The widespread adoption of digital transformation and other related technologies such as cloud computing, BYOD, and IoT have significantly broadened the enterprise network attack surface and opened the door for new security risks and vulnerabilities.
One common misconception is the belief that tools such as Security Information & Event Management (SIEM), Endpoint Detection and Response (EDR) solutions, and similar technologies can sufficiently protect the enterprise. But unfortunately, SIEMs have blind spots, and EDR tools provide only a ground-level view of suspicious processes and interactions within hosts on a network. EDR tools can be evaded or disabled by a determined attacker. Moreover, devices like IoT simply do not have the ability to run endpoint security software or analytics.
But in recent times, organizations are embracing a concept known as Network Detection and Response (NDR) as a security strategy to address modern network security challenges. NDR is a new category of security solutions that complement and even go beyond the capabilities of log analysis tools such as SIEM and endpoint detection and response (EDR) products to provide an aerial view of the suspicious activities and interactions between all devices on the network. NDR enables organizations to protect their networks by analyzing their network activity without the headache of having to manage individual device software. It is rapidly emerging as a must-have capability in modern security operations.
NDR solutions primarily use non-signature-based techniques such as machine learning, deep learning, statistical and heuristic analysis, and other techniques to detect suspicious traffic on a network. When the NDR tools detect suspicious traffic patterns, they raise alarms and where necessary provide an automatic response.
To select an appropriate network detection and response solution for your business, you need to consider a variety of factors. Firstly, you need to decide whether you will be best served by supervised or unsupervised machine learning. You also need to decide whether you will be best served by a managed, operated, or automated NDR solution. Other key questions to consider include: which response strategy will best meet your security goals, manual or automated? Does the solution enable alert-to-action automations? What is the false positive and false negative rate for the detections? Is the AI function of the NDR system wholly or partially dependent on rules? Is vendor support available in your region, and to what extent? What is the total cost of ownership?
The Best Network Detection and Response Software
With a variety of NDR solutions out there, choosing the right one for your business and budget can be challenging. In this article, we’re going to review the five best NDR solutions in the market. Hopefully, this will guide you in the process of choosing an appropriate solution for your business.
1. ExtraHop Reveal(x)
ExtraHop Reveal(x) is a detailed and flexible NDR solution ideal for any security operations teams that need better visibility into network behavior in their environment. It helps organizations identify threats, automate data gathering, and correlation, as well as response investigation. This in turn helps to improve overall cybersecurity hygiene and meet regulatory requirements.
ExtraHop Reveal(x) NDR software is able to detect suspicious network behaviors, prioritize investigations according to the risk score, and automate response efforts. It automatically discovers and classifies every transaction, session, device, and asset in your enterprise up to 100Gbps. One advantage of Reveal(x) is its out-of-band deployment model, which makes the operation covert so that attackers won’t know they’re being monitored. ExtraHop Reveal(x) NDR solution comes in two flavors:
- ExtraHop Reveal(x) Enterprise This is a self-managed deployment option that can be deployed on-premises or in the cloud, providing complete east-west visibility, real-time threat detection, and response inside your network perimeter.
- ExtraHop Reveal(x) 360 This is a SaaS-based deployment option that completely eliminates the installation and management overhead of the self-managed option. With Reveal(x) 360, you can unify security controls across on-premises, cloud, and IoT environments. It leverages native integrations with cloud service provider packet mirroring features to provide agentless visibility, detection, and response.
Some of the key features and capabilities of Reveal(x) include:
- Reveal(x) can be configured to monitor and passively decrypt encrypted traffic, including traffic protected by Perfect Forward Secrecy such as SSL and TLS
- Machine learning using 5000+ features
- Automated detection, investigation, and response via integration with third-party security tools such as Crowdstrike and Phantom
- Automated inventory—discovering and classifying network devices
- Peer group detection—sort devices into behavioral groups
ExtraHop Reveal(x) NDR licensing can be either subscription-based or perpetual. The subscription-based option offers time-based access to ExtraHop NDR software that is installed on purchased hardware or on a virtual machine. For the perpetual licensing option, you purchase ExtraHop hardware and software.
The ExtraHop Reveal(x) is a powerful NDR tool that can help your organization detect and respond to anomalous network traffic patterns. However, in order to get the best value out of this product, you must be prepared to go through a high learning curve and gain a good technical understanding of key protocols and application components.
