Learn how organizations monitor, 检测, 和 respond to suspicious network activity.
InsightIDR产品Network 检测 和 response (NDR) is the practice of 应用ing rules or signatures to network traffic in order to automatically trigger alerts for activity that could indicate malicious behavior.
The NDR solution category is emerging out of what was previously known as network traffic analysis (NTA), which also aimed to monitor network traffic. The broadening in scope was a response to the need for the category to include automated response actions in st和ard solutions.
这意味着 most modern solutions feature the ability to monitor, 检测, 和 respond to potential threats. 这意味着, after a threat has been 检测ed, security personnel can take immediate steps to contain or respond, quickly killing malicious processes or quarantining infected 端点.
According to Gartner®, organizations rely on NDR to 检测 和 contain postbreach activity such as ransomware, insider threats, or lateral movement. 核心功能包括:
NDR works by bringing together a team of security professionals to input processes to monitor, 检测, 和 respond to alerts that could negatively affect the integrity of the network 和 business. Let's look more closely at those processes:
One of the most important aspects of this process is the ability to access real-time information about user activity, 应用程序活动, 网络活动. 另外, network data should be easily searchable so that analysts can accelerate investigations into alerts based on suspicious activity. It’s also important to be able to build custom alerts as well as access a library of attacker behavior analytics (ABA) so that the process is starting from a wealth of information about past suspicious activity.
It's extremely critical to establish a baseline of usual network behavior 和 actions so that automated systems know what is normal 和 what is suspicious. 例如, user-behavior analytics (UBA) are helpful for enabling your team to quickly determine whether a potential threat is an outside attacker impersonating an employee or an employee who presents some kind of risk, whether through negligence or malice. UBAs connect activity on the network to a specific user as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user.
NDR solutions should have the ability to take automated actions when an incident is 检测ed. 来自检疫, 连接终止, to executing a series of predefined actions developed by security operations center (SOC) analysts, it should be possible these days to rapidly take down an attacker if a network perimeter is breached, whether on-prem or in the cloud. Actions taken during this process would include deep-dive analysis of incidents, reverse-engineering attack 方法 like malware, 创建入侵报告.
A 威胁情报 (TI) feed should be a continuous stream of data that informs automated threat prioritization 和 remediation efforts. A TI feed should help a security organization to compensate for its potential lack of context for certain threats. Threat feeds come in many forms, from open source community-driven lists to paid private feeds. The effectiveness of these feeds strongly depends on a number of factors:
上下文ual intelligence feeds provide analysts not only with indicators of compromise (IOCs) but also a thorough explanation of the attacker's use of infrastructure 和 tools. Feeds containing contextual information are far more effective for successful threat 检测.
The benefits of NDR are vast. There is no limit to the amount of protection, 检测, 和 overall benefits that can come from closely monitoring your network for malicious activity 和 enacting quick responses – here are a few of those benefits:
NDR是必备的, but modern attacker methodologies extend beyond the network – 和 your security coverage should as well. NDR is great at examining network logs, but it doesn’t cover endpoint alerts 和 events 和 also doesn’t extend to the cloud.
For this reason, NDR products aren’t typically used as st和alone solutions. Rather, they’re part of a suite of solutions that offer comprehensive coverage for true extended 检测 和 response (XDR). 这包括:
User telemetry provides insights on file 和 network access, registry access or manipulation, 内存管理, 开始和停止活动. Unusual behavior 检测ed can include processes that spawn comm和 shells, 内存注入次数, or accessing unusual file locations.
Server telemetry provides information on extremely differentiated data. Since servers h和le so much crucial organizational functionality, XDR telemetry can help prioritize investigations 和 remediations of incidents on a more macro level.
Network telemetry provides insights on traffic, particularly a sudden increase in volume, 新的网络协议, or anomalous privilege escalations. Advanced encryption methods can often hinder deeper network analysis that could otherwise thwart threat actors. Combined with endpoint telemetry however, network traffic analysis can be a cornerstone of an XDR offense.
Cloud telemetry provides insights on infrastructure. This can include 检测ing security anomalies for any cloud workloads or deployed components. Attackers specifically targeting an organization’s cloud can easily gain access with the proper credentials, so it’s important to leverage the advanced 检测 technology of XDR to hunt threats faster 和 fortify cloud environments.
By incorporating attacker behavior analytics as a 军事 方法, teams can quickly develop new rules for emerging attacker behavior 和 push 检测s out within minutes of discovering a new technique or trend. UBAs are adept at identifying breaches in the “lateral movement” phase of the attack chain. ABAs enable 检测 of attacker activities in all other phases of the attack lifecycle.
Gartner, Market Guide for Network 检测 和 响应, 杰里米·D 'Hoinne, Nat史密斯, 托马斯Lintemuth, 12月14日.