Hello, everyone. Welcome to our webinar today. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole, and today I'm joined by Michael Tullius, who is Sales Director for Exeon Analytics.
Hi, Michael. Hi, John. Our topic today is going to be Why Network Detection & Response, or NDR, is central to a modern cybersecurity architecture. So let's jump right in. A few logistics things here. So everyone's muted. There's no need to mute or unmute yourself. We're going to do a couple of polls during my part of the presentation, and then we'll look at the results and talk about them. We will take questions, and we'll do Q&A at the end after our presentations.
And you can enter your questions in the control panel on the side at any time, and those will be registered, and we'll take them at the end. And then we are recording the webinar, and both the webinar and the slides should be ready in a few days. So with that, I'll start off and talk about, well, what is NDR? What are some of the key capabilities to look for? What are some of the use cases that I think are important?
And, you know, really, where does it fit into your overall security architecture? Then I'll turn it over to Michael, and he can go into more detail on NDR and the use cases that they see. Then we'll do those Q&As. So first up, I think, you know, let's talk briefly about, you know, what is the current cybersecurity threat landscape?
You know, we hear a lot about ransomware, fraud, data breaches of different kinds, intellectual property theft, advanced persistent threats. All these things are things that, as security professionals, we have to deal with and try to prevent every day. So talking about polls, we've done a number of polls over the last year, and we're always interested to find out what, you know, from other security professionals and executives, what are some of the top security concerns that they have?
And you can see ransomware is pretty much top of mind for everyone, has been probably for the last couple of years, just because it's become so pervasive and so damaging in many, many cases. Then we see concerns about things like attacks on critical infrastructure, malicious insiders, business email compromise, and its closely related counterpart, CEO fraud, DDoS, software supply chain attacks, and APT.
You know, APT is something that was a term that was coined probably 13 or 14 years ago now, but, you know, these things are still going on and things that we have to defend against. And all of these involve, of course, things like software and users, vulnerabilities, training, proper communication. But these are the things that most organizations are concerned about today. So looking at ransomware, ransomware has, of course, been in the news quite a bit over the last few years.
You know, it has been quite destructive. It really ramped up, I'd say, about seven years ago, and now it continues to target all kinds of organizations.
But, you know, in the last two years, we've seen much more focus on things like hospitals and clinics, as well as schools and state and local governments. I think these attack perpetrators know that many of these kinds of organizations can't really afford to be down. That's why they attack them.
But, you know, large enterprises are obviously still at risk, and small businesses and medium-sized businesses are too. I've heard, you know, years ago people would say, well, you know, I'm not in such a big business. I don't think I'd be targeted. But the reality is everybody's being targeted now. Anybody who's got, you know, money to pay is a potential ransomware target.
And, you know, we've seen some particularly devastating attacks, things that have disrupted businesses, entire supply chains, software supply chains, and even, you know, economies. The pipeline attack from a few years ago wound up having a pretty large impact across a large part of the U.S. So ransomware can be quite devastating, and it isn't always contained to the first targeted organization either.
We've seen ransomware attackers change their tactics, you know, evolving from like a screen locker to encrypting people's pictures or whatnot to, you know, encrypting business data, hard drives, network drives, and, you know, being destructive wipers, just, you know, wiping out data, not even trying to encrypt it. And, you know, more recent cases there have been attacks where the data is sort of stolen and then threatened to be leaked, so not even encrypted. So there's a whole lot of different tactics that can be used by these perpetrators.
You know, I mentioned the pipeline. There have been other attacks on critical infrastructure, anything ranging from attempts to sabotage, like with a water treatment facility in Florida, tried to deliver malicious firmware, denial of service, you know, within plants or from outside different kinds of plants, ransomware, as we've been talking about, and how it affected the pipeline. And even in that case, you know, there's a concern for attack spillover from the IT environment.
In fact, you know, in some ways, that looks like to be the most common vector for, you know, operational technology to be attacked from the IT side. I mentioned advanced persistent threat.
You know, they're still out there. These are things that are perpetrated by either state intelligence agents or corporate espionage or sometimes those working together. They often use advanced or zero-day malware, you know, malware that's based on vulnerabilities that haven't been detected or mitigated yet, so they can exploit that.