2. Cisco Stealthwatch Enterprise
Cisco Stealthwatch is an agentless Network Traffic Analysis (NTA) NDR solution that uses a combination of behavioral modeling, machine learning, security analytics, and global threat intelligence to detect and respond to threats such as ransomware, distributed-denial-of-service (DDoS) attacks, unknown malware, and insider threats. Stealthwatch can be deployed on-premises as a hardware appliance or a virtual machine called Stealthwatch Enterprise, or cloud-delivered as a SaaS solution called Stealthwatch Cloud.
Stealthwatch provides enterprise-wide visibility from the private network to the public cloud and applies security analytics to detect and respond to threats in real-time. It examines traffic metadata such as NetFlow or IPFIX (Internet Protocol Flow Information Export) to build a better picture of activities within the network, which in turn can be used for identifying behavior-based anomalies. Stealthwatch can perform analytics even on encrypted traffic without breaking the encryption; and it comes integrated with Cisco SecureX and Cisco ISE platform to provide additional contextual data and boost response capabilities respectively. Some of the primary use cases include:
- Real-time threat detection
- Incident response and forensics
- Network segmentation
- Network performance and capacity planning
There are three main components that make up the core of Stealthwatch Enterprise: the Flow Rate License, Flow Collector, and Management Console.
- Flow Rate License This is required for the collection, management, and analysis of network flows. It also defines the volume of flows that may be collected. The license is based on flows per second (fps) and may be combined in any permutation to achieve the desired level of flow capacity.
- Flow Collector The Flow Collector just as the name implies collects and leverages flow data such as NetFlow, IPFIX, and other types of flow data from switches, routers, firewalls, endpoint devices, and proxy data sources to provide comprehensive network visibility.
- Management Console The Stealthwatch Management Console aggregates, organizes, and presents analysis from up to 25 Flow Collectors, the Cisco ISE, and other sources. It uses graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis.
Other optional licenses and components which can be added to enhance functionality include Cisco Stealthwatch Endpoint License—to extend visibility to end-user devices, Cisco Stealthwatch Cloud—to provide visibility and threat detection within the public cloud (AWS, Azure, Google), Cisco Stealthwatch Threat Intelligence License—provides an additional layer of protection against botnets and other attacks, Flow Sensor and the UDP Director components. Stealthwatch licenses are available as a one-, three-, and five-year term subscription, depending on your need and budget.
One unique thing about Stealthwatch is the fact that it is part of a broad security portfolio of security devices from Cisco, and has evolved and matured in capability and functionality over the last 20 years. However, the product is best suited for a Cisco infrastructure environment and covers areas beyond NDR function which some consider too broad and less deep. Furthermore, like most Cisco products, the setup process can be complicated. You need someone on your team with Cisco experience to maximize value from this product.
3. Darktrace Enterprise Immune System
The Immune System NDR solution from Darktrace combines real-time self-learning threat detection, automated investigation, autonomous response, and digital visualization capabilities in a single, unified system. It uses AI and unsupervised machine learning to autonomously detect and take action against cyber-threats across all diverse digital environments, including cloud, virtual environments, IoT, and industrial control systems.
The Enterprise Immune System is targeted at corporate and IT infrastructure networks, while the Industrial Immune System is targeted at industrial control systems, SCADA networks, and operations technology (OT) infrastructure. The Darktrace Immune System is made up of the following core components:
- Immune System Engine This is the core component that provides detection capabilities via unsupervised machine learning. The Enterprise Immune System works by gaining an understanding of what is ‘normal’ for your environment as it evolves. Instead of relying on signatures, the Enterprise Immune System establishes what is called a ‘pattern of life’ for the entities in your infrastructure—users, devices, clouds, and containers, and uses this knowledge to identify anomalous activity.
- Cyber AI Analyst This component is responsible for carrying out enterprise-wide automated investigations at machine speeds, stitching together disparate anomalies to provide triaged threat reports about the nature and root cause of security incidents.
- Darktrace Antigena This component is responsible for autonomous response efforts. Antigena allows networks to take autonomous action against on-going cyber-attacks. The response action can be in the form of neutralizing a threat by stopping a malicious connection or a compromised device, without impacting normal business operations.
