What does an NDR solution detect?

March 13, 2023
Cyber threats - Cybersecurity - Artificial Intelligence - Security network

EDR, XDR, SIEM, NDR, … the cybersecurity sector is full of acronyms. Until recently, the market was driven mainly by EDR, SIEM and XDR solutions, but what about NDR? NDR stands for Network Detection and Response, and Gartner has recognised it as an essential component in securing the IT infrastructure.

But what is NDR? What activity can it identify?  

Let’s take a look. 

What is NDR? 

NDR is a tool for detecting threats on the corporate network, the nerve centre of the IT infrastructure: wired and wireless devices, users, servers, applications and so on are all connected to it. Where traditional security solutions base their defence on signatures, NDR goes one step further.

NDR solutions build on the intrusion detection systems historically used for this purpose and combine them with artificial intelligence, behavioural analysis and threat intelligence. This combined approach makes it possible to detect malicious behaviour in volumes of data well beyond what fixed rules can handle.

Detection at key stages of an attack 

When a cyber-attack is revealed, the initial intrusion in reality took place days, weeks or even months earlier. A widely cited industry figure puts the average at 212 days from initial access to impact. During this period the adversary explores the company's network to reach its critical data, and to do so necessarily goes through several stages.

NDR is particularly well placed to detect the critical stages of complex attacks, because every one of them leaves traces on the network. These stages take place just after the initial compromise and generally correspond to the adversary trying to spread through the network:

  • using a command-and-control (C2) channel,
  • performing discovery of the network,
  • trying to take control of other machines,
  • collecting information,
  • moving laterally to get closer to critical assets,
  • transferring data,
  • and so on.

This is where an NDR tool comes into its own: it specialises in detecting the successive steps a malicious actor takes to reach their final objective.

How will Custocy detect these steps? 

Our Custocy cyber platform is an NDR based on a unique technology, developed in our laboratory by our teams, which consists of using the power of artificial intelligence (AI) over multiple time scales.  

To put it simply, a master AI, the METALEARNER, orchestrates several AIs that inspect flows at different time scales and regularly consult each other to agree on the severity of a threat. This multi-temporal view has two advantages:

  1. accurate detection of varied, sophisticated and unknown (zero-day) attacks, whether short-lived or persistent over time;
  2. a considerable reduction in false positives (88 times fewer than detection on the flow alone).

The thousands of events coming from the network are collected and analysed by the METALEARNER, which then delivers its final verdict to the analyst. An alert is raised in the Custocy interface with a danger score that sets the order of priority. Analysts are therefore no longer buried under an avalanche of alerts: they can replay every stage of the attack in the tool, stay ahead of the attacker and concentrate on what matters.

What types of behaviour will Custocy be able to identify? 

As you can see, the main value of an NDR solution is identifying malicious activity at the earliest possible stage, before it can do any harm.

By working on both short and long time scales, Custocy will be able to accurately detect several types of behaviour such as:

  • Malicious requests to Active Directory,
  • Network scans,
  • Eavesdropping from a man-in-the-middle (MITM) position,
  • Malicious file uploads,
  • Abnormal use of file transfer protocols (FTP, SMB, etc.),
  • Abnormal use of remote access protocols (SSH, Telnet, etc.),
  • The opening of a command-and-control (C2) session,
  • Data exfiltration,
  • Suspicious connections,
  • Denial-of-service attacks (DoS and DDoS),
  • Domain generation algorithm (DGA) traffic,
  • Exploits,
  • And many more.
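To make the multi-time-scale idea concrete, here is an added example in Python. It is not Custocy's code (the METALEARNER is not described in any more detail on this page) but a small rule-based sketch of the same principle: constructed Zeek-style connection records are analysed at a 60-second and a 3600-second scale. A noisy port scan is caught at both scales, a slow network scan (one new host every two minutes) is caught only at the long scale, and a C2 beacon is found from the regularity of its timing rather than from any signature. The IP addresses, ports, thresholds and the record layout are assumptions made for the illustration.

```python
"""Multi-time-scale detection over network flow records (added example).

Constructed Zeek-style conn records are analysed at a short (60 s) and a
long (3600 s) time scale.  A burst scan is visible at both scales, a slow
scan only at the long one, and C2 beaconing is found from the regularity of
inter-arrival times rather than from any signature.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One connection record: start time (s), source host, destination host,
# destination port, bytes sent by the source.  Field names mirror Zeek's
# conn.log (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes); the records
# themselves are constructed for this example.
Flow = namedtuple("Flow", "ts src dst dport obytes")

SHORT_WINDOW, SHORT_FANOUT = 60, 20      # 20 distinct targets within a minute
LONG_WINDOW, LONG_FANOUT = 3600, 25      # 25 distinct targets within an hour


def make_sample_flows():
    """Constructed traffic: one benign host, two scanners, one beaconing host."""
    flows = []
    # 10.0.0.5: benign workstation talking to an intranet server with
    # irregular timing, plus a handful of other internal services.
    for i in range(30):
        jitter = (i * 37) % 41 - 20                 # deterministic but irregular
        flows.append(Flow(60 * i + 30 + jitter, "10.0.0.5", "10.0.0.20", 443, 1500))
    for i, port in enumerate([25, 53, 88, 389, 445]):
        flows.append(Flow(100 + 700 * i, "10.0.0.5", "10.0.0.21", port, 800))
    # 10.0.0.9: noisy port scan, 40 ports on one host inside 10 seconds.
    for i in range(40):
        flows.append(Flow(500 + i * 0.25, "10.0.0.9", "10.0.0.30", 1 + i, 60))
    # 10.0.0.12: slow network scan, one new host every 2 minutes for 2 hours.
    for i in range(60):
        flows.append(Flow(120 * i, "10.0.0.12", f"10.0.1.{i + 1}", 445, 60))
    # 10.0.0.7: C2 beacon to an external host every 60 s with small jitter.
    for i in range(30):
        flows.append(Flow(60 * i + (i % 3) * 0.7, "10.0.0.7", "203.0.113.10", 443, 300))
    return flows


def fanout_by_window(flows, window):
    """Distinct (dst, dport) targets per source in each fixed-size window."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, int(f.ts // window))].add((f.dst, f.dport))
    return targets


def detect_scans(flows, window, fanout):
    """Sources touching at least `fanout` distinct targets inside one window."""
    return {src for (src, _w), tgts in fanout_by_window(flows, window).items()
            if len(tgts) >= fanout}


def detect_beacons(flows, min_count=10, max_cv=0.1):
    """(src, dst, dport) tuples whose inter-arrival times are suspiciously
    regular: coefficient of variation of the gaps at or below `max_cv`.
    Returns a mapping from the tuple to the observed period in seconds."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons[key] = round(period, 1)
    return beacons


def analyse(flows):
    """Run every detector at both time scales and return the verdicts."""
    return {
        "scan_short": detect_scans(flows, SHORT_WINDOW, SHORT_FANOUT),
        "scan_long": detect_scans(flows, LONG_WINDOW, LONG_FANOUT),
        "beacons": detect_beacons(flows),
    }


if __name__ == "__main__":
    for name, result in analyse(make_sample_flows()).items():
        print(f"{name}: {result}")
```

The long-window threshold is where the false-positive trade-off lives: a host that legitimately reaches 25 distinct services in an hour would trip it, which is exactly why a fixed fan-out rule is a poor substitute for the cross-scale consultation the page describes. The beacon check is likewise a deliberately simple statistic; real C2 implants add random sleep jitter, so a production detector would score regularity over several candidate periods and combine it with destination reputation rather than applying a single cut-off.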

Why should we have an NDR? 

NDR is an additional security building block that you should not do without. Attackers go to great lengths to avoid discovery, but whatever they do, they have to cross the network, and an NDR solution can therefore surface activity that endpoint- and log-based tools do not see.

So, to build a complete and fully operational security posture, it makes sense to look at tools that complement your existing ones and maximise your chances of thwarting a cyber-attack. NDR is now one of those essentials.

Curious to discover Custocy? Book your demo slot in one click HERE, it’s 100% free.