This network traffic looks legal but it can hide a serious threat

By Admin, July 2, 2025
02 July 2025Hacker NewsDetection of security / threat on the network

Network movement

With nearly 80% of cyber threats now imitating legitimate user behaviour, how do leading SOCs determine which traffic is legitimate and which is potentially dangerous?

Where do you turn when firewalls and endpoint detection and response (EDR) fall short of detecting the threats that matter most to your organization? According to Verizon's latest Data Breach Investigations Report, breaches involving edge devices and VPN gateways have grown from 3% to 22%. EDR solutions struggle to catch zero-day exploits, living-off-the-land techniques and malware-free attacks. Nearly 80% of detected threats use malware-free techniques that mimic normal user behaviour, as highlighted in CrowdStrike's 2025 Global Threat Report. The stark reality is that conventional detection methods are no longer sufficient, as threat actors adapt their strategies with legitimate-looking techniques such as account abuse or hijacking to avoid discovery.

In response, security operations centers (SOCs) are turning to a multilayer detection approach that uses network data to expose adversaries who can no longer hide.

Technologies such as Network Detection and Response (NDR) are being adopted to provide visibility that complements EDR, exposing behaviour that endpoints are most likely to miss. Unlike EDR, NDR operates without deploying agents, so it effectively identifies threats that evade conventional methods and abuse legitimate tools. The bottom line: evasion techniques that work against edge devices and EDR are less likely to succeed when NDR is also watching.

Layering Up: A Faster Threat Detection Strategy

Much like layering clothing for unpredictable weather, elite SOCs build resilience through a multilayer detection strategy focused on network insights. By consolidating detection into a single system, NDR streamlines management and lets teams focus on high-priority risks and use cases.

Teams can quickly adapt to evolving attack conditions, detecting threats sooner and minimizing damage. Now let's bundle up and look at the layers that make up this dynamic stack:

The Base Layer

Lightweight and fast to deploy, these layers readily catch known threats and form the foundation of protection:

  • Signature-based network detection serves as the first layer of defense thanks to its lightweight nature and rapid response. Industry-leading signature sets such as Proofpoint ET Pro, running on Suricata engines, can quickly detect known threats and exploits.
  • Threat intelligence, often consisting of indicators of compromise (IOCs), looks for known network entities (such as IP addresses, domain names and hashes) observed in real attacks. Like signatures, IOCs are easy to share, lightweight and quick to deploy, offering faster detection.

The Malware Layer

Think of malware detection as a waterproof barrier that protects against the "drips" of malware payloads by identifying malware families. Tools such as YARA rules, the standard for static file analysis in the malware analysis community, can identify malware families that share common code structures. This is critical for detecting polymorphic malware that changes its signature while keeping its core behavioural characteristics.

The Adaptive Layer

Built for evolving conditions, these most sophisticated layers use behavioural and machine-learning algorithms that identify known, unknown and evasive threats:

  • Behavioural detection identifies risky activity such as domain generation algorithms (DGAs), command-and-control communication and unusual data exfiltration patterns. It remains effective even when attackers change their malware (or other components of the attack), because the underlying behaviour does not change; this is what allows unknown threats to be detected.
  • ML models, both supervised and unsupervised, can detect known attacks as well as anomalous behaviour that may indicate novel threats. They can focus on attacks that span a greater length of time and complexity than behavioural detection can.
  • Anomaly detection uses unsupervised machine learning to identify deviations from baseline network behaviour. It alerts SOCs to anomalies such as unexpected services, unusual client software, suspicious logins and malicious traffic, helping organizations uncover threats hiding in normal network activity and minimize attacker dwell time.

The Query Layer

Finally, in some situations there is simply no faster way to create an alert than to query existing network data. Search-based detection, meaning search queries that generate alerts and detections, functions as a snap-on layer that is ready for short-term, rapid response.

Threat Detection Layers Combined by NDR

The real power of multilayer detection lies in how the layers work together. The best SOCs deploy Network Detection and Response (NDR) to provide a unified view of threats across the network. NDR correlates detections from multiple engines to deliver comprehensive, network-centric threat visibility and the context that enables real-time incident response.
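As an added illustration of how the base (IOC), behavioural (DGA) and anomaly (new service) layers above can be correlated per host, here is a small Python pass over constructed Zeek-style records. This is example code written for this article summary, not Corelight's code or the article's own; the IOC entry, the port baseline and the DGA thresholds are made-up assumptions.

```python
import math
from collections import Counter

# Base layer: a constructed IOC list standing in for shared threat intelligence.
IOC_DOMAINS = {"update-check.example-bad.test"}  # placeholder, not a real indicator

# Anomaly baseline: destination ports each host used during a learning period (constructed).
BASELINE = {"10.0.0.5": {53, 80, 443}}

# Constructed sample records modelled on Zeek conn.log / dns.log fields.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53, "query": "mail.example.com"},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53, "query": "update-check.example-bad.test"},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53, "query": "xk7q9zv2mwplrt.test"},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 4444},
]

def shannon_entropy(s):
    """Bits per character; random-looking DGA labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def ioc_layer(rec):
    """Base layer: exact match of the queried name against the IOC list."""
    return "ioc:known-domain" if rec.get("query") in IOC_DOMAINS else None

def behavior_layer(rec):
    """Adaptive layer: DGA-like heuristic on the leftmost DNS label (long, high-entropy, vowel-poor)."""
    label = (rec.get("query") or "").split(".")[0]
    if len(label) < 12:
        return None
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    if shannon_entropy(label) > 3.5 and vowel_ratio < 0.2:
        return "behavior:dga-like-query"
    return None

def anomaly_layer(rec, baseline):
    """Adaptive layer: flag a host talking to a service port absent from its baseline."""
    seen = baseline.get(rec["src"], set())
    return None if rec["dport"] in seen else "anomaly:new-service"

def correlate(records, baseline):
    """Run every engine over every record and merge hits per source host, as an NDR correlates engines."""
    findings = {}
    for rec in records:
        hits = [h for h in (ioc_layer(rec), behavior_layer(rec), anomaly_layer(rec, baseline)) if h]
        if hits:
            findings.setdefault(rec["src"], []).extend(hits)
    return findings
```

Running `correlate(SAMPLE_RECORDS, BASELINE)` groups the three hits under the one host, while the benign `mail.example.com` lookup produces nothing in any layer.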

Beyond the layers themselves, advanced NDR solutions can offer several key advantages that improve overall threat response capabilities:

  • Identifying new vectors and novel techniques not yet covered by traditional EDR signature detection systems.
  • Reducing false positives by ~25%, according to the FireEye report.
  • Cutting incident response time with AI triage and automated workflows.
  • Comprehensive coverage of network-based MITRE ATT&CK tactics, techniques and procedures (TTPs).
  • Leveraging shared intelligence and community-driven detections (open source solutions).

The Path Forward for Modern SOCs

The combination of increasingly sophisticated attacks, expanding attack surfaces and added resource constraints demands a shift toward multilayer detection strategies. In an environment where attacks succeed in seconds, the window for a SOC without an NDR solution closes quickly. Elite SOC teams understand this and are already layering up. The question is not whether to implement multilayer detection, but how quickly the transition can be made.

Corelight Network Detection and Response

Corelight's integrated Open NDR platform combines all seven types of network detection and is built on open source software such as Zeek®, allowing you to tap into the intelligence of the community. For more information: Corelight.

Found this article interesting? This article is a contribution from one of our esteemed partners. Follow us on Twitter and LinkedIn to read more exclusive content we publish.

© 2025 indoguardonline.com