What is Network 检测 和 响应? 

Network 检测 和 response (NDR) is the practice of 应用ing rules or signatures to network traffic in order to automatically trigger alerts for activity that could indicate malicious behavior.

The NDR solution category is emerging out of what was previously known as network traffic analysis (NTA), which also aimed to monitor network traffic. The broadening in scope was a response to the need for the category to include automated response actions in st和ard solutions.

这意味着 most modern solutions feature the ability to monitor, 检测, 和 respond to potential threats. 这意味着, after a threat has been 检测ed, security personnel can take immediate steps to contain or respond, quickly killing malicious processes or quarantining infected 端点.

According to Gartner®, organizations rely on NDR to 检测 和 contain postbreach activity such as ransomware, insider threats, or lateral movement. Core capabilities include:

  • Ability to gather activity from raw traffic 
  • Metadata enrichment at the time of collection or during event analysis 
  • Deployment from factors compatible with on-premises 和 cloud networks 
  • Machine learning (ML) techniques to baseline normal activity 和 检测 abnormal behaviors 
  • Alert aggregation into logical security incidents based on multiple factors, not only alert ID 和 repeated alerts
  • Automated responses, such as host containment (through integration) or traffic blocking

How does Network 检测 和 响应 Work? 

NDR works by bringing together a team of security professionals to input processes to monitor, 检测, 和 respond to alerts that could negatively affect the integrity of the network 和 business. Let's look more closely at those processes: 

Detecting Suspicious 和 Potentially Malicious Activity 

One of the most important aspects of this process is the ability to access real-time information about user activity, 应用程序活动, 网络活动. 另外, network data should be easily searchable so that analysts can accelerate investigations into alerts based on suspicious activity. It’s also important to be able to build custom alerts as well as access a library of attacker behavior analytics (ABA) so that the process is starting from a wealth of information about past suspicious activity.

Modeling Baseline Network Behavior 

It's extremely critical to establish a baseline of usual network behavior 和 actions so that automated systems know what is normal 和 what is suspicious. 例如, user-behavior analytics (UBA) are helpful for enabling your team to quickly determine whether a potential threat is an outside attacker impersonating an employee or an employee who presents some kind of risk, whether through negligence or malice. UBAs connect activity on the network to a specific user as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user.

侦测网络事件

NDR solutions should have the ability to take automated actions when an incident is 检测ed. 来自检疫, 连接终止, to executing a series of predefined actions developed by security operations center (SOC) analysts, it should be possible these days to rapidly take down an attacker if a network perimeter is breached, whether on-prem or in the cloud. Actions taken during this process would include deep-dive analysis of incidents, reverse-engineering attack 方法 like malware, 创建入侵报告.

创建威胁源 

A 威胁情报 (TI) feed should be a continuous stream of data that informs automated threat prioritization 和 remediation efforts. A TI feed should help a security organization to compensate for its potential lack of context for certain threats. Threat feeds come in many forms, from open source community-driven lists to paid private feeds. The effectiveness of these feeds strongly depends on a number of factors:

  • Intel type (hash, IP, domain, contextual, strategic)
  • 实现 
  • 指标的年龄
  • 情报源

上下文ual intelligence feeds provide analysts not only with indicators of compromise (IOCs) but also a thorough explanation of the attacker's use of infrastructure 和 tools. Feeds containing contextual information are far more effective for successful threat 检测. 

What are the Benefits of Network 检测 和 响应? 

The benefits of NDR are vast. There is no limit to the amount of protection, 检测, 和 overall benefits that can come from closely monitoring your network for malicious activity 和 enacting quick responses – here are a few of those benefits:

  • 高保真警报: Alerts should include plenty of context so you can make better decisions, 纠正问题, 降低风险, 和 quickly contain the alert. 
  • 基于行为的检测: Enable attack 检测s with high-fidelity network data that helps identify novel variations of new attacker techniques. 
  • 不断变化的检测: Quality alerts should usually detail known, recent adversary groups using similar techniques in confirmed attacks. 这种方式, everything stays up-to-date 和 teams can be assured their 检测 techniques are ever-evolving.  
  • 上下文: Indicators of attack should surface on the visual timeline of a 检测和响应(D&R)解决方案, along with unusual behaviors. This combination makes it even easier for your team to perform investigations 和 have confidence in the results of the findings.

What are the Limitations of Network 检测 和 响应? 

NDR是必备的, but modern attacker methodologies extend beyond the network – 和 your security coverage should as well. NDR is great at examining network logs, but it doesn’t cover endpoint alerts 和 events 和 also doesn’t extend to the cloud.

For this reason, NDR products aren’t typically used as st和alone solutions. Rather, they’re part of a suite of solutions that offer comprehensive coverage for true extended 检测 和 response (XDR). 这包括:

User-endpoint遥测

User telemetry provides insights on file 和 network access, registry access or manipulation, 内存管理, 和 start-和-stop activity. Unusual behavior 检测ed can include processes that spawn comm和 shells, 内存注入次数, or accessing unusual file locations.

服务器端点遥测

Server telemetry provides information on extremely differentiated data. Since servers h和le so much crucial organizational functionality, XDR telemetry can help prioritize investigations 和 remediations of incidents on a more macro level.

网络遥测技术 

Network telemetry provides insights on traffic, particularly a sudden increase in volume, 新的网络协议, or anomalous privilege escalations. Advanced encryption methods can often hinder deeper network analysis that could otherwise thwart 威胁的演员. Combined with endpoint telemetry however, network traffic analysis can be a cornerstone of an XDR offense.

云遥测

Cloud telemetry provides insights on infrastructure. This can include 检测ing security anomalies for any cloud workloads or deployed components. Attackers specifically targeting an organization’s cloud can easily gain access with the proper credentials, so it’s important to leverage the advanced 检测 technology of XDR to hunt threats faster 和 fortify cloud environments.

Accelerated Defense-in-depth

By incorporating attacker behavior analytics as a 军事 方法, teams can quickly develop new rules for emerging attacker behavior 和 push 检测s out within minutes of discovering a new technique or trend. UBAs are adept at identifying breaches in the “lateral movement” phase of the attack chain. ABAs enable 检测 of attacker activities in all other phases of the attack lifecycle.

Gartner, Market Guide for Network 检测 和 响应, 杰里米·D 'Hoinne, Nat史密斯, 托马斯Lintemuth, 12月14日.