ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Experience with NDR Solutions

    IT Discussion
    ndr security
    10
    34
    2.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      scottalanmiller
      last edited by

      What experience do y'all have with NDR (Network Detection and Response) solutions? Any that you've used, like, don't like? Anything open source out there? Thanks.

      D F 2 Replies Last reply Reply Quote 0
      • D
        dafyre @scottalanmiller
        last edited by

        @scottalanmiller said in Experience with NDR Solutions:

        What experience do y'all have with NDR (Network Detection and Response) solutions? Any that you've used, like, don't like? Anything open source out there? Thanks.

        Are you talking along the lines of Intrusion Detection or something more sophisticated?

        S 1 Reply Last reply Reply Quote 0
        • S
          scottalanmiller @dafyre
          last edited by

          @dafyre said in Experience with NDR Solutions:

          @scottalanmiller said in Experience with NDR Solutions:

          What experience do y'all have with NDR (Network Detection and Response) solutions? Any that you've used, like, don't like? Anything open source out there? Thanks.

          Are you talking along the lines of Intrusion Detection or something more sophisticated?

          Well, I know it is mostly a marketing term, but in theory a step beyond IPS.

          1 Reply Last reply Reply Quote 0
          • S
            scottalanmiller
            last edited by

            But honestly, it seems like just a scam. Like how SD-WAN is just code for "same VPN as always." NDR seems like code for IPS as always.

            1 Reply Last reply Reply Quote 1
            • D
              dafyre
              last edited by

              If you want to stick in that vein, I'm familiar with two of them. Snort and Suricata.

              I've run both in IPS mode (where they actively block attacks). Suricata is the more performant option from my experience.

              It's been a while since I've run either of them on live traffic though.

              T 1 Reply Last reply Reply Quote 1
              • T
                travisdh1 @dafyre
                last edited by

                @dafyre said in Experience with NDR Solutions:

                If you want to stick in that vein, I'm familiar with two of them. Snort and Suricata.

                I've run both in IPS mode (where they actively block attacks). Suricata is the more performant option from my experience.

                It's been a while since I've run either of them on live traffic though.

                We're supposed to be reselling Cylance. I haven't heard of any actual sales or installs yet, so I don't really know the ins and outs of it yet.

                S 1 Reply Last reply Reply Quote 0
                • J
                  jclambert
                  last edited by

                  When you drill into some of the solutions out there, some are just black boxes that give you a result. However, what was missed? In these cases, you don't get an audit trail on anything other than what was identified.

                  1 Reply Last reply Reply Quote 1
                  • S
                    scottalanmiller @travisdh1
                    last edited by

                    @travisdh1 said in Experience with NDR Solutions:

                    We're supposed to be reselling Cylance. I haven't heard of any actual sales or installs yet, so I don't really know the ins and outs of it yet.

                    Cylance is gone. It's Blackberry now. Imagine trying to tell a customer that you recommend stuff by Blackberry. jajaja. I think not.

                    1 Reply Last reply Reply Quote 0
                    • F
                      Florida_man @scottalanmiller
                      last edited by

                      @scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

                      Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

                      D S 2 Replies Last reply Reply Quote 1
                      • D
                        dafyre @Florida_man
                        last edited by

                        @Florida_man said in Experience with NDR Solutions:

                        Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

                        The problem with doing that is what if there's a vulnerability in the application/website itself? Something that allows unauthenticated attackers to do 'Bad Things'.

                        I think you are right in that a lot of the tools will block some legit traffic, but that's also why you spend some time with the tools you use to learn them and figure out where and how to fine tune what is allowed / blocked and what it sends you alerts on.

                        F 1 Reply Last reply Reply Quote 0
                        • F
                          Florida_man @dafyre
                          last edited by

                          @dafyre said in Experience with NDR Solutions:

                          The problem with doing that is what if there's a vulnerability in the application/website itself? Something that allows unauthenticated attackers to do 'Bad Things'.

                          That's the whole point of zero trust. You assume every component is a bad actor and only provide minimum permissions for each microservice of the application.

                          1 Reply Last reply Reply Quote 2
                          • S
                            scottalanmiller @Florida_man
                            last edited by

                            @Florida_man said in Experience with NDR Solutions:

                            @scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

                            Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

                            Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.

                            F 1 Reply Last reply Reply Quote 0
                            • N
                              notverypunny
                              last edited by

                              Darktrace does some pretty cool stuff. I've had some experience with the detection part, the automated response wasn't part of the package that was in use but the potential looked interesting.

                              FieldEffect has some interesting looking stuff too, not sure if they offer an automated response piece or not.

