Alibaba Cloud Network Detection and Response (NDR) is a cloud-native network detection and response product designed for the public cloud. It is easy to use, requires no deployment, and can be activated with a single click. NDR can quickly detect threats in network traffic.
Cloud-native vs. traditional commercial vs. open source NDR
| Feature | Alibaba Cloud NDR | Traditional commercial NDR software | Open source NDR software |
|---|---|---|---|
| Deployment speed | Fast: within minutes | Time-consuming: requires provisioning underlying resources | Relatively fast, but complex configuration |
| Cost-effectiveness | High: SaaS subscription, low CAPEX | Medium: high CAPEX and OPEX | Medium: extra machine costs, high OPEX |
| Operational efficiency | High: native integration | Medium: separate purchase, consumes IT resources | Low: custom development |
| Maintenance and updates | Real-time: within minutes | Automatic, depends on the vendor | Manual, depends on the community |
| Flexibility and scalability | Elastic: pay-as-you-go | Low: requires purchasing additional licenses | Manual: self-managed |
No deployment, instant activation, and one-click access
No deployment and one-click access: You do not need to configure traffic diversion yourself. One-click access saves significant operations and maintenance (O&M) time and covers the usual access scenarios.
Non-intrusive bypass deployment: NDR automatically synchronizes your cloud asset inventory and works with any network architecture, and you activate the service per asset as needed. Because NDR sits out of band (bypass mode) rather than inline, it does not touch the traffic path of your services and so has no impact on them.
East-west traffic detection in private networks: NDR detects lateral threat movement and unauthorized transfers of sensitive data within your internal network. This helps you quickly locate compromised assets and improve your internal network security.
Automatic retention and retrieval of attack packets
Automatic retention of attack traffic: When NDR raises an attack event, it automatically retains the associated traffic, including packets from before and after the attack, with no manual intervention. The retained attack traffic is about 1/10,000th the size of full traffic retention, so you avoid the storage cost of keeping traffic that is never needed while still keeping what an investigation requires.
Custom retention of core asset traffic: You can create custom packet filtering rules to retain only the traffic you need, which keeps storage costs down. This meets internal and external compliance audit requirements, provides evidence for reproducing anomalies, and helps security teams respond to events faster.
Efficient retrieval of traffic packets: The BPF-based retrieval component lets you search 300 million records in under 10 seconds. You can analyze attack payloads online and export PCAP files, which reduces repetitive local downloads, improves the search experience, and greatly shortens query response times.
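The retention model described above (keep a window of packets around the moment an alert fires, optionally narrowed by a filter, then export the result as a PCAP) can be shown end to end in a few dozen lines. The following is an added example written for this page, not NDR's own code or API: the traffic, the alert time and the attacker address are constructed, the `keep` predicate stands in for a compiled BPF expression, and the PCAP writer emits link type 147 (DLT_USER0) because the toy packets carry only application payload.

```python
import struct
from dataclasses import dataclass

ATTACKER = "203.0.113.7"    # constructed attacker address (TEST-NET-3)
SERVER = "10.0.0.8"         # constructed internal web server
T0 = 1_700_000_000.0        # constructed capture start, seconds since epoch


@dataclass
class Packet:
    ts: float       # capture timestamp, seconds since epoch
    src: str
    dst: str
    svc_port: int   # server-side port of the conversation
    payload: bytes  # application bytes only; link/IP/TCP headers omitted in this toy


def build_sample_traffic(seconds=600, pps=20, alert_ts=T0 + 300):
    """Constructed traffic: steady background web requests plus three attacker
    packets around `alert_ts`, the moment a detection engine would fire."""
    pkts = [Packet(T0 + i / pps, f"10.0.1.{i % 50 + 1}", SERVER, 80,
                   b"GET /index.html HTTP/1.1\r\n")
            for i in range(seconds * pps)]
    pkts += [
        Packet(alert_ts - 2, ATTACKER, SERVER, 80, b"GET /robots.txt HTTP/1.1\r\n"),           # recon before
        Packet(alert_ts, ATTACKER, SERVER, 80, b"GET /?f=../../etc/passwd HTTP/1.1\r\n"),      # triggers alert
        Packet(alert_ts + 3, SERVER, ATTACKER, 80, b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:"),     # effect after
    ]
    return sorted(pkts, key=lambda p: p.ts)


def retain_window(packets, alert_ts, pre_s, post_s, keep=None):
    """Keep packets with alert_ts - pre_s <= ts <= alert_ts + post_s.
    `keep` is an optional predicate playing the role of a capture filter; a real
    system would compile a BPF expression such as 'host 203.0.113.7' instead."""
    lo, hi = alert_ts - pre_s, alert_ts + post_s
    return [p for p in packets if lo <= p.ts <= hi and (keep is None or keep(p))]


def to_pcap(packets, linktype=147):
    """Serialise packets as a classic little-endian libpcap file. Link type 147
    (DLT_USER0) tells tcpdump/Wireshark the records are raw bytes with no
    Ethernet/IP headers, so the file opens without a bogus protocol decode."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        if usec == 1_000_000:       # rounding carried into the next second
            sec, usec = sec + 1, 0
        out.append(struct.pack("<IIII", sec, usec, len(p.payload), len(p.payload)))
        out.append(p.payload)
    return b"".join(out)


def retained_fraction(packets, kept):
    """Share of the full capture that the retention policy actually stores."""
    return len(kept) / len(packets)


if __name__ == "__main__":
    pkts = build_sample_traffic()
    alert = T0 + 300
    window = retain_window(pkts, alert, pre_s=5, post_s=10)
    evidence = retain_window(pkts, alert, 5, 10, keep=lambda p: ATTACKER in (p.src, p.dst))
    print(f"{len(window)} of {len(pkts)} packets kept "
          f"({retained_fraction(pkts, window):.2%}); {len(evidence)} match the host filter")
    with open("alert-evidence.pcap", "wb") as f:
        f.write(to_pcap(evidence))
```

The 5 s / 10 s window is a placeholder; the pre-window is what lets an analyst see the reconnaissance that preceded the alert, and the post-window captures the server's reply that shows whether the attempt worked. Narrowing further with a host filter is what turns a 10,000-packet window into the three packets an investigator needs.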
Full traffic threat detection and multi-engine association analysis
Bidirectional and asynchronous full traffic threat detection: NDR analyzes both the request and the response of a session, so an attack attempt seen in the request, such as Remote Code Execution (RCE), SQL injection (SQLi), or Local File Inclusion (LFI), can be confirmed or dismissed from what the server actually returned. This improves confirmation of successful attacks, covers detection blind spots in both request and response packets, significantly reduces threat noise, and lessens the burden on your O&M team of investigating false positives.
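What "bidirectional" buys you is a verdict rather than a signature hit: the request says an attack was attempted, the response says whether it worked. The example below is added here to illustrate that logic and is not NDR's detection engine; the signature patterns are deliberately small, the `Exchange` record and the sample request/response pairs are constructed, and the verdict names (`confirmed`, `blocked`, `attempted`, `suspicious`) are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class Exchange:
    """One reassembled HTTP request/response pair (constructed record, not NDR's format)."""
    request: str
    response: str


# Request-side patterns: evidence that an attack was attempted.
REQUEST_SIGS = {
    "LFI":  re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self/"),
    "SQLi": re.compile(r"(?i)union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|sleep\(\d+\)"),
    "RCE":  re.compile(r"(?i)(;|\||`|\$\()\s*(id|whoami|cat|wget|curl|bash|sh)\b"),
}
# Response-side patterns: evidence that the attempt actually succeeded.
RESPONSE_SIGS = {
    "LFI":  re.compile(r"root:x:0:0:|\[boot loader\]"),
    "SQLi": re.compile(r"(?i)you have an error in your sql syntax|unclosed quotation mark|ORA-\d{5}"),
    "RCE":  re.compile(r"uid=\d+\([\w-]+\)\s+gid=\d+"),
}
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def classify(ex):
    """Return [(technique, verdict)] for one exchange.
    confirmed : request carries the attack and the response shows it worked
    blocked   : request carries the attack but the server answered 403
    attempted : request carries the attack, response shows no effect
    suspicious: response looks like attack output with no matching request
                (e.g. a second-order injection or a leaked stack trace)"""
    m = STATUS_RE.match(ex.response)
    status = int(m.group(1)) if m else None
    verdicts = []
    for tech, req_sig in REQUEST_SIGS.items():
        req_hit = bool(req_sig.search(ex.request))
        resp_hit = bool(RESPONSE_SIGS[tech].search(ex.response))
        if req_hit and resp_hit:
            verdicts.append((tech, "confirmed"))
        elif req_hit and status == 403:
            verdicts.append((tech, "blocked"))
        elif req_hit:
            verdicts.append((tech, "attempted"))
        elif resp_hit:
            verdicts.append((tech, "suspicious"))
    return verdicts


PRIORITY = {"confirmed": 0, "suspicious": 1, "attempted": 2, "blocked": 3}


def triage(exchanges):
    """Flatten verdicts across exchanges and order them for an analyst queue,
    confirmed successes first, WAF-blocked attempts last."""
    rows = [(i, tech, verdict)
            for i, ex in enumerate(exchanges)
            for tech, verdict in classify(ex)]
    return sorted(rows, key=lambda r: PRIORITY[r[2]])


# Constructed sample exchanges for the example.
SAMPLES = [
    Exchange("GET /view?f=../../../../etc/passwd HTTP/1.1\r\nHost: app\r\n\r\n",
             "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n"),
    Exchange("GET /view?f=../../../../etc/passwd HTTP/1.1\r\nHost: app\r\n\r\n",
             "HTTP/1.1 403 Forbidden\r\n\r\nRequest blocked"),
    Exchange("GET /item?id=1' UNION SELECT user,pass FROM users-- HTTP/1.1\r\nHost: app\r\n\r\n",
             "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Item 1</html>"),
    Exchange("POST /ping HTTP/1.1\r\nHost: app\r\n\r\nhost=127.0.0.1;id",
             "HTTP/1.1 200 OK\r\n\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    Exchange("GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n",
             "HTTP/1.1 200 OK\r\n\r\n<html>Hello</html>"),
]

if __name__ == "__main__":
    for idx, tech, verdict in triage(SAMPLES):
        print(f"exchange {idx}: {tech} {verdict}")
```

A request-only detector would raise four alerts of equal weight for these samples; pairing each with its response leaves two confirmed compromises at the top of the queue and pushes the WAF-blocked attempt to the bottom, which is the noise reduction the paragraph refers to.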
Multi-engine association analysis: NDR uses multiple detection engines, such as feature rules, threat intelligence, file sandbox, behavior analysis, and exposure analysis. Alerts are displayed on a timeline. This approach covers a wider range of threat types, helps you quickly identify anomalies and associated threat events, improves security operations efficiency, and accelerates your security team's response speed.
Infer attack intent with ATT&CK: NDR maps detections to the ATT&CK framework so that you can see the techniques and tools an attacker used, reconstruct the intrusion path, attribute the attacker, and determine the attack objective. This helps your security team quickly identify the vulnerabilities that were used, prioritize patching, tighten firewall policies, and shut down exposed services. When necessary, the retained evidence also supports legal action against attackers.
Comprehensive asset service mapping and scenario-based risk management
Scenario-based mapping of asset service exposure: Publicly exposed assets are a frequent entry point for attackers and a common cause of regulatory penalties. NDR automatically identifies the business services running on your cloud assets, pinpoints blind spots in their external exposure, and automatically discovers routine risks such as exposed vulnerable ports and weak security token logons.
Risk management for sensitive data exposure: NDR uses traffic detection to identify sensitive data exposure risks in asset services. It identifies risky asset areas and assesses potential data breach issues, improving the efficiency of your security team's risk operations for business assets.
Protocol log retrieval, filtering, and delivery
Protocol log retrieval: You can retrieve Layer 7 protocol logs, such as HTTP, DNS, and TLS, along with 5-tuple logs. NDR extracts detailed fields and payload information from the raw logs, so no analysis software needs to be installed. This lets you visually trace unusual traffic behavior and meet compliance and regulatory requirements.
Protocol log filtering: You can filter and retain protocol logs as needed and flexibly customize information for core service traffic. A wide range of log types and 5-tuple filter conditions are supported. This significantly reduces log analysis and storage costs and improves operations management efficiency.
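The 5-tuple filter conditions described here and the exposure mapping described under scenario-based risk management above rest on the same data: flow records with source, destination, ports and protocol. The following added example (written for this page, not NDR's own filtering or asset-mapping logic) parses a constructed 5-tuple flow log, builds filter predicates from CIDR, port and protocol conditions, and then derives an exposure report of which asset services were reached from outside the VPC. The log format, the RFC 1918 definition of "internal", and the list of risky ports are assumptions for the example.

```python
import ipaddress

# Constructed 5-tuple flow log (not real NDR output):
# ts src_ip src_port dst_ip dst_port proto bytes_from_server
FLOW_LOG = """\
1700000001 203.0.113.10 51234 10.0.0.8 80 tcp 1200
1700000002 198.51.100.5 40212 10.0.0.8 443 tcp 8800
1700000003 198.51.100.5 40213 10.0.0.9 6379 tcp 96
1700000004 10.0.1.4 33001 10.0.0.9 6379 tcp 540
1700000005 203.0.113.10 51240 10.0.0.9 22 tcp 3100
1700000006 10.0.1.4 33002 10.0.0.10 3306 tcp 2200
1700000007 203.0.113.77 51111 10.0.0.10 3306 tcp 0
"""

# Assumed: the VPC address space is RFC 1918; anything else is treated as external.
# (Not using ipaddress.is_private on purpose: it also classifies the TEST-NET
# documentation ranges used in the sample as private.)
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports whose external exposure is a finding on its own (assumed list; tune per environment).
RISKY_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    fields = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "bytes")
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        for k in ("ts", "src_port", "dst_port", "bytes"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def make_filter(src_net=None, dst_net=None, dst_ports=None, proto=None, external_src=None):
    """Build a 5-tuple filter predicate from optional conditions.
    src_net/dst_net are CIDR strings, dst_ports a set of ints, and
    external_src=True keeps only flows whose source lies outside INTERNAL_NETS."""
    src = ipaddress.ip_network(src_net) if src_net else None
    dst = ipaddress.ip_network(dst_net) if dst_net else None

    def pred(f):
        if src and ipaddress.ip_address(f["src_ip"]) not in src:
            return False
        if dst and ipaddress.ip_address(f["dst_ip"]) not in dst:
            return False
        if dst_ports and f["dst_port"] not in dst_ports:
            return False
        if proto and f["proto"] != proto:
            return False
        if external_src is not None and is_internal(f["src_ip"]) == external_src:
            return False
        return True
    return pred


def exposed_services(flows):
    """Map each (asset, port) reached from outside the VPC to its external sources.
    A flow with zero bytes back from the server is only a probe (scan or refused
    connection) and is reported as 'probed' rather than 'exposed'."""
    report = {}
    for f in filter(make_filter(external_src=True), flows):
        key = (f["dst_ip"], f["dst_port"])
        entry = report.setdefault(key, {"sources": set(), "state": "probed", "severity": "info"})
        entry["sources"].add(f["src_ip"])
        if f["bytes"] > 0:
            entry["state"] = "exposed"
        if f["dst_port"] in RISKY_PORTS:
            entry["service"] = RISKY_PORTS[f["dst_port"]]
            entry["severity"] = "high" if entry["state"] == "exposed" else "medium"
    return report


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    redis_flows = [f for f in flows if make_filter(dst_ports={6379})(f)]
    print(f"{len(redis_flows)} flows to Redis (retained by a port filter)")
    for (ip, port), e in sorted(exposed_services(flows).items()):
        print(f"{ip}:{port} {e['state']:8} {e['severity']:6} {e.get('service', '')} from {sorted(e['sources'])}")
```

Run on the sample, the report shows the web ports on 10.0.0.8 as expected exposure, Redis and SSH on 10.0.0.9 as high-severity exposure, and MySQL on 10.0.0.10 as probed only, since the one external flow to it carried no bytes back. The same `make_filter` predicates are what a retention rule would use to keep only the core-asset traffic worth storing.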
Protocol log delivery: Logs can be delivered in seconds. You can customize the log fields to be delivered and the number of storage days.