Evolving beyond reaction: Putting AI into NDR


It is an uncomfortable truth that across Europe and the US, the strategies, tactics, rewards, and risks for cyberattacks have changed, whilst companies’ safeguards have not.

Put simply, cyberthreats have evolved, and cybersecurity is playing catch up. Artificial Intelligence (AI) is a critical part of this evolution.

Evolving beyond reactive approaches

The first step is to develop capabilities beyond the reactive firewalls, antivirus programs, intrusion detection systems (IDS) and intrusion prevention systems (IPS) that treat the effect of a cyberattack, but not the cause.

In the case of the innovative, advanced persistent threats seen recently, the use of these technologies is already too late. If the attacker is already in the system, the damage has been done.

NDR has arisen as one of the few methods of recognising attacks while they are still being developed, and “nipping them in the bud.”

NDR solutions intervene at the point of anomaly detection through the proactive monitoring of network traffic. They take automated countermeasures before an attack vector can be exploited.

There are several techniques that NDR uses to enable this threat recognition:

    1. Behavioural analysis: NDR systems monitor the behaviour of devices, users, and applications in the network to detect anomalies. NDR systems can recognise when a device or user is acting outside of its normal pattern of behaviour.
    2. Automation and orchestration: NDR systems provide automated reactions to known threats. For example, they can automatically isolate a host or a user, or send a warning to the security team.
    3. Real-time monitoring: NDR systems provide real-time monitoring of network activities, so that threats can quickly be recognised and reacted to.

These methods make NDR systems more efficient and precise than traditional IDS/IPS systems. But the next stage in the development of NDR is driven by AI and, specifically, machine learning (ML): continually recognising patterns of attack and behavioural anomalies in real time, and reacting to them.
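To make the behavioural-analysis and automated-reaction techniques listed above concrete, here is an added illustration that is not code from the original article or from any NDR product. It learns a per-device baseline (median and MAD of outbound bytes, plus the destination ports seen) from constructed flow summaries, scores later windows against it, and applies a simple playbook that only escalates from "alert" to "isolate" when the anomaly persists, which is one way such systems keep false positives down. Device names, window sizes and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry, one record per device per 5-minute window:
# (device, window_index, bytes_out, set_of_destination_ports)
FLOWS = [
    ("ws-01", 0, 1_200_000, {443, 53}), ("ws-01", 1, 1_050_000, {443, 53}),
    ("ws-01", 2, 1_300_000, {443, 53}), ("ws-01", 3, 1_100_000, {443, 53}),
    ("ws-01", 4, 1_250_000, {443, 53}), ("ws-01", 5, 1_150_000, {443, 53}),
    # windows 6-7: sustained outbound spike to a port never seen in the baseline
    ("ws-01", 6, 9_800_000, {443, 53, 4444}), ("ws-01", 7, 11_200_000, {443, 4444}),
    ("srv-db", 0, 400_000, {5432}), ("srv-db", 1, 420_000, {5432}),
    ("srv-db", 2, 390_000, {5432}), ("srv-db", 3, 410_000, {5432}),
    ("srv-db", 4, 405_000, {5432}), ("srv-db", 5, 415_000, {5432}),
    # window 6: a single burst on a known port, then back to normal
    ("srv-db", 6, 3_000_000, {5432}), ("srv-db", 7, 400_000, {5432}),
]
BASELINE_WINDOWS = 6   # assumed learning period per device
K = 5.0                # assumed robust z-score threshold

def build_baselines(flows):
    """Per device: median and MAD of bytes_out, and ports seen, over the learning period."""
    per_dev = defaultdict(list)
    for dev, w, b, ports in flows:
        if w < BASELINE_WINDOWS:
            per_dev[dev].append((b, ports))
    base = {}
    for dev, rows in per_dev.items():
        vals = [b for b, _ in rows]
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0   # avoid division by zero
        base[dev] = (med, mad, set().union(*(p for _, p in rows)))
    return base

def score_window(base, dev, bytes_out, ports):
    """Return the reasons this window deviates from the device's baseline (empty = normal)."""
    med, mad, known_ports = base[dev]
    reasons = []
    if (bytes_out - med) / (1.4826 * mad) > K:   # MAD scaled to a std-dev equivalent
        reasons.append("volume")
    if ports - known_ports:
        reasons.append("new_port")
    return reasons

def respond(flows, base):
    """Playbook: one anomalous window -> alert; two consecutive with a new port -> isolate."""
    actions, streak = {}, defaultdict(int)
    for dev, w, b, ports in sorted(flows, key=lambda r: (r[0], r[1])):
        if w < BASELINE_WINDOWS:
            continue
        reasons = score_window(base, dev, b, ports)
        streak[dev] = streak[dev] + 1 if reasons else 0
        if streak[dev] >= 2 and "new_port" in reasons:
            actions[dev] = "isolate"
        elif reasons and actions.get(dev) != "isolate":
            actions[dev] = "alert"
    return actions
```

Running `respond(FLOWS, build_baselines(FLOWS))` isolates ws-01 (sustained spike plus an unseen port) but only raises an alert for srv-db, whose one-off burst on its usual port does not persist.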

What does AI bring to NDR?

AI and ML play a decisive role in improving all aspects of Network Detection and Response.

Both AI and ML are used to enable behaviour-based threat recognition. Instead of relying on known signatures or predefined rules, behaviour-based recognition investigates the behaviour of network components and identifies threats based on deviating or unusual patterns of behaviour, in real time.

Remediation options then include blocking IP addresses, isolating affected devices, the use of security patches or updating firewall rules. Because reactions have been automated, reaction times are shortened, and potential damage is minimised.

AI-infused NDR systems can also reduce false positives and trigger automated defensive measures. Through the automation of these reactions, security teams can react more quickly and effectively to incidents and reduce the risk of harm and data loss. AI and ML-supported systems can also improve the investigations, by automatically preparing relevant data and information related to a security incident.

When compared to more traditional security approaches such as firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), NDR enables companies to:

    1. Recognise unknown threats: NDR can detect behaviour-based anomalies with the aid of AI and ML, so it can identify unknown and zero-day threats, which could be overlooked by traditional security systems.
    2. Improve network transparency: NDR offers a deeper and more comprehensive view of the network traffic than conventional approaches, so security teams can see suspicious activities and anomalies in the network and react to them more quickly.
    3. React faster to incidents: Thanks to automation and real-time analysis, NDR reacts faster to security incidents. Reducing the timespan between recognition and reaction minimises the risk of damage and data losses.
    4. Reduce false alarms: Using AI and ML, NDR can more effectively differentiate between normal and abnormal behavioural patterns. This leads to a reduction of false alarms (false positives) and enables security teams to concentrate on actual threats.
    5. Proactively hunt threats: Unlike conventional security approaches, which are passive and reactive, NDR enables security teams to proactively search for threats in the network and take preventive measures.
    6. Improve incident response: Through the real-time analysis of network traffic and the continual monitoring of anomalies and threats, security teams can better understand the scope, the cause, and the effects of an incident. This enables a faster and more effective reaction, in order to minimise potential harm and to accelerate the recovery of systems and services.

Conclusion – the future of AI and NDR

In an increasingly networked world, in which IT risks are becoming ever more complex and cyber threats ever more sophisticated, Network Detection and Response is an essential component of the security strategy. But in order to improve security, detection, and reaction, NDR needs Artificial Intelligence and Machine Learning to continually monitor the network traffic and identify threats.

Advances in AI and ML will contribute to making NDR systems more efficient and precise in the detection and recognition of threats. Furthermore, the integration of NDR solutions into companies’ comprehensive IT security architecture, including cloud security and IoT device security will be of vital importance. Through the use of NDR technologies, companies can strengthen their security and prepare for the challenges of a continually developing threat landscape.