Your Network and the Cyber Attack Life Cycle
In our third installment (Post 1: XDR technology and how it works, Post 2: XDR: How the Evolution of Endpoint Technology is Moving Beyond the Endpoint) of our blog, we explore the Network piece of the XDR pie. Mmmmmm… pie…
Why focus on the Network? As we work our way through a global pandemic with virtually everyone working from home and fully taking advantage of BYOD and hyper-expanded IoT-enabled everything – it’s immediately evident: businesses can’t rely on just endpoint or email detection to uncover threats anymore. We need something more sophisticated.
As more organizations opt for Digital Transformation and adopt cloud-based resources, employ encryption, and concurrently adapt to remote employees, it’s easy to see that nearly all cyber threats generate communications that are visible on the Network. Additionally, most EDR solutions depend on agents for monitoring; however, it may not always be possible to install agents on every system in an environment. NDR helps close those EDR gaps and detect malware that attempts to circumvent EDR monitoring. This makes NDR a partner to EDR and, wrapped into XDR, indispensable: it provides a perspective the other tools can’t.
Let’s take a little side trip and talk about attacker life cycles. In case you hadn’t noticed, the cybersecurity industry likes it when it can put things into a framework, including the way cyber-attacks happen. Various versions of the attack lifecycle have been created to break down the structure of an attack and help determine where defenders can detect or prevent it. For our purposes, we will use the Cyber Attack Lifecycle from Mandiant:
Defending against each stage is a critical skill for organizations, and as you might suspect, one tool probably can’t do it all. Imagine this: an exploit that subverts EDR, or malicious activity that never shows up in logs, may slip past prevention and detection at the initial compromise and establish foothold stages; but the moment the attacker interacts with any other system during the internal recon, move laterally and maintain presence stages, that activity is visible to network tools – even if the target system doesn’t have EDR. Need another example? A nation-state attacker with sophisticated tooling employs hidden HTTPS tunnels that mimic standard web traffic for command and control while maintaining presence and attempting to complete the mission. NDR ferrets out that activity and responds with alerts.
With effective AI and ML – bingo! – Network Detection and Response platforms collect and store the “right” metadata and enrich it with security insights. The result: attackers found in real time, and incident investigations launched in record time.
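To make the two preceding paragraphs concrete, here is an added example (not code from the original post, and not any vendor’s NDR product) that runs three simple detections over constructed flow metadata shaped like Zeek conn.log fields: an internal recon sweep, lateral movement to admin services, and a periodic HTTPS beacon to an external host. It then enriches each alert with asset context, the kind of “security insight” the post refers to. The 10.0.0.0/8 internal range, the asset inventory, the admin-port list and the detection thresholds are all assumptions made for the example.

```python
"""Toy network-detection logic over constructed flow metadata.
Added example; not code from the original post or from any vendor product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records with Zeek conn.log-like fields:
# (ts_seconds, src_ip, dst_ip, dst_port). 10.0.0.0/8 is internal (assumption).
FLOWS = [
    # 10.0.1.30: ordinary workstation traffic (file share, intranet web, irregular HTTPS)
    (1005, "10.0.1.30", "198.51.100.7", 443),
    (1010, "10.0.1.30", "10.0.2.5", 445),
    (1020, "10.0.1.30", "198.51.100.7", 443),
    (1400, "10.0.1.30", "198.51.100.7", 443),
    (1402, "10.0.1.30", "198.51.100.7", 443),
    (1500, "10.0.1.30", "10.0.2.5", 80),
    (1900, "10.0.1.30", "198.51.100.7", 443),
    (2500, "10.0.1.30", "198.51.100.7", 443),
    # 10.0.1.20: internal recon sweep across servers and ports
    (1100, "10.0.1.20", "10.0.2.5", 22),
    (1101, "10.0.1.20", "10.0.2.5", 80),
    (1102, "10.0.1.20", "10.0.2.5", 135),
    (1103, "10.0.1.20", "10.0.2.5", 445),
    (1104, "10.0.1.20", "10.0.2.6", 22),
    (1105, "10.0.1.20", "10.0.2.7", 445),
    # 10.0.1.20: lateral movement to admin services on other hosts
    (1200, "10.0.1.20", "10.0.2.6", 3389),
    (1300, "10.0.1.20", "10.0.2.7", 5985),
    # 10.0.1.20: HTTPS beacon to an external host at a near-constant interval
    (1000, "10.0.1.20", "203.0.113.10", 443),
    (1061, "10.0.1.20", "203.0.113.10", 443),
    (1119, "10.0.1.20", "203.0.113.10", 443),
    (1180, "10.0.1.20", "203.0.113.10", 443),
    (1242, "10.0.1.20", "203.0.113.10", 443),
    (1299, "10.0.1.20", "203.0.113.10", 443),
    (1360, "10.0.1.20", "203.0.113.10", 443),
]

# Constructed asset inventory used for enrichment (assumption).
ASSETS = {
    "10.0.1.20": "workstation (no EDR agent)",
    "10.0.1.30": "workstation",
    "10.0.2.5": "file-server",
    "10.0.2.6": "server",
    "10.0.2.7": "app-server",
}

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (assumed admin services)


def is_internal(ip):
    return ip.startswith("10.")


def detect_internal_recon(flows, min_targets=5):
    """Flag a source that touches many distinct internal host:port pairs."""
    targets = defaultdict(set)
    for _ts, src, dst, port in flows:
        if is_internal(src) and is_internal(dst):
            targets[src].add((dst, port))
    return [{"stage": "internal recon", "src": src,
             "detail": f"{len(t)} distinct internal host:port targets"}
            for src, t in targets.items() if len(t) >= min_targets]


def detect_lateral_movement(flows, admin_ports=ADMIN_PORTS):
    """Flag workstation-tagged hosts opening admin services on other internal hosts."""
    alerts, seen = [], set()
    for _ts, src, dst, port in flows:
        if (is_internal(src) and is_internal(dst) and port in admin_ports
                and ASSETS.get(src, "").startswith("workstation")
                and (src, dst, port) not in seen):
            seen.add((src, dst, port))
            alerts.append({"stage": "lateral movement", "src": src,
                           "detail": f"admin service {dst}:{port} from a workstation"})
    return alerts


def detect_beaconing(flows, min_conns=6, max_cv=0.15):
    """Flag periodic HTTPS connections to one external host (low interval jitter)."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst) and port == 443:
            times[(src, dst)].append(ts)
    alerts = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if mean(gaps) == 0:  # all connections at the same instant: not a beacon pattern
            continue
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation of the interval
        if cv <= max_cv:
            alerts.append({"stage": "command and control", "src": src,
                           "detail": f"{len(ts_list)} HTTPS connections to {dst}, "
                                     f"mean gap {mean(gaps):.0f}s, jitter {cv:.2f}"})
    return alerts


def enrich(alert):
    """Attach asset-inventory context so the analyst sees what the source is."""
    return {**alert, "asset": ASSETS.get(alert["src"], "unknown")}


def run_detections(flows=FLOWS):
    alerts = (detect_internal_recon(flows) + detect_lateral_movement(flows)
              + detect_beaconing(flows))
    return [enrich(a) for a in alerts]


if __name__ == "__main__":
    for a in run_detections():
        print(f"[{a['stage']}] {a['src']} ({a['asset']}): {a['detail']}")
```

Every alert here lands on the one host without an EDR agent, which is the point of the post: the sweep, the admin-service hops and the regular 443 beacon are all visible in flow metadata alone. Real NDR platforms tune these thresholds per environment and baseline normal traffic; the irregular HTTPS traffic from 10.0.1.30 shows why a simple connection count is not enough and interval regularity is the more useful signal.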
And truly – can we afford anything less?