Cybersecurity is a never-ending arms race. Security teams today must work around the limitations of legacy tools such as endpoint detection and response (EDR), security information and event management (SIEM), and next-generation antivirus (NGAV). Notably, threat actors increasingly design malware to disable EDR agents on the endpoint or to destroy the logs a SIEM depends on.
In response, leading security organisations are turning their attention to network detection and response (NDR). NDR solutions continuously monitor and analyse network traffic to uncover advanced threats designed to evade host-based defences. An attacker who controls a host can disable its agent or wipe its logs, but cannot avoid sending traffic across the network; traffic captured passively (for example from a SPAN port or tap) is therefore a high-fidelity data source that the intruder cannot easily alter, which makes it invaluable for early threat detection.
The network is also where an intrusion first lands and from which it spreads: the attacker uses the initial foothold as a beachhead to move laterally across the organisation and to establish command-and-control communications. In the early stages of an attack, reconnaissance, lateral movement and command-and-control traffic all cross the network, where NDR can observe them.
However, not all NDR solutions are the same. Here are a few key capabilities to look for to ensure you get the most out of NDR when enhancing your internal defences.
Strategic decryption for better intruder detection
Cybercriminals now use encryption to make their activity harder to detect once they have infiltrated an organisation's network and to impede forensic investigation. By encrypting their communications with the outside world, attackers gain additional time to hunt for further vulnerabilities and plant backdoors while continuing to move laterally.
Because encryption is increasingly used for legitimate privacy reasons, an attacker can hide inside ordinary encrypted traffic without needing any specialised tooling of their own. Decrypting network traffic, however, is expensive and may require additional infrastructure that itself expands the attack surface: the decryption point holds the server keys or account keys needed to read the traffic and must be protected accordingly.
Rather than decrypting all network traffic, security teams can apply decryption strategically. They should identify the critical assets and services that are likely targets and ensure the associated traffic can be decrypted for full visibility. By focusing decryption on the traffic where attacks are most likely to surface, such as insecure legacy protocols and the services targeted by known exploits (for example, decrypting Kerberos authentication traffic to detect attacks such as Kerberos Golden Ticket attacks), teams reduce cost and preserve the privacy of other traffic, such as employees accessing personal email accounts and online banking.
Moreover, applying strategic decryption to protocols such as SSL/TLS, MS-RPC, WinRM and SMBv3 improves the odds of detecting threats that move laterally across the environment. Since lateral movement occurs early in the attack cycle, detecting it there leaves time to respond and contain the intrusion before long-term damage is done.
Extensive threat insights to support investigative workflows
With so many advanced attack techniques available to threat actors, the question is no longer whether an organisation will be breached but whether it can respond effectively. According to ExtraHop's Asia-Pacific Cyber Confidence Index for 2022, 85% of security and IT leaders surveyed said they experienced at least one ransomware attack in the past five years, while 30% suffered at least six such attacks in the same period.
Reducing an organisation's mean time to respond (MTTR) is critical to limiting the damage once a breach occurs. In practice, investigations stall when critical information is missing and analysts have to pivot across multiple user interfaces (UIs) to triage a single detection.
An intuitive UI helps security teams understand the data in front of them. More importantly, they need enough high-fidelity data to determine a threat's impact footprint accurately and to drive a swift, decisive incident response.
Comprehensive threat briefing reports from an NDR solution can provide the critical context for dealing with a threat: which devices on the network are vulnerable, which other detections are associated with the same threat, and recommended remediation drawn from similar incidents. The best solutions also let security teams look back over the past 90 days to assess the "blast radius" of critical CVEs, exploits and zero-day vulnerabilities.
By combining a clean UI and high-fidelity network data, organisations can streamline their investigations and minimise the damage from breaches.
NDR is key to defending against today’s advanced threats
It is essential for organisations to monitor all network traffic: north-south traffic between the data centre and the rest of the network, and east-west traffic between the servers within a single data centre. By deploying NDR, security teams gain real-time visibility into the assets on the monitored network and the communications between them.
NDR capabilities such as strategic decryption and extensive threat insights improve an organisation's ability to investigate and respond to incidents before more damage is done. Through multidimensional analysis of network data, organisations can surface indicators of compromise and establish whether an intrusion has occurred. Organisations cannot safeguard assets they cannot see on their networks. Simply put, a strong security posture starts from within.