You know, the biggest risks around APT are loss of intellectual property and loss of competitive advantage. But, you know, even going beyond that, it's possible that losing your IP, losing your competitive advantage, can be an existential threat for a company. That's why APT are still incredibly dangerous.
And then, you know, if you're an organization that has very sensitive information, maybe government-related information, there can be fines associated for losing export-controlled data. So with all these things in mind, let's take our first poll question and just kind of following up on what we saw in the first chart. What are the kinds of cyber attacks that you and your organization are most concerned about today and for the foreseeable future?
Is it ransomware, software supply chain attacks, CEO fraud or business email compromise more generally, loss of intellectual property, or data breaches that involve PII? Great. So keep on voting. It's nice to be able to get this in real time.
So yes, you know, nearly 50% are concerned about ransomware, and then software supply chain attacks and loss of IP are sort of tied for second. And data breach loss of PII is third then. Very interesting.
So yeah, now let's take a look at a more in-depth overview on NDR. So what does NDR do or what should it do? A little hint on how it's deployed. You can deploy it either inline, you know, in your network or, you know, in your cloud instances.
You know, in that case, it would be like off SPAN ports, off the switches. Or another way of doing it is with offline log telemetry processing. And in those cases, you've got to make sure you configure all of your telemetry-gathering devices or instances, if they're like virtual machines or virtual appliances, to be able to send that to your central NDR console. But we'll talk about the deployment a bit more in a minute. NDR should be able to detect both north-south intrusions, you know, things coming in from the outside, as well as east-west or lateral movement.
This might be, you know, reconnaissance of an attacker that's already compromised one or more machines, trying to look for, you know, what data they might want to exfiltrate or even malicious insiders. And it's also important to point out that NDR can be particularly effective in OT or ICS environments. That's operational technology and industrial control systems. Because a lot of these tools understand at the network protocol level those kinds of protocols that are used in OT and ICS environments, which tend to be very different from the ones that we see in enterprise environments.
You know, most of those kinds of protocols are for connectivity between SCADA nodes or PLCs, programmable logic controllers, human and machine interfaces, various sensors. So having a protocol-level awareness of the kinds of traffic in OT and ICS environments is very important for an NDR solution to be able to understand that and be able to detect when threats exist in those kinds of environments.
NDR tools also have threat hunting tools built in, you know, to be able to do both sort of investigations of what may have happened as well as, you know, a more proactive threat hunt, find a new indicator of compromise, and then go look for signs that maybe that's happening in an enterprise. And, you know, it can find evidence of malicious activities when other tools might miss it. And by this, we mean, you know, everybody, every device, if at all possible, should run some sort of endpoint agent, endpoint protection, detection, and response.
But, you know, there are some kinds of devices that can't, you know, for a variety of different reasons. Maybe they don't have an operating system that's supported.
Maybe, you know, the support is provided by a service, a manufacturer, and, you know, it might void the warranty to put some sort of additional security software on there. So there's reasons why you might not be able to install security software.
NDR, you know, sitting at the network level can see, look for signs that something is missed on your network, you know, look for those anomalies and report when it finds them. So it can be really the last place to find signs of malicious activity. And then it should also be able to provide automated responses, you know, we'll look at the responses more in detail in a minute or two. But things like, you know, blocking traffic, isolating nodes, DNS sinkholing for DDoS attacks. The top use cases we see are increasing that visibility.
You know, like I said, agents are good on endpoints, but they're not everywhere, so you might miss attacks if you're not looking at the network level. Rapid ransomware response.
You know, let's say an endpoint gets compromised. It's great to be able to shut that down at the network level, prevent it from, you know, contaminating other network drives or cloud-hosted systems. So NDR can find that and go, okay, let's automate that response. Let's block access so that it doesn't encrypt or steal other data.
It can assist with those APT investigations, look for indicators of compromise, look for those signs that an attacker may have compromised something else and is now looking around your network, you know, looking for other kinds of unusual communications or command and control communications. It can be the last place to stop, you know, IP and PII from actually leaving your network.
