Progress Flowmon Network Detection and Response Explained

by Nick Vlasov Posted on January 27, 2025

Defending against the current and evolving threat landscape requires a multi-layered defense strategy. A robust, understandable and easy-to-use Network Detection and Response (NDR) solution is a core component of such a defense strategy. 

Progress Flowmon delivers the detection and response functionality today’s threat landscape demands via a modern NDR solution. In a recent webinar titled Network Detection Response (NDR) Explained, Filip Černý, Product Marketing Manager, and Martin Škoda, Product Manager, discussed the importance of combining behavior-based and signature-based approaches to detecting security incidents, with a focus on the Flowmon anomaly detection system (ADS) and NDR solutions. They emphasized the need for a detailed overview of security incidents and the value of NDR solutions in providing real-time detection and response capabilities. Filip highlighted unique features and capabilities, including simplicity and ease of deployment. He also discussed how Flowmon helps reduce the impact of a security breach by monitoring network traffic proactively and alerting on detected issues quickly.

You can watch the 50-minute webinar on YouTube: https://youtu.be/2h0dGJSAzQ0

Throughout this blog, we’ll summarize the key points from the webinar.

Understanding Network Detection and Response

NDR solutions typically detect abnormal network activity by applying behavioral analytics to network traffic data. Unlike traditional signature-based detection methods used by firewalls and intrusion detection systems, NDR solutions continuously analyze network packets or traffic metadata within internal networks and the data flowing between internal and external networks.

The key advantages of including NDR in a multi-layer defensive strategy include:

  • Early Threat Detection - NDR can identify potential threats before they escalate into full-blown attacks by analyzing network behavior.
  • Visibility Into All Traffic - NDR provides insights into lateral movement (east-west traffic) within your network, not just north-south traffic flowing into and out of it.
  • Zero-Day Threat Detection - Because NDR doesn’t rely on signatures, it can detect previously unknown threats due to the abnormal network activity they generate.
  • Encrypted Traffic Analysis - Since most internet traffic is encrypted, modern NDR solutions must be able to analyze encrypted data.

The SOC Visibility Triad

To understand the role and benefits of NDR, it’s helpful to consider it within the Gartner SOC Visibility Triad. The SOC model comprises three key pillars:

Security Information and Event Management (SIEM) - SIEM tools help identify potential security threats by analyzing big-picture patterns, log data and behaviors across the entire infrastructure.

Endpoint Detection and Response (EDR) - EDR tools monitor endpoints for suspicious activities. They provide real-time threat detection and response capabilities, making it difficult for attackers to compromise individual devices and then use them to attack additional assets on the network.

Network Detection and Response - NDR tools provide in-depth views of network traffic activity. By analyzing traffic flowing in and out of the network and internal traffic, NDR solutions can detect intrusions that may not be visible to SIEM or EDR alone.

As we’ve said several times in this blog (and others), no single solution is enough to deliver the full defensive security needed to counter modern threats. All three pillars of the SOC Triad and other tools are required and need to work collaboratively.

How NDR Works

NDR works via a three-step process: detection, investigation and response.

Detection - NDR solutions use machine learning, signatures, adaptive baselining and behavioral analytics to identify unusual activities within the network. Unlike traditional signature-based detection methods, NDR solutions don’t rely solely on known threat signatures. This increases the likelihood of them detecting zero-day attacks and emerging threats.

Investigation - Once an anomaly is detected, the next step is to investigate its nature and scope. NDR solutions provide alerts and detailed insights into detected anomalies, helping security teams understand the context and potential impact of the threat.

Response - After investigating the threat, security teams can take appropriate action to mitigate the risk. NDR solutions often integrate with other security tools to automate response actions, such as isolating compromised hosts or blocking malicious traffic.

Flowmon Network Detection and Response

Now that we’ve considered NDR solutions, let’s look at what Flowmon NDR provides. At its core, Flowmon NDR is an AI-powered network security analyst delivered as a software solution. It automates many of the time-consuming tasks typically performed by security analysts, allowing your team to focus on high-priority issues and respond more effectively to potential threats.

The Flowmon NDR solution is a critical weapon in your cybersecurity arsenal. It enables organizations to detect, investigate and respond to threats in real time. By adopting Flowmon, you’ll enable continuous network monitoring and enhance your organization’s defenses against the ever-evolving cyberthreat landscape.

Key Features of Flowmon NDR

Powerful Detection Capabilities - Flowmon employs a mix of advanced detection methods, including machine learning (which it used before the current GenAI boom), signature-based detection, adaptive baselining, heuristics and behavior analysis. This wide-ranging set of detection approaches provides broad coverage against known threats as well as new and emerging attacks.

Intelligent Prioritization - Flowmon helps security teams prioritize the most critical issues first by automating analytics and prioritizing events. This feature is particularly valuable for organizations dealing with a high volume of security events. It removes the noise that overwhelms security teams and helps prevent them from missing a vital alert or issue.

Built-in Expertise - Flowmon can guide inexperienced analysts through the investigation and remediation process. This feature helps bridge the cybersecurity skills gap and improves overall team efficiency. Flowmon provides actionable insights and information using industry-respected frameworks like the MITRE ATT&CK Framework.

Scalability and Performance - Flowmon primarily uses IPFIX and NetFlow monitoring, unlike similar NDR solutions that rely on deep packet inspection. These flow-based techniques are significantly less resource-intensive and enable superior scalability, making them suitable for organizations of all sizes. Flowmon can scale with organizations as they grow from SMEs to enterprises.

Transparency and Control - Flowmon provides users with a “look under the hood,” allowing them to understand how detections work and why certain events are flagged. You’re not dealing with a “sealed box” solution that you have to take on trust. You can open the box and see what’s happening if you want to. Note that you can still use Flowmon as a sealed-box solution. Because this depth is optional, each organization can use Flowmon in the way that matches its own needs.

Integration and Automation - Flowmon easily integrates with other security tools, such as SIEM systems, thus enabling automated response actions. Integration with other core security systems enhances the overall efficiency of your security operations and reduces the time required to detect and respond to threats.

Real-World Use Case

During the webinar, Filip and Martin used a real-world use case to demonstrate how deploying Flowmon NDR detected and stopped a credential compromise attack. In the demonstration, the attacker tricked a user into entering their Microsoft 365 credentials on a fake login page. Once the attacker obtained the credentials, they accessed the company’s network and began scanning for vulnerable targets. They eventually found an FTP server to target and then started to exfiltrate sensitive data.

The deployed Flowmon NDR solution detected the activity related to this attack across multiple stages:

Initial Compromise Detection - The NDR solution identified the initial compromise when the attacker accessed the network using the stolen credentials. The solution detected this because of abnormal login patterns and access behaviors.

Network Scanning Detection - The solution detected the network scanning activity as the attacker searched for vulnerable targets within the network.

Brute Force Attack - The NDR solution identified a dictionary attack when the attacker attempted to gain access to the FTP server by brute-forcing the password.

Data Exfiltration - The solution detected the high volume of data the attacker transferred from the FTP server, which indicated potential data exfiltration.

Response - Upon detecting these activities, Flowmon’s NDR solution provided detailed insights and recommended response actions, allowing the security team to isolate the compromised host and prevent further damage. Throughout this process, Flowmon NDR provided security teams with detailed information about each stage of the attack, including affected IP addresses, timestamps and contextual data. The 50-minute webinar goes into more technical details.
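As an added illustration (not Flowmon's code or its detection logic), the following script runs minimal flow-based versions of the scanning, FTP brute-force and exfiltration detections from the scenario above over constructed NetFlow/IPFIX-style records; all IP addresses, thresholds and byte counts are invented.

```python
# Added example (not Flowmon's code): simple behavioral detections over
# constructed NetFlow/IPFIX-style records for the network-visible stages of
# the webinar scenario: scanning, FTP dictionary attack, data exfiltration.
from collections import defaultdict

# Constructed flow records: (src, dst, server_port, packets, bytes).
# The port is the server-side port, regardless of which side sent the flow.
FLOWS = [
    # compromised workstation probing 25 hosts on port 445 with 1-packet flows
    *[("10.0.0.7", f"10.0.1.{i}", 445, 1, 60) for i in range(1, 26)],
    # 40 short sessions to the FTP server: a dictionary attack on port 21
    *[("10.0.0.7", "10.0.2.10", 21, 6, 400) for _ in range(40)],
    # FTP server sending 900 MB back to the workstation
    ("10.0.2.10", "10.0.0.7", 21, 600_000, 900_000_000),
    # ordinary traffic that should not alert
    ("10.0.0.8", "10.0.2.10", 21, 30, 4_000),
    ("10.0.0.9", "10.0.2.20", 443, 120, 90_000),
]

def detect_scan(flows, min_targets=20, max_packets=2):
    """Sources that touch many distinct (host, port) pairs with tiny flows."""
    targets = defaultdict(set)
    for src, dst, port, pkts, _ in flows:
        if pkts <= max_packets:
            targets[src].add((dst, port))
    return {s for s, t in targets.items() if len(t) >= min_targets}

def detect_ftp_bruteforce(flows, min_sessions=25, max_packets=10):
    """(src, dst) pairs with many short sessions to port 21."""
    sessions = defaultdict(int)
    for src, dst, port, pkts, _ in flows:
        if port == 21 and pkts <= max_packets:
            sessions[(src, dst)] += 1
    return {p for p, n in sessions.items() if n >= min_sessions}

def detect_exfil(flows, baseline_bytes, factor=10):
    """(src, dst) pairs whose volume exceeds factor x the source's baseline."""
    total = defaultdict(int)
    for src, dst, _, _, nbytes in flows:
        total[(src, dst)] += nbytes
    return {p for p, b in total.items()
            if b > factor * baseline_bytes.get(p[0], float("inf"))}

if __name__ == "__main__":
    # constructed baseline: the FTP server normally moves ~5 MB per peer
    print(detect_scan(FLOWS))
    print(detect_ftp_bruteforce(FLOWS))
    print(detect_exfil(FLOWS, {"10.0.2.10": 5_000_000}))
```

A production system would compute baselines per host and time window from historical flows rather than from a fixed dictionary, which is the adaptive-baselining idea the post refers to.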

Why Choose Flowmon NDR?

We understand that system administration and security teams have choices when it comes to selecting an NDR solution. Unsurprisingly, we feel that Flowmon NDR is the best choice for many organizations. Here’s why:

  • Lower Complexity - Flowmon delivers NDR in a single solution that typically requires multiple components from competitors, reducing deployment complexity and cost.
  • Robust Attack Coverage - The combination of multiple detection methods, like behavioral analysis, machine learning and signature-based detection, provides extensive protection against a wide range of threats.
  • Transparency - Unlike “sealed box” solutions, Flowmon allows technical experts to understand the rationale behind detections, building trust and enabling fine-tuning.
  • Scalability - Flowmon scales efficiently using network telemetry data, providing full visibility across on-premises, cloud and hybrid environments.
  • Compliance - Flowmon processes all traffic without dropping packets, helping organizations comply with regulations such as SEC rules in the United States or NIS2 in Europe.

Deploying Flowmon NDR is a straightforward process that doesn’t require installing agents on individual clients or servers. The solution can ingest network telemetry data from existing routers, firewalls or packet brokers. In cases where these data sources aren’t available, you can deploy Flowmon sensors to collect the data.

Final Thoughts

As cyberthreats continue to evolve, organizations need robust, intelligent solutions to protect their networks and data. Flowmon NDR offers a powerful, scalable and IT team-friendly approach to network security, enabling IT teams to detect and respond to threats more effectively. By combining advanced detection methods, intelligent prioritization and extensive visibility, Flowmon NDR empowers IT teams to stay ahead of potential threats and minimize the impact of security incidents.

Try Flowmon for Yourself

Visit the Flowmon Security Operations page for more information on Flowmon NDR. If you’d like to speak with an expert about how Flowmon can help improve the security of your networks, don’t hesitate to contact us.

To try Flowmon for yourself and see firsthand how it can deliver actionable insights for your organization within minutes, visit our free trial page. Our support team can assist during your free trial testing. Use the contact page to start a conversation with the support team.
