Join security and business experts from KuppingerCole Analysts and cyber technology firm Exeon Analytics as they discuss how these challenges can be met using machine learning-supported, log data-based Network Detection & Response solutions to improve the overall cyber security and resilience of organizations.
John Tolbert, Lead Analyst at KuppingerCole Analysts, will look at reasons for deploying NDR, the various deployment models, and use cases for enterprise IT and OT environments. He will also explain how ML-enhanced detection algorithms increase confidence and reduce false positives, and discuss key requirements for choosing NDR solutions and how NDR fits into the XDR landscape.
Michael Tullius, Sales Director Germany at Exeon Analytics, will discuss why NDR is necessary and how it can benefit security leaders, admins, and incident responders. He will also give examples of detectable use cases, provide an overview of Exeon's NDR solution, and share recommendations for improving cyber resilience.
Hello everyone. Welcome to our webinar today. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today I'm joined by Michael Tullius, who's Sales Director for Exeon Analytics. Hi Michael. Hi John. Our topic today is Network Detection and Response, or NDR, as central to a modern cybersecurity architecture. So let's jump right in. A few logistics things here: everyone's muted, there's no need to mute or unmute yourself. We're going to do a couple of polls during my part of the presentation, and then we'll look at the results and talk about them.
We will take questions and do Q&A at the end, after our presentations, and you can enter your questions in the control panel on the side at any time. Those will be registered and we'll take them at the end. We are recording the webinar, and both the recording and the slides should be ready in a few days. So with that, I'll start off and talk about what NDR is, what some of the key capabilities to look for are, what some of the use cases are that I think are important, and really where it fits into your overall security architecture.
Then I'll turn it over to Michael and he can go into more detail on NDR and the use cases that they see. Then we'll do the Q&A. So first up, let's talk briefly about the current cybersecurity threat landscape.
We hear a lot about ransomware, fraud, data breaches of different kinds, intellectual property theft, advanced persistent threats. All of these are things that, as security professionals, we have to deal with and try to prevent every day.
Talking about polls, we've done a number of polls over the last year, and we're always interested to find out from other security professionals and executives what some of their top security concerns are. You can see ransomware is pretty much top of mind for everyone, and has been probably for the last couple of years, just because it's become so pervasive and so damaging in many, many cases.
Then we see concerns about things like attacks on critical infrastructure, malicious insiders, business email compromise and its closely related counterpart CEO fraud, DDoS, software supply chain attacks, and APT. APT is a term that was coined probably 13 or 14 years ago now, but these things are still going on and are things that we have to defend against. All of these involve, of course, software and users, vulnerabilities, training, proper communication, but these are the things that most organizations are concerned about today.
Looking at ransomware: ransomware has of course been in the news quite a bit over the last few years. It has been quite destructive. It really ramped up, I'd say, about seven years ago, and now it continues to target all kinds of organizations.
But in the last two years we've seen much more focus on things like hospitals and clinics, as well as schools and state and local governments. I think these attack perpetrators know that many of these kinds of organizations can't really afford to be down; that's why they attack them.
But large enterprises are obviously still at risk, and small and medium-sized businesses are too. Years ago I heard people say, well, I'm not in such a big business, I don't think I'd be targeted.
But the reality is, everybody's being targeted now. Anybody who's got money to pay is a potential ransomware target.
And we've seen some particularly devastating attacks, things that have disrupted businesses, entire supply chains, software supply chains, and even economies. The pipeline attack from a few years ago wound up having a pretty large impact across a large part of the US. So ransomware can be quite devastating, and it isn't always contained to the first targeted organization either.
We've seen ransomware attackers change their tactics, evolving from something like a screen locker, to encrypting people's pictures or whatnot, to encrypting business data, hard drives, network drives, and to being destructive wipers, just wiping out data and not even trying to encrypt it. And in more recent cases there have been attacks where the data is stolen and then threatened to be leaked, so not even encrypted. So there's a whole lot of different tactics that can be used by these perpetrators.