You know, being able to shut that down, terminate connections if it looks like, let's say, an endpoint is trying to send up data, you know, that it's encrypted using some strange tool or something. You can use NDR to stop exfiltration. And it's good for insider threat investigations, you know, looking for, you know, unusual traffic and at different times that might be a sign that, you know, a particular machine has been compromised and it's not really that user on that machine, you know, trying to send information out or trying to access information that that machine's never talked to before.
And then lastly, it's got to be part of your overall security infrastructure, so it needs to be able to interop with SIEM, security information and event management, and SOAR, security orchestration and automation and response. The key features we see are, you know, support for the different environments.
You know, it's got to be able to work on-prem, in hybrid modes, in infrastructure-as-a-service cloud, and then in the OT/ICS world. It should be able to do encrypted traffic analysis. You shouldn't have to decrypt traffic to go through NDR to understand what it is. And there are a lot of different methods. I won't read them all out here, but there are a lot of different methods that NDR vendors have come up with to look at, just say, you know, header information to figure out if traffic is legitimate or suspicious.
And to do that, they often use or they really have to use machine learning, both unsupervised to sort of categorize or find anomalies and then supervised to categorize those different kinds of traffic and tell you, you know, what potentially what kind of threat it is. It has to be trained on real data, not just academic data sets. It's best if it's trained on data from within your particular organization. It needs to be able to get cyber threat intel.
You know, many different sources for cyber threat intel, but it needs to be brought in and, you know, applied to the circumstances in which it operates. NDRs have consoles for SOC management, forensic investigations, threat hunting. They need API exposure so that they can interoperate with other parts of your security infrastructure.
You know, SIEM and SOAR being probably the two main use cases, but there may be others like ITSM systems. And then lastly, playbooks.
You know, a lot of what security analysts have to do can be very repetitive, very time-consuming, being able to automate parts of investigations, opening tickets, you know, getting IP reputation information, or even just, you know, once you know that IPs or whole networks or domains are bad, being able to automatically block access to those things are ways to, you know, decrease your attack surface and do so in a way that's much more efficient and a better use of your analyst's time. So where do you deploy NDR?
If you're doing an agent-based system, you really need agents or virtual appliances off of all the different network segments, we'll call them, you know, whether it's in your office or, you know, around if you haven't completely de-perimeterized and you're using firewalls or WAFs or email and secure web gateways. They collect, of course, your IT or your OT and ICS environments as well and cloud. All that needs to be able to roll up to an NDR console, which can then, you know, interact with external cyber threat intelligence sources.
It should be able to pass this information, as we've said, to SIEMs and then be utilized by SOARs. But, you know, it should be bidirectional communication between NDR and all of its sensors or virtual appliances in the cases where, you know, it's not actually sitting right off of a SPAN port. But API connectivity in those cases is very important. So on the response side, we expect it to be able to, in the NDR console, to allow an analyst to run those CTI queries, collect forensic evidence.
Ideally, that would be automated because even the evidence collection stuff can be kind of tedious. A lot of it can be scripted.
So, yeah, be able to run scripts to support threat hunting. Incident response, once you find something, you know, scripting out, you know, how to begin to shut it down and recover from that. Create cases and open tickets. That's where, you know, having API connectivity to an ITSM is useful.
Of course, you should be able to alert SOCs and analysts. Get those tickets to the analysts. Get it pre-populated with the kinds of information they need to be able to sort of hit the ground running in an investigation and not have to look up lots and lots of stuff just to get sort of the lay of the land when they first receive that case.
It should be able to isolate nodes and networks, as we've said, and then ideally be able to update detection rules based on the findings so that, you know, once you see something that's potentially malicious on one machine, you should be able to look for that across your entire network estate. I want to briefly talk about MITRE ATT&CK. MITRE ATT&CK is a framework that shows tactics, techniques, and procedures that are common to most cyber attacks. I've got a lot of info on here, and I'm kind of running out of time, so I'll just kind of go through this quickly.
