Reducing Cyber Risk: How NDR Tools Fit in an Active Cyber Defence Strategy

Hyprfire Strategic Advisor, Network Detection and Response
Dr. Marcus Thompson

Previously, our Strategic Advisor, Dr. Marcus Thompson, shared his thoughts on what's needed for an active cyber defence strategy. Read below for the full LinkedIn article:

Reducing Cyber Risk: How NDR Tools Fit in an Active Cyber Defence Strategy

Cyber security is now as topical in the boardrooms of Australia as workplace health and safety and financial risk. Last year we saw major cyber attacks on Optus, Medibank and a host of other organisations.

We’ve had Prime Ministers, business leaders, senior bureaucrats and other commentators warn of the potential for serious cyber-attacks and encourage the implementation of cyber security measures. And we have had the most significant investment in the Australian Signals Directorate since the end of World War II.

So, what do Australian businesses need to do to beef up their cyber security?


If you have read any of my previous articles, you will know that I am a big believer in a comprehensive approach to cyber security combining self-defence (individual security), passive defence (firewalls/perimeter, anti-virus/endpoint), and active defence (managed detection and response, threat hunting, threat intelligence, etc.).

To only partially address these functions is to be only partially secure.

To be partially secure is to be insecure.

Most medium and large businesses should already have self defence and passive defence measures in place or under development. While these are critical elements of a sound cyber security strategy, it is a commonly held view in the cyber field that a motivated attacker will get past your passive defences. Hence the need to add active defences. In this article, I want to provide advice on how organisations can further reduce cyber risk by adding active cyber defence tools to their arsenal.

What is meant by “active cyber security”?

It is the concept of actively monitoring or “patrolling” your own systems, so that you know what is happening on those systems, and notice when unexpected activity occurs. It’s like having a security guard actively patrolling the inside of your network to look for criminals who snuck past the passive security guards standing at the entrances.

An important aspect of active cyber defence is employing the best tools, including next-generation Network Detection and Response (NDR).


Network detection and response (NDR) tools automatically detect abnormal system behaviours by applying behavioural analytics to network traffic data. They continuously analyse raw network packets or traffic metadata between internal networks (east-west) and public networks (north-south).

NDR can be delivered as a combination of hardware and software sensors, plus a management and orchestration console delivered either as on-premises software or as SaaS.

The purpose of NDR is to help organisations detect and contain post-breach activity such as ransomware, insider threats, and lateral movement.
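To make the "behavioural analytics on traffic metadata" idea concrete, here is a small added example (my own illustration, not Hyprfire's product code or any real NDR engine). It works only on flow metadata (source, destination, port, byte count, timestamp), so it never needs to decrypt or inspect payloads; it classifies each flow as east-west or north-south using the RFC 1918 ranges, builds a per-host baseline of "normal" peers and outbound volume, and then flags two post-breach patterns: an internal host talking to an internal peer it has never talked to before (a lateral-movement candidate) and an outbound transfer far above that host's usual volume. Duplicate alerts are suppressed so the output stays quiet. All flow records, addresses and thresholds are constructed for the example.

```python
"""Toy behavioural NDR over flow metadata (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# "Internal" here means RFC 1918 address space; adjust for a real estate.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed values)
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent src -> dst; the payload itself is never read


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """Classify a flow as east-west (internal to internal) or north-south."""
    if is_internal(flow.src) and is_internal(flow.dst):
        return "east-west"
    return "north-south"


def build_baseline(flows):
    """Learn, per internal source host, its known (dst, port) peers and mean bytes per flow."""
    peers = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # host -> [total bytes, flow count]
    for f in flows:
        if not is_internal(f.src):
            continue
        peers[f.src].add((f.dst, f.dport))
        totals[f.src][0] += f.bytes_out
        totals[f.src][1] += 1
    mean_bytes = {host: total / count for host, (total, count) in totals.items()}
    return {"peers": dict(peers), "mean_bytes": mean_bytes}


def score_flows(baseline, flows, volume_factor=10):
    """Return (ts, src, reason, detail) alerts for flows that deviate from the baseline.

    Two behaviours are flagged: a new east-west peer (lateral-movement candidate) and an
    outbound north-south transfer more than volume_factor times the host's mean. Repeated
    alerts with the same host, reason and detail are suppressed to keep the output quiet.
    """
    alerts, seen = [], set()
    for f in flows:
        if not is_internal(f.src):
            continue
        known = baseline["peers"].get(f.src, set())
        mean = baseline["mean_bytes"].get(f.src)
        alert = None
        if direction(f) == "east-west" and (f.dst, f.dport) not in known:
            alert = (f.src, "new internal peer", f"{f.dst}:{f.dport}")
        elif direction(f) == "north-south" and mean is not None and f.bytes_out > volume_factor * mean:
            alert = (f.src, "outbound volume anomaly", f"{f.bytes_out} bytes to {f.dst}")
        if alert and alert not in seen:
            seen.add(alert)
            alerts.append((f.ts, *alert))
    return alerts


# Constructed baseline window: two workstations talking to an internal server and a SaaS host.
BASELINE_FLOWS = [
    Flow(1000, "10.0.1.5", "10.0.2.10", 443, 4000),
    Flow(1060, "10.0.1.5", "203.0.113.7", 443, 6000),
    Flow(1120, "10.0.1.5", "10.0.2.10", 443, 5000),
    Flow(1180, "10.0.1.6", "10.0.2.10", 443, 3000),
]

# Constructed detection window: 10.0.1.5 starts probing peers on 445 and pushes a large upload.
NEW_FLOWS = [
    Flow(2000, "10.0.1.5", "10.0.2.10", 443, 4500),     # normal
    Flow(2010, "10.0.1.5", "10.0.1.6", 445, 800),       # new internal peer -> alert
    Flow(2020, "10.0.1.5", "10.0.1.7", 445, 800),       # another new peer -> alert
    Flow(2030, "10.0.1.5", "203.0.113.7", 443, 90000),  # 18x the host's mean -> alert
    Flow(2040, "10.0.1.6", "10.0.2.10", 443, 3100),     # normal
    Flow(2050, "10.0.1.5", "10.0.1.6", 445, 900),       # repeat of an earlier alert -> suppressed
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for ts, host, reason, detail in score_flows(baseline, NEW_FLOWS):
        print(f"{ts} {host} {reason}: {detail}")
```

A real NDR sensor would learn baselines continuously, track connection state rather than single flows, and weight alerts by context (port, time of day, asset criticality); the point of the toy is that every decision above is made from metadata alone, which is why encrypted traffic does not blind it and why no deep packet inspection is needed.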


NDR as a category is now considered a necessary part of any serious organisation’s security strategy. The research firm Gartner has for a number of years promoted the concept of the “SOC Nuclear Triad”, which evolved into the “SOC Visibility Triad”.

[Figure: SOC Visibility Triad (Gartner), as illustrated by Hyprfire]

The model addressed the concept of “security visibility” as broader than just detection or response alone. The proposition was that both detection and response processes need to source data from more than one key data channel and, ideally, all three key visibility channels. This approach of sourcing data from all three visibility pillars vastly reduces the risk of missing a significant threat during detection and investigation.

Stated in the reverse, organisations not using all three visibility pillars are substantially increasing their risk of missing a major security event.

As a side note, if you hear about tools offering XDR capabilities, this is simply an offering that bundles NDR together with endpoint detection and other features. Your XDR solution should still include NDR tools.


When organisations are exploring NDR options, they should consider solutions that are:

  • Simple to deploy

  • Fast to baseline “normal” network activity i.e. within hours

  • Affordable

  • Quiet i.e. a handful of high priority alerts a week

  • Sovereign

  • Can process encrypted traffic without decryption

  • Privacy conscious i.e. no deep packet inspection

  • Easy to integrate with existing solutions

  • Offers managed analysis and reporting


I’ve written before about the need for sovereign Australian cyber security capabilities. Our greatest threats come from abroad, but the bulk of our cyber investment goes abroad through the engagement of big foreign technology companies. More than ever, we need to build stronger sovereign capabilities at home.

I’m pleased that Australia now has its own NDR provider, in the form of Hyprfire. Hyprfire has harnessed new technologies at an Australian university in developing its next generation, hyper-stateful NDR tools. I’m proud to share that I recently became a strategic advisor to Hyprfire, and I look forward to helping them grow this sovereign cyber security company.


I retired from the Australian Army as a Major General, where my final appointment was as the inaugural Head of Information Warfare for the Australian Defence Force. I have a PhD in cyber security, and work with Australian businesses and organisations to improve their cyber security and resilience.

Want to learn more about active NDR? Start your free trial demo of Firebug today.
