Your 2021 Security Strategy:

NDR or XDR?

December 9, 2020

  • By working with cloud providers to open up packets to security vendors, network detection and response has enabled the same comprehensive visibility in the cloud that it gives elsewhere.
  • Most XDR solutions come with the risk of vendor lock-in, preventing security teams from seeking out best-of-breed solutions for network, endpoint and logs.
  • ExtraHop’s Mike Campfield says network data should be a foundational component of your security strategy, and it’s worth considering pure-play network detection and response over a solution with some high-level network monitoring included in the mix.

 


2020 brought with it a series of changes (with very little notice) and left even less time for planning. The proliferation of remote access and accelerated cloud adoption will only continue in 2021, but this time we’ll have a bit more time to prepare. It’s time to think critically about what’s working in your security strategy and what could stand to be improved. The addition of network detection and response (NDR) to your toolset may be the critical missing link.

 

 

The Data Lake Unicorn

There are a number of potential data sources for security. In an ideal world, you’d have a single, shimmering lake of information, with every tool looking at the same data. Unfortunately, that’s not the world we live in. Data isn’t water: it’s complex and abstract, existing in many different formats and languages.

 

Traditionally, security professionals have looked first at the data provided by endpoint and logging tools. Until recently it was impossible to process 100% of a network’s data – there was simply too much of it. Now with machine learning, and by using the vast computing power of the cloud, technology can drink from the data firehose for us and return actionable insights.

 

Because of technology advances, NDR can process and reveal insights into the large data sets generated by network traffic. You should consider reversing the traditional approach by looking at network data first and using that as the foundation of your security strategy. That’s where NDR comes in.

 

 

What is Network Detection and Response?

Network detection and response is one the fastest growing cybersecurity categories in the market today. NDR solutions complement and enhance the current capabilities of log aggregation and analysis tools (SIEM) and endpoint detection and response (EDR) products.

 

NDR solutions passively ingest and analyze Layer 2 to Layer 7 network data and monitor north-south and east-west traffic. This solution category generally applies advanced behavioral analytics and cloud-scale machine learning to rapidly detect, investigate and respond to threats that might otherwise remain hidden.

 

 

Why Network Data First?

Network data is a foundational source of information. Maybe it’s tautological, but looking at the network can tell you what’s on your network. Being able to see every transaction that spans the network offers an understanding of your attack surface without needing an agent on every device. It offers a logical starting place from which to build.

 

For example, network traffic can potentially identify every device that’s connecting. That comprehensive inventory can be used to ensure that endpoint agents are deployed on every device that can support them (and that devices which can’t support agents are still monitored).

 

There are many cases where network visibility can expose the blind spots that other tools miss. Those traditional security tools also have gaps in their cloud coverage, and with cloud adoption rapidly accelerating, there’s a strong case for NDR as a central tenet of security.

 

 

NDR in the Cloud

We’re living in a hybrid and multi-cloud world. The complexity of these infrastructures makes seamless security coverage a real challenge.

 

By working with cloud providers to open up packets to security vendors, network detection and response has enabled the same comprehensive visibility in the cloud that it gives elsewhere. Higher-quality insights and fewer false positives can save time and prevent alert fatigue for chronically understaffed security professionals. Decisions can be made in real time and in context, based off of the most powerful, objective, complete source of data: the network.

 

That’s why network detection and response is one of the top-growing segments in security today.

 

 

How Does XDR Compare?

A (very) simplified overview of extended detection and response (XDR) is that it ingests data from many different sources, applies machine learning for detections and puts it all into a single UI. That probably sounds appealing to most network pros. There’s certainly the potential to simplify workflows if the alternative is three or more separate UIs, although integrations can arguably offer similar benefits.

 

One challenge to the XDR model goes back to that non-uniform data lake. Machine learning requires a consistent and well-understood set of normalized data. Every security product has developed its own data models and each model is inherently distinct due to the way different products function. As such, no single ML model would work for another product’s data set.

 

Processing and drawing meaningful conclusions from endpoint data is a completely different kettle of fish than understanding network data. The question is: how likely is it that the vendor best at understanding logs is also going to be the best at analyzing the network?

 

Most XDR solutions come with the risk of vendor lock-in, preventing security teams from seeking out best-of-breed solutions for network, endpoint and logs. It risks limiting them to a single vendor’s options. Should you throw out your best-of-breed tools to go back to the UTM model of the early 2000s?

 

 

Planning For 2021

Network data should be a foundational component of your security strategy, and it’s worth considering pure-play network detection and response over a solution with some high-level network monitoring included in the mix. Looking for vendors with strong integrations and core competencies that align with their product portfolios can simplify your workflows faster than that all-in-one XDR dream.

Mike Campfield
Mike Campfield | VP, GM of International Operations and Global Security Programs at ExtraHop
Mike Campfield is the VP, GM of International Operations and Global Security Programs at ExtraHop. Mike has been in Security, Risk, and Information Management Industry for over two decades. Prior to ExtraHop, Mike was at FireEye and EMC where he held several key roles on the FireEye Threat Analytics Platform team and leading the GTM for EMC's cloud File Sharing and Cloud Storage business unit. Mike specializes in helping advise on Security program maturity and worked with many leading Security programs to enhance their incident response and security operations capabilities.
Would you like to speak to an advisor?

How can we help you today?

Image
field-guide-cloud-list-image@2x.jpg
Cybersecurity Field Guide #13: A Practical Approach to Securing Your Cloud Transformation
Image
OptivCon
Register for an Upcoming OptivCon

Ready to speak to an Optiv expert to discuss your security needs?