The colored boxes are the different tactics and techniques in the MITRE ATT&CK framework, starting with recon, you know, in the initial stages, and then ending up with impact on the bottom right. And what I wanted to do here is kind of show where NDR fits in. So obviously it's DR, detection and response. It's going to be more in the detect phase. So you see NDR becoming, you know, an important tool to find evidence of persistence, evidence that it might try to evade defenses, evidence of lateral movement, for example, or trying to collect information, do that C2 communication, or exfiltrate.
So again, you know, particularly malicious APT campaigns will do things like erase logs on machines where they have compromised those systems. So, you know, I'd consider that a defense evasion technique. They could also try to shut down, you know, other security systems, security agents on endpoints.
And NDR, again, can be a way to look for signs of that defense evasion. So quickly wrapping up my part here, we'll do the second poll. What do you think are the three biggest challenges in implementing cybersecurity? Is it a budgetary limitation? Do you feel like you have siloed organizations where maybe you are in a big conglomerate and you've got multiple independent, you know, almost autonomous business units that maybe don't have to adhere to the same overall enterprise architecture, and you can't force them to use, you know, a particular product? Is it the skill shortage?
Or do you think, no, you know, we've already got too many tools, it's difficult to manage what we have? Or lastly, could it be stakeholder management? Too many or maybe your executives aren't completely bought in on spending more on your cybersecurity budget or there's confusion over what the priority should be. Okay.
Well, this is interesting, too. We're split between budget and too many tools. Those are the top vote-getters here.
I mean, I can certainly understand a budget being a concern, you know, for the last few months as we sort of move into economically uncertain times, but that's what we've changed. Okay. So right now we have too many tools. Okay. So just a reminder, you can submit questions into the Zoom control panel here, and we'll take those questions at the end. And with that, I'm going to turn it over to Michael. Okay. So just some small advice. Who is ExeonTrace, or Exeon, the company? We are a Swiss-based XDR vendor.
And I will talk about a little bit of a solution with our solution as a software, increasing the visibility. One of the key things is that all data are stored locally. So where the software solution is stored, any data for analysis is stored. In that case, probably most in your private network. We're using metadata to reduce storage and stuff, and we are designed as an easy integration into your existing environment. So there are some key parts in that area. Looking to why is network detection response important to your network?
What we can see is that perimeter security starts to get a lot of investment. But we know nobody is perfect. Attacks are going through. The endpoint security, for another place to see, cannot cover anything. Because like John said, we have a lot of devices in your network where you can't place an agent. Where from a network perspective, not like a laptop or whatever, and we will see what I mean with that. But in both sides, between perimeter and endpoint security, you have the network communication. And network communication is key for anything in the IT area. We know that.
But it's a lot of times a hidden place. It's just there. We recognize this if your laptop or your connections are not working, if the performance is not good. But what we need to do is a security monitoring of this network communication. And why is it? I have three different views on that. A little bit from a management perspective, from a network security admin perspective, and from a CSIRT SOC perspective. So I will show you in the next minutes some examples of that. Starting from an IT, and looking from a management perspective, what means IoT? We know that we don't have security on design.
So we know that we need open communications, even if you have software. You have API libraries. You need to communicate in between. You have software development kits, the SDK part. And while there is no security by design, we also know that we have open doors. We have mistakes there. And this is one part of IoT. So it's not like the typical, oh, here's my handy. Here's my lighter, my light, or whatever. It's much more software, which has its own security risk. The other part, which I think from an Internet of Things, is devices which have no Internet connections. Very interesting, I can say.
I'm talking about Internet of Things, and then I'm talking about devices which, let's say, have no Internet connection. This is, by the way, wrong, because they have connections to the network infrastructure. And either they have a connection to clouds, to remote services, or whatever. These are Internet connectivities which are indirectly connected. And what I mean, these are sensors, which is production environment, OT environment, and I'm showing you a little bit later why. And you need to think about that.
Devices which you think are connected, while they have no Internet connectivity, but they have connectivity through the Internet or through partners or through vendors with your backbone. So this needs attention, too. And then we have the part which has Internet connectivity, and you see the car. It's so easy to break down the internal firewall in a car, and coming from a car perspective, over the car, and open APIs to your handy, and then going into your company Internet. So these parts need to always get some attention in that case. And we have a security layer.
