NDR solutions primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect suspicious traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing traffic from strategically placed network sensors.
Response is also an important function of NDR solutions. Automatic responses (for example, sending commands to a firewall so that it drops suspicious traffic) or manual responses (for example, providing threat hunting and incident response tools) are common elements of NDR tools.
Typical NDR systems, built on closed detection engines, have two layers of functionality: one provides network traffic monitoring and the other offers automation and artificial intelligence capabilities. The main problem they face is the volume of data they must process. Security teams need a way to filter and isolate events and other data more efficiently and correlate them with new threats.
For teams with less time or limited skill sets, the automation and Artificial Intelligence (AI) algorithms automatically triage data and prioritize events to reduce the amount of information presented to security teams.
An NDR solution combines threat scanning capabilities with automated threat response and mitigation tasks. The purpose of these automated tasks is to attempt to stop the issue without needing an IT team member to address it. This reduces the time between finding and solving a security problem and allows your team to deal with other important matters.
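To make the baseline-and-alert mechanism concrete, here is an added example (not code from any NDR product described above) of a minimal flow-record detector: it learns per-host byte volumes from constructed NetFlow-style records, separates east/west from north/south traffic, and returns alerts ranked for triage. The internal prefixes, record fields and scoring threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: these prefixes are the organisation's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed NetFlow-style records (one per flow, bytes sent by src).
BASELINE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "bytes": b}
    for b in (1000, 1200, 1100, 900, 1300)
] + [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445, "bytes": 500}
    for _ in range(3)
]
NEW_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "bytes": 1150},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "bytes": 50000},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445, "bytes": 500},
    {"src": "10.0.0.7", "dst": "198.51.100.3", "dport": 22, "bytes": 800},
]

def direction(flow):
    """Classify a flow as east-west (internal to internal) or north-south."""
    internal = [any(ip_address(flow[k]) in n for n in INTERNAL_NETS) for k in ("src", "dst")]
    return "east-west" if all(internal) else "north-south"

def build_baseline(flows):
    """Learn mean and spread of bytes per (source host, direction) from normal traffic."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f["src"], direction(f))].append(f["bytes"])
    return {key: (mean(v), pstdev(v)) for key, v in buckets.items()}

def detect(baseline, flows, z=3.0):
    """Score each flow against its baseline; return alerts ranked highest-score first."""
    alerts = []
    for f in flows:
        key = (f["src"], direction(f))
        if key not in baseline:
            # Host/direction never seen in the baseline window: scored at the
            # threshold so that measured deviations rank above it in triage.
            alerts.append({"flow": f, "reason": "unseen", "score": z})
            continue
        mu, sigma = baseline[key]
        score = (f["bytes"] - mu) / max(sigma, 1.0)  # floor avoids divide-by-zero
        if score >= z:
            alerts.append({"flow": f, "reason": "volume", "score": round(score, 1)})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

A real deployment would baseline many more features (peer sets, ports, timing) and feed the ranked alerts to the response layer, but the shape of the pipeline is the same.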
Network forensics is the technology used to capture, record and analyze network packets in order to determine the source of network security attacks.
The major goal of network forensics is to collect evidence.
It tries to analyze network traffic data, which is collected from different sites and different network equipment, such as firewalls and IDS.
In addition, it monitors the network to detect attacks and analyze the nature of the attackers.
Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.
NETWORK FORENSIC EXAMINATION INCLUDES THE FOLLOWING STEPS:
Recognizing and determining an incident based on network indicators.
Securing and isolating the state of physical and logical evidence from being altered, for example by protecting it from electromagnetic damage or interference.
Recording the physical scene and duplicating digital evidence using standardized methods and procedures.
In-depth systematic search of evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
Determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
Summarizing and explaining the conclusions drawn.
The response to a detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.
Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable. Investigators often only have material to examine if packet filters, firewalls, and intrusion detection systems were set up to anticipate breaches of security.
A network forensics solution records network traffic, stores it in a searchable repository, and provides IT engineers with filters for mining stored data to discover and analyze network anomalies. Using network forensics, IT engineers can discover both the cause of an anomaly and its effects on IT services and IT assets such as servers and databases.