- Threat Visualizer This is a GUI tool that provides real-time visibility of your entire digital infrastructure and network activity in a single pane of glass. Threat Visualizer helps security teams visualize every user, device, and controller in the network and identify threats in real-time. The detected anomalous events are fully searchable.
The product can be deployed as hardware or virtual appliance, and it’s simple enough to use because of its user-friendly GUI. The installation process is painless and takes only an hour to complete, and users can train on the system within three hours.
However, during the learning phase of the system, Antigena may sometimes require human interaction and can throw false positives from time to time. This product is ideal for large business entities and government agencies that are subject to frequent cyber-attacks. The technology is so advanced that it isn’t cost-effective for organizations that are less susceptible to web attacks as they may not derive much value or ROI from it.
4. Vectra Cognito Platform
The Vectra Cognito platform is an intelligent AI-driven NDR application that helps organizations detect, investigate, and respond to cyber-attacks or suspicious network activities across on-premises enterprise networks, cloud, and SaaS environments. The Cognito platform addresses network security challenges through three-component applications: Cognito Detect, Cognito Recall, and Cognito Stream.
- Cognito Detect is designed to find threats by looking for suspicious or malicious network activities, and/or devices and users that have already bypassed perimeter defenses. The detection effort is made possible by a combination of many detection algorithms and an AI engine. Every detection attempts to answer the question of what was discovered, why it should be a concern, and how to mitigate the problem.
- Cognito Recall collects and stores a huge amount of historical network traffic data, and uses it to assist in deeper investigations and threat hunting. With Recall, almost nothing needs to be manually correlated. Every incident in Detect has a link to launch Recall, which opens up a new dashboard where Recall pulls information related to activities that previously occurred within the network.
- Cognito Stream enriches network metadata with additional network and host information for further analysis. It does not have its own interface but works behind the scenes in tandem with Detect and Recall or other third-party security tools such as SIEM, to enhance their capabilities.
These products work together to analyze network data including metadata and provide a behavior-focused model of detection and response. Detect, Recall and Stream can be purchased individually and can operate independently of one another, but it’s much more likely that an organization may go for Detect and not Recall if they are only installing one component. However, the real power of Vectra’s Cognito platform lies in the integration of the three products to make threat hunting and detection more efficient and effective. But this comes at a cost that may be unbearable especially for SMBs.
5. Gigamon ThreatINSIGHT
The Gigamon ThreatInsight is a cloud-native NDR solution that enables organizations to gain network visibility, discover hidden threats even in encrypted communications, and automates security investigations and responses across both inbound, outbound (north/south), and internal (east/west) network communications. ThreatINSIGHT is an easy-to-install, cloud-based SaaS solution with fully managed sensors that can be easily deployed across a variety of environments. The signal-to-noise ratio is good enough, which means that the solution has a low false-positive rate.
Traffic is collected through physical or virtual sensors that perform packet inspection and aggregation of metadata generated from the inspection. Once useful information is extracted from network flows, the sensors pass the information into the INSIGHT Cloud Data Warehouse, where the metadata is indexed, enriched, and correlated with information from other external sources. Thereafter, ThreatINSIGHT leverages the machine learning algorithms and Gigamon Applied Threat Research (ATR) to provide insights into hidden threats within the network.
The resources required to deploy ThreatINSIGHT are minimal and the emphasis is placed on features that enable SOC teams to do their job effectively. The application is integrated with the Cisco SecureX platform to enable customers of Gigamon and Cisco exchange data and gain visibility across Cisco infrastructure and partner solutions.
Traffic is collected through physical or virtual sensors that perform packet inspection and aggregation of metadata generated from the inspection. Once relevant information is extracted from network flows, the sensors pass the information into the INSIGHT Cloud Data Warehouse, where the metadata is indexed, enriched, and correlated with information from other external sources. Thereafter, ThreatINSIGHT leverages the machine learning algorithms and Gigamon Applied Threat Research to provide insights into hidden threats within the network.
When you acquire ThreatINSIGHT subscription licenses, each subscription includes a designated technical account manager that ensures you get the most from the solution. The Gigamon ThreatINSIGHT is a powerful NDR solution despite the fact that the product is relatively young. The latest version, ThreatINSIGHT 3.0 comes with new features and functionalities. Nonetheless, to maximize value from this product, take the time to work through the training documentation and data set to gain mastery of the tool.