🖧 NDR

Network Detection & Response for East–West Visibility & Exfil Control

Network Detection & Response (NDR) analyzes network traffic (on-prem, cloud, and edge) to detect, investigate, and contain threats that endpoint tools miss. SolveForce deploys NDR sensors and flow analytics to uncover lateral movement, command-and-control (C2) beacons, data exfiltration, and policy violations, then orchestrates response with your firewalls, SD-WAN, NAC, ZTNA, and SIEM/SOAR.

Where NDR sits in the SolveForce model:
🌐 Connectivity (Grammar) → Connectivity • 🖧 Fabric → Networks & Data Centers
🔒 Security (Semantics) → Cybersecurity • 🛡️ EDR/MDR/XDR → EDR • MDR
📊 Analytics/Automation → SIEM / SOAR • 🔀 Control → SD-WAN • SASE • ZTNA


🎯 Outcomes (What SolveForce NDR Delivers)

  • East–west visibility where EDR coverage is partial (OT/ICS, IoT, servers, BYOD/guest).
  • Early detection of beaconing, lateral movement, DNS tunneling, and staged exfil.
  • Containment in minutes via SD-WAN path pins, ACL pushes, NAC quarantine, ZTNA revocation.
  • Forensics & evidence (PCAPs, metadata, timelines) aligned to ATT&CK for audits and IR.
  • Lower MTTR through SOAR playbooks and NOC runbooks tied to SLOs.

πŸ” What NDR Sees (Signals & Enrichment)

  • Packets/PCAP (full/streamed) — selective capture for deep analysis and replay.
  • Flow records — NetFlow/IPFIX/sFlow for scalable baselines and anomalies.
  • Protocol metadata — DNS (queries/answers), HTTP(S) headers, TLS SNI/JA3/JA3S, SMB/NTLM, RDP, SSH, LDAP/Kerberos, DHCP/ARP.
  • Behavioral features — periodicity, fan-out/fan-in, byte symmetry, burst patterns, long-lived flows, entropy.
  • Threat intel — domains/IPs/certs, sandbox verdicts, ASN/geo tags.
  • Identity hints — map IP/MAC to IAM/MDM inventory when available. → IAM / SSO / MFA • MDM / UEM

Decryption policy: We default to metadata-first (no TLS break) and enable lawful, consented decryption only where approved and necessary. See privacy notes below.


🧱 Sensor & Deployment Patterns

  • SPAN/TAP sensors (on-prem) — DC core, aggregation, and critical segments (server → DB, OT/ICS).
  • Virtual sensors (cloud) — AWS VPC Traffic Mirroring, Azure vTAP, GCP Packet Mirroring; hub VPC/VNet mirrors. → Cloud
  • Kubernetes/containers — CNI mirroring, eBPF sidecar, or node-level taps for east–west pod traffic.
  • Remote sites/edge — lightweight appliances at branches; summarize to central analytics over secure tunnels.
  • Out-of-band vs in-line — detection runs out-of-band; enforcement happens through integrations (FW/SD-WAN/NAC/ZTNA), which keeps the data plane safe.

Capacity planning: size SPAN/TAP links to avoid drops; timestamping and loss counters are monitored like SLOs. → NOC Services


🚨 High-Value Detections (Use Cases)

  1. C2 & Beaconing — low-and-slow periodic callbacks, domain generation algorithms (DGA), JA3 mismatches.
  2. Lateral Movement — abnormal SMB enumeration, RDP brute force or valid-account abuse, WMI/WinRM, Kerberoasting patterns.
  3. DNS Abuse — tunneling (TXT/CNAME volumetrics), fast-flux, suspicious NXDOMAIN ratios.
  4. Credential Theft/Reuse — pass-the-hash/Golden Ticket indicators (NTLM/Kerberos anomalies).
  5. Exfiltration — large egress spikes to new ASNs, encrypted archives to cloud storage, Tor/VPN proxies.
  6. Malicious SSL/TLS — self-signed oddities, deprecated cipher suites, cert reuse across unrelated infra.
  7. Rogue Services — unauthorized DHCP, ARP poisoning, LLMNR/NBNS spoofing, shadow IT devices.
  8. Crypto-mining — pool connections, protocol signatures, GPU-heavy hosts correlating with network spikes.

🧭 Response Integrations (Containment without Drama)

  • Firewalls/WAF — dynamic blocklists, policy updates, virtual patching. → WAF / Bot Management
  • SD-WAN — steer/blackhole malicious prefixes; pin golden paths; withdraw Anycast where needed. → SD-WAN
  • NAC — quarantine VLAN, port shutdown, 802.1X reauth on compromised hosts. → NAC
  • ZTNA/SASE — revoke app sessions or step-up MFA; isolate risky users/devices. → ZTNA • SASE • IAM / SSO / MFA
  • EDR/MDR — send host isolate/kill actions; share IOCs; enrich EDR timeline. → EDR • MDR
  • SOAR — orchestrate playbooks: block → alert → ticket → notify → evidence pack. → SIEM / SOAR

πŸ“ SLO Guardrails (Recommended Targets)

Metric                             | Target (Recommended)           | Notes
Mean Time To Detect (C2 beacon)    | ≤ 5–10 min                     | With baselines & intel feeds
Mean Time To Contain (net action)  | ≤ 15–30 min                    | FW/NAC/SD-WAN/ZTNA integrations
Sensor packet loss                 | 0% sustained (alert at >0.1%)  | Validate SPAN/TAP capacity
False Positive Rate                | ≤ 5–8%                         | Weekly tuning loop
Evidence completeness (Sev-1/2)    | 100%                           | PCAPs/flows/timeline attached

SLO dashboards live in SIEM/NOC; monthly exec reports include trends and root cause themes. → NOC Services • SIEM / SOAR


🔒 Privacy, Policy & Decryption

  • Metadata-only first — DNS, SNI, headers, flow features, and certificate intel detect a large share of threats.
  • Selective TLS break — only with business/legal approval for scoped apps/segments; log who/what/when was decrypted.
  • Data minimization — keep PCAP windows short; mask PII where possible; rotate keys; strict RBAC.
  • Evidence handling — chain-of-custody for PCAPs; immutable storage for audit cases.

🧪 Tuning & Noise Reduction (Keep Signal High)

  • Build allowlists for known backup/replication/sync flows.
  • Suppress expected scanners (vuln scans, discovery) while retaining anomaly triggers.
  • Favor behavioral models over static IoC firehoses; align to ATT&CK.
  • Weekly hunt calendar (e.g., SMB enumeration spikes, anomalous JA3s, new Tor exits).
  • AIOps in the NOC to deduplicate flaps and correlate multi-signal incidents. → NOC Services
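The beaconing and DNS-abuse detections listed under High-Value Detections, together with the allowlist step from this tuning section, as a worked example. This is added illustration code, not SolveForce's analytics: the flow records, DNS log, IP addresses and allowlist are constructed, and the thresholds (jitter coefficient of variation, label length/entropy, NXDOMAIN ratio) are assumed starting points for a tuning loop, not vendor defaults.

```python
import math
from collections import Counter, defaultdict

# Constructed flow records: (epoch_seconds, src, dst, bytes_out, bytes_in)
FLOWS = [(t, "10.0.1.20", "203.0.113.5", 512, 256)       # ~60 s beacon, 1-2 s jitter
         for t in (0, 60, 119, 181, 240, 302, 360, 419)]
FLOWS += [(t, "10.0.1.30", "10.0.0.9", 9_000_000, 4096)   # scheduled backup, also periodic
          for t in range(0, 360, 60)]
FLOWS += [(t, "10.0.1.40", "198.51.100.7", 2048, 64_000)  # ordinary bursty browsing
          for t in (0, 5, 140, 150, 400, 410)]
ALLOWLIST = {"10.0.0.9"}  # known backup/replication destination (constructed)

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means periodic."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = sum(gaps) / len(gaps)
    return math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean

def find_beacons(flows, max_cv=0.1, min_flows=5, allowlist=ALLOWLIST):
    """Flag (src, dst) pairs with enough flows and low jitter, skipping allowlisted dsts."""
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in flows:
        by_pair[(src, dst)].append(ts)
    return {pair: round(cv, 3) for pair, ts in by_pair.items()
            if pair[1] not in allowlist and len(ts) >= min_flows
            and (cv := beacon_score(sorted(ts))) <= max_cv}

# Constructed DNS log: (client, qname, rcode)
DNS = [("10.0.1.20", "www.example.com", "NOERROR"), ("10.0.1.20", "mail.example.com", "NOERROR"),
       ("10.0.1.50", "dGhpcyBpcyBhIHRlc3Q4Zjk2a2pk.t.example.net", "NOERROR"),  # encoded chunk
       ("10.0.1.50", "aGVsbG8gd29ybGQgZm9vYmFy7a8c.t.example.net", "NOERROR")]
DNS += [("10.0.1.60", f"q{n}.example.org", "NXDOMAIN" if n else "NOERROR") for n in range(5)]

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def dns_indicators(queries, min_label=25, min_entropy=3.5, nx_ratio=0.5):
    """Per client: long high-entropy leftmost labels (tunneling) and NXDOMAIN share (DGA churn)."""
    per_client = defaultdict(list)
    for client, qname, rcode in queries:
        per_client[client].append((qname.split(".")[0], rcode))
    findings = {}
    for client, rows in per_client.items():
        tunnel = any(len(l) >= min_label and label_entropy(l) >= min_entropy for l, _ in rows)
        nx = sum(rc == "NXDOMAIN" for _, rc in rows) / len(rows) >= nx_ratio
        reasons = [r for r, hit in (("long_high_entropy_label", tunnel), ("nxdomain_ratio", nx)) if hit]
        if reasons:
            findings[client] = reasons
    return findings
```

Running `find_beacons(FLOWS)` flags only the 10.0.1.20 → 203.0.113.5 pair; the equally periodic backup job is suppressed by the allowlist, which is the noise-reduction point above.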

☁️ Cloud & Kubernetes Patterns

  • AWS — mirror ENIs (VPC Traffic Mirroring) to NDR; tag flows with VPC/ASG metadata; shield origins behind Direct Connect. → Direct Connect
  • Azure — vTAP mirroring; ER hubs; NSG/ASG tags in analytics.
  • GCP — Packet Mirroring; project/label tags; pair with Cloud Router telemetry.
  • Kubernetes — eBPF sensor or CNI mirror; detect pod-to-pod and service mesh anomalies; enrich with namespace/service labels.

🏭 Industry Patterns (What “Great” Looks Like)

  • Healthcare — monitor imaging/EHR segments; detect SMB misuse; PHI exfil prevention; NAC quarantine; HIPAA evidence packs. → Healthcare
  • Finance — low-latency venues; C2/exfil to new ASNs; tokenization upstream; PCI DSS logging; Anycast withdraw for sick POPs. → Finance
  • Government — NIST-aligned detections, FedRAMP cloud mirroring; ZTNA per-mission; crisis playbooks. → Government
  • Enterprise — SD-WAN + SASE + NDR triad; microsegmentation; ISO 27001 program evidence. → Enterprise

✅ Pre-Engagement Checklist

  • πŸ“ Segments & sites β€” DC, campus, branches, OT/ICS, cloud regions.
  • 🧲 Mirror points β€” SPAN/TAP locations, VPC/vNet mirroring, container scope.
  • πŸ“ˆ Capacity β€” peak Gbps, packet rates, timestamp accuracy, loss budgets.
  • πŸ” Policy β€” decryption stance, PCAP retention, RBAC, privacy notice.
  • πŸ”— Integrations β€” FW/WAF, SD-WAN, NAC, ZTNA, EDR, SIEM/SOAR, ticketing.
  • πŸ“Š SLOs β€” MTTD/MTTC targets, FP rate, evidence standards, reporting cadence.
  • πŸ§ͺ Drills β€” blackhole test, quarantine VLAN test, Anycast withdraw test.

🔄 Where NDR Fits (Recursive View)

1) Grammar — signals ride Connectivity and the Networks & Data Centers fabric.
2) Syntax — delivery patterns in Cloud and k8s inform sensor placement.
3) Semantics — Cybersecurity preserves truth with NDR+EDR+SIEM.
4) Pragmatics — SolveForce AI correlates patterns, reduces noise, and triggers auto-containment.
5) Foundation — shared terms enforced by Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.


📞 Deploy NDR with Confidence

Get east–west visibility, stop exfil fast, and ship audit-ready evidence.

Related pages:
Cybersecurity • EDR • MDR • SIEM / SOAR • ZTNA • SASE • SD-WAN • Direct Connect • WAF / Bot Management • NOC Services • Knowledge Hub