Network Detection and Response (NDR) tools are considered essential components in many security teams’ multi-cloud or hybrid network security stack. These products complement security gateways and endpoint agents by identifying potential threats that are active in a network.
However, despite their popularity, NDR tools have significant limitations due to their architecture and capabilities. Modern networks require cloud-agnostic, environment-agnostic, and encryption-agnostic detection and response.
Limitations of NDR in the Cloud or On-Prem
NDRs have not kept up with the continued evolution of cloud and on-prem networks. First deployed about 15 years ago, NDRs were designed to inspect payloads for malicious content traversing on-prem networks between gateways and endpoints.
However, the technology has not fundamentally changed despite the significant evolution of these networks. Today’s NDRs have several design limitations that prevent them from detecting and responding to malicious activity while also increasing costs, including:
- Reliance on Sensors: Both cloud and on-prem NDRs continue to require deploying sensors, taps, or probes to collect network activity for analysis. The cost of installing sensors or probes to monitor every cloud workload in a multi-cloud network can overwhelm most organizations’ security budgets. The cost of deploying NDR sensors on-prem can also be unsustainable. With the decentralization of critical workloads and data, an enterprise network with multiple locations can require the deployment of dozens or hundreds of physical or virtual sensors to monitor every segment and environment (such as OT, IoT, and IT).
- Deep Packet Inspection (DPI): Most NDR tools rely on DPI to detect potentially malicious content in payloads. Yet forecasts state that enterprises have encrypted 80% to 90% of their network traffic, effectively blinding NDR tools’ inspection capabilities. To enable the inspection of encrypted data, your operations teams must deploy costly decryption technology.
Solution Brief: Netography Fusion® for Frictionless NDR. Detect Malicious Activity without Sensors in Your Multi-Cloud or Hybrid Networks.
- Limited Cloud Platform Support: Cloud NDR vendors frequently support only one or two platforms, yet 97% of enterprises plan to use multiple clouds. Enterprises running workloads on unsupported cloud platforms will have no insight into malicious activity targeting those assets.
- Pre-Compromise Focus: NDR tools detect potential threats (e.g., an exploit aimed at a machine that may or may not be vulnerable) that have bypassed the gateway controls but have not yet reached the targeted system. Because they focus on the contents of incoming packets rather than on anomalous activity exhibited by a system, NDRs ignore post-compromise activity, such as communicating with external IP addresses, lateral movement, data harvesting, or data exfiltration.
- Siloed Visibility: Some NDR vendors do not support monitoring on-prem and cloud activity in a single platform. This requires the deployment of separate tools with separate detection models and data sets, which creates silos of visibility that prevent rapid detection and response to malicious activity.
For these reasons, modern networks require a frictionless approach to NDR that eliminates the obstacles caused by legacy NDR tools. In this brief, we’ll explore the key benefits of Frictionless NDR and how it detects and responds to malicious activity in today’s multi-cloud and hybrid networks.
Frictionless NDR: A New Approach to Detecting & Responding to Malicious Network Activity
The Netography Fusion® platform provides a cloud-agnostic, environment-agnostic, and encryption-agnostic alternative to outdated cloud and on-prem NDR technologies. It differs from other cloud and on-prem NDR tools in two fundamental ways: it requires no sensors, and it analyzes network metadata rather than inspecting packet payloads.
How it Works
Data: The Fusion platform aggregates and normalizes network metadata from anywhere you want visibility in your multi-cloud or hybrid network. Fusion’s 100% SaaS architecture eliminates the burden of deploying sensors, taps, probes, or agents.
Fusion ingests:
- AWS VPC flow logs, AWS Transit Gateway flow logs
- IBM Cloud VPC flow logs
- Google Cloud Platform (GCP) VPC flow logs
- Microsoft Azure NSG flow logs, Microsoft Azure VNet flow logs
- Oracle Cloud Infrastructure (OCI) VCN flow logs
- NetFlow v5, NetFlow v9, NetFlow v10 (IPFIX) flow logs
- sFlow logs
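To make concrete what "metadata rather than packets" means for one of the formats listed above, here is an added example (not Netography's code or any part of the Fusion platform) that builds a constructed NetFlow v5 datagram and decodes it with a validating parser. The field layout follows the NetFlow v5 export format; the two flows, addresses, and counters are constructed sample values. Every field the parser returns is who-talked-to-whom metadata, which is why such records are unaffected by payload encryption, and the parser refuses datagrams whose header disagrees with their length rather than trusting the exporter.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout, big-endian: a 24-byte header followed by up to 30
# fixed 48-byte flow records. Every field is metadata (endpoints, ports,
# protocol, counters, timestamps); no packet payload is ever exported.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_sample_datagram() -> bytes:
    """Constructed export with two flows; not captured from a real exporter."""
    # (src, dst, packets, octets, srcport, dstport, tcp_flags, protocol)
    flows = [
        ("10.0.1.25", "10.0.2.40", 12, 1_800, 51522, 445, 0x1A, 6),        # SMB inside the network
        ("10.0.1.25", "203.0.113.9", 900, 1_200_000, 40112, 22, 0x18, 6),  # bulk SSH to the internet
    ]
    # version=5, count, sys_uptime_ms, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
    header = struct.pack(HEADER_FMT, 5, len(flows), 120_000, 1_700_000_000, 0, 1, 0, 0, 0)
    records = b"".join(
        struct.pack(RECORD_FMT,
                    IPv4Address(src).packed, IPv4Address(dst).packed, IPv4Address("0.0.0.0").packed,
                    1, 2, pkts, octets, 100_000, 110_000, sport, dport,
                    0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, pkts, octets, sport, dport, flags, proto in flows
    )
    return header + records


def parse_netflow_v5(data: bytes) -> list[dict]:
    """Decode one NetFlow v5 datagram into per-flow metadata dicts.

    Malformed input is rejected rather than trusted: a wrong version or a
    record count that disagrees with the datagram length raises ValueError.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime_ms, unix_secs, _unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "packets": pkts, "bytes": octets,
            # first/last are exporter uptime in ms; convert to epoch seconds
            "start": unix_secs - (sys_uptime_ms - first) / 1000,
            "end": unix_secs - (sys_uptime_ms - last) / 1000,
            "tcp_flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit],
            "src_as": src_as, "dst_as": dst_as, "src_mask": src_mask, "dst_mask": dst_mask,
            "sequence": flow_seq + i, "sampling_interval": sampling & 0x3FFF,
        })
    return flows


def is_valid_datagram(data: bytes) -> bool:
    """True if the bytes decode as a well-formed NetFlow v5 export."""
    try:
        parse_netflow_v5(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_datagram()):
        print(f"{flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']} "
              f"proto={flow['proto']} bytes={flow['bytes']} flags={','.join(flow['tcp_flags'])}")
```

The same structure applies to sFlow and to the cloud flow-log formats in the list: each record names the endpoints, ports, protocol, direction, byte and packet counts, and timestamps, and nothing else, so the detections built on them do not depend on whether the session was encrypted.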
Context Enrichment: Context enrichment transforms low-value IP address tables into context-rich descriptions of the activities of your users, applications, data, and devices. Fusion can ingest dozens of attributes to enrich your metadata, including asset risk, environment, last known user, region, risk score, security workgroup, type of entity, and vulnerability count.
Fusion incorporates context already contained in your applications and services, including asset management, cloud-native application protection platforms (CNAPP), configuration management database (CMDB), endpoint protection agents (EPP), and vulnerability management.
AI-Powered Detection: The Fusion platform detects anomalous and malicious network activity with over 300 open Netography Detection Models (NDMs). You have complete flexibility to customize Fusion’s NDMs to deliver high-confidence, high-fidelity alerts to your CloudOps, NetOps, and SecOps teams.
Fusion detects malicious activity before, during, and after a threat actor compromises your assets, including:
- Pre-compromise reconnaissance (external-to-internal activity), such as brute force attacks and external use of internal services.
- Post-initial-compromise lateral movement (internal-to-internal activity) such as network scanning, brute force attacks, and ransomware staging over SMB.
- Post-compromise data exposure and exfiltration (internal-to-external activity) such as communication with known C&C/C2 infrastructure, anomalous data transfer over SSH and DNS, and data exfiltration to Amazon S3 buckets and private cloud storage services.
Investigate: Your operations and IR teams can conduct real-time and forensic analysis of the core evidence found in network activity logs to investigate anomalous or malicious activity.
Fusion’s capacity to retain up to 12 months of historical data will accelerate your teams’ ability to investigate any activity.
Respond: The Fusion platform enables you to implement a range of response workflows in real time. Respond from within the Fusion platform directly or via built-in integrations with a range of technology partners:
- Push alerts to communication applications for distribution to diverse teams.
- Send alerts to AIOps and IT management systems for automated remediation.
- Forward alerts to SIEM and SOAR platforms for correlation with alerts from other security events to improve their detection fidelity.
- Quarantine devices using integrations with EDR or XDR tools.
- Block or redirect traffic from threat actors, or reroute traffic for further analysis, automatically using BGP, RTBH, Blocklist Manager, Flowspec over BGP, API, and DNS orchestration.
Benefits of Frictionless NDR
The Fusion platform overcomes numerous challenges that current cloud and on-prem NDR tools create when deployed in modern networks, including:
Eliminates Sensors
Frictionless NDR eliminates the cost and complexity of deploying sensors, probes, or taps to collect data. Deploying additional infrastructure is unnecessary to begin using the Fusion platform. Its architectural simplicity means you can start monitoring your multicloud or hybrid network activity in minutes or hours, instead of days or weeks.
Fusion’s 100% SaaS architecture uses your existing cloud and on-prem infrastructure instead of virtual or physical devices.
- Cloud flow and DNS logs: Forward them to a storage bucket, and Fusion will begin ingesting them.
- On-prem flow logs: Forward them to the Fusion cloud platform (customers have the option of using the NetoFuse connector to encrypt the upload).
Eliminates Deep Packet Inspection
Netography has created hundreds of detection models to deliver high-confidence, context-rich alerts to security teams without inspecting packets. Because flow and DNS data are ubiquitous in your network, it’s an extremely useful method for detecting active threat actors who have bypassed your other security controls.
While Frictionless NDR does not provide payload granularity like DPI, it is highly effective in detecting certain types of threats that packet inspection misses, such as lateral movement, command-and-control communications, and data exfiltration.
Moreover, flow-based analysis is well-suited to identifying long-term, low-and-slow attacks that may evade traditional signature-based detection methods. These types of attacks often involve subtle changes in traffic patterns over extended periods, which packet inspection will miss.
The Fusion platform can reveal a wide range of malicious activity in your network:
- Unauthorized Access Attempts and Lateral Movement: Detects attempts to access restricted areas or unauthorized movement within the network.
- Unusual Communication Patterns: Identifies potential botnet activity through irregular traffic patterns.
- Data Harvesting Before Exfiltration: Spots early signs of large data access or movement that may precede data theft.
- Internal Misuse and Policy Violations: Flags instances of employees violating internal policies or accessing unauthorized resources.
- Communication with Malicious IPs and Domains: Detects connections to known malicious entities.
- Anomalous Behavior Indicating Zero-Day Exploits: Uncovers deviations that indicate zero-day attacks or new threats.
- Network Scanning and Enumeration: Identifies scanning activities used to map and probe the network.
- Unusual Data Transfer Rates and Protocols: Spots abnormal data transfers or uncommon protocol use.
- Application and Service Anomalies: Detects unexpected traffic or behavior related to specific applications or services.
- Configuration Errors and Network Mismanagement: Reveals misconfigurations or errors in the network setup.
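The "before, during, and after" detections described earlier (reconnaissance, lateral movement over SMB, communication with known C2 infrastructure, data exfiltration) and several items in the list above can all be expressed as rules over flow records joined with asset context. The following is an added example, written for this page and not Netography's detection models or any part of the Fusion platform, that parses constructed AWS VPC flow log lines in the default field order, enriches each source with a constructed asset inventory standing in for CMDB, EPP, and vulnerability-scanner attributes, and runs four metadata-only detections. All hosts, the 198.51.100.7 indicator, and the thresholds are constructed placeholders, not real indicators or tuned values; records with a log status other than OK carry no addresses and are dropped by the parser.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset context, standing in for the CMDB / EPP / vulnerability
# attributes that get joined onto flow records. These hosts are hypothetical.
ASSETS = {
    "10.0.1.25": {"name": "hr-laptop-17", "env": "corp", "risk": 72, "vulns": 4},
    "10.0.2.40": {"name": "file-srv-01", "env": "prod", "risk": 35, "vulns": 1},
    "10.0.2.41": {"name": "file-srv-02", "env": "prod", "risk": 35, "vulns": 0},
    "10.0.2.42": {"name": "db-srv-01", "env": "prod", "risk": 60, "vulns": 2},
}
# Constructed indicator list using a documentation-range address; not a real IoC.
KNOWN_C2 = {"198.51.100.7"}

# Constructed AWS VPC flow log records in the default (version 2) field order.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.40 51522 445 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.41 51523 445 6 9 1400 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.42 51524 445 6 3 240 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.42 51530 22 6 1 60 1700000030 1700000090 REJECT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.42 51531 3389 6 1 60 1700000031 1700000091 REJECT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.42 51532 5985 6 1 60 1700000032 1700000092 REJECT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.42 51533 8080 6 1 60 1700000033 1700000093 REJECT OK
2 123456789012 eni-0a1b 10.0.1.25 10.0.2.42 51534 1433 6 1 60 1700000034 1700000094 REJECT OK
2 123456789012 eni-0a1b 10.0.1.25 198.51.100.7 40112 443 6 40 6200 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.40 203.0.113.9 40200 22 6 900 52000000 1700000200 1700000260 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.41 203.0.113.50 44100 443 6 20 3100 1700000200 1700000260 ACCEPT OK
2 123456789012 eni-0c2d - - - - - - - 1700000300 1700000360 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_vpc_flow_log(text: str) -> list[dict]:
    """Parse default-format VPC flow log lines; NODATA/SKIPDATA records have no addresses and are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def enrich(addr: str) -> dict:
    """Attach asset context; unknown hosts get a neutral record rather than being dropped."""
    return ASSETS.get(addr, {"name": "unknown", "env": "unknown", "risk": 0, "vulns": 0})


def detect(flows: list[dict], min_scan_ports: int = 5, min_smb_hosts: int = 3,
           egress_threshold: int = 10_000_000) -> list[dict]:
    """Run four metadata-only rules and return alerts ordered by asset risk."""
    alerts = []
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    smb_targets = defaultdict(set)     # src -> distinct internal hosts reached on 445/tcp
    egress_bytes = defaultdict(int)    # src -> bytes sent to external addresses
    for f in flows:
        src, dst = f["srcaddr"], f["dstaddr"]
        if is_internal(src) and is_internal(dst):
            ports_by_pair[(src, dst)].add(f["dstport"])
            if f["dstport"] == 445 and f["protocol"] == 6:
                smb_targets[src].add(dst)
        elif is_internal(src):
            egress_bytes[src] += f["bytes"]
            if dst in KNOWN_C2:
                alerts.append({"rule": "known_c2", "src": src, "detail": f"connection to {dst}:{f['dstport']}"})
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= min_scan_ports:   # internal reconnaissance: one source probing many ports on one host
            alerts.append({"rule": "port_scan", "src": src, "detail": f"{len(ports)} distinct ports on {dst}"})
    for src, hosts in smb_targets.items():
        if len(hosts) >= min_smb_hosts:    # lateral movement / ransomware staging fan-out over SMB
            alerts.append({"rule": "smb_fanout", "src": src, "detail": f"SMB to {len(hosts)} internal hosts"})
    for src, total in egress_bytes.items():
        if total >= egress_threshold:      # bulk outbound transfer that may be exfiltration
            alerts.append({"rule": "bulk_egress", "src": src, "detail": f"{total} bytes to external hosts"})
    for alert in alerts:
        alert["asset"] = enrich(alert["src"])
    alerts.sort(key=lambda a: a["asset"]["risk"], reverse=True)  # context drives triage order
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_vpc_flow_log(SAMPLE_LOG)):
        a = alert["asset"]
        print(f"[{alert['rule']}] {alert['src']} ({a['name']}, {a['env']}, risk={a['risk']}, vulns={a['vulns']}): {alert['detail']}")
```

Two design points carry over to any flow-based detection. First, none of the rules looks at packet contents: a port scan is many distinct destination ports from one source, SMB fan-out is many distinct hosts on one port, and bulk egress is a byte count, so all three survive full encryption of the sessions. Second, the asset join is what turns an IP pair into a triage decision; the same bulk-egress count means something different on a backup server than on a laptop with four open vulnerabilities, and the sort by risk score is where that context is applied.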
Support for All Five Cloud Platforms + On-Prem
The Fusion platform eliminates blind spots in your security strategy by supporting all five major cloud platforms:
- AWS VPC flow logs, AWS Transit Gateway flow logs
- Microsoft Azure NSG flow logs, Microsoft Azure VNet flow logs
- Google Cloud Platform (GCP) VPC flow logs
- Oracle Cloud Infrastructure (OCI) VCN flow logs
- IBM Cloud VPC flow logs
Post-Compromise Focus
Unlike traditional NDR (which focuses on detecting malicious content before it arrives at a targeted system), the Fusion platform detects anomalous activity exhibited by a system after compromise. By analyzing all communications between IP addresses, Fusion detects in real time when a system begins exhibiting anomalous or malicious activity, such as lateral movement, data harvesting, and data exfiltration.
Holistic View of All Network Activity
The Fusion platform lets you monitor all your cloud and on-prem network activity from a single platform, eliminating the challenges of running separate tools for each environment. Its frictionless architecture speeds deployment so you can start monitoring anywhere you want continuous network security and observability in minutes or hours, not days or weeks.
The Fusion platform delivers common datasets and detections that your NetOps, CloudOps, and SecOps teams can use, eliminating functional silos and isolated data sets. Fusion’s user-configurable dashboards and detection models eliminate the need to consult different tools by seamlessly adapting to fit different workflows, use cases, and teams.
Conclusion
Frictionless NDR from Netography frees you from the outdated detection and response approaches that no longer deliver value in modern networks. The Fusion platform delivers a range of significant benefits over traditional cloud and on-prem NDR, making it an ideal solution for anyone seeking to enhance their network security without introducing complexity or high costs.
By leveraging context-enriched metadata, AI-powered compromise detection, and frictionless architecture, Fusion provides real-time compromise detection, scalability, and ease of deployment. As a result, you can detect and respond to security threats faster and more effectively while reducing your operational burden and total cost of ownership.
If you’d like to learn more about Netography Fusion, contact us for more information, a demo, or to get started with a free trial.
About Netography
Netography is the leader in holistic network security and observability. The Netography Fusion® platform is the fastest and easiest way to detect anomalous and malicious activity in your multicloud, single-cloud, or hybrid network. Fusion is a 100% SaaS, cloud-native platform that provides frictionless detection and response to compromises and anomalies at scale in real time without the burden of deploying sensors, agents, or taps.
Based in Annapolis, MD, Netography® is backed by leading venture firms, including Bessemer Venture Partners, SYN Ventures, and A16Z.