Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
  • Residence:
  • County:
  • Country:
Cyber Security Incident Response
Management & Architecture of Cyber Security Teams
Solutions & Coaching
  • Cyber Security Incident Response
  • Management & Architecture of Cyber Security Teams
  • Solutions
  • Training & Coaching

Is Traffic Mirroring for NDR Worth the Trouble? We Argue It Isn’t

September 2, 2021

Community Detection & Response (NDR) is an rising know-how developed to shut the blind safety spots left by standard safety options, which hackers exploited to realize a foothold in goal networks.

These days, enterprises are utilizing a plethora of safety options to guard their community from cyber threats. Probably the most distinguished ones are Firewalls, IPS/IDS, SIEM, EDR, and XDR (which mixes the performance of EDR and SIEM). Nevertheless, all these options endure from safety gaps that stop them from stopping superior cyber-attacks effectively.

NDR was developed based mostly on Intrusion Detection System (IDS). An IDS answer is put in on the community perimeter and screens the community visitors for suspicious actions.

IDS techniques endure from many downsides that make them inefficient in stopping trendy cyber-attacks: IDS use signature-based detection strategies to find irregular actions, making them unable to identify unknown assaults.

As well as, IDS techniques set off a lot of safety alerts. This leads to losing safety staff time and making them unable to analyze all safety alerts. And at last, IDS was not constructed to offer any response or investigation capabilities, making it unable to reply effectively to ongoing cyberattacks.

Community Detection & Response to extract data from community visitors

NDR was the response to mitigate the downsides that IDS techniques fail to guard. NDR techniques transcend signature-based detection and analyze all community visitors coming inside or exiting the community and create a baseline of regular community exercise. The baseline is used later to check present visitors with common community exercise to detect suspicious behaviors.

NDR options make the most of superior applied sciences to detect rising and unknown threats, comparable to Machine Studying and Synthetic Intelligence (AI). Utilizing these applied sciences permits NDR techniques to transform data gathered from community visitors into actionable intelligence used to detect and cease unknown cyber threats.

An NDR answer can run robotically impartial of human supervision to detect cyber threats and reply to them. NDR may also combine with present safety options comparable to SIEM and SOAR for enhanced detection and response.

Conventional NDRs flaws in dealing with encryption and the growing quantity of information

Up till now, NDRs relied on visitors mirroring, usually mixed with {hardware} sensors to extract the data – similar to how IDS used to do it. Nevertheless, there are three game-changers more and more difficult this strategy:

  1. A big share of web visitors is encrypted, based on the Google Transparency Report, already 90% of the net visitors. Due to this fact, the standard visitors mirroring can’t longer extract data from payload and is thus dropping its effectiveness.
  2. Growing bandwidths and new networking applied sciences, making visitors mirroring costly and even infeasible.
  3. A shift in the direction of extremely distributed hybrid networks the place merely analyzing visitors on one or two core switches is not sufficient. Many assortment factors must be monitored, which makes visitors mirroring-based options much more costly to function.

Taking these developments under consideration, mirroring networks is just not a future-oriented answer for securing networks anymore.

ExeonTrace: A trusted future-proof NDR answer

ExeonTrace doesn’t require mirroring the community visitors to detect threats and decrypt encrypted visitors; it makes use of algorithms that do not function on payload, however on lightweight community log information exported from an present community infrastructure through NetFlow.

This permits it to analyse metadata passing via the community at many assortment factors to find covert communication channels employed by superior menace actors, comparable to APT and ransomware assaults.

NetFlow is an open normal that permits networking gadgets (e.g., routers, switches, or firewalls) to export metadata of all connections passing via them (bodily community, virtualised setting, and personal cloud setting – or what is named north-south and east-west monitoring functionality). Thus, this strategy is perfect for distributed networks which embrace cloud environments as properly.

ExeonTrace answer offers complete visibility over your complete IT setting, together with related cloud providers, shadow IT gadgets, and may detect non-malware assaults comparable to insider threats, credential abuse, and information exfiltration. The whole community visibility will make it possible to examine all community visitors coming into or leaving your enterprise community.

ExeonTrace is not going to cease right here, as it’ll monitor all inside interactions between all gadgets throughout your enterprise community, to detect superior menace actors hiding in your networks, comparable to APT and Ransomware.

ExeonTrace’s utilisation of supervised and unsupervised Machine Studying fashions permits it to detect non-malware threats, comparable to insider menace, lateral motion, information leakage, and inside reconnaissance. ExeonTrace additionally allows the addition of network-based customized rulesets to confirm all customers are adhering to the applied safety insurance policies (e.g., stopping customers from utilizing explicit protocols). On high, ExeonTrace can combine with accessible menace feeds or use a customer-specific menace feed to detect recognized threats.


NDR techniques have grow to be a necessity to cease the ever-increasing variety of cyberattacks. Conventional NDR options have to mirror the whole community visitors although to analyse packet payloads, which is not efficient in stopping trendy cyber threats that leverage encryption to hide their actions. As well as, mirroring the whole community visitors is turning into more and more inconvenient, particularly with the large rise of information quantity passing via company networks. A future-proof NDR like ExeonTrace that depends on the evaluation of metadata permits to mitigate these downsides – and will subsequently be the imply of selection to guard company networks effectively and successfully.

Posted in SecurityTags:
Write a comment