Network detection and response (NDR) is a discipline that evolved out of what was once known as network traffic analysis. Basically, as network traffic became more complex—and more potentially malicious—network traffic analysis had to take a more security-focused trajectory. Instead of relying on human monitors or simpler behavioral analytics, NDR relies on machine learning and automation to improve threat hunting and incident response.

Unlike rules-based security tools such as firewalls, NDR focuses on non-signature-based machine learning and analytical techniques. These tools must be capable of modeling network behavior based on continuous real-time raw traffic and flow analysis, alerting anomalous behavior and traffic patterns that may represent malfunctions or attackers. They must also move their analytics beyond the traditional perimeter, monitoring both north-south and east-west traffic.

Similar to the traditional Intrusion Detection Systems (IDS) that focus on monitoring the perimeter for intruders and alerting if an attack is detected, NDR solutions are also focused on analyzing network communications to detect and investigate threats. But one of the main differences is that NDR includes automatic responses, like triggering commands to a firewall to drop suspicious traffic or manual responses like providing threat hunting and incident response information to dig deeper.

Ensuring Complete NDR Visibility

The best way to optimize the performance of your NDR tool is to make sure it gets as much information or packet visibility as possible.

According to Gartner's Market Guide for Network Detection and Response, "Network detection and response (NDR) remains a crowded market with a low barrier to entry, as many vendors can apply common analytical techniques to traffic monitored from a SPAN port."

The TAP vs. SPAN debate is over. If your NDR tool doesn’t get the proper data, it won’t be able to establish a good baseline for your network—which means that it will be harder to detect potentially malicious anomalies.

We know that a lot of vendors consider mirroring traffic from a SPAN port and apply analytics techniques to the output, which may catch potentially malicious traffic. Although you might be satisfied with the results, there may be a hole in your visibility.

SPAN (which stands for Switch Port Analyzer) is a dedicated port on a network switch. The SPAN port mirrors the packets to an out-of-band security tool such as NDR for analysis.

Here are the problems with SPAN:

• Mirroring can alter information within packets, as well as packet timing.
• SPAN has lower availability. Switches may reassign priorities during times of heavy traffic.
• SPAN ports can drop packets when a port is oversubscribed.
• SPAN ports don’t scale past the gigabit range. 
• SPAN’s bidirectional traffic opens additional security vulnerabilities.

SPAN has its uses. In low bandwidth applications, and in applications where real-time intelligence isn’t important, SPAN will serve well. Those applications aren’t NDR, however. For NDR to work most effectively, the tool needs to drink from a firehose. It needs all your information, as accurately as it can be provided. That isn’t what a SPAN port does, however.

Reduce NDR Deployment Friction with Garland Technology

When IT Security teams are designing NDR deployments, architecting proper connectivity and packet visibility best practices are critical for success. This includes instrumenting network TAPs to provide complete packet visibility, to ensure that no threats or anomalies are hiding in dropped packets or blind spots.

Garland Technology’s network TAPs have unidirectional data diode circuitry ensuring production networks and monitoring tools are secure. Pairing network TAPs with network packet brokers provide traffic reduction features like aggregation and deduplication that improve the performance of the NDR tool. Providing this visibility foundation ensures continuous real-time raw traffic analysis functions as planned.

Some companies are now facing deployment friction choosing between their network TAP and packet broker vendors and NDR solution vendors. With the crowded NDR market growing, visibility companies like Gigamon have positioned their ThreatINSIGHT in direct competition with NDR vendors like Garland partners Bricata, Cisco, Corelight, Extrahop, Fidelis, Flowmon, and others.

Vendors like Gigamon and Keysight Ixia are shifting their focus to security and monitoring applications, overselling their network packet broker hardware and management systems while looking to embed their software products, ultimately tying customers into a licensed based platform that bloats operation costs over time.

Garland is solely focused on doing what we do best–providing innovative network TAPs and packet brokers that are simple and easy to use, designed to deliver packets to NDR deployments.

Garland remains committed to empowering NDR vendors with our TAP to Tool philosophy by architecting to the tools, not competing with them. We align ourselves with trusted ‘best of breed’ partners whose sole expertise is to protect or monitor the network, not spread themselves thin trying to cover every market share. Garland Technology provides the scalability and flexibility to deploy what you need when you need it, so you can focus on what's important - performance and cybersecurity.

Looking to add secure TAP visibility to your NDR deployment, but not sure where to start? Join us for a brief network Design-IT evaluation or demo. No obligation - it’s what we love to do.