provide real-time and historical visibility.
- Network Visibility: Strengthen your security organisation or replace it?
Not all Network Detection and Response (NDR) solutions capture raw network packets. Some rely on flow records such as NetFlow, which summarise traffic using statistics exported by the switch or router and so provide only a high-level view of traffic activity. Other systems briefly classify traffic flows to train unsupervised machine learning models, then discard any information not needed by the data science, so that only behaviour-based detections remain. This highlights the importance of a solution like redborder, which offers a holistic view by generating meaningful metadata and recording the raw packets of each connection or flow, regardless of initial detections or specific behaviours. By not restricting data access to a detection algorithm or process, redborder allows organisations to quickly give staff real-time and historical visibility of the network.
- Detection: Is it just about behaviour or should you look for more?
Networks can generate a wide variety of alerts, from the more commonly ‘known’ indicators (such as network signatures) to behavioural analysis capabilities that look for outliers that cross thresholds (or baselines) and generate alarms. Regardless of the technique, you should ask yourself, “What am I trying to achieve?”
For some, having any form of “surveillance” may be the right solution, as something is better than nothing and they have limited resources, skills or capital to work with. In this case, solutions specifically designed to replace the analyst and limit interaction and visibility into the underlying data are probably the right approach.
Those organisations with more established security operations (probably a defined security team), where investments in people and processes have already been made, are more likely to look beyond a single detection layer (e.g. automated behavioural analysis) and focus on empowering existing analysts and systems. That means leveraging proven and trusted known indicators that are updated daily, along with other advanced techniques, such as advanced malware detection (which requires the NDR platform to extract and analyse files) and behavioural or pattern-based detection capabilities, all on the same detection platform. Any detection must be directly linked to the underlying network metadata and allow the operator to act quickly.
The redborder solution provides a wide range of network detection and response (NDR) capabilities that align with the needs of both organisations seeking basic surveillance and those with more mature security operations. By offering advanced behavioural analysis capabilities along with the ability to empower existing analysts and systems, redborder is positioned as a versatile solution that can adapt to a variety of network security scenarios. In addition, by directly linking detections to underlying network metadata, redborder enables fast and efficient action on potential threats.
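As an added illustration of the point above (not redborder's code or data format), the following example runs a known-indicator check and a per-host behavioural baseline over the same constructed flow metadata, and keeps every alert linked to the flow records that produced it so an analyst can pivot straight back to the evidence. The flow schema, the indicator list and the baseline values are all assumptions constructed for the example.

```python
from statistics import mean, pstdev

# Constructed flow metadata: the kind of per-connection record an NDR
# sensor emits (hypothetical schema, not redborder's actual format).
FLOWS = [
    {"id": 1, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "bytes": 12_000},
    {"id": 2, "src": "10.0.0.5", "dst": "192.0.2.11", "dport": 443, "bytes": 9_500},
    {"id": 3, "src": "10.0.0.7", "dst": "203.0.113.7", "dport": 8443, "bytes": 3_000},
    {"id": 4, "src": "10.0.0.5", "dst": "192.0.2.12", "dport": 443, "bytes": 11_000},
    {"id": 5, "src": "10.0.0.9", "dst": "198.51.100.20", "dport": 22, "bytes": 950_000},
]

# Constructed "known indicator" list (documentation-range address, not a real IoC).
KNOWN_BAD_DESTINATIONS = {"203.0.113.7"}

# Constructed per-host baseline: bytes sent per flow, learned on earlier traffic.
BASELINE = {
    "10.0.0.5": [10_000, 11_500, 9_800, 12_200, 10_700],
    "10.0.0.7": [2_500, 3_100, 2_900, 3_300],
    "10.0.0.9": [40_000, 38_000, 45_000, 41_000, 39_500],
}

def known_indicator_alerts(flows, indicators=KNOWN_BAD_DESTINATIONS):
    """Signature-style detection: the destination matches a curated indicator."""
    return [{"type": "known_indicator", "host": f["src"], "flow_ids": [f["id"]],
             "detail": f"contacted {f['dst']}"} for f in flows if f["dst"] in indicators]

def baseline_alerts(flows, baseline, k=3.0):
    """Behavioural detection: bytes per flow cross mean + k*stddev of the host's baseline."""
    alerts = []
    for f in flows:
        history = baseline.get(f["src"])
        if not history or len(history) < 2:
            continue  # no usable baseline for this host: nothing to compare against
        threshold = mean(history) + k * pstdev(history)
        if f["bytes"] > threshold:
            alerts.append({"type": "baseline_outlier", "host": f["src"], "flow_ids": [f["id"]],
                           "detail": f"{f['bytes']} bytes > threshold {threshold:.0f}"})
    return alerts

def detect(flows, baseline, k=3.0):
    """Run both techniques over the same metadata; every alert keeps its flow ids."""
    alerts = known_indicator_alerts(flows) + baseline_alerts(flows, baseline, k)
    return sorted(alerts, key=lambda a: a["flow_ids"][0])

def flows_for_alert(alert, flows):
    """Pivot from an alert back to the underlying flow records (the analyst's next step)."""
    wanted = set(alert["flow_ids"])
    return [f for f in flows if f["id"] in wanted]
```

With the constructed data, flow 3 fires on the known indicator and flow 5 fires on the baseline, while the remaining flows stay quiet; `flows_for_alert` is the link from either alert back to the metadata the text says every detection must carry.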
- Storage and retention: Here today, gone tomorrow?
A crucial aspect of network detection and response is access to real-time and historical information for investigation. Only a few NDR vendors offer built-in storage of PCAP, alerts or network metadata; without it, additional investments in infrastructure or SIEM integrations may be required.
Retaining network data presents challenges due to the massive volume generated, especially for security teams that need weeks or months of history. Without access to that critical information, it is difficult to investigate alerts effectively.
When evaluating an NDR solution such as redborder, it is important to consider metadata and PCAP retention. Does the solution offer this functionality built in, or are additional implementations needed? Does it integrate with a SIEM, and how easy is that integration? These questions are crucial to ensuring effective threat investigation.
Retention of network metadata (or PCAP) is essential for many organisations to quickly and effectively investigate alerts generated by NDR platforms such as redborder.
- Simplicity of implementation: Elimination of blind spots
When considering the implementation of an NDR solution such as redborder, it is crucial to verify its suitability for the environment, whether SMB or Enterprise. redborder offers flexibility by supporting isolated on-premises environments as well as cloud deployments, with the management console and sensors easily deployable in a private cloud. This gives security analysts anywhere, anytime access to manage sensors and defend against threats in both on-premises and cloud environments.
An NDR solution available in both environments offers flexibility for enterprises migrating to the cloud or managing hybrid environments. redborder excels by offering solutions that work with the native capabilities of public cloud providers, eliminating the need to invest in additional tools to access traffic streams.
In addition, redborder provides flexible deployment options, as its solution can be software-based, avoiding the need for costly black boxes. This reduces complexity and deployment costs, allowing it to operate at scale within the customer’s environment using virtualisation or trusted server OEMs such as Dell, Cisco or HPE. With redborder, obtaining full coverage is more affordable than initially expected.