In a lot of cases, we see that this is missing to monitor what's going on on these devices, because sometimes they are so standard, you don't think about this, and you don't even think that they can be used to break into your network. And it's not a classical ransomware in that case.
Yesterday, we saw a message. There's an active group called Titan, which is focusing on critical infrastructure, and is starting to prepare to break down your connectivity in that case. An interesting article. You will find this, I'm pretty sure, on the Internet, which gives a completely different focus on why an NDR is important. So blind spots in the IoT world need to be monitored. And in a lot of cases, you can't use agent technology. You need to monitor it just from a network perspective, this part.
The other part is going, if you go in the security layer stack, we see always the blind spots starting with advanced threat protection, like John said, going into network security, how you're proving your policies from your firewall, from your different routers. Do you have a real-time monitor cross over your network? 90% of the companies I'm asking, do you have an overview about any connectivity in your network? And the answer is mostly no, because it might be from a performance perspective, from an error research perspective, but not from a security perspective.
And if you're going around all these stacks, going from network security to data security, it's not only data leak prevention. You need to see if data is going out of your network if you don't want from it. You need to monitor your DNS infrastructure and HTTP, and especially monitoring what you are doing, going from a zero-day perspective, where you don't have any signature. You don't have a use case in that case, because it happens now. It happens real-time. It happens with new ideas from a hacker perspective to break into your network, and you can't see this with standard tools in that case.
The last part, which I'm looking at, is in the OT environment. And if you are going here, you can see how the enterprise and your internal network is going more and more in the OT area. We're talking about IP. We're talking about connectivity and connections we need in that case.
Yes, on the process side and the SCADA zones, you have special protocols, but it's going more and more in an IP layer perspective. And even if you have network segments and you say, yes, this is a completely separate area, I tell you it's not, because you need remote connections from your vendors. You have your administration part where work needs to be done. So you have, like you can see, a remote access server, factory-proc application servers, which are addressed by IP. And that means the communication is in here, and it's not encrypted in most cases.
But there's a clear communication in the OT environment. So these are the three segments. So it's IoT you need to consider. You need your normal IT office environment you need to consider. And you need an OT environment. And they're coming more and more together. This gives a higher risk in that case. What we are doing is we are a software appliance. Why we saw the need: you can't put more and more hardware in your network. Because if you're looking from a hardware perspective, you need to increase capacity on your routers. You need additional taps. You need additional firewalls.
Because we, of course, are not enough. The performance is not enough. And if you are putting DPI products in your network, there's a lot of effort more. And we think a much smarter way, and this is why we say next-generation NDR, is getting what you have already in the infrastructure. So that means firewall logs, NetFlow logs, also private and public cloud logs, where it gives us information about how your communication acts in your network, going out of your network, coming into your network. But this is not enough. You need to analyze DNS. You need to analyze also HTTP.
You say, okay, HTTP is encrypted. But if you're losing security in that case, you're getting information where the traffic is going, which is unencrypted in that case. So you can see how it goes. And you need to monitor the HTTP traffic, because it's very commonly used by hackers to build connections to a command and control server, to unauthorized services. And I'll show you some examples how it works in that case. The last part, and why I say it's NDR and a little bit XDR, is that you have additional log data, which is related to your connectivity network.
That means CMDB data, Active Directory. If you're using threat feeds on IoCs, we are basically always signature-less. That means our machine learning is independent from the signature because it's based on behavior. And you need to do this, especially if you're going on a zero-day environment in that case. And that's why we have different machine learning models, which work to minimize only one-side alarms, to work independently from any signature. We can use threat feeds and signatures as an addition, but there's no need in that case.
And that helps a lot to minimize any efforts, how to handle the system, how to minimize false positives, and that the focus is on communication and what's going on in your communication in that case. Yes, the integration is high because we need to integrate it in CMDB source so that you can use it in existing environments and that the additional tool, like you mentioned, is integrated in your environment and you need it as a resource, which is taking not away additional personal resource, which can be managed, by the way, from a software also. A network and security admin has some advantages.
