Cloud Firewall: What is Network Detection and Response

Last Updated: Dec 09, 2025

Network Detection and Response (NDR) is a cloud-native product for the public cloud that provides network detection and response capabilities. It uses bypass traffic mirroring and features such as traffic filtering, full traffic retention, association analysis, and threat analysis to quickly detect and respond to advanced network threats. NDR serves as the final line of defense for the network traffic of your business assets in the cloud.

Feature overview

Asset and risk management

NDR automatically identifies the upper-layer services of cloud assets, including web services, database services, email services, file management services, and remote control services. NDR accurately detects the blind spots of cloud assets exposed on the Internet and identifies, every day and at the earliest opportunity, assets that have exposed vulnerable ports and weak password-based logons. NDR also supports scenario-specific management to address the exposure of sensitive data, such as AccessKey pairs, transferred plaintext, weak passwords, and personal identity information.

Automatic retention of attack packets

NDR automatically retains the alerts generated for attacks and the raw traffic generated during those attacks. Traffic that does not cause risks or alerts is not retained, which helps minimize labor and storage costs. NDR supports online payload analysis to help O&M engineers trace and analyze attacks. This allows security technical support personnel to identify attacks on internal networks at the earliest opportunity. NDR is suitable for O&M analysis of advanced threats such as advanced persistent threats (APTs) in scenarios that require strong protection, such as critical event protection. This feature addresses a limitation of traditional security devices, which cannot automatically retain attack packets and therefore make post-attack analysis difficult.

Two-way and asynchronous full-traffic threat detection

NDR performs full traffic mirroring in both directions to implement asynchronous threat detection.

The two-way detection technology is used to facilitate attack confirmation and reduce false positives. Specific malicious behavior is only scanned and detected. Secondary detection on response packets helps determine whether attacks are successful. The characteristics of some attack requests are spread across multiple packets. Such malicious behavior is difficult to identify from a single packet because the characteristics of a single packet are insufficient. In this case, the characteristics of multiple packets must be correlated for detection. Two-way and full-traffic detection can effectively detect these threats and resolves the blind spots of the one-way traffic detection used by traditional security devices. This significantly enhances attack identification and prevents potential security hazards caused by false positives.
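The following sketch is an added example, not Alibaba Cloud code, of the two ideas above: matching on the reassembled request instead of single packets, then checking the response to separate an attempt from a success. The signatures, field names, and sample flows are assumptions constructed for illustration.

```python
import re

# Assumed signatures for illustration; these are not NDR's own rules.
REQUEST_SIG = re.compile(rb"(\.\./){2,}etc/passwd")    # traversal in the request
RESPONSE_SIG = re.compile(rb"^root:[^:]*:0:0:", re.M)  # file content in the reply


def reassemble(segments):
    """Join (sequence_number, payload) segments in sequence order."""
    return b"".join(payload for _, payload in sorted(segments))


def per_packet_hit(flow):
    """One-way, single-packet view: does any lone segment match?"""
    return any(REQUEST_SIG.search(p) for _, p in flow["request_segments"])


def classify(flow):
    """Two-way view: 'clean', 'attempt' or 'success' for one flow."""
    if not REQUEST_SIG.search(reassemble(flow["request_segments"])):
        return "clean"
    # Secondary detection on the response decides whether the attack worked.
    if flow["status"] == 200 and RESPONSE_SIG.search(flow["response_body"]):
        return "success"
    return "attempt"


# Constructed sample flows (not real captures).
FLOWS = [
    {  # indicator split over two segments that arrived out of order; blocked
        "request_segments": [(22, b"/../etc/passwd HTTP/1.1\r\n\r\n"),
                             (1, b"GET /download?f=../..")],
        "status": 403, "response_body": b"Forbidden",
    },
    {  # same request in one segment; the reply carries the file content
        "request_segments": [(1, b"GET /download?f=../../../etc/passwd HTTP/1.1\r\n\r\n")],
        "status": 200, "response_body": b"root:x:0:0:root:/root:/bin/bash\n",
    },
    {  # ordinary download
        "request_segments": [(1, b"GET /download?f=report.pdf HTTP/1.1\r\n\r\n")],
        "status": 200, "response_body": b"%PDF-1.7",
    },
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(per_packet_hit(flow), classify(flow))
```

The first flow is missed by the per-packet check but caught after reassembly, and its 403 response keeps it at "attempt" instead of raising a high-severity alert.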

Association analysis based on multiple detection engines

NDR supports multiple detection and analysis engines, such as characteristic rules, threat intelligence, file sandbox, behavior analysis, and exposure analysis, and can correlate and analyze the results of each detection module.

For example, when the characteristics of malicious traffic behavior hit an Intrusion Detection System (IDS) rule, NDR can use technologies such as threat intelligence, behavior analysis, and file restoration to detect the traffic. The association and attestation capabilities can increase the accuracy of alerts. If malicious behavior that is difficult to identify bypasses static rule detection or if the behavior hits only a rule with a low severity level, the behavior can also be detected by other detection engines. However, traditional security devices do not provide multi-dimensional detection capabilities. In this case, if the behavior does not hit detection rules or the attestation is insufficient, the behavior is allowed and may be ignored by O&M personnel. This can lead to severe security risks.

Search for, filter, and deliver protocol logs

NDR can collect, query, analyze, transform, and consume the protocol logs of protected assets in real time. The service can deliver logs within seconds, which helps you monitor and protect network assets and meet classified protection requirements.