Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm an analyst and advisor at KuppingerCole.
My guest today, and I'm really looking forward to that, is John Tolbert. He is lead analyst and managing director of KuppingerCole Inc in Seattle, so the US leg of KuppingerCole, and today we will talk about NDR.
Good to have you again.
Yeah. Great to be here again.
First of all, we have just an acronym, NDR. This is the starting point. What does this acronym stand for?
Well, NDR stands for network detection and response. It's kind of been shortened in general by the industry to match EDR or endpoint detection and response. But I think there's a letter that's kind of key that we leave out there and that's T, threat. So it's really network threat detection and response. It's looking for threats that are on the network that may not have been detected elsewhere. So NDR is network detection and response.
This is part of a layered security approach, I understand. So what would be the, the threats and the, yeah, the dangers that are around that would slip through everything else and that NDR?
Well, yeah, you know, it's kind of viewed in many circles as a sort of a last line of defense. Typically everyone should have endpoint protection or, you know, like next generation anti-malware, so EPP, endpoint protection, you know, that also covers things like URL filtering, endpoint firewall. So it's kind of like a complete package of protecting the endpoint. And then about eight or nine years ago, some startups in the security realm created EDR, endpoint detection and response. So that was designed to look at things that may have slipped past the endpoint protection, malware that it may have gotten through. And, you know, it was behaving in a healthy way. So EDR has become somewhat commonplace. It's still not everybody uses it, but most of the big security stack vendors have integrated EDR into their EPP products. So then enter network detection and response. There have been cases where, particularly with APT or advanced persistent threat, but these are the incidents that are perpetrated by state actors, usually trying to steal intellectual property or other kinds of secrets. NDR can sit on the network and look for advanced malware and communication that may have been missed by EPP or even the EDR products. And that's why it's sometimes, it's the last place to see evidence of some sort of security incident going on.
Okay. So it's that part of security infrastructure that is mostly transparent to the end user. They don't even realize it's there and it's just doing its work. How does it come into your network? I understand there is, there's lots of intelligence in there to understand what's going on. So where actually would this sit? How is it deployed?
Well, you know, you're right. It's not something that end-users directly interact with. It's more of an IT shop security kind of solution. It comes in a couple of different forms, either on an appliance, you know, with a hardened OS, and you stick the appliance generally like off of a, a SPAN or a TAP port on your network. And it will take in all the traffic going by and analyze it. In some cases it can be deployed inline. And by that, we mean, you know, given the amount of traffic that is encrypted these days, if you stick a, an appliance in there and decrypt the traffic and read the traffic, some, some vendors and their customers believe that's a more effective solution than simply looking at network connection metadata, but there are two very significantly different approaches there. So it's either the inline mode where you're decrypting or sort of a more passive mode where it's listening and analyzing the network connection metadata.
So back to the format, it can either be an appliance, a virtual appliance, or there are cloud images, AMIs, and things like that, for infrastructure as a service environments. I will say that with regard to the inline decrypting type of deployment, many vendors and customers are not really interested in that because they see a potential increase in risk by turning the security product into a vector for potential attack. And most companies believe, or most NDR vendors believe, that they can achieve the same level of ability to understand what's going on on the network simply by looking at the network connection metadata and applying various machine learning to understand, you know, whether or not the traffic itself seems to be malicious or suspicious.
But if we look at the, at the mere amount of data that's going on in such a, in such a network, even just looking at the, at the metadata of the network connections is an immense amount of data. So you've mentioned already, so it's, it's, it's machine learning that's, that's coming into play here as well. So how are these, these huge machines that can really do that? Or how do they deal with the immense amount of data to identify what's relevant and what's not?
You know, in terms of processing power, I think, you know, the appliances are definitely pretty, pretty sturdy. And one thing I learned as a result of doing the recent Leadership Compass on NDR is that I'd say the median traffic flow across an NDR deployment is around 10 gigabits per second, which is pretty impressive. When you think about it, that you could either in inline mode or more often the passive mode be able to scan 10 gigabits per second of data and look for, you know, anomalous patterns and things like that.
And this is something that the typical IT security analyst, then what you saw, or the input that is gathered by this system would be direct input to the analyst or input to the SOC, to the security operations center.
