Determining whether or not Network Detection and Response (NDR) is right for your organization, and then which NDR is the best fit for your unique needs is no easy task. Thankfully, Gartner has produced the “2024 Market Guide for Network Detection and Response” to help organizations better understand the changes in the NDR market, which vendors fit into the NDR category, and how organizations should be evaluating those vendors.
In this series, we have been unpacking the 2024 market guide, and lending our viewpoints to some of the various topics covered. Please visit the Stamus Networks Blog to read the first three entries to this series:
- Unpacking the 2024 Gartner® NDR Market Guide: The Return of IDS
- Unpacking the 2024 Gartner® NDR Market Guide: The Critical Role of Automated Response
- Unpacking the 2024 Gartner® NDR Market Guide: Securing the Agentless Attack Surface
In their report, Gartner highlights six key factors for organizations to consider when evaluating NDR vendors. In this final entry to our series on the 2024 Market Guide for Network Detection and Response, we will be sharing each of these considerations and how we believe the Stamus Security Platform answers each one. Each section will begin with a quote directly from the Gartner Market Guide, followed by our thoughts and observations.
Consideration 1: Pure-Play Versus NDR as a Feature
"Consider cost, deployment requirements, complexity and efficiency of the NDR detections before deciding to implement NDR as a feature from another technology vendor (for example, SIEM or XDR), or investing in a more full-featured, pure-play NDR solution from one of the vendors analyzed in this Market Guide.”
Our customers tell us that a dedicated, pure-play NDR solution offers several key advantages over NDR features integrated into other security technologies. Stamus Networks has a singular focus on developing and refining the Stamus Security Platform to provide the most effective network detection and response capabilities possible. We believe that defense is bigger than any one person, platform, company, or technology, and the most effective threat detection and response strategy involves multiple vendors and varied technologies.
When you rely on a single detection technology, for example, you risk creating a single point of failure. By integrating multiple solutions that are each the best of breed in their category, you reduce your risk and create a more resilient and holistic security strategy.
For example, when using network security features in a tool like XDR or a SIEM, you may not be getting comprehensive network coverage. While these systems certainly have their use-cases, they are not an effective substitution for the end-to-end network visibility provided by NDR. Our experience tells us that most organizations are better off using a variety of security tools, and integrating them into a larger security stack that provides a layered defense in both the types of detection and technology used.
Consideration 2: Hybrid-Network Visibility
“It is more rarely the case that the scope for a new NDR deployment will be only for on-premises IT segments. Each type of network (e.g., OT, IaaS) has its own set of requirements and might face specific threats.”
It goes without saying that every organization must consider their unique network environment. In some cases, NDR may not be the best solution to fit your organization’s needs. It is important to consider how your network is set up, the types of technology you use, and the specific threats you face when choosing an NDR vendor — or in some cases, foregoing NDR entirely.
Stamus Security Platform is designed and equipped to provide comprehensive network visibility and threat detection in hybrid-network environments that can include:
- On-Premise Networks: SSP seamlessly integrates with your existing infrastructure to monitor and protect your traditional IT assets.
- Remote Office Networks: SSP probes can scale down to cost-effectively monitor network communications in even your small remote facilities.
- Cloud Environments: SSP can monitor network traffic among cloud workloads with deep visibility into public, private, and hybrid cloud environments, allowing you to detect and respond to threats in real time.
- Operational Technology (OT) Networks: SSP is equipped to handle the unique requirements of many OT environments such as those seen in healthcare, military applications, and manufacturing, providing critical visibility and protection to “agentless” attack surfaces.
We cover this topic more in-depth in our previous blog post “Unpacking the 2024 Gartner® NDR Market Guide: Securing the Agentless Attack Surface”.
Consideration 3: Detection
"Determine if your vendor of choice has a good track record of helping to minimize false positives through customizable thresholds or fine-tuning of the behavioral biometrics with organizations in your market segment.”
Stamus Security Platform employs a multi-layered approach to threat detection, combining behavioral analytics, machine learning, traditional IDS signatures, and both internal and external threat intelligence to minimize false positives. Declarations of Compromise™ (DoC), an innovation unique to SSP designed to eliminate false positives, are ultra high-confidence, high-priority security events generated by Stamus Security Platform that indicate a “serious and imminent” threat on an asset. SSP has DoC coverage for thousands of known threats and TTPs using hundreds of different detection methods. DoCs can be fine-tuned by the user, allowing each organization to determine the priority level and response actions for different threat types. And when SSP generates a DoC, it creates a data record containing a substantial amount of metadata and associated artifacts that help the analyst understand exactly why it triggered and provide evidence for any investigation that may follow.
