Network Detection and Response (NDR)

Learn how organizations monitor, detect, and respond to suspicious network activity.


What is network detection and response?

Network detection and response (NDR) is the practice of applying rules or signatures to network traffic in order to automatically trigger alerts for activity that could indicate malicious behavior.

The NDR solution category evolved from what was previously known as network traffic analysis (NTA), which was likewise designed to monitor network traffic. The broadening in scope was a response to the need for the category to include automated response actions in standard solutions.

This means that most modern solutions have the capability to monitor, detect, and respond to potential threats. In other words, once a threat is detected, security staff can immediately take steps to contain or respond to it, quickly killing a malicious process or isolating an infected endpoint.

According to Gartner®, organizations rely on NDR to detect and contain post-breach activity such as ransomware, insider threats, or lateral movement. Core capabilities include:

  • The ability to collect activity from raw traffic
  • Enrichment of metadata at collection time or during incident analysis
  • Deployment from form factors compatible with on-premises and cloud networks
  • Machine learning (ML) techniques to baseline normal activity and detect abnormal behaviors
  • Alert aggregation into logical security incidents based on multiple factors, not just alert IDs and duplicate alerts
  • Automated responses, such as host containment (through integration) or traffic blocking

How does network detection and response work?

NDR works by bringing together a team of security professionals to put in place processes to monitor, detect, and respond to alerts that could negatively affect the integrity of the network and the business. Let's take a closer look at these processes:

Detecting suspicious and potentially malicious activity

One of the most important aspects of this process is the ability to access real-time information about user activity, application activity, and network activity. In addition, network data should be easily searchable so that analysts can accelerate investigations into alerts based on suspicious activity. It's also important to be able to build custom alerts as well as access a library of attacker behavior analytics, so that the process starts from a wealth of information about past suspicious activity.

Baselining network behavior

It is critical to establish a baseline of usual network behavior and actions so that automated systems know what is normal and what is suspicious. For example, user behavior analytics (UBA) help your team quickly determine whether a potential threat is an outside attacker impersonating an employee or an employee who presents some kind of risk, whether through negligence or malice. UBA connects activity on the network to a specific user, as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user.
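The per-user baselining described above, as an added example (not Rapid7's or any vendor's code): flows are attributed to users through an assumed IP-to-user mapping (in practice derived from DHCP or authentication logs), and each user's current daily outbound volume is compared with that user's own history, so a user who moves to a new IP is still measured against their own baseline. All mappings and flow records are constructed sample data.

```python
"""Per-user volume baselining over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed identity mapping (assumption: built from DHCP/auth logs).
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.12": "alice", "10.0.0.9": "bob"}

# Constructed flow summaries: (day, src_ip, dst_ip, dst_port, bytes_out).
# On d5 alice appears from a new DHCP address with a large upload over SSH.
FLOWS = [
    ("d1", "10.0.0.5", "203.0.113.7", 443, 1_200_000),
    ("d2", "10.0.0.5", "203.0.113.7", 443, 1_100_000),
    ("d3", "10.0.0.5", "203.0.113.7", 443, 1_300_000),
    ("d4", "10.0.0.5", "203.0.113.7", 443, 1_250_000),
    ("d5", "10.0.0.12", "198.51.100.2", 22, 9_000_000),
    ("d1", "10.0.0.9", "203.0.113.7", 443, 4_000_000),
    ("d2", "10.0.0.9", "203.0.113.7", 443, 4_200_000),
    ("d3", "10.0.0.9", "203.0.113.7", 443, 3_900_000),
    ("d4", "10.0.0.9", "203.0.113.7", 443, 4_100_000),
    ("d5", "10.0.0.9", "203.0.113.7", 443, 4_300_000),
]


def daily_volume(flows, ip_to_user):
    """Attribute each flow to a user (not an IP) and sum bytes_out per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _port, nbytes in flows:
        user = ip_to_user.get(src, f"unknown:{src}")
        totals[user][day] += nbytes
    return totals


def baseline(per_day, current_day):
    """Mean and population stdev of the user's history, excluding the day under test."""
    history = [b for d, b in per_day.items() if d != current_day]
    return mean(history), pstdev(history)


def anomalies(flows, ip_to_user, current_day, threshold=3.0, min_history=3):
    """Return {user: z_score} for users whose current-day volume exceeds their own baseline."""
    flagged = {}
    for user, per_day in daily_volume(flows, ip_to_user).items():
        if current_day not in per_day or len(per_day) - 1 < min_history:
            continue  # no observation today, or too little history to baseline
        mu, sigma = baseline(per_day, current_day)
        delta = per_day[current_day] - mu
        z = (0.0 if delta == 0 else float("inf")) if sigma == 0 else delta / sigma
        if z > threshold:
            flagged[user] = round(z, 1)
    return flagged
```

Alice's d5 traffic is flagged even though it comes from an address with no history of its own, while Bob's slightly higher d5 volume stays within his baseline.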

Detecting network incidents

NDR solutions should have the ability to take automated actions when an incident is detected. From quarantine and connection termination to executing a series of predefined actions developed by security operations center (SOC) analysts, it should be possible these days to rapidly take down an attacker if a network perimeter is breached, whether on premises or in the cloud. Actions taken during this process would include deep-dive analysis of incidents, reverse engineering attack methods such as malware, and creating intrusion reports.

Creating threat feeds

A threat intelligence (TI) feed should be a continuous stream of data that informs automated threat prioritization and remediation efforts. A TI feed should help a security organization compensate for its potential lack of context for certain threats. Threat feeds come in many forms, from open-source community-driven lists to paid private feeds. The effectiveness of these feeds depends largely on several factors:

  • Intel type (hashes, IPs, domains, context, strategic)
  • Implementation
  • Age of the indicators
  • Intelligence source

Contextual intelligence feeds provide analysts not only with indicators of compromise (IoCs) but also a thorough explanation of the attacker's use of infrastructure and tools. Feeds containing contextual information are far more effective for successful threat detection.

What are the benefits of network detection and response?

The benefits of NDR are vast. There is no limit to the protection, detection, and overall benefits that can come from closely monitoring your network for malicious activity and enacting quick responses. Here are a few of those benefits:

  • High-fidelity alerts: Alerts should contain a wealth of context so that you can make better decisions, remediate issues, reduce risk, and quickly contain alerts.
  • Behavior-based detection: Enable attack detections with high-fidelity network data that helps identify novel variations of new attacker techniques.
  • Evolving detection quality: Alerts should typically detail how recent adversary groups have used similar techniques in confirmed attacks. This way, everything stays up to date and teams can be assured their detection techniques are ever-evolving.
  • Context: Indicators of attack should appear on a visual timeline in a detection and response (D&R) solution alongside unusual behavior. This combination makes it even easier for your team to perform investigations and have confidence in the results of the findings.

What are the limitations of network detection and response?

NDR is a must-have, but modern attacker methodologies extend beyond the network, and your security coverage should as well. NDR is very good at examining network logs, but it doesn't cover endpoint alerts and events, and it also doesn't extend to the cloud.

For this reason, NDR products aren't typically used as standalone solutions. Rather, they're part of a suite of solutions that offer comprehensive coverage for true extended detection and response (XDR). This includes:

User endpoint telemetry

User telemetry provides insight into file and network access, registry access or manipulation, memory management, and start and stop activity. Detected anomalous behavior may include processes spawning command shells, memory injections, or access to unusual file locations.

Server endpoint telemetry

Server telemetry provides information about widely varying data. Because servers handle so many important organizational functions, XDR telemetry can help prioritize investigations and remediations of incidents on a more macro level.

Network telemetry

Network telemetry provides insight into traffic, especially sudden increases in volume, new network protocols, or anomalous privilege escalation. Advanced encryption methods can often hinder deeper network analysis that could otherwise thwart threat actors. Combined with endpoint telemetry, network traffic analysis can form the foundation of XDR.

Cloud telemetry

Cloud telemetry provides insight into infrastructure. This can include detecting security anomalies for any cloud workloads or deployed components. Attackers specifically targeting an organization's cloud can easily gain access with the proper credentials, so it's important to leverage the advanced detection technology of XDR to hunt threats faster and fortify cloud environments.

Accelerating defense in depth

By using attacker behavior analytics (ABA) as a methodology, teams can quickly develop new rules for emerging attacker behavior and push detections out within minutes of discovering a new technique or trend. UBA is adept at identifying breaches in the "lateral movement" phase of the attack chain. ABA enables detection of attacker activities in all other phases of the attack lifecycle.

Gartner, Market Guide for Network Detection and Response, Jeremy D'Hoinne, Nat Smith, Thomas Lintemuth, 14 December.