I mentioned the pipeline. There have been other attacks on critical infrastructure, ranging from attempts at sabotage, like with the water treatment facility in Florida, to attempts to deliver malicious firmware, to denial of service within plants or from outside against different kinds of plants, to ransomware, as we've been talking about, and how it affected the pipeline. And even in that case, there's a concern about attack spillover from the IT environment.
In fact, in some ways that looks to be the most common vector for operational technology to be attacked: from the IT side. I mentioned advanced persistent threats; they're still out there. These are perpetrated by either state intelligence agents or corporate espionage, or sometimes those working together. They often use advanced or zero-day malware, malware that's based on vulnerabilities that haven't been detected or mitigated yet, so they can exploit that.
The biggest risks around APT are loss of intellectual property and loss of competitive advantage. But even going beyond that, it's possible that losing your IP, losing your competitive advantage, can be an existential threat for a company. That's why APTs are still incredibly dangerous.
And then, if you're an organization that has very sensitive information, maybe government-related information, there can be fines associated with losing export-controlled data. So with all these things in mind, let's take our first poll question, following up on what we saw in the first chart. What are the kinds of cyber attacks that you and your organization are most concerned about today and for the foreseeable future? Is it ransomware, software supply chain attacks, CEO fraud or business email compromise more generally, loss of intellectual property, or data breaches that involve PII? Great, so keep on voting. It's nice to be able to get this in real time.
So yes, nearly 50% are concerned about ransomware, and then software supply chain attacks and loss of IP are sort of tied for second, and data breach or loss of PII is third. Very interesting. Now let's take a look at a more in-depth overview of NDR.
So what does NDR do, or what should it do? A little hint on how it's deployed: you can deploy it either inline in your network or in your cloud instances.
In that case it would be off SPAN ports, off of switches. Another way of doing it is with offline log telemetry processing. In those cases you've got to make sure you configure all of your telemetry-gathering devices or instances, if they're virtual machines or virtual appliances, to be able to send that to your central NDR console. But we'll talk about the deployment a bit more in a minute. NDR should be able to detect both north-south intrusions, things coming in from the outside, as well as east-west or lateral movement.
This might be reconnaissance by an attacker that's already compromised one or more machines and is trying to look for what data they might want to exfiltrate, or even malicious insiders. It's also important to point out that NDR can be particularly effective in OT or ICS environments, that's operational technology and industrial control systems, because a lot of these tools understand, at the network protocol level, the kinds of protocols that are used in OT and ICS environments, which tend to be very different from the ones that we see in enterprise environments.
Most of those kinds of protocols are for connectivity between SCADA nodes or PLCs, programmable logic controllers, human-machine interfaces, and various sensors. So having protocol-level awareness of the kinds of traffic in OT and ICS environments is very important for an NDR solution, to be able to understand that and detect when threats exist in those kinds of environments. NDR tools also have threat hunting tools built in, to be able to do both investigations of what may have happened as well as a more proactive threat hunt.
Find a new indicator of compromise and then go look for signs that maybe that's happening in an enterprise. It can find evidence of malicious activities when other tools might miss it. By this we mean that every device, if at all possible, should run some sort of endpoint agent, endpoint protection, detection and response. But there are some kinds of devices that can't, for a variety of different reasons.
Maybe they don't have an operating system that's supported; maybe the support is provided by a service or a manufacturer, and it might void the warranty to put some sort of additional security software on there. So there are reasons why you might not be able to install security software.
NDR, sitting at the network level, can look for signs that something is amiss on your network, look for those anomalies, and report when it finds them. So it can really be the last place to find signs of malicious activity. And then it should also be able to provide automated responses.
We'll look at the responses in more detail in a minute or two, but things like blocking traffic, isolating nodes, DNS sinkholing for DDoS attacks. The top use cases we see are increasing that visibility.
Like I said, agents are good on endpoints, but they're not everywhere, so you might miss attacks if you're not looking at the network level. Rapid ransomware response: let's say an endpoint gets compromised; it's great to be able to shut that down at the network level and prevent it from contaminating other network drives or cloud-hosted systems. So NDR can find that and go, okay, let's automate that response.