On one side, we see, like we said, lateral movement. We see scanning parts in your network, which you may not want, which, by the way, might not be a hacker. It could be internal software, internal appliances, and whatever, so we can learn also how to optimize your network. And the network and security admin also has a very quick graphical view of what's going on. You got an alarm.
Hey, what's this here? And you see, oh, this is an abnormal event. That's not normal in my network.
But he also needs to drill down from this part to see what's going on, who is affected, what kind of service was it, when was it, which time frame, and get a clear picture in seconds so that he can follow up and maybe solve the situation or add, no, this is a typical situation where my IT was installing a new server or a new application and, yeah, let it work; or it's an SSH session, which is coming from outside, which might be a hacker, because it's not allowed, and you need to stop this, in that case. That is one part.
That's an important part, how to visualize that you're doing security on a visualization level and not on an Excel list, so that you can do a small, very quick trick to drill down on that. The part, what we are doing, is internal shadow IT, external shadow IT.
Also, it's very important to have custom-specific text to monitor a critical server, critical communication in your network, because any network is individual and it's always in a movement area, where you say it's living. There's no day where a network is looking like the other day. And so you need to have specific text to do a configuration with this in your own network, or on your own network specifics.
Important, also, to detect non-authorized services, and again, the graphic view helps in a daily business a lot, especially if you're looking from IT, OT, and YMS, in that case. From a SOC perspective, the use case, there are only some use cases, is if you're looking to analyze HTTP, you can see, theoretically, if there are unauthorized cloud services, or mail services, and how communication is running in that case. Is it a raw event? Is it just happening in that case?
Or is there a user who is using services which are not allowed, likely doing, oh, I need, again, my data on my private phone, or my company laptop is broken, and I'm just sending two boxes of data, or something like that in that case. It's just an example, and this is not a hacker example. This is a daily user example. In that case, figure out unauthorized cloud and mail services, for example, and you can see, it's just with a click.
The other part, is if I'm looking for more XDR environments, you can also build algorithms, and analyzers, in a way, show me devices, if their IoT load is, their memory load is changing. If the CPU has a change, and is using more frequently than normal, or there's a load memory percentage, which is going up normal.
This is a design from a perspective, from an IoT perspective, or we did it for the banking industry, monitoring ATMs, which you can use, not monitoring from a software perspective, but monitoring from a network perspective, and we want to see if a hacker is manipulating this, so it can use this. There are a lot of examples which go beyond the normal network detection and response, but it's an integration, and that's why I'm saying, we're monitoring communication, in that case, and how a device communicates. The other part is DNS. I can give you an example.
We have a standard environment, like a company, which have just 2,000 devices. They are generating on a database, 18 million flows per second, on one side, but on the other side, 18 million DNS requests daily, and you need, and this is just an average size, in that case.
If you're looking from an HTTP perspective, you can imagine, we have something like 1.5 million HTTP requests per second, and out of this amount of data, we are finding a hacker, and saying, okay, looking at the DNS, and the millions of requests, we say, found this communication, which is a command and control communication, as an example, or we see that malware is starting to use DNS channels in that case. That is why we're using machine learning algorithms to find this communication, and this helps us out a lot, in that case. It's all about zero day.
It's about zero day threats, which you're going through with machine learning and AI. We don't need use cases, because this is based on anomalous behaviors, and it helps to write use cases if you have a SIEM, because a SIEM is acting only if you have use cases. If you have no use cases, a SIEM doesn't help, because it doesn't know what it has to look for. It's a detection based on your own network environment, and it's deployed based on your network environment.
You can see that you've got a 360 degree view, including the different security layer stacks, and we're trying to close the blind spots and help on zero day detection, on a dynamic zero day detection, with security monitoring and analysis, in that case. That's why, from a software perspective, it's important, in that case. It was very quick, and again, usually I'm taking a little bit more, half an hour more, to go through with more examples, but time is running, and I hope you find this helpful, so we can go to the Q&A section, in that case.
So yeah, we'll move into the Q&A section, but first up, I wanted to remind everybody that we're having an event in Frankfurt in November, cyberevolution, where we will be talking about subjects like NDR, so I invite you to join us there. And on the topic of NDR, I've got a Leadership Compass, a Buyer's Compass, and an Executive View on the Exeon Trace product, and there are links that you can find in the slides when that is published as well. So with that, let's take a look at the questions.
