NDR: The new pillar of cybersecurity
Prevention and protection are still considered the means of choice when safeguarding one's own IT systems. However, the fact that this approach is not sufficient can now be read almost daily in the media. Current cases such as the attack on Microsoft Exchange, Colonial Pipeline in the United States or, most recently, Siegfried in Switzerland illustrate the dangers: Business interruptions, loss of trust among customers and partners, product defects or legal consequences. One of the most common approaches currently used by hackers is the so-called ransomware attack - in other words, extorting a ransom in exchange for the non-publication or decryption of data that has been rendered unreadable.
As long as a company is recognised as a worthwhile target, it is also in the sights of potential attackers - regardless of size or industry. However, detecting and eliminating them in one's own system is a mammoth task that can be carried out successfully and efficiently with automated, AI-supported network monitoring alone.
The search for the „Crown jewels“
Maintaining an IT security infrastructure has been a must for companies for decades, with IT security ideally always one step ahead of hackers. However, attackers are also continuously moving with the times and fine-tuning their methods. The professionalisation is also evident in the strategies that hackers pursue: They often spend entire weeks patiently preparing, executing the attack and searching for the "Crown jewels" among the data inside a company network - and usually without being discovered.
This is often done by infiltrating with malware. Hackers thereby establish a communication channel into the interior of the system and can thus remotely control an internal end device without being noticed. This can then be used to encrypt or steal data. Cobalt Strike, a legally available software solution used by companies for internal tests, is often misused by hackers for their own purposes.
Once the attackers are in the system, for example via phishing emails, the malware - hidden in regular data traffic - establishes a so-called command & control (C&C) channel through which the attackers then take over further control. Customer data, patents or critical systems that must not fail under any circumstances are then the target of the search, which can be stolen or also encrypted via the established communication channel - both with the aim of blackmailing the victim.
The search for the needle in the haystack
To avoid this, it is essential to detect threats, attacks and data leaks as immediately as possible and to initiate countermeasures before the damage is done. In terms of security, however, this idea is not easy: corporate networks produce vast amounts of information. Examining this manually for suspicious activities is like the proverbial search for a needle in a haystack: The IT department has to analyse manually, develop its own algorithms and keep an eye on the whole system.
For many companies, simply creating an overview of all networks or devices to be protected is a challenge. In the case of suspicious activities, it is even more complex to assess their potential danger. Teams have to take a long time to get an overview, which often gives attackers all the time they need. Frighteningly, this means that on average it takes several weeks for such a cyber-attack to be detected.
With artificial intelligence, network traffic can be analysed easily and automatically. The system learns the routine processes in the network and also detects untypical activities or changing connection patterns. Since various cyber threats each have specific patterns, corresponding algorithms can be used to independently scrutinise the data traffic.
This approach is called Network Detection & Response (NDR). Similar to an alarm system, NDR strikes as soon as the intruder has entered the house - and not only when he is already looking around in peace or after trying to steal data, for example.
The technology can also help security teams in other ways, such as investigating and responding to incidents, which often takes a lot of time. The correlation, evaluation and prioritisation of such alarms are automated. This is done with the help of data from other security systems - such as endpoint detection, device monitoring, antivirus programmes or access management - whereby alarms with typical threat or attack patterns are also taken into account. In this way, the system itself can make assessments and prioritisations and limits the number of incidents to be investigated to a minimum.
IT security teams are therefore in a better position to identify threats and deal with them, as they have a full overview of an ongoing attack at all times. Accompanying this, the AI makes suggestions on how to defend against the attack, taking into account the attack pattern.
Network Detection & Response solutions based on AI technology ensure that even the most complex networks can be consistently monitored and suspicious processes combated. They thus ensure that classic cybersecurity now has an additional mainstay alongside prevention: that of reaction in real-time.
Chief Operating Officer