Let's block access so that it doesn't encrypt or steal other data. It can assist with those APT investigations: look for indicators of compromise, look for those signs that an attacker may have compromised something else and is now looking around your network,
looking for other kinds of unusual communications or command-and-control communications. It can be the last place to stop IP and PII from actually leaving your network.
Being able to shut that down, terminate connections if it looks like, let's say, an endpoint is trying to send out data that's encrypted using some strange tool or something; you can use NDR to stop exfiltration. And it's good for insider threat investigations, looking for unusual traffic at different times that might be a sign that a particular machine has been compromised and it's not really that user on that machine trying to send information out, or trying to access information that that machine has never talked to before.
And then lastly, it's got to be part of your overall security infrastructure. So it needs to be able to interoperate with SIEM, security information and event management, and SOAR, security orchestration, automation and response. The key features we see are support for the different environments.
It's got to be able to work on-prem, in hybrid modes, in infrastructure-as-a-service cloud, and then in the OT/ICS world. It should be able to do encrypted traffic analysis. You shouldn't have to decrypt traffic to go through NDR to understand what it is, and there are a lot of different methods, I won't read them all out here, but there are a lot of different methods that NDR vendors have come up with to look at,
say, header information to figure out if traffic is legitimate or suspicious. To do that they often use, or really have to use, machine learning, both unsupervised, to sort of categorize or find anomalies, and then supervised, to categorize those different kinds of traffic and tell you potentially what kind of threat it is. And it has to be trained on real data, not just academic data sets. It's best if it's trained on data from within your particular organization.
It needs to be able to get cyber threat intel. There are many different sources for cyber threat intel, but it needs to be brought in and applied to the circumstances in which it operates. NDRs have consoles for SOC management, forensic investigations, and threat hunting. They need API exposure so that they can interoperate with other parts of your security infrastructure, SIEM and SOAR being probably the two main use cases, but there may be others like ITSM systems. And then lastly, playbooks.
A lot of what security analysts have to do can be very repetitive and very time-consuming. Being able to automate parts of investigations, opening tickets, getting IP reputation information, or even just, once you know that IPs or whole networks or domains are bad, being able to automatically block access to those things, are ways to decrease your attack surface and do so in a way that's much more efficient and a better use of your analysts' time. So where do you deploy NDR?
If you're doing an agent-based system, you really need agents or virtual appliances off of all the different device network segments, we'll call them, whether it's in your office or around, if you haven't completely de-perimeterized, and you're using firewalls or WAFs or email and secure web gateways. They collect, of course, from your IT and/or your OT and ICS environments as well, and cloud. All that needs to be able to roll up to an NDR console, which can then interact with external cyber threat intelligence sources.
It should be able to pass this information, as we've said, to SIEMs and then be utilized by SOARs. But it should be bidirectional communication between NDR and all of its sensors or virtual appliances, in the cases where it's not actually sitting right off of a SPAN port; API connectivity in those cases is very important. So on the response side, we expect the NDR console to allow an analyst to run those CTI queries and collect forensic evidence. Ideally that would be automated, because even the evidence collection stuff can be kind of tedious.
A lot of it can be scripted. So, be able to run scripts to support threat hunting and incident response; once you find something, scripting out how to begin to shut it down and recover from that. Create cases and open tickets; that's where having API connectivity to an ITSM is useful.
Of course you should be able to alert SOCs and analysts, get those tickets to the analysts, prepopulated with the kinds of information they need to be able to hit the ground running in an investigation and not have to look up lots and lots of stuff just to get the lay of the land when they first receive that case. It should be able to isolate nodes and networks, as we said.
And then ideally be able to update detection rules based on the findings, so that once you see something that looks potentially malicious on one machine, you should be able to look for that across your entire network estate. I want to briefly talk about MITRE ATT&CK. MITRE ATT&CK is a framework that shows tactics, techniques and procedures that are common to most cyber attacks. I've got a lot of info on here and I'm kind of running out of time, so I'll just go through this quickly.
