Not the Final Answer on NDR in the Cloud …
Back in my analyst years, I rather liked the concept of NDR or Network Detection and Response. And, despite having invented the acronym EDR, I was raised on with NSM and tcpdump way before that. Hence, even though we may still live in an endpoint security era, the need for network data analysis has not vanished.
As we discussed during this recent webinar, this is not about competing with endpoint or endlessly arguing about what security telemetry is “better.” This is about reminding the security leaders and technologists that network telemetry matters today! Not only in the 1980s (when tcpdump was born), 1990s, 2000s, 2010s, but today in 2020s.
To summarize, network security monitoring still matters because you can monitor unmanaged devices (BYOD, IoT, ICS, etc.), detect threats with no agents, offer broad coverage from a few points, and be out of band (go and see my old Gartner paper for details).
Still, I see a few common misconceptions (more details here in this webinar) about network security telemetry data. I wanted to cover a few and then focus on ONE, in particular.
- You cannot monitor encrypted data: as I discussed here, encryption for sure saps some of the value of network security monitoring, but it does not destroy it. Both layer 3 (flow) and layer 7 (rich metadata) observation have value for encrypted data whereas full packet capture perhaps does not.
- Network monitoring is only an auxiliary control, you need endpoint first: Well, OK, maybe, but so what? You may need an endpoint first,I’ve seen enough environments where it’s the truth. The point is that you need an endpoint first, but then you need NDR to cover the gaps, unmanaged devices, etc, etc.
- “PCAP or it didn’t happen”: many years ago, before we had Bro/Zeek and the choices were “flow or pcap”, this may have been true. But you know what? In 2021, you are not saving full packet captures for weeks or months. Perhaps we have to change the slogan to “zeek decodes or it didn’t happen”?
- Network traffic is too expensive to capture: this is not a misconception at all, if you see full packet capture as the way to go. It would be prohibitively expensive in most modern environments. However, you can get a lot of value from rich L7 metadata and this is much less expensive (but also more useful than mere flows)
- Network data is not helpful in the cloud: while comparatively fewer people capture and monitor traffic in the cloud, the interest to do this grows rapidly. This is also discussed in depth below
Let’s now drill down into the last point:
Why some people think that NDR in the cloud is an anti-pattern (I prefer the term “worst practice” instead)?
- In the cloud everything is locked down and immutable, what’s the point of traffic capturing? — Sure, but it is really? In theory, it should be, but is it in your cloud?
- Everything is encrypted, so what’s there to sniff? — We already addressed this above in general for both cloud and on-premise. NDR has value for encrypted networks.
- Cloud logs and this new fancy observability stuff provide visibility, why sniff traffic? — Well, are these logs complete and available, and can be leveraged for security value? Sometimes the answer is “yes”…
- I can do flows logs in the cloud, I don’t need “costly” packets. — Same as on-premise, flow logs may not do the trick for the threat detection needs you have.
- Applications are dynamic and everything changes so captures become useless over time. — This just works that an NDR vendor needs to work harder, but not that NDR is not useful.
Go and see this webinar for additional discussion.
On the other hand, I’d like to say that NDR fits well with the public cloud today.
- Your main on-premise tool — EDR — may not be available at all (containers, etc)
- Some cloud architectures do use what on-premise would be called a flat network, hence NDR is very useful for East/West visibility.
- Cloud API logs are not exhaustive, but they are voluminous, often have inconsistent schemas and sometimes not designed for security use cases.
- In-app observability for security is not common yet, even if it is coming.
Thus, NDR lives on in the cloud!
Now, if you live mostly in SaaS applications, NDR approach may not be a fit, but I have not seen many large organizations with no IT whatsoever, just SaaS management (I bet they do exist, but they are not common).
For everybody else, in the cloud or not, NDR works. This applies to both virtual machine environments and modern cloud environments, even if not equally …