Sarah Hunt, Author at Datamation https://www.datamation.com/author/sarah-hunt/ Emerging Enterprise Tech Analysis and Products Tue, 25 Apr 2023 22:25:52 +0000 en-US hourly 1 https://wordpress.org/?v=6.2 EDR vs. NDR vs. XDR: Which Should You Use? https://www.datamation.com/security/edr-vs-ndr-vs-xdr Tue, 25 Apr 2023 22:25:52 +0000 https://www.datamation.com/?p=24059 Endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR) are closely related categories of threat detection technology. Each of these tools can detect and respond to cyberattacks originating from a variety of sources, but they vary in their sophistication. 

This guide will help you understand how these tools often complement one another within an overarching network security approach. 

  • EDR is best suited for organizations that need to oversee many endpoints, though it is rarely used as a standalone network security solution.
  • NDR is best used when packet inspection is important to an organization, as this tool provides more context versus EDR and XDR.
  • XDR is best used in larger network architectures that could benefit from a centralized, unified approach to threat detection.
For more information, also see: Artificial Intelligence in Cybersecurity

Endpoint Detection & Response (EDR)

EDR, as the name implies, protects networks at each connected endpoint, reducing the risk of network breach and attacks that occur at these oft-targeted locations.These systems identify tangible changes at the endpoint level. In modern enterprise networks, there can be hundreds or even thousands of endpoints connected to networked devices, including IoT devices like sensors and communication devices deployed in the field. 

Advanced EDR systems utilize tools like machine learning and AI to uncover new threats and suspicious behavior and activity. 

EDR Pros

Better protection of endpoints improves organizations’ overall security postures. Bad actors frequently target endpoints, so more protection at these vulnerable network connections is an overall positive. As valuable as EDR tools are, however, most organizations will require additional network security tools as well. This is especially true with more employees working remotely and in hybrid setups.

XDR, outlined below, may provide the best solution for these situations. 

EDR Cons

One significant limitation of EDR is that the detection logs generated by these tools do not always trigger alerts. Organizations will need to perform periodic, manual reviews of endpoint data to prevent cyber attacks. Also, EDR on its own often cannot be deployed on all devices, including many BYOD and IoT devices or in environments like the public cloud. Threat actors seek out these gaps in visibility, looking for opportunities to exploit these vulnerabilities. 

EDR Deployment Methods

EDR is typically deployed in one of two environments: on premise and via the cloud. 

On premise deployment works best for relatively small organizations whose assets are all located in the same geography, especially those that want to keep their data within reach. However, this approach is limited in that EDR deployed on premise can’t support real-time behavioral analysis. Also, the updating process can become laborious and time-consuming. This is also the more expensive option. 

EDR deployed in the cloud offers several advantages over on premise deployment, including more scalability, integrity, flexibility and better overall manageability. However, cloud-based EDR may not offer the same level of security, especially related to industry regulations around data privacy. 

For more information, also see: What is Big Data Security?

EDR integrations

Top rated EDR vendors that provide EDR integration include:

EDR average price

EDR is usually priced per endpoint, per month, with fees starting around $10 per endpoint/per month. 

For more information, also see: Why Firewalls are Important for Network Security

Network Detection & Response (NDR)

NDR is unique to EDR and XDR in that it centers on the analysis of packet data located in network traffic versus endpoints or other data streams to uncover potential cyber threats. Packets contain a wealth of valuable information. 

NDR works by continuously monitoring and recording network traffic, in search of reliable patterns of expected network behavior. NDR uses that pattern to analyze packet data for anomalies of threats and then either alerts the security team or mitigates threats automatically.

Often, NDR solutions are packaged alongside other tools like security information and event management (SIEM) products and EDR, elevating the effectiveness of those cyber security tools by helping to reduce blind spots across a given network. 

NDR Pros

NDR increases security capabilities by equipping security teams with more network context and automated threat response. This contributes to better collaboration between network and security teams, and most important, quicker mitigation of threats and attacks. 

A key benefit of using NDR is the forensic information these systems can provide. Reports generated by NDR can help security determine how malware breached a network initially, information that can then be applied to mitigation solutions. 

NDR can uncover newer and more evolved malware, including polymorphic malware. It can also target so-called weaponized AI. 

NDR Cons

NDR does come with some limitations. First, these solutions can only analyze network logs — NDR cannot monitor or track endpoint events like process details, registry changes, or system commands. NDR is also unable to examine some cloud or identity data and some other sources of security information. 

These limitations underscore why NDR, like EDR, is not generally utilized as a stand alone security solution. It is a tool that can enhance an overarching security approach. 

NDR Deployment Methods

Like EDR, NDR can be deployed on premise and via cloud-based solutions, depending on organizational needs. 

On premise NDR deployment is better suited for organizations whose assets are all located in the same geography, especially those that want to keep their data within reach. Like EDR, updating NDR can become laborious and time-consuming and is the more expensive option versus cloud-based deployment. 