The colored boxes are the different tactics and techniques in the MITRE ATT&CK framework, starting with recon in the initial stages and ending up with impact on the bottom right. What I wanted to do here is show where NDR fits in. Obviously, as detection and response, it's going to be more in the detect phase. So you see NDR becoming an important tool to find evidence of persistence, evidence that it might try to evade defenses, evidence of lateral movement, for example, or trying to collect information, do that C2 communication, or exfiltrate.
So again, particularly malicious APT campaigns will do things like erase logs on machines where they have compromised those systems. I'd consider that a defense evasion technique. They could also try to shut down other security systems, security agents on endpoints, and NDR again can be a way to look for signs of that defense evasion. So, quickly wrapping up my part here, we'll do the second poll. What do you think are the three biggest challenges in implementing cybersecurity? Is it a budgetary limitation?
Do you feel like you have siloed organizations, where maybe you are in a big conglomerate and you've got multiple independent, almost autonomous business units that maybe don't have to adhere to the same overall enterprise architecture, and you can't force them to use a particular product? Is it the skills shortage, or do you think, no, we've already got too many tools, it's difficult to manage what we have?
Or lastly, could it be stakeholder management: too many, or maybe your executives aren't completely bought in on spending more on your cybersecurity budget, or there's confusion over what the priorities should be? Okay, well, this is interesting too. We're split between budget and too many tools for the top vote getters here. I can certainly understand budget being a concern for the last few months, as we sort of move into economically uncertain times. But that's changed.
Okay, so right now we have too many tools. Just a reminder, you can submit questions into the Zoom control panel here and we'll take those questions at the end. And with that, I'm going to turn it over to Michael.
Okay, so just some small words on who ExeonTrace, or Exeon the company, is. We are Swiss based, and I will talk a little bit about our solution as software increasing the visibility. One of the key things is that all data are always stored locally. So wherever the software solution is installed, any data or analysis is stored there, probably mostly in your private network. We are using metadata to reduce storage and so on, and we are designed as an easy integration into your existing environment.
So those are some key parts in that area. Looking at why network detection and response is important to your network: what we can see is that perimeter security gets a lot of investment, but we know nobody's perfect. The attacks are going through. Endpoint security, from another place, as you can see, cannot cover everything, because, like John said, we have a lot of devices in your network where you can't place an agent, which from a network perspective are not like a laptop or whatever. And we will see what I mean with that.
But on both sides, between perimeter and endpoint security, you have your network communication, and network communication is key for anything in the IT area. We know that, but a lot of times it's just there. We recognize this if your laptop or your connections are not working, if the performance is not good. But what we need to do is security monitoring of this network communication. And why is it? I have three different views on that: a little bit from a management perspective, from a network security admin perspective, and from a SOC perspective.
So I will show you in the next minutes some examples of that, starting from IT. If I'm looking from a management perspective at what IoT means: we know that we don't have security by design, so we know that we need open communications. Even if you have software, you have API libraries, you need to communicate in between, you have software development kits, the SDK part, and why is there no security by design? We also know that we have open doors, we have mistakes there, and this is one part of IoT. So it's not like the typical IoT is my mobile phone, here's my lighter, my light, or whatever.
It's much more; it's software which has its own security risk. The other part which I think of from an internet of things perspective is devices which have no internet connection. Very interesting: I'm talking about the internet of things and then I'm talking about devices which have no internet connection. This is, by the way, wrong, because we have connections to the network infrastructure, and either we have connection to third-party clouds, to remote services, or whatever. These are internet connectivities which are indirectly connected.
What I mean is sensors in a production environment, an OT environment. I'm showing you a little bit later why. And you need to think about devices which you don't think are connected, or which you think have no internet connectivity, but they have connectivity through the internet or through partners or through vendors with your backbone. So this needs attention too.
And then we have the part which has internet connectivity, and you see the car: it's so easy to break down the internal firewall in the car and, coming from a car perspective, go over the car and the open APIs to your mobile phone and then into your company intranet. So these parts always need to get some attention in that case. And we have a security layer; in a lot of cases we see that this is missing, to monitor what's going on on these devices.
