Network Detection & Response for East–West Visibility & Exfil Control
Network Detection & Response (NDR) analyzes network traffic—on-prem, cloud, and edge—to detect, investigate, and contain threats that endpoint tools miss. SolveForce deploys NDR sensors and flow analytics to uncover lateral movement, command-and-control (C2) beacons, data exfiltration, and policy violations, then orchestrates response with your firewalls, SD-WAN, NAC, ZTNA, and SIEM/SOAR.
Where NDR sits in the SolveForce model:
🌐 Connectivity (Grammar) → Connectivity • 🖧 Fabric → Networks & Data Centers
🔒 Security (Semantics) → Cybersecurity • 🛡️ EDR/MDR/XDR → EDR • MDR
📊 Analytics/Automation → SIEM / SOAR • 🔀 Control → SD-WAN • SASE • ZTNA
🎯 Outcomes (What SolveForce NDR Delivers)
- East–west visibility where EDR coverage is partial (OT/ICS, IoT, servers, BYOD/guest).
- Early detection of beaconing, lateral movement, DNS tunneling, and staged exfil.
- Containment in minutes via SD-WAN path pins, ACL pushes, NAC quarantine, ZTNA revocation.
- Forensics & evidence (PCAPs, metadata, timelines) aligned to ATT&CK for audits and IR.
- Lower MTTR through SOAR playbooks and NOC runbooks tied to SLOs.
🔍 What NDR Sees (Signals & Enrichment)
- Packets/PCAP (full/streamed) — selective capture for deep analysis and replay.
- Flow records — NetFlow/IPFIX/sFlow for scalable baselines and anomalies.
- Protocol metadata — DNS (queries/answers), HTTP(S) headers, TLS SNI/JA3/JA3S, SMB/NTLM, RDP, SSH, LDAP/Kerberos, DHCP/ARP.
- Behavioral features — periodicity, fan-out/fan-in, byte symmetry, burst patterns, long-lived flows, entropy.
- Threat intel — domains/IPs/certs, sandbox verdicts, ASN/geo tags.
- Identity hints — map IP/MAC to IAM/MDM inventory when available. → IAM / SSO / MFA • MDM / UEM
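The behavioral features above are what turn raw flow records into a beacon verdict. The block below is an added example, not SolveForce tooling or code from this page: it aggregates NetFlow/IPFIX-style records per (src, dst, dport), computes interval regularity (coefficient of variation), payload-size consistency, byte symmetry and source fan-out, and flags pairs that look like periodic check-ins. The `Flow` record layout, the thresholds and the sample flows are all constructed assumptions for illustration.

```python
"""Behavioral features over NetFlow/IPFIX-style records: periodicity, byte symmetry, fan-out.
Added example; field names, thresholds and sample data are assumptions, not a product schema."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, epoch seconds
    src: str         # internal client
    dst: str         # peer address
    dport: int
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src


def _cv(values):
    """Coefficient of variation (pstdev / mean); None when undefined."""
    if len(values) < 2:
        return None
    m = mean(values)
    return pstdev(values) / m if m > 0 else None


def pair_features(flows):
    """Aggregate per (src, dst, dport) and derive the features the text lists."""
    by_pair = defaultdict(list)
    fan_out = defaultdict(set)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f)
        fan_out[f.src].add(f.dst)
    feats = {}
    for key, fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
        out = sum(f.bytes_out for f in fl)
        inn = sum(f.bytes_in for f in fl)
        feats[key] = {
            "count": len(fl),
            "interval_mean": mean(gaps) if gaps else 0.0,
            "interval_cv": _cv(gaps),                    # ~0 for a fixed timer, small with jitter
            "size_cv": _cv([f.bytes_out for f in fl]),   # check-ins are near-identical in size
            "byte_symmetry": out / (out + inn) if out + inn else 0.0,  # > 0.5 means upload-heavy
            "src_fan_out": len(fan_out[key[0]]),         # distinct peers seen from this source
        }
    return feats


def beacon_candidates(feats, min_count=8, max_interval_cv=0.25, max_size_cv=0.5):
    """Low-and-slow C2 heuristic: many small, regularly spaced check-ins to one peer.
    Thresholds are starting points; tune them against allowlisted NTP/update/telemetry flows."""
    hits = []
    for key, f in feats.items():
        if f["count"] < min_count:
            continue
        if f["interval_cv"] is None or f["interval_cv"] > max_interval_cv:
            continue
        if f["size_cv"] is None or f["size_cv"] > max_size_cv:
            continue
        hits.append(key)
    return sorted(hits)


def sample_flows():
    """Constructed flow records for the demo (not real telemetry)."""
    t0 = 1_700_000_000
    flows = []
    # 10.0.5.23: twelve check-ins to one peer on a 60 s timer with a few seconds of jitter
    offsets = [0, 61, 119, 182, 240, 301, 359, 421, 480, 539, 601, 660]
    sizes = [300, 312, 305, 318, 301, 309, 315, 304, 311, 307, 299, 316]
    for off, sz in zip(offsets, sizes):
        flows.append(Flow(t0 + off, "10.0.5.23", "203.0.113.10", 443, sz, 1024 + off % 7))
    # 10.0.5.40: interactive browsing, bursty timing and widely varying sizes
    browse = [(0, 1400), (5, 820), (7, 9300), (120, 410), (121, 2200),
              (900, 640), (905, 15100), (2000, 500), (2001, 3100), (2002, 780)]
    for off, sz in browse:
        flows.append(Flow(t0 + off, "10.0.5.40", "198.51.100.7", 443, sz, sz * 9))
    # 10.0.5.9: nightly backup, three large upload-heavy transfers (an allowlist candidate)
    for i in range(3):
        flows.append(Flow(t0 + i * 86400, "10.0.5.9", "10.0.20.5", 445, 50_000_000, 120_000))
    return flows


if __name__ == "__main__":
    feats = pair_features(sample_flows())
    for key in beacon_candidates(feats):
        print("beacon candidate:", key, feats[key])
```

Only the 10.0.5.23 pair is reported: its interval CV is about 0.03 and its size CV about 0.02, while the browsing pair fails on both and the backup pair never reaches `min_count`. Note what the sample also shows about timing: the heuristic needs several periods before the CV is meaningful, so twelve 60 s check-ins take eleven minutes to accumulate, and an hourly beacon takes most of a day.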
Decryption policy: We default to metadata-first (no TLS break) and enable lawful, consented decryption only where approved and necessary. See privacy notes below.
🧱 Sensor & Deployment Patterns
- SPAN/TAP sensors (on-prem) — DC core, aggregation, and critical segments (server → DB, OT/ICS).
- Virtual sensors (cloud) — AWS VPC Traffic Mirroring, Azure vTAP, GCP Packet Mirroring; hub VPC/VNet mirrors. → Cloud
- Kubernetes/containers — CNI mirroring, eBPF sidecar, or node-level taps for east–west pod traffic.
- Remote sites/edge — lightweight appliances at branches; summarize to central analytics over secure tunnels.
- Out-of-band vs in-line — detect out-of-band (sensors never sit in the forwarding path, so a sensor fault or overload cannot drop production traffic); enforce through integrations (FW/SD-WAN/NAC/ZTNA) that already own the data plane.
Capacity planning: size SPAN/TAP links to avoid drops; timestamping and loss counters are monitored like SLOs. → NOC Services
🚨 High-Value Detections (Use Cases)
- C2 & Beaconing — low-and-slow periodic callbacks (regular intervals with small jitter, near-identical check-in sizes), domain generation algorithms (DGA), JA3 fingerprints that do not match the client the User-Agent claims or any known-good baseline.
- Lateral Movement — abnormal SMB share enumeration, RDP brute force or valid-account logons from unusual sources, WMI/WinRM remote execution, Kerberoasting patterns (bursts of TGS-REQs for many service principals, often requesting RC4 tickets).
- DNS Abuse — tunneling (volumetric TXT/CNAME/NULL queries, long high-entropy subdomains, many unique names under one domain), fast-flux, suspicious NXDOMAIN ratios.
- Credential Theft/Reuse — pass-the-hash indicators (NTLM logons with no preceding interactive authentication), Golden Ticket indicators (TGS-REQs with no matching AS-REQ for the principal, anomalous ticket lifetimes).
- Exfiltration — large egress spikes to new ASNs, encrypted archives to cloud storage, Tor/VPN proxies.
- Malicious SSL/TLS — self-signed or placeholder certificates on Internet egress, deprecated protocol versions and cipher suites, the same certificate or JA3S reused across unrelated infrastructure.
- Rogue Services — unauthorized DHCP, ARP poisoning, LLMNR/NBNS spoof, shadow IT devices.
- Crypto-mining — pool connections, protocol signatures, GPU-heavy hosts correlating with network spikes.
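The DNS Abuse bullet above names the signals (query-type mix, subdomain length and entropy, unique names per domain, NXDOMAIN ratio) without showing how they separate a tunnel from a DGA client. The block below is an added example, not code from this page or from any SolveForce product: it parses a constructed DNS query log, computes those per-client features and applies two simple rules. The log format (`epoch client qname qtype rcode`), the thresholds and the sample records are assumptions; the registered-domain split on the last two labels is a deliberate simplification of the Public Suffix List.

```python
"""DNS abuse heuristics (tunneling, DGA) over a constructed DNS query log.
Added example; log format, thresholds and sample traffic are assumptions."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Registered-domain approximation: last two labels.
    A real deployment uses the Public Suffix List (co.uk etc.)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Assumed log format: '<epoch> <client_ip> <qname> <qtype> <rcode>'."""
    ts, client, qname, qtype, rcode = line.split()
    return int(ts), client, qname.lower(), qtype, rcode


def client_features(lines):
    """Per-client volumetrics and name-shape features from raw log lines."""
    per = defaultdict(lambda: {"total": 0, "txt": 0, "nx": 0, "label_len": [],
                               "entropy": [], "subs": defaultdict(set)})
    for line in lines:
        _, client, qname, qtype, rcode = parse_line(line)
        p = per[client]
        p["total"] += 1
        p["txt"] += int(qtype in ("TXT", "NULL"))      # record types tunnels favour for payload
        p["nx"] += int(rcode == "NXDOMAIN")              # DGA hosts miss most of their guesses
        longest = max(qname.split("."), key=len)         # payload label or DGA second-level label
        p["label_len"].append(len(longest))
        p["entropy"].append(shannon_entropy(longest))
        p["subs"][base_domain(qname)].add(qname)         # unique names per registered domain
    feats = {}
    for client, p in per.items():
        n = p["total"]
        feats[client] = {
            "total": n,
            "txt_share": p["txt"] / n,
            "nxdomain_ratio": p["nx"] / n,
            "mean_label_len": sum(p["label_len"]) / n,
            "mean_entropy": sum(p["entropy"]) / n,
            "max_unique_per_base": max(len(s) for s in p["subs"].values()),
        }
    return feats


def classify(feats, min_total=8):
    """Two starting-point rules; tune against CDN, telemetry and DNSBL traffic before alerting."""
    verdicts = {}
    for client, f in feats.items():
        if f["total"] < min_total:
            continue
        if f["txt_share"] >= 0.5 and f["mean_label_len"] >= 20 and f["max_unique_per_base"] >= 8:
            verdicts[client] = "dns-tunnel"
        elif f["nxdomain_ratio"] >= 0.5 and f["mean_entropy"] >= 3.2:
            verdicts[client] = "dga-like"
    return verdicts


def build_sample_log():
    """Constructed sample log (not real telemetry)."""
    t = 1_700_000_000
    lines = []
    # 10.0.5.23: tunnel client, each TXT query carries a 32-hex-char chunk as the leftmost label
    for i in range(10):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"{t + i} 10.0.5.23 {chunk}.t.example.net TXT NOERROR")
    # 10.0.5.77: DGA-style host, random-looking second-level names that do not resolve
    dga = ["qwzxkjvbplmnrtyu", "hgfdsapoiuytrewq", "zxcvbnmasdfghjkl", "mnbvcxzlkjhgfdsa",
           "poiuytrewqlkjhgf", "1qaz2wsx3edc4rfv", "5tgb6yhn7ujm8ik9", "abcdefghijklmnop",
           "qrstuvwxyz012345", "6789abcdefghijkl"]
    for i, label in enumerate(dga):
        lines.append(f"{t + 100 + i} 10.0.5.77 {label}.com A NXDOMAIN")
    lines.append(f"{t + 200} 10.0.5.77 www.example.com A NOERROR")
    lines.append(f"{t + 201} 10.0.5.77 mail.example.org A NOERROR")
    # 10.0.5.40: ordinary client, short readable names that all resolve
    normal = ["www.example.com", "mail.example.org", "cdn.example.net", "login.example.com",
              "api.example.com", "www.example.org", "static.example.net", "time.example.com",
              "www.example.com"]
    for i, name in enumerate(normal):
        lines.append(f"{t + 300 + i} 10.0.5.40 {name} A NOERROR")
    return lines


if __name__ == "__main__":
    feats = client_features(build_sample_log())
    for client, verdict in classify(feats).items():
        print(client, verdict, feats[client])
```

On the sample, 10.0.5.23 is classed as a tunnel (100% TXT, 32-character payload labels, ten unique names under one domain) and 10.0.5.77 as DGA-like (83% NXDOMAIN, mean entropy about 3.75 bits), while the ordinary client trips neither rule. The `min_total` floor and the allowlist step matter in production: a single lookup of a long CDN hostname should never page anyone.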
🧭 Response Integrations (Containment without Drama)
- Firewalls/WAF — dynamic blocklists, policy updates, virtual patching. → WAF / Bot Management
- SD-WAN — steer/blackhole malicious prefixes; pin golden paths; withdraw Anycast where needed. → SD-WAN
- NAC — quarantine VLAN, port shutdown, 802.1X reauth on compromised hosts. → NAC
- ZTNA/SASE — revoke app sessions or step-up MFA; isolate risky users/devices. → ZTNA • SASE • IAM / SSO / MFA
- EDR/MDR — send host isolate/kill actions; share IOCs; enrich EDR timeline. → EDR • MDR
- SOAR — orchestrate playbooks: block → alert → ticket → notify → evidence pack. → SIEM / SOAR
📐 SLO Guardrails (Recommended Targets)
| Metric | Target (Recommended) | Notes |
|---|---|---|
| Mean Time To Detect (C2 beacon) | ≤ 5–10 min | With baselines & intel feeds; periodicity models need several beacon intervals to fire, so a low-and-slow beacon is usually caught first on intel, JA3 or destination reputation |
| Mean Time To Contain (net action) | ≤ 15–30 min | FW/NAC/SD-WAN/ZTNA integrations |
| Sensor packet loss | = 0% sustained (alert at >0.1%) | Validate SPAN/TAP capacity |
| False Positive Rate | ≤ 5–8% | Weekly tuning loop |
| Evidence completeness (Sev-1/2) | 100% | PCAPs/flows/timeline attached |
SLO dashboards live in SIEM/NOC; monthly exec reports include trends and root cause themes. → NOC Services • SIEM / SOAR
🔒 Privacy, Policy & Decryption
- Metadata-only first — DNS, SNI, headers, flow features, and certificate intel detect a large share of threats.
- Selective TLS break — only with business/legal approval for scoped apps/segments; log who/what/when was decrypted.
- Data minimization — keep PCAP windows short; mask PII where possible; rotate the keys that protect stored captures; strict RBAC.
- Evidence handling — chain-of-custody for PCAPs; immutable storage for audit cases.
🧪 Tuning & Noise Reduction (Keep Signal High)
- Build allowlists for known backup/replication/sync flows.
- Suppress expected scanners (vuln scans, discovery) while retaining anomaly triggers.
- Favor behavioral models over static IoC firehoses; align to ATT&CK.
- Weekly hunt calendar (e.g., SMB enum spikes, anomalous JA3s, newly listed Tor exit nodes).
- AIOps in the NOC to deduplicate flaps and correlate multi-signal incidents. → NOC Services
☁️ Cloud & Kubernetes Patterns
- AWS — mirror ENIs (VPC Traffic Mirroring) to NDR; tag flows with VPC/ASG metadata; shield origins behind Direct Connect. → Direct Connect
- Azure — vTAP mirroring; ExpressRoute (ER) hubs; NSG/ASG tags in analytics.
- GCP — Packet Mirroring; project/label tags; pair with Cloud Router telemetry.
- Kubernetes — eBPF sensor or CNI mirror; detect pod-to-pod and service mesh anomalies; enrich with namespace/service labels.
🏭 Industry Patterns (What “Great” Looks Like)
- Healthcare — monitor imaging/EHR segments; detect SMB misuse; PHI exfil prevention; NAC quarantine; HIPAA evidence packs. → Healthcare
- Finance — low-latency venues; C2/exfil to new ASNs; tokenization upstream; PCI DSS logging; Anycast withdraw for sick POPs. → Finance
- Government — NIST-aligned detections, FedRAMP cloud mirroring; ZTNA per-mission; crisis playbooks. → Government
- Enterprise — SD-WAN + SASE + NDR triad; microsegmentation; ISO 27001 program evidence. → Enterprise
✅ Pre-Engagement Checklist
- 📍 Segments & sites — DC, campus, branches, OT/ICS, cloud regions.
- 🧲 Mirror points — SPAN/TAP locations, VPC/vNet mirroring, container scope.
- 📈 Capacity — peak Gbps, packet rates, timestamp accuracy, loss budgets.
- 🔐 Policy — decryption stance, PCAP retention, RBAC, privacy notice.
- 🔗 Integrations — FW/WAF, SD-WAN, NAC, ZTNA, EDR, SIEM/SOAR, ticketing.
- 📊 SLOs — MTTD/MTTC targets, FP rate, evidence standards, reporting cadence.
- 🧪 Drills — blackhole test, quarantine VLAN test, Anycast withdraw test.
🔄 Where NDR Fits (Recursive View)
1) Grammar — signals ride Connectivity and the Networks & Data Centers fabric.
2) Syntax — delivery patterns in Cloud and k8s inform sensor placement.
3) Semantics — Cybersecurity preserves truth with NDR+EDR+SIEM.
4) Pragmatics — SolveForce AI correlates patterns, reduces noise, and triggers auto-containment.
5) Foundation — shared terms enforced by Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.
📞 Deploy NDR with Confidence
Get east–west visibility, stop exfil fast, and ship audit-ready evidence.
Related pages:
Cybersecurity • EDR • MDR • SIEM / SOAR • ZTNA • SASE • SD-WAN • Direct Connect • WAF / Bot Management • NOC Services • Knowledge Hub