A quiet revolution in the making: the NDR-led approach to cybersecurity

Adrian Jones, UK country manager, Gatewatcher, offers a seven-point framework for a network detection and response-based approach

As part of the Gartner SOC Visibility Triad, network detection and response (NDR) has received a huge amount of interest. But there remains confusion about the impact of the approach. Technology and security leaders are getting to grips with this rapidly and have realised that NDR is not only a key piece of the puzzle alongside SIEM and EDR: it has also shortened response times to attacks and given deeper insight into threat severity.

The consideration of the network perimeter in a cloud-enabled world has combined with an awareness of ever more sophisticated threats (be they criminal gangs, nation states or other bad actors) to elevate cybersecurity professionals' appreciation of how advanced these attacks can become. It is no longer a case of a single, isolated attack being seen and dealt with. It is a consideration of what that attack means throughout the entire technology infrastructure, what it was meant to do and how comprehensive the response has been.

There is an effective, seven-point framework for this NDR-based approach:

  • When did the attack occur?
    This is a consideration of the possible difference between the time the attack first took place and the later time at which it was detected. This 'dwell time' is an important consideration, as advanced threats will favour stealth over immediate impact. A sophisticated bad actor will take the time to move quietly onto a network, explore options and perhaps remove or copy small amounts of data, multiple times. Immediate, 'smash and grab' operations are rarely cost effective for the bad guys. Payloads are delivered slowly, over several unexpected methods and protocols, to make the operation succeed.
  • How did it occur?
    This can be best understood as assessing how existing defences were breached: specifically, was the attack spotted and, if not, why? The idea is to track the attack back to the initial breach and then assess how it got past the existing defences. In the face of increasingly sophisticated bad actors, businesses must go beyond the immediately obvious security profile of just protecting the front doors of an infrastructure - the back doors, windows and any other access points must also be secured; this may seem obvious, but it remains a challenge for organisations.
  • Where did the attack go?
    Once a business understands how long a malicious element has been in play, it can map where that threat has been across the network: which systems has it explored and how much access has it gained? The growth and blending of OT into the traditional IT network present new challenges. The only way to 'discover what you don't know' with confidence is to analyse the whole estate 'from the ground up,' dynamically, to identify and hunt the initial attack incident, then view the chain as it progressed over time.
  • What damage did it do?
    For businesses, the next step is the most sobering, as they assess the impact of the attack, which indicates not only the potential cost or risk being faced but also the motivation of the attackers. Typically, this centres on the theft of value, such as money or IP, but a business must at this point also become sceptical of its remaining data. There is nothing to stop a bad actor altering or doctoring applications, data or access for later exploitation. This can extend far beyond the immediate short term and leave the business open to further incursion.
  • How was the attack discovered?
    At this point, the business must also engage in a frank and honest assessment of how it discovered the attack. Was it accidental or proactively detected? Would the business have seen the attack if a given event had not happened? This very quickly develops into a library of the lessons of past attacks - cyber threat intelligence - and, of course, should inform the cybersecurity strategy going forward. This can quickly become very refined: after an initial consideration of the main attack, was that attack a Trojan horse, with the noise it created blinding the target company to a more subtle, hidden attack elsewhere? Alternatively, have there been multiple attacks, with the business looking only at the latest in an extensive list?
  • What has been done to fix the impacted systems?
    Moving towards remediation, a business must be on guard against the dangers of vertical thinking, such as an antivirus engine scanning, detecting and deleting a virus, then assuming that the problem is solved. Businesses need to take a far more holistic view of what else has been done or started. This extends to assessing how the remediation process itself is conducted - for example, advanced operators count on the clean-up process itself as an opportunity to insert further payloads.
  • Was everything that was impacted fixed?
    This then leads to the obvious question of assessing whether everything has been fixed properly - has the organisation found the potentially multiple payloads hiding elsewhere on the network? This is sadly the realm of 'unknown unknowns' and there is always the risk that a business will miss something. As such, security teams need to be clear that they are offering mitigation, rather than elimination, to the business. The watchword should be a constant, iterative process based on intelligence, not just reviewing reams of raw data and spending time hunting down a myriad of false positives.
  • Can this all be proven?
    The last stage is to be able to fully demonstrate the attack in all its facets and the remediation. This is vital for risk and regulation compliance certification, as well as communication to shareholders and business leaders. There may well be specific areas of core reputational risk that need to be addressed here.
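The 'when' and 'where' questions above are answerable from network flow data alone, which is the point of NDR. The example below, added here and not Gatewatcher's code, reconstructs an attack's spread over time from a handful of constructed flow records: starting from a patient-zero host and the time of its first beacon, it treats a host as reached only through a connection that left an already-compromised host after that host was compromised, and reports the dwell time between first compromise and detection. Every hostname, address, port and timestamp is invented for the illustration.

```python
"""Temporal reconstruction of an attack's spread from network flow records.

Added example (not Gatewatcher code). Hostnames, addresses, ports and times
below are constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class Spread:
    compromised_at: dict   # host -> first time it was reached from a compromised host
    hops: list             # (ts, src, dst, dport): lateral moves, in time order
    external: list         # (ts, src, dst, dport): outbound flows from compromised hosts


# Constructed data (assumed for the example).
INTERNAL = {"ws-17", "ws-04", "fs-01", "dc-01", "db-02"}
T0 = datetime(2024, 3, 1, 9, 2)            # first beacon from patient zero, known from triage
DETECTED_AT = datetime(2024, 3, 4, 9, 2)   # when the SOC raised the incident
FLOWS = [
    Flow(datetime(2024, 2, 28, 8, 0), "fs-01", "dc-01", 389),         # before compromise: ignored
    Flow(datetime(2024, 3, 1, 8, 50), "ws-17", "fs-01", 445),         # patient zero, but before T0: ignored
    Flow(datetime(2024, 3, 1, 9, 2), "ws-17", "203.0.113.5", 443),    # initial beacon to C2
    Flow(datetime(2024, 3, 1, 9, 30), "ws-17", "fs-01", 445),         # SMB to the file server
    Flow(datetime(2024, 3, 2, 22, 15), "fs-01", "dc-01", 389),        # LDAP to a domain controller, a day later
    Flow(datetime(2024, 3, 3, 1, 5), "dc-01", "db-02", 1433),         # MSSQL on a database host
    Flow(datetime(2024, 3, 3, 1, 40), "db-02", "203.0.113.5", 443),   # same C2 address: candidate exfil path
    Flow(datetime(2024, 3, 3, 2, 0), "ws-04", "fs-01", 445),          # into a compromised host, not out of one
]


def propagate(flows, patient_zero, t0, internal):
    """Temporal reachability: a destination counts as reached only via a flow
    that left an already-compromised host at or after its compromise time.
    Flows are processed in time order, so the first reach of a host is the
    earliest one."""
    compromised_at = {patient_zero: t0}
    hops, external = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        since = compromised_at.get(f.src)
        if since is None or f.ts < since:
            continue  # source was not compromised at this point in time
        if f.dst not in internal:
            external.append((f.ts, f.src, f.dst, f.dport))
        elif f.dst not in compromised_at:
            compromised_at[f.dst] = f.ts
            hops.append((f.ts, f.src, f.dst, f.dport))
    return Spread(compromised_at, hops, external)


def dwell_time(t0, detected_at):
    """Interval between first compromise and detection."""
    return detected_at - t0


def run_example():
    return propagate(FLOWS, "ws-17", T0, INTERNAL)


if __name__ == "__main__":
    s = run_example()
    print(f"dwell time: {dwell_time(T0, DETECTED_AT)}")
    for ts, src, dst, port in s.hops:
        print(f"{ts:%Y-%m-%d %H:%M}  {src} -> {dst}:{port}")
    for ts, src, dst, port in s.external:
        print(f"{ts:%Y-%m-%d %H:%M}  {src} -> {dst}:{port}  (external)")
    print("hosts to examine:", sorted(s.compromised_at))
```

The output is a hunting worklist, not proof: any connection out of a compromised host marks its destination, so legitimate traffic from a breached server will over-approximate the blast radius, and a host contacted only before its source was compromised (the Feb 28 flow) or only by uncompromised hosts (ws-04) is correctly left out. That over-approximation is the practical counterpart of offering mitigation rather than elimination.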
PROTECTING THE CASTLE
Pulling the above together is a process of 'defining the citadel' - the limits of what a business can protect, and the subsequent strategy and level of security offered. It is all but impossible to cover every threat - and the rise of alert fatigue has shown that, even if a business could detect every threat, a response to each of those threats may be lacking.

Once this framework has been defined, our response is to combine supervised-learning AI engines with specific rules-based processes to cut through the threat noise that creates this fatigue.

The original Gartner report that identified the SOC Visibility Triad showed that a network-centric approach was critical to combat the 'escalating sophistication of threats' and that 'network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents'. This is the reality of cybersecurity today - a need to see it all, then continually refine and update that which is protected and remediated.