Because sometimes they're so standard, you don't think about this and you don't even think that they can be used to break into your network, and it's not classical ransomware in that case. Today we saw in the news there's an actor group called Titan which is focusing on critical infrastructure, and they are starting to prepare to break down your connectivity in that case.
An interesting article; you'll find this, I'm pretty sure, on the internet, which gives them a completely different focus, and why NDR is even this important. So blind spots in the IoT world need to be monitored, and in a lot of cases you can't use agent technology; you need to monitor this part just from a network perspective. The other part: if you're going up the security layer stack, we always see the blind spots, starting with advanced threat protection, like John said, going into network security: how are you proving your policies from your firewall, from your different routers?
Do you have a real-time monitor across your network? 90% of the companies I'm asking, do you have an overview of any connectivity in your network? And the answer is mostly no, because it might be from a performance perspective, from an error research perspective, but not from a security perspective. And if you're going around all these stacks, going from network security to data security: it's not only data leak prevention, you need to see if data is going out of your network if you don't want it to.
You need to monitor your DNS infrastructure and HTTP, and especially monitor what you are doing from a zero-day perspective, where you don't have any signature, you don't have a use case, because it happens now, it happens in real time, it happens with new ideas from a hacker perspective to break into your network, and you can't see this with standard tools in that case. The last part which I'm looking at is the OT environment.
If you are going here you can see how the enterprise and your internal network is going more and more into an area where we're talking about IP, we're talking about open connectivity and the connections we need in that case. Yes, on the process side and in the SCADA zone you have special protocols, but it's going more and more to an IP layer perspective. And even if you have network segments and say, yes, this is a completely separate area, I tell you it's not, because you need remote connections from your vendors; your administration by partners needs to be done.
So, as you can see, you have a remote access server, an application server, which are addressed by IP, and that means the communication is in here, and it's not encrypted in most cases, right? So there's clear communication in the OT environment. So these are the three segments: IoT you need to consider, your normal IT office environment you need to consider, and the OT environment, and they're coming more and more together. This gives a higher risk. What we are doing is, we are a software appliance. Why? We saw the need.
You can't put more and more hardware in your network, because if you're looking at it from a hardware perspective, you need to increase capacity on your routers, you need additional taps, you need additional firewalls because mirror ports are not enough, performance is not enough. And if you're putting DPI products in your network, there's a lot more effort, and we think there's a much smarter way, and this is why we say next generation: using what you have already in the infrastructure.
That means firewall logs, NetFlow logs, also private and public cloud logs, which give us information about how your communication acts in your network, going out of your network, coming into your network. But this is not enough. You need to analyze DNS, you need to analyze all the HTTP. You say, okay, HTTPS is encrypted, but if you're using a secure web gateway you'll get information about where the traffic is going, which is unencrypted in that case. So we can see how it goes.
And you need to monitor HTTP because it's very commonly used by hackers to build connections to command-and-control servers, to unauthorized services. And I'll show you some examples of how it works in that case. The last part, and why it's NDR and a little bit XDR, is that you have additional log data which is related to your connectivity network; that means CMDB data, Active Directory.
If you are using threat feeds on IoCs: we are basically always signature-less, as our machine learning is independent from the signature because it's based on behaviors, and you need to do this especially if you're going into the zero-day environment in that case. That's why we have different machine learning models which work to minimize alarms on one side and to work independently of any signature. We can use threat feeds and signatures as an addition, but it's not needed in that case.
And that helps a lot to minimize any efforts: how to handle the system, how to minimize false positives, so that the focus is on communication and what's going on in your communication.
In that case, yes the integration is high cause we need to integrate it in Siemens source so that we can, that you can use it in existing environments and that the additional tool like you mentioned is integrated in your environment and you need it as a resource and which is taking not way additional personal resource can be managed by the way from a, so also a network and security admin has some advances on one side we see like, like we said, letter movements, we see scanning parts in your network which you may don't want.