Beyond DoC coverage for known threats, SSP also includes other detection features for unknown threats and other suspicious and anomalous network behaviors, such as SIGHTINGS and the Malware Beaconing Metric. All of SSP’s threat coverage is updated daily, ensuring users stay protected against emerging threats and tactics. By uniting numerous network threat detection technologies under a single system, the Stamus Security Platform strives to provide the most complete threat detection possible.
Consideration 4: False Positives
“All technologies based on anomaly detection will be prone to false positives. Determine if your vendor of choice has a good track record of helping to minimize false positives through customizable thresholds or fine-tuning of the behavioral biometrics with organizations in your market segment.”
False positives commonly plague nearly all network-based threat detection systems. The Stamus Security Platform attempts to solve this issue using Declarations of Compromise™ (DoCs) and Declarations of Policy Violation™ (DoPVs). A DoC is SSP’s highest-confidence security event, signaling a serious and imminent threat on an asset. DoPVs provide high-priority notifications of unauthorized activity or violations of organizational policy, such as clear-text passwords, outdated TLS versions, insecure cipher suites, and Tor browser usage.
By providing these high-confidence alerts, Stamus Security Platform significantly cuts down on the noise commonly associated with network threat detection technologies, allowing security teams to focus only on the most serious threats and alerts. SSP still retains all the lower-priority alerts, however, so analysts can sort through them for context or perform in-depth, proactive network threat hunting for specific activities.
Consideration 5: Response
“Some vendors focus more on automated responses (for example, sending a command to a firewall to drop suspicious traffic), whereas other vendors focus more on supporting incident response workflow or even complement it with threat hunting features.”
Stamus Security Platform provides several possible avenues for both automated response and more hands-on response workflows:
- DoC and DoPV Automation: Both DoCs and DoPVs can be configured to trigger automated responses ranging from notification to block, quarantine, or shutdown actions. For example, DoCs and DoPVs can trigger an endpoint detection and response system to take an endpoint offline. In addition, they can be used to open tickets in incident response systems, trigger a playbook in a SOAR, send notifications to enterprise chat applications, or send emails. SSP users determine exactly how much or how little automation they wish to employ in response to a DoC or DoPV event.
- Threat Hunting: SSP includes hundreds of guided threat hunting filters, making it incredibly simple to search through network traffic data to identify specific threats, suspicious activities, unauthorized user behaviors, policy violations, and more. Any hunting filter can also easily be escalated into a DoC or DoPV.
Consideration 6: Integration
“When the NDR product senses an issue, must the alert go to its console, or can it be sent to a third-party tool for alerting? Is there an integration with third-party enforcement products, such as an enterprise firewall or network access control product?”
As we mentioned earlier, we believe that defense is bigger than any one person, platform, company, or technology. As such, we recognize that the Stamus Security Platform is not the only tool in your security tech stack. So it is designed to seamlessly integrate with your existing security ecosystem, providing a unified view of your network and enabling you to streamline your security operations. As mentioned above, DoC and DoPV events can send urgent alerts to third-party tools such as a SIEM system or SOAR platform to launch incident response playbooks or otherwise notify via ticket, shutdown, or email actions. But SSP is also designed to be a rich source of network telemetry for your central analytics platforms, such as XDR, SIEM, and AI tools. Finally, SSP offers an API that allows users to integrate with other security tools and custom applications, providing flexibility and extensibility.
Stamus Networks: Your NDR Vendor of Choice
We believe that the Stamus Security Platform aligns closely with the recommendations provided in the “2024 Gartner Market Guide for Network Detection and Response”. By delivering transparent network threat detection with explainable, evidence-based results, SSP enables organizations to see clearly and act confidently.
By choosing Stamus Security Platform, your organization can:
- Enhance Network Security: Benefit from advanced threat detection, prevention, and response capabilities.
- Improve Operational Efficiency: Streamline your security operations and reduce the time to respond to incidents.
- Protect Critical Assets: Safeguard sensitive data and ensure the continuity of your business operations.
To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.
Attributions and Disclaimers
Gartner, Market Guide for Network Detection and Response, Jeremy D'Hoinne, Thomas Lintemuth, Nahim Fazal, Charanpal Bhogal, 29 March 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.