For many organizations considering Network Detection and Response (NDR), one of the most valuable steps in the evaluation process is a “Proof of Value” or “POV”. In a POV, the organization deploys the NDR (in our case, Clear NDR™ - Enterprise) on a limited part of its network to see how it operates in their environment.
When we engage in a POV with a potential customer, Clear NDR frequently identifies threats, policy violations, or other weaknesses missed by the organization’s current security tools. This is where the “Value” comes into play. By showing how Clear NDR operates on an organization’s own network, we can demonstrate just how effective NDR actually is.
In this blog post, we are going to share some results from a recent POV we did with a potential customer, where Clear NDR was able to detect evidence of non-compliance with the organization’s local regulations that another NDR being tested by the organization did not identify.
Background
A large European bank faced significant cybersecurity challenges, including sophisticated threats and limited visibility into its network infrastructure. These gaps led to missed breaches and internal policy violations, posing serious compliance risks.
To address these concerns, the organization conducted an evaluation, comparing Clear NDR side by side with another leading NDR solution.
After deploying Clear NDR, they gained full visibility into their network environment, uncovering areas of non-compliance and identifying critical policy violations and internal threats. With these insights, the bank was able to take swift action to remediate risks and maintain compliance with national regulatory standards.
What Clear NDR found
The organization evaluated Clear NDR for a total of 30 days, during which Clear NDR observed and analyzed over 504 TB of network traffic and recorded more than 10 billion network communication logs (covering hosts, websites, devices, and more) from both inside and outside the organization.
From that traffic, the Clear NDR Server generated 11.6 million raw detection events (alerts). Of these, Clear NDR identified 2,511 policy violations affecting 2,500 assets. These violations were escalated into Declarations of Policy Violation (DoPVs), which indicate serious breaches of internal company security policy. Many of them also have implications for compliance with local and international regulations such as GDPR.
Clear NDR detected several instances of personal data and clear text password transmissions. A clear text password is a password that is stored or transmitted without encryption, so anyone who can read the storage medium or observe the network path can read the password itself, making it highly susceptible to theft and unauthorized access. This usually results from a misconfiguration or a weak security practice, and it must be remediated in order to maintain compliance with GDPR data protection requirements.
In the screenshot below (with the password obfuscated), the clear text password appears in the body of the HTTP request sent when a user changed their password:
Thanks to the evidence Clear NDR provides (event logs, enriched host and flow information, and the PCAP of the transaction), the investigation concluded that this was a misconfigured application setup.
Clear text passwords are not the only clear text data that can break compliance. Other sensitive data can also be transmitted in plain text, for example over SMTP. We can see an example of this in the following screenshot, where Clear NDR identified a PDF file sent through email in the clear:
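To make the two detections above concrete, here is an added Python example that is not Clear NDR's own code or rules. It inspects a reassembled HTTP request for credential-like form or JSON fields, and the client side of an SMTP session for attachments sent without STARTTLS. Both parsers only work because the traffic was unencrypted; over TLS a sensor sees ciphertext and neither body can be read, which is exactly the remediation the findings point at. The sample request, the SMTP stream, the `PASSWORD_FIELD` pattern and the function names are all constructed for this example.

```python
import json
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import parse_qs

# Field names that usually carry a credential (assumed pattern; tune per environment).
PASSWORD_FIELD = re.compile(r"pass(word|wd|phrase)?|pwd|secret", re.IGNORECASE)


def find_cleartext_credentials(raw_request: bytes) -> list:
    """Return the names of credential-like fields found in an HTTP request body.

    Only possible because the request was carried in the clear: over TLS the
    sensor would see ciphertext and nothing below would parse.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line (method, target, version)
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get("content-type", "")
    found = []

    if "application/x-www-form-urlencoded" in content_type:
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        found.extend(name for name, values in fields.items()
                     if PASSWORD_FIELD.search(name) and any(values))
    elif "application/json" in content_type:
        try:
            document = json.loads(body)
        except ValueError:
            return found

        def walk(node):  # recurse so nested objects like {"user": {"password": ...}} are caught
            if isinstance(node, dict):
                for key, value in node.items():
                    if PASSWORD_FIELD.search(key) and isinstance(value, str) and value:
                        found.append(key)
                    walk(value)
            elif isinstance(node, list):
                for value in node:
                    walk(value)

        walk(document)
    return found


def find_smtp_attachments(client_stream: bytes) -> dict:
    """Inspect the client side of an SMTP session reassembled from a PCAP.

    Reports whether STARTTLS was ever requested and lists the attachments in
    the DATA section. Had STARTTLS been negotiated, everything after it would
    be opaque and no DATA section could be parsed.
    """
    commands = client_stream.split(b"\r\n")
    starttls = any(cmd.strip().upper() == b"STARTTLS" for cmd in commands)
    start = client_stream.find(b"DATA\r\n")
    if start == -1:
        return {"starttls": starttls, "attachments": []}
    end = client_stream.find(b"\r\n.\r\n", start)  # SMTP end-of-data marker
    if end == -1:
        return {"starttls": starttls, "attachments": []}
    raw_message = client_stream[start + len(b"DATA\r\n"):end]
    message = BytesParser(policy=policy.default).parsebytes(raw_message)
    attachments = []
    for part in message.walk():
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename(), part.get_content_type()))
    return {"starttls": starttls, "attachments": attachments}


# Constructed sample: a password-change POST over plain HTTP (not taken from the post's PCAP).
SAMPLE_HTTP_REQUEST = (
    b"POST /account/password HTTP/1.1\r\n"
    b"Host: intranet.bank.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 61\r\n"
    b"\r\n"
    b"username=jdoe&old_password=Winter2023&new_password=Spring2024"
)

# Constructed sample: client side of an SMTP session carrying a PDF, with no STARTTLS.
SAMPLE_SMTP_CLIENT_STREAM = (
    b"EHLO workstation.bank.example\r\n"
    b"MAIL FROM:<teller@bank.example>\r\n"
    b"RCPT TO:<partner@example.net>\r\n"
    b"DATA\r\n"
    b"From: teller@bank.example\r\n"
    b"To: partner@example.net\r\n"
    b"Subject: Statement\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Statement attached.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pdf; name="statement.pdf"\r\n'
    b'Content-Disposition: attachment; filename="statement.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"JVBERi0xLjQK\r\n"  # base64 of "%PDF-1.4\n"
    b"--b1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_HTTP_REQUEST))
    print(find_smtp_attachments(SAMPLE_SMTP_CLIENT_STREAM))
```

In a sensor, the same logic runs over streams reassembled from the capture rather than over the inline byte strings used here, and a hit is what gets escalated into a policy violation with the PCAP attached as evidence.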
In addition to these critical policy violations, Clear NDR also identified an instance where an internal user connected to a bank account from their mobile phone over an unencrypted connection.
This is typically a serious breach of compliance standards that dictate strict access controls for such data.
Why this matters
These are only three of the many security violations identified on the organization’s network. While not every violation poses a risk to the organization’s compliance, every violation does leave the organization exposed to threat actors.
We are unable to share the specific details of Stamus Networks’ recommendations to this organization, but it is clear from the activity found that this organization has some serious work to do to tighten their internal security policies. Armed with this information — and Clear NDR™ — the organization is now empowered to make those changes and ensure they remain not only compliant with the relevant regulations, but also protected against other internal risks.
The competing NDR system the organization tested during the evaluation phase failed to catch these critical violations, and it is possible that they would have continued to go unnoticed if not for Clear NDR.
For those organizations wondering if adding NDR to their security strategy is the right choice, the most effective way to discover that answer is by engaging in a POV with the experts at Stamus Networks.
To determine if NDR is right for your organization, use the button below to book a demo and speak to our team. We would love to hear about your network and see how Clear NDR can help. To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.