Which by the way this might be not hacker, it could be internal software, internal appliances and whatever. Something you can learn also how to optimize your network. And the network and security admin is also a very quick graphical view. What's going on? He got an alarm, hey what's this here? And he say oh this is an abnormal event that's not normal in my network. But he needs also to drill down from this part to see what's going on. Who is affected, what kind of service was it, when was it which timeframe.
And get a clear picture in seconds that he can follow up and maybe solve the situation or ah no this is a typical situation where my, it was installing a new server or a new application and yeah let it work or it's an SSH such session which is coming from outside which might be an hacker cause it's not allowed and you need to stop this. In that case that is one part that's an important part. How to visual with doing security on a visualization level level and not on an Excel list. So that you can do small very quick trick drill down on that.
The part of what we are doing is internal shadow IT, external shadow IT, although it's very important to have custom-specific checks to monitor critical servers creating communication in your network. Because any network is individual and it's always in movement; you could say it's living, there's no day where a network looks like the day before. And so you need to have specific checks to do configuration with this in your own network. Specifics are important also to detect non-authorized services.
And again, the view helps a lot in daily business, especially if you're looking at IT/OT environments. In that case, from a SOC perspective, there are only some use cases: if you're looking to analyze HTTP, you can directly see unauthorized cloud services or mail services and how communication is running in that case. Is it a rare event?
Did it just happen in that case, or is it a user who is using services which are not allowed, like: oh, I need my data again on my private phone because my company laptop is broken, and I'm just sending some data to Box, or something like that. It's just an example. And this is not a hacker example, this is a daily user example. In that case, you figure out an unauthorized cloud and mail service example and see it just with a click. The other part is if I'm looking at more IoT environments. You can also build an algorithm and analyze it in a way:
Show me devices where their IoT load or memory load is changing, where the CPU has a change and is being used more frequently than normal, or there's a memory load percentage which is going abnormal. This is designed from an OT perspective, or we did it for the banking industry, monitoring ATMs, which you cannot monitor from a software perspective, but you can monitor from a network perspective.
And we want to see if someone is manipulating this, so you can use this. There are some examples which go beyond normal network detection and response, but it's an integration, and that's why I'm saying we are monitoring communication in that case, and how a device communicates. The other part is DNS. I can give you an example. We have a standard environment, like a company which has just 2000 devices. They are generating on a daily basis 18 million flows per second on one side, but on the other side 18 million DNS requests daily.
And this is just an average size in that case. If you look from an HTTP perspective, you can imagine we are at something like 1.5 million HTTP requests per second. And out of this amount of data, finding a hacker and saying, okay, looking in the DNS, in the millions of requests, we found this communication which is a command and control communication, as an example, or we see that malware is starting to use DNS tunnels. In that case, that is why we are using machine learning algorithms to find this communication, and this helps a lot.
In that case, it's all about zero day; this is about zero-day threats. With machine learning and AI we don't need use cases, because this is based on anomalous behaviors, and it helps to write use cases if you have a SIEM. Okay. Because the SIEM is only acting if you have use cases; if you have no use cases, a SIEM doesn't help, because it doesn't know what it has to look for. It's a detection based on your own network environment, and it's deployed based on your network environment.
You see that you get a 360-degree view including the different security layer stacks, and we are trying to close the blind spots and help with zero-day detection, a dynamic zero-day detection with security monitoring and analysis in that case. That's why, from a SOC perspective, it's important. That was very quick; usually it takes a little more than half an hour to go through with more examples, but time is running and I hope you find this helpful, and so we can go to the Q&A section. So yeah, we'll move into the Q&A section.
First, I wanted to remind everybody that we're having an event in Frankfurt in November, cyberevolution, where we will be talking about subjects like NDR, so I invite you to join us there. And on the topic of NDR, I've got a Leadership Compass, a Buyer's Compass and an Executive View on the ExeonTrace product, and there are links that you can find in the slides when that is published as well. So with that, let's take a look at the questions. First question, let's see: do you install NDR agents on network devices only, or also on all endpoints, or is it part logs and agent information?