First question, let's see: do you install NDR agents on network devices only, or also on all endpoints, or is it partly logs and agent information?
So this is a really good question. I'll start off, and then you can jump in there too, Michael. NDR agents, well, I would say there are two major architectural models. If you've got an appliance based, or even a virtual appliance based, NDR solution, that doesn't really go on the endpoints or servers; that's something that needs to plug into your router or switches, so you only need that wherever you have network equipment, and/or the cloud. There are also virtual images that are used to monitor, and be able to take responses, on cloud hosted instances as well. So it's not something that has to go on individual endpoints and servers; it's purely at the network level. And then there's also another mode where you get those network devices to send their telemetry to an NDR console, and then the NDR console should be able to instruct it to do full packet captures, or IPFIX, or whatever is needed to collect all the information. So yeah, to answer that part of the question, no endpoint agent is necessary; it has to be able to collect information from the network, and there are two major ways to do that. The second part was, is it partly logs and agent information, and I think that's kind of covered there. It's not really logs; it's collecting more detailed network level telemetry. That would be more like a SIEM, if it was just sending logs, so you need much more detailed network level telemetry to be able to really do NDR appropriately. What are your thoughts on that, Michael?
Yeah, I can talk from our vendor perspective. So we don't need any agents; we're taking log files, we're taking NetFlow protocol files, we can incorporate EDR log files, by the way, but we are completely agentless, because we cannot build agents for network devices, because we cannot go on operations; this is up to network vendors. So log files, and NetFlow is a protocol which is part of network devices and switches, by the way, and so you can enable this and send us the information, because we are a software solution which is based on a VMware server, and then we are working with all these kinds of data, and it just builds up the complete communication across your network, network segments, and whatever it is.
Okay, great, thank you. So yeah, feel free to enter another question or two in the question blank; we've got one more, two more here we can take. The next one is, do companies who use a SIEM or EDR really need an NDR, and if so, why? I would say yeah, because it's really doing network level detection; it depends on network level data, and you're not necessarily going to get that from SIEM or SOAR, unless you've got that visibility, and that's what NDR allows you to have: network layer visibility into what's going on. And EDR, EPDR, endpoint protection, detection and response, the combination of endpoint security plus EDR, are great, and I think are absolutely mandatory; you need it on every business device that you can possibly put it on. But in the case of sophisticated attacks, attackers have been known to even wipe out NDR logs, and occasionally, if they know how, disable some of those kinds of services. So I think, as I said before, NDR is sort of the last place that you can look for signs of an attack, if a really knowledgeable attacker has been able to get in and clean up all traces of what they've been doing. What are your thoughts on that, Michael?
I guess one of the major differences is, with an NDR, a SIEM needs constant consulting and use cases. If you don't have use cases, you don't know what to search for, right? So it's not only the graphical view; you need, like I said, if you're looking through the billions of, millions of data, machine learning algorithms which are designed for network communication. That's one of the big differences. Second, in a SIEM, if the SIEM has no use case, you have a blind spot, because you don't see it, and a SOC analyst needs to write a use case for this. So this is first of all, and you need to constantly do this. And the third one is, a SIEM has a lot of false positives, as we get feedback from customers. And one of the major arguments is, if you focus on this communication, which reduces false positive alarms, you get more efficiency in that case; you are quicker, you're looking for zero day, because you don't use use cases to get an alarm from a network communication point, and that's an advantage if you're working in addition to a SIEM.
In EDR, there's also no focus on the network communication; it's on the device base level, right? And you mostly need an agent, right, so you're missing all devices which don't have an agent installed, from an EDR perspective, and sometimes you have devices on which you can't install an agent software, sorry. And we go closing this gap and this blind spot also. So we are in addition, and we're working close together, in that case. We cannot replace an EDR, we cannot replace a SIEM, but we can make them more efficient, while we have the complete network communication in focus.
