Cyber Defense eMagazine July 2021 Edition

NDR technology is built on three principal tenets to provide SOC/IR teams:
●
●
●
Visibility to and metadata retention of corporate network traffic across cloud and core networks;
Advanced detection techniques designed to identify presence of adversaries inside the
organization; and
Capabilities to triage, threat hunt, and investigate activity to understand the adversaries’ activities
and formulate comprehensive response plans.
These fall into the category of three steps forward, but NDR technology can force SOC/IR teams to take
three steps back if we don’t redefine how SaaS-NDR solutions are delivered.
Guided-SaaS Step 1: No longer… In The Dark
Sixty-nine percent of IT and security practitioners cite network visibility as the top reason for SOC
ineffectiveness. As packets are tamper-proof (unlike EDR logs), NDRs provide network context to
confidently triage, hunt, and investigate threats effectively. But NDRs don’t magically provide
comprehensive visibility. While traditional SaaS-based NDR vendors might work to ensure optimal
visibility at the time of deployment, the responsibility falls on the customer’s security teams to make sure
the NDR sensors are functioning properly and that the right mirrored traffic is getting to the NDR as
networks dynamically change. That’s easier said than done in today’s complex hybrid-world and it doesn’t
take long before blind spots popup and the SOC/IR team are left in the dark. A Guided-SaaS NDR
delivery model recognizes the importance of including expert lead routine visibility and health checks,
where the vendor’s specialists assist to optimize visibility and ensure the NDR sensors are healthy.
Guided-SaaS Step 2: No longer… Distracted.
Perhaps the most alarming statistic is that 84% of IT and security practitioners also reported that the
“Minimization of false positives” as the most important SOC activity. While NDRs provide anomaly-based
machine learning detection techniques, they come at a very expensive cost. Most NDRs require an initial
4 weeks of laborious efforts by security analysts to ‘train’ the technology on what is benign and malicious
with the end goal of at best ‘reducing’ false positives if done properly. Oh, and then security analysts
have to come back and routinely retrain the solution. In other words, the NDR vendor is putting the burden
on the customer, distracting them from their focus of identifying and responding to adversaries. That is
a crime.
Cloud-native NDRs afford us a different approach. With machine learning, behavioral analysis, and threat
intel-based detection engines working in the vendor’s cloud, Guided-SaaS NDR vendors can perform the
QA and training of their detection engines for their customers, producing high true-positive findings and
removing tedious distractions from the SOC/IR team.
Guided-SaaS Step 3: No longer… Alone.
It’s no secret to anyone with experience in day-to-day SOC activities that the job is intense with 70% of
SOC analysts reporting burnout due to the high-pressure environment. Not only is it a race to respond
before adversaries carry out their mission, but it's daunting to face the challenge without external
support… effectively going it alone. It is here where redefining SaaS can provide a unique benefit to
customers. One of the adjacent advances linked to SaaS offerings is software vendors embracing
Cyber Defense eMagazine – July 2021 Edition 93
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.