So this is a really good question. I'll start off and then you can jump in there too, Michael. NDR agents: well, I would say there are two major architectural models. So if you've got an appliance-based or even a virtual-appliance-based NDR solution, that doesn't really go on the endpoints or servers; that's something that needs to plug into, you know, your routers or switches. So you only need that wherever you have network equipment and/or the cloud.
There are also virtual images that are used to monitor and be able to take responses on cloud-hosted instances as well. So it's not something that has to go on individual endpoints and servers; it's purely at the network level. And then there's also, you know, another mode where you get those network devices to send their telemetry to an NDR console, and then the NDR console should be able to instruct them to do full packet captures or IPFIX or, you know, whatever is needed to collect all the information.
So yeah, to answer that part of the question: no endpoint agent is necessary. It has to be able to collect information from the network, and there are two major ways to do that. The second part was, is it part logs and agent information? And I think that's kind of covered there: it's not really logs, it's collecting, you know, more detailed network-level telemetry; it would be more like a SIEM if it was just sending logs. So you need much more detailed network-level telemetry to be able to really do NDR appropriately.
What are your thoughts on that, Michael? Yeah, I can talk from our vendor perspective. So we don't need any agents. We're taking log files, we're taking NetFlow protocol files. We can incorporate EDR log files, by the way. But we are completely agentless, because we cannot build agents for network devices, because we cannot go onto the operating systems of network brands. So log files and NetFlow, which is a protocol that is part of network devices and switches, by the way.
And so you can enable this and then use the information, because we are a software solution which is based on a server, and then we are working with all these kinds of data, and this builds up the complete communication across your network, network segments and whatever. Okay, great, thank you.
So yeah, feel free to enter another question or two in the question blank. We've got one or two more here we can take. The next one is: do companies who use a SIEM or EDR really need an NDR?
And if so, why? I would say yeah, because really doing network-level detection depends on network-level data, and you're not necessarily gonna get that from SIEM or SOAR unless you've got that visibility. And that's what NDR allows you to have: network-layer visibility into what's going on. And EDR, EPDR, endpoint protection, detection and response:
You know, the combination of endpoint security plus EDR is great, and I think absolutely mandatory. You need it on every business device that you can possibly put it on. But, you know, in the case of sophisticated attacks, attackers have been known to even wipe out EDR logs and, you know, occasionally, if they know how, disable some of those kinds of services.
So I think, you know, as I said before, NDR is sort of the last place that you can look for signs of an attack if a really knowledgeable attacker has been able to get in and clean up all traces of what they've been doing. What are your thoughts on that, Michael?
Yeah, one of the major differences is: a SIEM needs constant consulting and use cases. If you don't have use cases, you don't know what to search for, right? So it's not only the graphical view you need; like I said, if you're looking at the billions, millions of data points, you need machine learning algorithms which are designed for network communication. That's one of the big differences.
Second, if a SIEM has no use case, you have a blind spot, because you don't see it. And an analyst needs to write a use case for this first of all, and you need to constantly do this. The third one: a SIEM has a lot of false positives, as we get feedback from customers.
And the third, this is one of the major arguments: if you focus on the communication, you reduce false positive alarms. Yeah. So if you get more efficient in that case, you are quicker; you're looking for zero day because you don't need use cases to alarm on a network communication point, and that's an advantage. In addition, an EDR has no focus on the network communication; it's on the device-based level.
And you mostly need an agent, right? So you are missing all devices which don't have an agent installed from the EDR perspective. And sometimes you have devices where you can't install agent software. And we are closing this gap and this blind spot also. So we are an addition, and we are working closely together. In that case we cannot replace an EDR, but we can make them more efficient, because we have the complete network communication and focus on it. Yeah.
I wanted to follow up on something you said there that is really interesting. I mean we both mentioned machine learning and you know, just to explain why I think that's so important.
