On May 12, 2021, the president of the United States released an executive order on cybersecurity. The order contained prescriptive actions for compliance as the executive branch responded to the “persistent and increasingly sophisticated malicious cyber campaigns” and their resulting impact on business and public life. But much of the document is more declarative and focused on desired outcomes tied to the overall directive to modernize and improve the nation’s cybersecurity posture, with particular emphasis on the need for early detection of threats and vulnerabilities. As both public and private organizations look to comply with the order, many are wondering how to identify and fill the gaps within their security stack.
Endpoint detection and response (EDR), multi-factor authentication (MFA), and increased encryption, all within a zero-trust approach, were called out as requirements within the order. Also cited is the directive to follow National Institute of Standards and Technology (NIST) guidance when modernizing networks toward a zero-trust architecture (see NIST Special Publication 800-207). But organizations did not receive the same level of prescriptive guidance across the entirety of the order. Section 7(a) directs agencies to improve the early detection of vulnerabilities and incidents by employing “all appropriate resources and authorities,” and beyond EDR there is room for interpretation on how to meet that declaration.
In a recent whitepaper, “NDR as the Cornerstone for Visibility and Threat Detection to Support the Executive Order on Cybersecurity,” the Enterprise Strategy Group (ESG) took a look at the order and noted a common theme – the need for network detection and response (NDR). ESG also cited research that shows that many organizations are already on this path, with 43% of surveyed participants using network-centric detection technologies such as network traffic analysis (NTA) or, more specifically, NDR as a first line of defense when it comes to threat detection.
[See figure 1]
While the term NDR is relatively new, the technology is not. NDR is the evolution of the long-standing NTA market. It emerged to focus on the increased need for visibility and early threat detection in the highly distributed network. NDR solutions apply a combination of non–signature-based advanced analytical techniques such as behavioral modeling and machine learning to network traffic and flow records to alert on anomalous behavior and malicious activities within the network. NDR further increases SecOps teams’ effectiveness by providing response capabilities to act upon alerts through integrations with network access control (NAC) solutions, firewalls, security orchestration, automation, and response (SOAR) tools, or EDR solutions. More recently, as organizations are looking to extend automated responses within a platform, NDR is specifically called on as a critical component of extended detection and response (XDR).
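The behavioral-modeling approach described above, reduced to a runnable sketch. This is an added example, not code from Cisco Secure Network Analytics or the ESG whitepaper: it baselines per-host outbound volume and known destinations from constructed NetFlow-style records (all IPs and byte counts are made up), then raises a SOAR-ready alert when a host deviates from its own baseline or talks to a never-seen destination.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real telemetry: (day, src_ip, dst_ip, dst_port, bytes_out).
# Seven days of history for two hosts with a small, regular daily variation.
HISTORY = [(d, "10.0.0.5", "10.0.1.10", 443, 9_000 + 500 * (d % 3)) for d in range(1, 8)] + [
    (d, "10.0.0.7", "10.0.1.10", 443, 20_000 + 1_000 * (d % 2)) for d in range(1, 8)
]
# Day 8: one host behaves normally, the other pushes a large upload to an unseen external host.
TODAY = [
    (8, "10.0.0.5", "10.0.1.10", 443, 9_500),
    (8, "10.0.0.7", "203.0.113.9", 443, 950_000),
]


def daily_totals(flows):
    """Sum bytes_out per (src_ip, day) and collect the destinations each src_ip reached."""
    totals, dests = defaultdict(int), defaultdict(set)
    for day, src, dst, _port, nbytes in flows:
        totals[(src, day)] += nbytes
        dests[src].add(dst)
    return totals, dests


def build_baseline(history):
    """Per-host (mean, stdev) of daily outbound bytes plus the set of known destinations."""
    totals, dests = daily_totals(history)
    per_host = defaultdict(list)
    for (src, _day), nbytes in totals.items():
        per_host[src].append(nbytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_host.items()}, dests


def detect(today, baseline, known_dests, z_threshold=3.0):
    """Alert on volume z-score above threshold or on any destination not in the baseline."""
    alerts = []
    totals, dests = daily_totals(today)
    for (src, day), nbytes in totals.items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        if sigma:
            z = (nbytes - mu) / sigma
        else:  # no variance on record (or unknown host): any increase is maximally anomalous
            z = float("inf") if nbytes > mu else 0.0
        new_dests = sorted(dests[src] - known_dests.get(src, set()))
        if z >= z_threshold or new_dests:
            alerts.append({"src": src, "day": day, "bytes": nbytes,
                           "zscore": round(z, 1), "new_destinations": new_dests})
    return alerts
```

The alert dictionaries are the hand-off point to the NAC, firewall or SOAR integrations the paragraph mentions; in a real deployment the baseline would be learned over a longer window and keyed on more than bytes per day.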
In the whitepaper “NDR as the Cornerstone for Visibility and Threat Detection to Support the Executive Order on Cybersecurity,” ESG takes a deeper look at the emergence of NDR as “an essential component of any threat detection and response program” and cites how this sometimes “overlooked” technology supports the executive order. I encourage you to read the entire whitepaper to learn more, but I have summarized my view on five key takeaways below:
Five ways NDR supports the executive order
- Detection of stealthy and unknown threats. This is done via advanced analytics that leverage machine learning and behavioral modeling, which are necessary to detect sophisticated attacks that have yet to be identified. Cisco Secure Network Analytics delivers NDR to help organizations meet Section 7 of the executive order and maximize the early detection of incidents, using high-fidelity alerts for known and unknown threats drawn from multiple telemetry sources across the network, the endpoint, and more.
- Coverage for cloud and on-premises environments. With threat actors increasingly using the distributed network to their advantage, maintaining consistent visibility across the entire network to detect malicious behavior is critical. Cisco Secure Cloud Analytics focuses on the complete network, unifying visibility and threat detection from the data center, into the cloud, and across the campus and branch.
- Provide intelligence to enforcement points to support zero trust. Building and maintaining trust beyond the initial authentication is critical in a zero-trust framework. NDR with Cisco Secure Network Analytics derives intelligence from real-time network telemetry so that any malicious or suspicious behavior is identified and made actionable through integration with policy enforcement points, maintaining continually trusted access.
- Integrations with SIEM, SOAR, and XDR. To optimize threat hunting and to aid the overall effort of improving early threat detection and response, NDR solutions must integrate with other tools and platforms, including XDR, SIEM, and SOAR offerings. To radically simplify security, taking a platform approach with an eye on XDR gives analysts a complete view of the attack chain without pivoting from one part of the investigation to the next, with automated remediation built in. XDR will be essential to achieving a modern and simplified approach to security.
- Analyze encrypted traffic. The executive order calls for an increase in data encryption, both “at rest and in transit,” to protect users and organizations. It is no secret that modern attackers use encryption to hide attacks. With increased privacy concerns, decrypting data isn’t always an option. NDR solutions that can inspect this traffic without decrypting sensitive data are required to balance the need for privacy with modernizing the network for early threat detection.
This executive order, like most orders from leadership, was a call to action. This call extends beyond entities within the government and those who do business with the government. It signals a new level of involvement of the government in cybersecurity compliance and governance. The line has been drawn, and we suspect that in the current political climate this will lead to increased oversight and guidance. Directives like this are not unwelcome; they can provide a framework for compliance that leads to increased security. And NDR is just what is required to fill the gaps in visibility, to enable early threat detection, and to comply with the cybersecurity posture that the executive branch deems necessary to keep our data safe and our networks secure.
Download and read “NDR as the Cornerstone for Visibility and Threat Detection to Support the Executive Order on Cybersecurity” to take a deeper look at the emergence of NDR as “an essential component of any threat detection and response program.”