Yes. So hopefully a lot of the pre-processing is done by the NDR solution with those ML algorithms, but eventually when things are discovered, it would likely go to the SOC and security analysts would take over and investigate.
Okay. And you've just mentioned that you did this Leadership Compass, so you have an overview over the products and over the different flavors they come in. Where are the, what are the typical use cases where you already see this technology being deployed, where they do, they play out their strength?
I would say most commonly you find these solutions in organizations that have pretty high security needs. I was mentioning APT, those that feel like they may be under APT attack, whether that's, you know, government, defense, aerospace, public utilities, increasingly the oil and gas industry, so large companies and organizations within those industries in particular, but, you know, even IoT networks, especially networks in hospitals and clinics that have IoT devices or devices, you know, with IP addresses. The typical example, the MRI machine, you know, in many of these cases, they can't run endpoint protection or EDR kinds of clients on these devices because they're just not really capable of it. They, you know, they don't have a full-fledged operating system and even trying to add software, you know, invalidates the warranties. So sometimes using a product like NDR on IoT and medical networks is really the only way for getting any kind of information about, are there threats on those networks? So those are, I would say, the typical use cases: places where high security is mandated, IoT, ICS, SCADA, and medical networks.
For many of our audience, maybe this NDR is just yet another acronym, and it comes across them for the very first time. But is this something that is around for some time? Is it mature? Is it a mature market when it comes to diverse and individual offerings from the vendors?
I would say it's maturing and growing. Again, it has advantages that can find potential threats in places where other kinds of security solutions have not. So I think there's definitely value for the customers that are deploying it. But, you know, at this point, I just discovered as a result of doing the Leadership Compass, not everybody really agrees on the feature set. For example, some companies will tell you sandboxes are out of scope, but a sandbox is a, you know, let's say a device on the network, an appliance, where if you catch a, what you think is malicious activity or malware, you send it off to the sandbox to execute it in a place where, you know, it can't hurt anything else. And then look at the results. So, you know, I think those are kind of like nice-to-have features. Not all NDR products do have sandboxes, but, you know, especially in the case where you've got an inline decrypted deployment and you uncover some potential malware, it would be useful to be able to detonate it and see what happens.
And then there were other companies, the ones that don't offer inline decryption, that would tend to argue that that's kind of an old style of doing security and it's, it's weaker. So, you know, that really shouldn't be considered part of NDR, but, you know, the truth is, at least 12 or 13 companies, I believe, were in the survey. And, you know, they're all, they're all doing pretty well. They all have captured a pretty good size of a market that's, I think, only going to grow and grow, and they may take different approaches with their products and solutions, but that shows that there's room in the market for different approaches as well, I think.
In the, in the earlier episodes of this podcast, you always had a critical look also at the products and had looked at downsides and, and, and yeah, critical aspects of the, of the solutions. Is there something around this NDR market where you think that, that there are weaknesses, that are problems around with this type of infrastructure for organizations looking into deploying it?
Well, I think like a lot of security products, NDR can be pretty complex. I mean, with the focus on machine learning and automating a lot of the tasks that security analysts do, many of the vendors have produced solutions that are not as labor intensive, but you still have to have a SOC or SOC analysts or subscribe to their managed security services to really get the most out of it. So it does take knowledgeable expertise to really get the value out of it. And then one of the other things I learned as a result of doing the Leadership Compass is the guys we were talking about last time, you know, maybe a third of the companies really don't have strong authentication for the administrator and analyst console. And I think that's a significant weakness.
Absolutely. So the Leadership Compass is out right now, I understand. So it's available for interested readers at our website KuppingerCole dot com.
Yes. I think it went up last week.
Okay, perfect. So thank you very much, John, for giving this insight into, at least for me, a new market segment that I learned much about today. And if anybody listening to us is interested in learning more about NDR beyond the Leadership Compass and maybe how that can fit into an overall security infrastructure, into a layered approach for them, please don't hesitate to get in touch with us. So again, thank you very much, John, looking forward to having you in a future episode. And I think there's more about NDR that we could talk about. So thank you again.
Sure. Thank you.
Thank you. Bye. Bye.