You know, if you think back 20 years ago, there were systems we called, you know, intrusion detection and intrusion prevention. And you might think of how we've described NDR and go, well, you know, this sounds a little bit like intrusion detection and intrusion prevention, and that's true. But what I think the key differentiator is here is that NDR really has to use ML.
I mean, because the volume of traffic even on a small business network is such that, you know, it'd be like looking for a needle in a haystack to find something that looked anomalous or even suspicious. So, you know, by looking at characteristics of network traffic, things like the HTTPS headers, the TLS, just keeping in mind which machines talk to which other machines normally, you know, doing that baseline, understanding what's regular for your environment and what is not.
That's something where you absolutely have to have ML in order to be able to do it at scale and at line speed. Like I mentioned, a 2000-employee company, right? Generates 18 million flows per second, as I said.
And if you look at 1.5 million DNS requests per second, right? And then millions of HTTP requests per second. So you have billions of data points which you need to look through; you have to optimize them before you start machine learning, and without machine learning you get lost. Nobody can do this manually or see this. Right. And just a reminder: you use this mostly if it's too late, if the hacker is on your network. Yeah.
So NDR is your last instance. I guess the hacker is on your network before you: if an NDR is detecting that, you have it in, and there's no doubt, and it's the way to protect you at the very last end, when a hacker is successful, right? And you should be aware of that case. Right? You know, one more thing to add there too.
I mean, thinking about the answers to the poll questions: what's your biggest problem in cybersecurity? And it's having too many tools.
You know, I get that, I fully understand that, because it can be costly, it can be difficult to manage. But, you know, again, we go back to visibility and another plane for control. Not having visibility and control at the network layer can be, you know, catastrophic at times.
If an attacker is able to gain control of, you know, many endpoints, then you can be fighting an uphill battle to just remediate and get the attacker out of your environment. But if you can control the network, that certainly gives you an advantage in things like, you know, very sophisticated APT campaigns.
Yeah, I mean, I remember a while ago where we said, you know, the bird, when there was a danger, put its head in the sand, right? And you can go two ways: you can say, yes, I have too many tools; if I don't know it and if I don't see it, I don't care about this. But I guess especially in this time, it doesn't help us. You need to prepare, you need to think in the long run. You need to fix the problems in your network.
And by the way, visibility shows you... I mean, we just had a customer, he says: wow, I had no idea that I had 20 FTP servers in my network, I'm seeing telnet sessions which I thought were gone, right? So he had open doors in his network and nobody was aware of that, and you need to close this, but because you don't see this... it's just a small example. Visibility is one thing, and security visibility, by the way, is much more important than just performance or error visibility in that case. And that's why I think the role of an NDR will be more important. Agreed.
Well, let's take one more here, and this is kind of product-specific, so I'll leave it for you, Michael: what makes Exeon NDR different compared to other NDRs in the market? We're not using just network collection. We are also using other protocols, like I said, DNS, proxy, and even going extended so that you have special log files. So this is one specialty of Exeon.
Second, we are built from a workflow perspective exactly how SOC analysts are working. And that is feedback from our customers. So it's software, right? That's a differentiator, but you have other software vendors.
Yeah, but the combination: on one side, we're using network communication from the network log files, including EDR, to make sure that the false positives... no, I was wrong, sorry, my English. We are using the extended part to make sure that any alarm that is brought up on communication has, let's say, 99% accuracy. And so we are looking beyond network detection, we are including other parts, so that you've got a bigger picture of what's going on in your communication in that case.
And that's the goal of our analyzing the communication and looking a little bit beyond the network part, going an extended way. And the last point: we are local, the data are local, the data are stored in the core of your network, or if you have a cloud strategy, you can install this in the cloud, but you have everything local so that you can use it in a local way. That's, for Germany, also very important. Good. So I guess our time is gone, John? Yeah. Yep. We're almost at the top of the hour. So thanks everyone for joining in.
Thanks for watching the webinar, and thanks Exeon and thanks Michael for your great presentation today. Thanks John, it was a pleasure to talk to you and discuss with you; I hope you enjoyed it and found a lot of fruitful information.
Yes, yes. Thank you.