Yeah, I want to follow up on something you said there that is really interesting. I mean, you mentioned machine learning, and just to explain why I think that's so important: if you think back 20 years ago, there were systems we called intrusion detection and intrusion prevention, and you might think of how we've described NDR and go, well, this sounds a little bit like intrusion detection and intrusion prevention, and that's true. But what I think the key differentiator is here, is NDR really has to use ML, because the volume of traffic, even on a small business network, is such that it'd be like looking for a needle in a haystack to find something that looked anomalous, or even suspicious. So by looking at characteristics of network traffic, things like the HTTPS headers, the TLS, just keeping in mind which machines talk to which other machines normally, doing that baseline, understanding what's regular for your environment and what is not, that's something that you absolutely have to have ML for, in order to be able to do it at scale and at line speed.
Like I mentioned, a 2000 employee company, right, generates 18 million flows per second, as I said, and if you look at 1.5 million DNS requests per second, right, and then millions of HTTP requests per second, you have billions of data which you need to look through. You have to optimize them before you start machine learning, and without machine learning you get lost; nobody can do this manually, or see this, right? And just a reminder, you use this mostly if it's too late, if the hacker is in your network. So the NDR is your last instance, I guess. The hacker is on your network before you, if an NDR is detecting that anomaly, you have it in, and there's no doubt, and it's the way to protect you at the last, very last, when a hacker is successful, right? You should be aware of that case, right?
One thing to add there too, I mean, thinking about the answers to the poll questions, where, what's your biggest problem in cyber security, and it's having too many tools. I get that, I fully understand that, because it can be costly, it can be difficult to manage. But again, we go back to visibility, and another plane for control. Not having visibility and control with the network layer can be catastrophic at times. If an attacker is able to gain control of many endpoints, then you can be fighting an uphill battle to just remediate and get the attacker out of your environment, but if you can control the network, that certainly gives you an advantage in things like very sophisticated APT campaigns.
Yeah, I mean, I remember one, a good time ago, where we say, you know, the bird, the ostrich, when there was a danger, he put his head in the sand, right? And you can go two ways. You can say, yes, I have too many tools; if I don't know it, and if I don't see it, I don't care about this. But I guess, especially in that time, it doesn't help us.
You need to prepare, you need to think in the long run, you need to fix your problems in your network, and by the way, visibility shows here. I mean, we just have a customer.
He says, wow, I even had no idea why I had 20 FTP servers in my network doing Telnet sessions, which I thought were gone, right?
So he has open doors in his network and nobody was aware of that. And you need to close these, and you don't, because you don't see this. It's just a small example. Visibility is one, and the security visibility, by the way, is much more important than just performance.
The role of an NDR will be more important to change.
Agreed. Let's take one more here.
And this is kind of product specific, so I'll leave it for you, Michael, but what makes Exeon NDR different compared to other NDRs in the market?
We're not using just network collections. We are also using other protocols, like, like I said, DNS, proxy, and even going extended so that you have special log files.
So this is one specialty of Exeon. Second, we are built from a workflow perspective, exactly how software analysts are working. And that is feedback from our customers. So it's software, right? And there's a differentiator, but you have other software vendors. Yeah. But the combination, on one side, that we are using communication from the network, log files, and including HCR, to make sure that the false positives, no, I was wrong.
Sorry, my English. We are using the extended part to make sure that any alarm that is brought up on communication has, let me say, 99% accuracy.
And so we're looking beyond network detection, including other parts, so that you've got more of a bigger picture of what's going on in your communication. Okay. So that's the goal of our analyzing the communication, and looking a little bit beyond the network part, going in an extended way. Okay.
So that's, and the last point, we are local. The data are local.
The data are stored in your, in the core of your network, or if you have a cloud strategy, you can install this in the cloud, but you have everything local so that you can use it in a local way. That's for Germany.
Also very important. That gets. Good. So I guess our time is gone, John.
Yeah. Yep. We're almost at the top of the hour. So thanks everyone for joining in. Thanks for watching the webinar.
And thanks Exeon, and thanks Michael, for your great presentation today.
Thanks John. It was a pleasure to talk to you and discuss with you that case. Hope you enjoyed it and you found a lot of fruitful information.
Yes. Yes. Thank you.