Articles /

TDR, NDR, ETD, EDR: Concepts of Threat Detection and Response

What is Threat Detection and Response (TDR)?

Threat Detection and Response (TDR) is the practice of deep analysis of security ecosystems to identify bad actors or irregular behaviors that could lead to compromises on the network. TDR helps Managed Security Service Providers (MSSPs) and Security Operation Centers (SOC) teams detect malicious network activity and stop the movement of threats. Based on a zero-trust model, Threat Detection and Response serves as a cyber line of defense to assess, identify, and block hackers while limiting damages done when systems are penetrated.

Threat Detection and Response can refer to any advanced cybersecurity tool that analyzes the IT environment and identifies threats. Threat detection starts with time-sensitive discovery and mitigation of any discovered threats. An in-house security program or a qualified managed security services provider (MSSP) should operate 24/7 year-round to monitor the networks and allow for decisive and quick action to prevent attackers from breaching sensitive data repositories. Threat Detection and Response will stop:
  • Known threats detected based on signature
  • Unknown, emerging threats detected with behavior-based detection tools
  • Sophisticated malware threats
  • Zero-day vulnerabilities
  • Advanced persistent threats
Threat Detection and Response services are now considered essential for securing networks and critical infrastructure in a constantly evolving digital landscape. Vulnerabilities and threats should be found or prevented, corresponding systems backed up and secured. IT managed services focused on security should demonstrate clear value within a strong threat detection program.

Components of a Threat Detection Program

Organizations need to approach their cybersecurity posture from end to end to assess threats and terminate risks before they become issues. These considerations lead to a three-fold approach for a comprehensive threat detection program.

Network Detection and Response (NDR)

Established by Gartner in 2020 as a category that grew from network traffic analysis, Network Detection and Response enables organizations to monitor traffic on their networks for suspicious activities and, in turn, respond to the detection of cyber threats. Network Detection and Response includes automatic capabilities such as blocking bad traffic at the firewall to manual responses such as incident response. As organizational data and analytics capabilities vastly expanded, network traffic was first monitored through a technology called Network Traffic Analysis (NTA), a staple service of security operation centers. Traffic analysis was no longer enough as the market evolved and broadened, and the category expanded to include network detection and response. Today, with the advancements in emerging technologies, NDR solutions harness advanced threat detection skills through artificial intelligence and machine learning. Network Detection and Response Benefits
  • Improved detection capabilities
  • Capability to determine the confidence and risk level of a threat
  • Increasingly automated tasks allow MSSPs to focus on triage and rapid response

How Does NDR Work?

NDR solutions monitor north-south and east-west traffic flow with sensors to provide deep network visibility.

Cyber Incident Detection

Advanced NDR solutions utilize machine learning and data analytics to detect patterns and anomalies in network traffic and standard signature-based detection.

Investigation

The NDR solution, monitored by SOC analysts, allows for the generation of automated responses that facilitate incident investigation activities.

Intelligence Management

Threat intelligence is aggregated from sources inside and outside of the organization. This intelligence is used to detect potential threats.

Feed Creation

The NDR solution provides SOC analysts with insight into the current security posture and any existing threats to the network as a feed of security alerts.

Threat Prevention

Attackers can fool firewalls by masquerading as legitimate users while avoiding signature-based detection. Still, it is almost impossible for hackers to avoid rules-based detection by an advanced NDR solution.

Event Threat Detection (ETD)

Event Threat Detection aims to provide customers with a managed service in which log data is ingested and analyzed for potential threats lurking on your network. A strong SOC or MSSP will continuously monitor your organization and identify threats in your systems. There are four types of threat detection: configuration, modeling, indicators, and threatening behavior. These differing threat detection approaches provide different benefits at different costs.

Endpoint Threat Detection and Response (EDR)

Endpoint detection and response (EDR) is also known as endpoint threat detection and response (ETDR). It is an integrated endpoint security solution that combines near real-time continuous monitoring of endpoint data and aggregates it with rules-based automated responses. Suspicious activities are flagged for a SOC team to assess, identify, and respond. EDR monitor and log the activities taking place across endpoints and all workloads. This in turn enables the SOC team or MSSP to respond with consistent visibility into system behaviors. ATS is a customer-centric MSP offering innovative solutions for today’s IT challenges.