_

FAQ

A Network Detection and Response (NDR) solution is a cybersecurity solution that detects all suspicious events on your company’s internal network.

Today, everything is connected to the network – wireless or wired devices, endpoints or servers, applications, users, etc. And if there’s one important thing to know about network traffic, it’s that it doesn’t lie.

In the face of increasingly sophisticated cyber attacks, NDR solutions are becoming a necessary tool for continuous network monitoring. There is a reason why the market for NDR solutions is growing rapidly (23% annual growth).

Unlike traditional signature-based prevention security solutions, NDR solutions go one step further. By leveraging Artificial Intelligence, Behavioural Analysis and Threat Intelligence, it enables the detection of zero-day attacks, so-called unknown attacks, which are impossible to detect by signature. This is the case of CUSTOCY.

An NDR will target all actions that the cyber attacker will take to access your company’s critical data, including lateral movements that are not covered by the majority of ancillary tools on the market.

In the cybersecurity market, several acronyms come up, including EDR and SIEM. Let’s see how they differ from an NDR solution.

EDR (Endpoint Detection and Response) offers monitoring of endpoints and the interactions between them.

SIEM (Security Information and Event Management) collects event log information from other systems and correlates data from different sources.

The NDR will have a detailed view of the exchanges between the devices in the network. A solution that detects elements inaccessible to other tools.

Together, these three pillars provide global visibility of security threats in the enterprise IT environment.

An XDR can leverage system logs, endpoint detection, email verification, firewall alerts and Network anomalies and correlate them all to give a global health check of your system. Sounds great…in theory. In reality, XDR solutions are generally born from a specialised component such as endpoint detection and the will to expand into other cybersecurity domains. They often lack the expertise, culture and infrastructure to compete with more specialised solutions. XDR solutions will most often sacrifice vital network information for gains in computational time and ease of integration with other data within the XDR. Jack of all trades master of none is especially true now that AI has become essential to detecting threats. AI algorithms require intense computation, extensive domain knowledge and tailored architectures. Trying to fit this all under one roof is a near-impossible task. Thus a best-of-breed approach for NDR and EDR is emerging as the best solution for total coverage.

Signature-based solutions typically use indicators of compromise (IOCs) such as IP addresses, specific protocol usage or anomalies in privileged user account activity. Their rules can be learned and overcome by adversaries who adapt their approach to each target.

By opting for an NDR solution, you can anticipate next-generation threats with the power of artificial intelligence.

AI-based detection constantly learns the normal behaviour of a network as well as the behaviour associated with malicious activity. An adversary seeking to adapt its strategy to AI-based detection would need to simultaneously possess unique knowledge of both the AI system and the network it is protecting: an almost impossible task.

Artificial Intelligence can therefore detect even the most sophisticated and persistent attacks BEFORE impact with formidable efficiency and accuracy. Thus avoiding the management of collateral damage.

The interest is twofold. Firstly, AI are able to relate a quantity of factors that are beyond the cognitive abilities of a human being. A neural network, for example, is capable of finding hundreds of millions of links in data to make decisions. Moreover, these decisions will be made in a few milliseconds. The second advantage is that it is more difficult for a malicious actor to predict and circumvent the predictions of an AI. This would require that the actor has access to the exact architecture of the AI, precise knowledge of the client’s data and the training data set.

Attackers use a multitude of procedures and tactics to penetrate a system. These procedures can be very short, such as sending a malicious file, or they can be very long; a data exfiltration for example can last for weeks. To detect these different cases, we have developed several AIs that are each specialised in detection at different time scales. We also have a master AI called the METALEARNER, which centralises the responses of these specialised AI to give a final response to the analyst. It is because of this aggregation of multiple AI that we generate few false alarms and have one of the most competitive AI on the market.

The events detected by our AI are analysed and prioritised by our AI master, the METALEARNER. It is he who will make the final decision to alert the analyst. Only important threats automatically appear in the interface with a danger score that will warn the analyst of the priority to be given. This saves time and allows the analyst to focus on the essentials.

For each active threat, Custocy brings you a targeted response thanks to the integration of MITRE D3FEND. The analysis will know how to respond in the most efficient way and thus stop the attackers.

Custocy can be used as a stand-alone solution, through its intuitive interface, or integrated into your existing ecosystem (EDR, SIEM, etc).

We install our NETSENS probe on site, within your infrastructure. Through secure access, it connects to the AWS cloud and provides all the information that passes through the network.

Our different AI, hosted on AWS, detect different threats on several time scales. Our master AI, the METALEARNER, will then analyse them and bring up in the Custocy interface only the important threats, with a danger score.

The cyber analyst sees them appear in real time with an intuitive colour-coded classification, which determines the priority of each of these threats. Its work is made easier.

No. AI do their analysis on a cloud that can scale without slowdown or latency. Also, the data used by CUSTOCY is only a fraction of the data in the network stream, not even 1/100. So the data collection and analysis is not likely to impact the monitored network.