Network infrastructure security is the protection of network assets such as hardware, software, and data against threats. These threats may be external, such as cyber-attacks that lead to data theft, or internal, such as careless or rogue employees.
Network infrastructure protections include firewalls, antivirus, intrusion prevention and detection systems, email security, access controls, and data loss prevention. These technologies play their own unique roles in protecting the network and are layered together to form a holistic defense system.
The age-old firewall is one of the longest-standing network security protections. Firewalls act as the frontline of network defense by regulating what enters and leaves the network. By monitoring and filtering incoming and outgoing data packets, firewalls block what is deemed malicious based on preconfigured firewall rules.
Endpoint security includes conventional antivirus software and newer EDR (endpoint detection and response) solutions, which are installed on endpoints like PCs, mobile devices, and servers to protect them. These solutions detect and remove malware that has bypassed the firewall to land on the endpoint or was loaded on the endpoint from inside the network or removable media.
Email security refers to the various technologies and mechanisms used to protect email accounts and communication, including authentication, content filters, and content encryption. Phishing emails are one of the most prevalent ways threat actors breach a network. By crafting email content that is highly authentic-looking, attackers lure email recipients into clicking a URL to download malware or redirect them to another site for malicious purposes, such as credential theft.
Zero trust is a security concept that assumes all users are untrusted by default. This means that all users, whether they are inside or outside the network, need to be authenticated and authorized every time they want to access network applications and data. Zero trust is designed to meet the challenges of modern-day network access scenarios, including the remote network access of employees and third-party network access such as suppliers, and countering the sophisticated credential theft or bypass capabilities of attackers.
Data loss prevention (DLP) solutions are designed to protect the sensitive data of organizations from loss, misuse, and unauthorized access. DLP solutions monitor data in use (on endpoints), in motion (network traffic), and at rest (for example, on database servers) and identify violations of data policies as defined by the organization or by data protection laws such as HIPAA and GDPR. Once violations are detected, DLP enforces remediation measures, such as alerting, blocking access, and data encryption.
In cybersecurity, sandboxing is the practice of running untested or untrusted programs and code in an environment that is isolated from the rest of the operating system on which it is installed. By running programs and code in an isolated environment, sandboxing prevents malicious programs and code from damaging the actual operating system or spreading to other hosts on the network.
The protections described above, and the majority of network protections in general, are signature-based and/or passive protections. While they play a vital role in securing the network, the increasing sophistication of cyber-attacks and the widening attack surface (more entry points for attack) mean that they are no longer adequate, either individually or used in conjunction. Let’s explore why.
Signature-based protection refers to the detection of malware and malicious activity using known indicators of compromise (IoC). Known IoCs include malware hashes (the unique ID of a piece of malware, just like a fingerprint), the IoCs of adversary infrastructure such as the malicious IP addresses and domains used in an attack, known application vulnerabilities, and known attack patterns.
Network security solutions that rely on signature-based detection include firewalls, IDS and IPS, endpoint security solutions, application firewalls, and sandboxing. The effectiveness of these protections is limited by the following challenges.
Passive protection refers to security tools, mechanisms, and processes that detect and respond to threats when they appear but do not actively hunt for them.
Signature-based protections are essentially passive protections, as are rule-based protections such as access controls, zero trust access, and data loss prevention. The effectiveness of these protections is limited by the following challenges.
When all else fails, network detection and response provides a robust last line of defense.
What is Network Detection and Response?
Network detection and response (NDR) is a burgeoning cybersecurity solution that analyzes real-time network-wide traffic to detect and respond to malware and behavioral-based malicious activity in the network.
The two keywords are real-time and behavioral-based.
NDR actively analyzes real-time traffic from across the network to hunt for threats that have breached the signature-based and rule-based protections. NDR detects behavioral-based threats that use legitimate tools, services, and traffic to evade detection. To do this, NDR leverages machine learning to build and continuously optimize baseline models of normal network activity. Network traffic is analyzed using AI-powered behavioral analytics, and the results are correlated with the baseline models to detect anomalies. Anomalies in network activity are good indications of threats, because an attacker will use legitimate accounts, tools, services, and data in ways that differ from their normal use patterns. For example, NDR would be able to detect a DDoS attack made up of otherwise legitimate-looking traffic by sensing a spike in the number of incoming requests.
The Advantages of NDR
Active, behavioral-based protection technologies such as NDR are not superior to passive, signature-based protections. Passive, signature-based protections provide a robust first line of defense that filters out most threats. Without them, networks will be overrun with threats left, right and center. This allows active, behavioral-based protections like NDR to focus on cleaning up what has slipped through. They are essentially a double act working in tandem to provide network infrastructure with multi-layered, holistic protection.
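As an added illustration of the two layers described above (the signature-based first line and the behavioral, baseline-driven NDR layer that catches what slips through), the following Python example is not code from the original article or from any NDR product. It stands in for the "machine learning baseline" with a simple per-minute request-rate mean and standard deviation, uses constructed traffic records with documentation-range IP addresses, and treats a single constructed known-bad address as the signature layer's indicator of compromise.

```python
import statistics
from collections import Counter

# Constructed sample traffic: one record per inbound connection as (minute, source IP, service).
# All addresses are from RFC 5737 documentation ranges; none is a real indicator.
NORMAL_TRAFFIC = [(m, f"203.0.113.{i % 20}", "web") for m in range(10) for i in range(18 + (m % 3))]
NEW_TRAFFIC = (
    [(10, f"203.0.113.{i % 20}", "web") for i in range(19)]      # an ordinary minute
    + [(11, "198.51.100.7", "web")]                                # one hit from the constructed known-bad IP
    + [(11, f"203.0.113.{i % 20}", "web") for i in range(18)]
    + [(12, f"192.0.2.{i % 250}", "web") for i in range(400)]      # flood: roughly 20x the baseline rate
)

# Signature layer: a constructed placeholder indicator set (stands in for a real IoC feed).
KNOWN_BAD_IPS = {"198.51.100.7"}

def signature_matches(records):
    """Passive, signature-based check: flag every connection whose source is a known-bad IP."""
    return [(minute, src) for minute, src, _ in records if src in KNOWN_BAD_IPS]

def build_baseline(records):
    """Learn the normal inbound requests-per-minute profile as (mean, population std dev)."""
    counts = list(Counter(minute for minute, _, _ in records).values())
    return statistics.mean(counts), statistics.pstdev(counts)

def behavioral_anomalies(records, baseline, z_threshold=3.0):
    """Behavioral check: flag minutes whose request rate deviates from the learned baseline.

    Each flagged entry is (minute, request count, z-score). A zero std dev (perfectly
    flat baseline) is handled explicitly so that any deviation is still reported.
    """
    mean, stdev = baseline
    flagged = []
    for minute, count in sorted(Counter(m for m, _, _ in records).items()):
        if stdev:
            z = (count - mean) / stdev
        else:
            z = 0.0 if count == mean else float("inf")
        if z > z_threshold:
            flagged.append((minute, count, round(z, 1)))
    return flagged

def layered_detection(records, baseline):
    """Both layers in tandem: signature hits and behavioral anomalies reported side by side."""
    return {"signature": signature_matches(records),
            "behavioral": behavioral_anomalies(records, baseline)}

if __name__ == "__main__":
    print(layered_detection(NEW_TRAFFIC, build_baseline(NORMAL_TRAFFIC)))
```

Note that the flood in minute 12 comes from addresses that appear in no indicator list, so the signature layer is silent on it and only the baseline comparison raises it, which is the point the article makes about behavioral detection.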