                              dbeatoD 1 Reply Last reply Reply Quote 0
                              • F
                                Florida_man @scottalanmiller
                                last edited by Florida_man

                                @scottalanmiller said in Experience with NDR Solutions:

                                @Florida_man said in Experience with NDR Solutions:

                                @scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

                                Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

                                Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.

                                That isn't the an issue anymore. Alot of COTS and open-source software runs in containers. Each container has its own microservice.

                                https://blog.aquasec.com/zero-trust-kubernetes

                                It's time to embrace containers @scottalanmiller

                                S 1 Reply Last reply Reply Quote 0
                                • S
                                  scottalanmiller @Florida_man
                                  last edited by

                                  @Florida_man said in Experience with NDR Solutions:

                                  @scottalanmiller said in Experience with NDR Solutions:

                                  @Florida_man said in Experience with NDR Solutions:

                                  @scottalanmiller the truth is that this is something that AI is not really capable of doing right now. Sure solutions can automatically block things, but many times they block legitimate traffic, too. The amount of machine learning that must be in place far exceeds the benefit this automation can provide.

                                  Build your solutions with zero trust and this really isn't much of an issue anymore. The main reason people do this shit is for compliance purposes to check boxes. If they really cared about security, they'd design the infrastructure in a way where this type of shit isn't even necessary.

                                  Zero Trust is hard to do when you don't make bespoke software. Most firms run uncontrolled third party stuff.

                                  That isn't the an issue anymore. Alot of COTS and open-source software runs in containers. Each container has its own microservice.

                                  https://blog.aquasec.com/zero-trust-kubernetes

                                  It's time to embrace containers @scottalanmiller

                                  "A lot" is subjective. Try finding any that customers actually use. MY embracing containers is irrelevant. And not the source of zero trust. Containers are a red herring in that case.

                                  First you need software that has zero trust. Then containers can or cannot be used, not super relevant. Just more buzz, like cloud, but not actually important. But until the products you are deploying support zero trust, it's all moot.

                                  1 Reply Last reply Reply Quote 1
                                  • S
                                    scottalanmiller
                                    last edited by

                                    For the customer in question, an ERP dedicated for the produce logistics industry.

                                    Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

                                    Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

                                    F stacksofplatesS 2 Replies Last reply Reply Quote 2
                                    • F
                                      Florida_man @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Experience with NDR Solutions:

                                      For the customer in question, an ERP dedicated for the produce logistics industry.

                                      Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

                                      Why not just purchase a SaaS solution?

                                      1 Reply Last reply Reply Quote 0
                                      • stacksofplatesS
                                        stacksofplates @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Experience with NDR Solutions:

                                        For the customer in question, an ERP dedicated for the produce logistics industry.

                                        Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

                                        Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

                                        Vetastic could easily be containerized and deployed on Kube.

                                        S 1 Reply Last reply Reply Quote 1
                                        • stacksofplatesS
                                          stacksofplates
                                          last edited by stacksofplates

                                          Also you don’t need Kube for zero trust. You can essentially apply it to anything with SPIFFE/SPIRE. SPIRE provide attestations for nodes and workloads as SVIDS.

                                          It’s easier on Kube because service meshes like istio and Kuma use spire under the hood for you.

                                          OPA is another step in this direction. You don’t need Kube for OPA either.

                                          1 Reply Last reply Reply Quote 1
                                          • S
                                            scottalanmiller @stacksofplates
                                            last edited by

                                            @stacksofplates said in Experience with NDR Solutions:

                                            @scottalanmiller said in Experience with NDR Solutions:

                                            For the customer in question, an ERP dedicated for the produce logistics industry.

                                            Or for many of my customers (who don't need NDR) a Veterinary Clinic Management System (PIMS).

                                            Which of these do you know with microservices or with native container support or any addressing of zero trust? We can't deploy theoretical software for contrived customers, has to be the actual software that people need. In the real real world, we have to deploy the software that they are already on, almost never is IT consulted or listened to when it comes to which software to use. But even if it theoretically was, what software is out there that we could even recommend for real customer usages in most industries unless it is bespoke?

                                            Vetastic could easily be containerized and deployed on Kube.

                                            Yes, of course Vetastic could 🙂 But 99.99% of the industry won't switch to that. If I could switch them to that, that would be amazing.

                                            Except for Vetastic, all (literally all) on premises (the only app type applicable for vet clinics) is Windows based and client/server. Archaic beyond imagination.

                                            Although the benefits of something like Kube for Vetastic are nominal since it is already zero trust and very secure.

                                            But the customer prompting the question is produce logistics, a field in which we create no software (currently).

                                            stacksofplatesS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post