Network Detection and Response in The SOC Securonix

The document discusses network detection and response (NDR) solutions and their role in security operations centers. It explains that NDR can help detect threats that may not show up in logs or from agents by monitoring network activity. NDR solutions complement security information and event management (SIEM) and endpoint detection and response (EDR) solutions by providing additional network context and closing visibility gaps. The document then focuses on the benefits of the Securonix NDR solution, including scalable data collection and analysis, increased visibility into encrypted traffic, reduced infrastructure costs, unified analytics across data sources, and integrated incident response workflows.
Network Detection and Response Belongs in the Security Operations Center
www.securonix.com
The Event Data Management Problem
Detecting cybersecurity threats has become a big data management challenge. Threat actors
employ advanced strategies to hide in hard-to-find places on your network. In order to detect
these threats, you must consolidate data from your entire IT environment and analyze it. Many
organizations already collect data from multiple sources but still have blind spots in their
environment that they have no visibility into.

Network detection and response (NDR) covers gaps found in many security information and
event management (SIEM) and endpoint detection and response (EDR) solutions. For example, a
SIEM commonly relies on logging mechanisms (either syslog daemons or API calls) to keep track of
security events. However, system exploits and vulnerabilities might not show up in logs, and log
collection may not be possible for certain systems and technologies (such as operational
technology systems). NDR complements a SIEM solution's log analysis, aggregation, and
behavioral threat detection capabilities by correlating detected threats with network activity,
thus covering any logging gaps.

Likewise, EDR solutions depend on agents for monitoring. Agents may not be supported on every
system, they add processing overhead, and organizations may lack the authority to install them on
all systems in their environment. Agents can also be disabled by attackers using the right
exploits. NDR helps close these EDR agent gaps and detect exploit-aware malware that attempts
to circumvent EDR monitoring.
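The logging and agent gaps described above can be checked directly by comparing what the network sees against what the SIEM and EDR know about. The following is an added example, not Securonix code; the flow records, log-source inventory and agent heartbeat table are constructed for the illustration, and the 60-minute staleness threshold is an assumed tuning value.

```python
"""Cross-check hosts observed on the network against log and agent coverage.

Added example (not from the white paper). The three inputs are constructed here;
in practice they would come from flow metadata, the SIEM's log-source inventory
and the EDR console's agent check-in list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow metadata: (timestamp, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("2024-05-01T09:00:00", "10.0.1.10", "10.0.1.20", 445, 1200),
    ("2024-05-01T09:05:00", "10.0.2.50", "203.0.113.7", 443, 880000),  # OT device: ships no logs
    ("2024-05-01T09:06:00", "10.0.1.30", "203.0.113.9", 443, 4000),
    ("2024-05-01T09:07:00", "10.0.1.30", "10.0.1.20", 445, 300),
    ("2024-05-01T09:40:00", "10.0.1.10", "198.51.100.4", 8443, 5000),
]

# Constructed SIEM log-source inventory: hosts that shipped at least one log line today
LOGGING_HOSTS = {"10.0.1.10", "10.0.1.20", "10.0.1.30"}

# Constructed EDR agent heartbeats: last check-in time per host
AGENT_LAST_SEEN = {
    "10.0.1.10": "2024-05-01T08:30:00",  # agent went quiet while the host kept talking
    "10.0.1.20": "2024-05-01T09:10:00",
    "10.0.1.30": "2024-05-01T09:12:00",
}


def parse(ts):
    return datetime.fromisoformat(ts)


def active_hosts(flows):
    """Map each source host to the time of its most recent observed flow."""
    last = {}
    for ts, src, *_ in flows:
        t = parse(ts)
        if src not in last or t > last[src]:
            last[src] = t
    return last


def find_gaps(flows, logging_hosts, agent_last_seen, stale_after=timedelta(minutes=60)):
    """Return hosts that are active on the network but lack log or agent coverage.

    Gap classes reported:
      no_logs     - host never shipped a log (for example an OT device)
      no_agent    - host has no EDR agent registered at all
      stale_agent - agent stopped checking in while the host kept producing traffic
    """
    gaps = defaultdict(list)
    for host, last_flow in active_hosts(flows).items():
        if host not in logging_hosts:
            gaps["no_logs"].append(host)
        if host not in agent_last_seen:
            gaps["no_agent"].append(host)
        elif last_flow - parse(agent_last_seen[host]) > stale_after:
            gaps["stale_agent"].append(host)
    return {kind: sorted(hosts) for kind, hosts in gaps.items()}


if __name__ == "__main__":
    for kind, hosts in find_gaps(FLOWS, LOGGING_HOSTS, AGENT_LAST_SEEN).items():
        print(f"{kind}: {', '.join(hosts)}")
```

The stale-agent class is the one that matters most for the "agents can be disabled" point: a host that falls silent in the EDR console but still generates flows is either misconfigured or worth an analyst's attention, and only the network view can tell the two cases apart from an agent that stopped because the host was switched off.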

This white paper discusses the role modern network detection and response solutions play within
the security operations center (SOC), and the benefits they provide to your organization.

Why Network Detection and Response?


The goal of a successful SOC is straightforward – to reduce mean time to detection (MTTD) and
mean time to respond (MTTR) to cyberthreats. The capabilities provided by an NDR solution
work towards reducing these key indicators by providing network and contextual data to aid in
investigations.

NDR reduces your MTTD by adding context to network event information. Robust correlation
rules and a strong machine learning (ML) and artificial intelligence (AI) engine can group events
that together constitute a threat, based on supervised or unsupervised learning (from past analyst
actions, for example). Network packet sensors supply further data for event context.

NDR also reduces your MTTR by speeding investigation (network metadata provides more
data on network events, related devices, and other information that can help isolate threats) and
response (identifying which devices to act on, comparing certificates, and replacing malicious
certificates or files with the original ones). API integration with security platforms provides
response orchestration and playbooks.

Challenges with Traditional Network Security Solutions


Feasibility and Cost to Scale for Data Capture, Analysis, and Storage Resources
Monitoring high-demand networks in real time is not feasible with the resources and
architectural capabilities of traditional network security solutions. The limitations of traditional
event storage technologies – which rely on relational databases – and the processing bottlenecks
created when analyzing event information can cause massive delays in threat detection, even
causing events to be dropped when data pipelines are jammed.

Limited Visibility Due to Encrypted Traffic and Ability to Passively Monitor


Many traditional network security solutions are unable to monitor encrypted connections. This
limits these solutions' visibility into the network, since over 90% of web traffic is encrypted.[1]
Especially with cloud-based networks, traffic mirroring capabilities can make an NDR solution a
lot more effective. If your network security solutions aren't able to mirror traffic in order to passively
listen to or analyze your network, your network security visibility is impaired.

Cost of Infrastructure Required to Perform Full Packet Capture From 10 Gbps Connections
Even in cases where the network forensics solution is capable of handling massive amounts of
data, the cost of the infrastructure required to do so can be prohibitive.

Difficult to Apply ML and Analytics To Network Traffic Data


Network traffic data typically consists of millions, even billions of events. This volume of event data
can be notoriously difficult for ML to handle. Analyzing individual events in isolation can make ML-
driven analytics slow and inaccurate, making it more cumbersome than useful.

Increased Response Times Based on Disparate Tools and Ticketing Systems


Once a suspicious event is detected, your security team needs a solution that can help them
quickly and efficiently respond to the possible threat. Many traditional network security solutions
do not provide an incident response workflow, which slows down response times.

[1] https://transparencyreport.google.com/https/overview
Fill In Your Blind Spots with Securonix Network Detection and Response
Securonix NDR collects and aggregates network data with other data in your IT environment, using
machine learning-based anomaly detection techniques to detect unusual activities. The solution
tracks user, account, and system behavior across your network to proactively detect, categorize,
and prioritize threats as they appear, so that your security team can investigate and remediate
them, lowering your organization's risk.

Affordable Scalability
Securonix provides scalable data capture, analysis, and storage by ensuring that network data
capture is performed remotely. Then, all data of forensic value is brought back to a centralized
platform so that security analytics can detect and respond to concerning events. This streamlined
approach eliminates bottlenecks and provides data in real time.

Increased Visibility and Context


Securonix employs a multipronged approach, deploying traffic capture and analysis. The platform
leverages network logs from appliances such as firewalls, along with cloud and on-premises
network flow event data.

Reduced Cost of Infrastructure


Securonix limits the use of full packet capture, which can be network and resource intensive. The
Securonix approach is to limit network data collection to network metadata while still collecting
and preserving forensically valuable artifacts such as certificates and files.

Unified Analytics Platform for all Data


Securonix provides effective NDR by combining comprehensive network data with other data
sources, such as application logs and cloud events, to use in advanced analytics. This allows
Securonix to extend complete security visibility across endpoints, network, applications, and the
cloud. Securonix applies threat models to tie together multiple anomalies and high-risk activities
over time in order to detect specific threat scenarios.

Securonix NDR is built on top of the Securonix platform and analyzes network traffic data from
a variety of internal and perimeter network sources in order to detect anomalous traffic patterns
and high-risk activity. It leverages many of the machine learning algorithms and data science
techniques that are built into the Securonix platform.

Seamless Incident Response Workflow
Securonix offers security orchestration, automation, and response (SOAR) on the same platform
as its NDR solution in order to provide an investigation workflow for an organization's SOC. The
benefit of having network data incorporated into the same platform as analytics and response is
decreased threat response times.

The Securonix Difference: Key Capabilities


Accurate Threat Context
Most NDR solutions, even with context enrichment capabilities or behavior analytics, are restricted
to network information. This is where the correlated view provided by Securonix Next-Gen
SIEM is needed. A next-generation SIEM is able to look at information from across your security
infrastructure, making it the ideal tool for both context enrichment and threat identification.

Securonix NDR offers comprehensive mitigation of cyberthreats. It leverages the data from NDR,
as well as built-in response capabilities that allow for fast response to threats, to block the activity
of network-centric threats and prevent the spread of endpoint-centric ones.

Integrations Across Vendors and Platforms


Most pure-play NDR vendors only have limited cross-solution integration. The Securonix platform,
however, supports integrations with multiple traffic capture solutions. Coupled closely with the
Securonix Next-Gen SIEM platform, which integrates with a slew of security platforms, Securonix
NDR ensures comprehensive visibility, as well as effective threat detection.

Centralized Aggregation and Processing of Network Metadata


By bringing network metadata to a centralized processing engine, and thereby eliminating the
need to pull massive amounts of data from network device logs, NDR optimizes the analysis of
network traffic, delivering insights efficiently and rapidly.

Selective Storage of Forensically Valuable Data Reduces Costs


Through context enrichment, ML- and AI-based algorithms, and event correlation, Securonix NDR
ensures that events that are forensically valuable for investigation are stored, removing repetitive
and false positive events from the pipeline. This keeps storage costs down, while making threat
hunting and search faster.
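The two cost-reduction ideas on this page, metadata instead of full packet capture (Reduced Cost of Infrastructure) and dropping repetitive events while keeping forensic artifacts (Selective Storage), can be shown in one reduction step. The following is an added example and not Securonix code; the raw connection records are constructed, the `payload` field stands in for the packet bytes a full-capture system would retain, and the summary layout is an assumption loosely modelled on a flow/TLS log.

```python
"""Collapse raw connection records into deduplicated network metadata that keeps
certificate artifacts but never stores payload bytes.

Added example, not from the white paper. Record fields are constructed.
"""
from dataclasses import dataclass, field

# Constructed raw records: one per observed connection. 'payload' represents the
# packet bytes a full packet capture would store; the reduction below discards it.
RAW = [
    {"ts": 100, "src": "10.0.1.30", "dst": "203.0.113.9", "dport": 443, "proto": "tcp",
     "bytes": 4000, "cert_sha256": "deadbeef01", "payload": b"\x16\x03\x01" + b"A" * 1400},
    {"ts": 101, "src": "10.0.1.30", "dst": "203.0.113.9", "dport": 443, "proto": "tcp",
     "bytes": 4000, "cert_sha256": "deadbeef01", "payload": b"\x16\x03\x01" + b"A" * 1400},
    {"ts": 102, "src": "10.0.1.30", "dst": "203.0.113.9", "dport": 443, "proto": "tcp",
     "bytes": 4000, "cert_sha256": "deadbeef01", "payload": b"\x16\x03\x01" + b"A" * 1400},
    {"ts": 150, "src": "10.0.1.10", "dst": "198.51.100.4", "dport": 8443, "proto": "tcp",
     "bytes": 5000, "cert_sha256": "cafef00d02", "payload": b"\x16\x03\x01" + b"B" * 1400},
    # Same server a minute later presents a different certificate: the artifact is kept.
    {"ts": 151, "src": "10.0.1.10", "dst": "198.51.100.4", "dport": 8443, "proto": "tcp",
     "bytes": 5000, "cert_sha256": "0badcert03", "payload": b"\x16\x03\x01" + b"C" * 1400},
]


@dataclass
class FlowSummary:
    src: str
    dst: str
    dport: int
    proto: str
    first_seen: int
    last_seen: int
    count: int = 0
    bytes: int = 0
    certs: set = field(default_factory=set)   # distinct certificate hashes seen


def reduce_to_metadata(records):
    """Merge repeated connections with the same (src, dst, dport, proto) into a
    single summary, accumulating counts and bytes and retaining every distinct
    certificate hash. Payload bytes are read only for their length and dropped."""
    summaries = {}
    for r in records:
        key = (r["src"], r["dst"], r["dport"], r["proto"])
        s = summaries.get(key)
        if s is None:
            s = FlowSummary(*key, first_seen=r["ts"], last_seen=r["ts"])
            summaries[key] = s
        s.count += 1
        s.bytes += r["bytes"]
        s.first_seen = min(s.first_seen, r["ts"])
        s.last_seen = max(s.last_seen, r["ts"])
        if r.get("cert_sha256"):
            s.certs.add(r["cert_sha256"])
    return list(summaries.values())


def payload_bytes_dropped(records):
    """Bytes a full packet capture would have written that metadata-only storage does not."""
    return sum(len(r["payload"]) for r in records)


def cert_changes(summaries):
    """Servers that presented more than one certificate: a forensically interesting
    artifact that survives the reduction and is worth an analyst's look."""
    return [(s.dst, s.dport, sorted(s.certs)) for s in summaries if len(s.certs) > 1]


if __name__ == "__main__":
    out = reduce_to_metadata(RAW)
    print(f"{len(RAW)} raw records -> {len(out)} summaries, "
          f"{payload_bytes_dropped(RAW)} payload bytes not stored")
    for dst, port, certs in cert_changes(out):
        print(f"certificate changed on {dst}:{port}: {certs}")
```

The point of keeping `certs` as a set rather than a single value is that the reduction still supports the response step the page mentions earlier (comparing certificates and replacing malicious ones): the repeated connections are collapsed, but the fact that one server presented two different certificates is not lost.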

Complementing Network Traffic Data With Other Network Data Sources
Network traffic data alone does not show the entire picture. By complementing network traffic
data with multiple other network data sources, Securonix NDR can identify threats that may
otherwise pass unseen. Also, by correlating various data sources, threat events can be predicted
with greater confidence, eliminating more false positives, and enabling the prioritization of actual,
high priority threats.
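The corroboration idea in this section, and the "threat models that tie together multiple anomalies over time" mentioned under Unified Analytics Platform, come down to grouping per-entity anomalies into a time window and promoting a chain only when more than one data source agrees. The following is an added example, not Securonix's threat models or scoring; the anomaly events, their weights, the 60-minute window and the two-source threshold are all constructed or assumed for the illustration.

```python
"""Tie anomalies from several data sources together per entity over a time window
and promote only chains that at least two sources corroborate.

Added example, not from the white paper. Events, weights and thresholds are constructed.
"""
from collections import defaultdict

# Constructed anomaly events: (ts_minutes, entity, source, anomaly, weight)
EVENTS = [
    (0,   "10.0.1.30", "flow",     "unusual_outbound_volume",     30),
    (5,   "10.0.1.30", "firewall", "denied_to_rare_destination",  20),
    (9,   "10.0.1.30", "dns",      "new_domain_first_seen",       15),
    (3,   "10.0.1.10", "flow",     "unusual_outbound_volume",     30),
    (4,   "10.0.1.10", "flow",     "unusual_outbound_volume",     30),  # same source again
    (200, "10.0.1.30", "firewall", "denied_to_rare_destination",  20),  # too late to join chain 1
]


def _summarise(entity, chain, min_sources):
    """Score one chain and decide whether corroboration across sources was reached."""
    sources = {e[2] for e in chain}
    return {
        "entity": entity,
        "start": chain[0][0],
        "end": chain[-1][0],
        "sources": sorted(sources),
        "score": sum(e[4] for e in chain),
        "verdict": "investigate" if len(sources) >= min_sources else "low_confidence",
    }


def score_entities(events, window=60, min_sources=2):
    """Group each entity's events, in time order, into chains whose span does not
    exceed `window` minutes. A chain is only promoted to 'investigate' when it
    contains anomalies from at least `min_sources` distinct data sources; a pile of
    hits from a single source stays low confidence however high its raw score."""
    by_entity = defaultdict(list)
    for ev in sorted(events):
        by_entity[ev[1]].append(ev)

    results = []
    for entity, evs in by_entity.items():
        chain = []
        for ev in evs:
            if chain and ev[0] - chain[0][0] > window:
                results.append(_summarise(entity, chain, min_sources))
                chain = []
            chain.append(ev)
        if chain:
            results.append(_summarise(entity, chain, min_sources))
    return results


def investigation_queue(results):
    """Entities to hand to an analyst, highest corroborated score first."""
    hits = [r for r in results if r["verdict"] == "investigate"]
    return sorted(hits, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in score_entities(EVENTS):
        print(f"{r['entity']} [{r['start']}-{r['end']}] {r['sources']} "
              f"score={r['score']} -> {r['verdict']}")
```

In the constructed data the single-source host 10.0.1.10 reaches a raw score of 60, higher than the late firewall event on 10.0.1.30, yet neither is promoted; only the three-source chain on 10.0.1.30 is. That is the false-positive reduction the page describes: repeated hits from one sensor are not treated as confirmation of each other.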

Conclusion
Securonix NDR effectively solves the challenges that traditional network security solutions have
in visibility and response, using ML and AI to connect related security events and create an
actionable list of anomalies to investigate. It also effectively leverages additional platforms and data
sources, through API integrations, to provide balanced visibility and comprehensive cybersecurity.

Ultimately, the Securonix NDR solution provides robust, scalable, and feature rich network
forensics that help enterprises effectively protect themselves from cyberthreats.

ABOUT SECURONIX
Securonix is redefining SIEM for today’s hybrid cloud, data-driven enterprise. Built on big data
architecture, Securonix delivers SIEM, UEBA, SOAR, Security Data Lake, NDR, and vertical-
specific applications as a pure SaaS solution with unlimited scalability and no infrastructure cost.
Securonix reduces noise, prioritizes high fidelity alerts, and detects and responds to advanced
insider and cyber threats with behavioral analytics technology that pioneered the UEBA category.

CONTACT SECURONIX
www.securonix.com
[email protected] | (310) 641-1000
1020