NDR can also be deployed in the cloud, which offers several advantages — more scalability, integrity, flexibility and better overall manageability. However, cloud-based NDR is, again, not as secure as on premise deployment and may not be well suited for organizations that need to adhere to various data privacy regulations. 

NDR integrations

Top rated NDR vendors that provide NDR integration include:

NDR Average Price

NDR is typically priced per user, per month, starting around $20 per user, per month for medium sized organizations. 

For more information, also see: What is Firewall as a Service? 

Extended Detection & Response (XDR)

Of the three threat detection approaches compared here, XDR is most advanced and, unsurprisingly, provides the most holistic protection against cyber attacks.

One way to think of XDR is that is, in many ways, an evolution of EDR and NDR that integrates network, application, and cloud data sources to respond quickly and effectively to threats, as they emerge. There are three main XDR platform categories:

  • Native XDR, which works exclusively with products from a single vendor.
  • Open XDR, which works with all vendors.
  • Hybrid XDR, which is capable of integrating data from some outside vendors, with limitations.

XDR Pros

XDR solutions are more proactive when it comes to threat detection and response. These platforms centralize visibility across multiple data streams, including endpoint data, network data, and cloud data. Used alongside tools like SIEM and security orchestration, automation, and response (SOAR), XDR is capable of addressing very complex threats. 

XDR Cons

While XDR is attractive to organizations seeking to centralize cyber security oversight across multiple data types, most will still want to tap into the context provided by tools like NDR. 

XDR solutions can be expensive, even beyond the actual platform and vendor agreement. Organizations may need to retrain employees or hire expert staff to run these tools because they are more complex to deploy and maintain. As the cyber threatscape evolves, XDR will need to be enhanced periodically as well, which will incur additional costs. 

XDR Deployment Methods

Like NDR and EDR, XDR can be deployed on premise, in the cloud, or via a hybrid arrangement. Most organizations investing in a solution like XDR will deploy into a hybrid environment. 

Top rated XDR vendors that provide XDR integration include:

XDR Average Price

Similar to NDR, XDR is usually priced per user (or license), per month, starting at around $60 per user/month. 

For more information, also see: How to Secure a Network: 9 Steps

Bottom line: EDR vs. NDR vs. XDR

While all three threat detection solutions do, in fact, work to detect threats, EDR, NDR, and XDR vary in their capabilities.

EDR can monitor and mitigate endpoint attacks, but is limited in scope. At the other end of the threat detection spectrum, XDR offers benefits like a more unified platform approach — however, XDR reporting often lacks the network context available through an NDR solution that offers real-time packet monitoring. 

Many large organizations need solutions that incorporate both network and endpoint data monitoring with other, overarching security tools in order to gain a true, real-time viewpoint of network behavior. A comprehensive enterprise security solution often includes NDR, EDR, XDR, SIEM, and SOAR. 

On a related topic, also see: Top Cybersecurity Software

]]>
Firewall Placement: Where Firewalls Sit on a Network https://www.datamation.com/security/firewall-placement-where-firewalls-sit-on-a-network/ Mon, 17 Apr 2023 18:57:13 +0000 https://www.datamation.com/?p=24027 At a high level, firewalls are positioned to create a protective barrier between external, potentially dangerous traffic sources and internal networks as well as within the enterprise perimeter, between segmented parts of a network. Firewalls should be placed throughout these segmented networks to ensure comprehensive protection across large enterprise networks. 

Firewalls control traffic between:

  • External networks (the internet) and internal networks.
  • External networks (the internet) and DMZ (demilitarized zone) networks.
  • Between internal networks.

Firewalls apply predetermined rules to control network access and can vary greatly in their ability to manage specific network threats. Most enterprise networks will include a mix of firewall types, including basic and multilayer firewall systems with built-in redundancies and advanced security features. 

For more information, also see: Why Firewalls are Important for Network Security

Firewall Placement and Network Segmentation

Complex networks are typically considered in terms of network segments, smaller physical or logical components of a larger network. This allows security teams to quickly close off sections of a network if a threat arises and streamlines the management of sprawling enterprise network architecture.

For communication to flow between segments, traffic flows through routers or firewalls so that it can be inspected before passing through to other network segments. This strategy adds security redundancies throughout the system and strengthens overall network security. 

On a related topic, also see: Top Cybersecurity Software

Firewall Placement for Different Network Segments 

These guidelines cover the main types of network segments; most networks will include multiple instances of each of these network connection types. 

External networks (the internet) and internal networks

It is highly important to place strong controls on firewalls protecting the internal network from external connections. Not only can malicious attacks occur from outside sources, but data leakage is a significant concern.

As a general rule, net connections should not be allowed from external to internal networks — servers for external servers should reside in DMZs.

External networks (the internet) and DMZ networks

DMZs, or “perimeter networks,” are isolated from other network endpoints and typically contain servers that offer services primarily for external access. Here, firewalls control traffic in and out of each DMZ from both external and internal networks (typically, only a few, specified services must be allowed).

Servers in DMZs are frequently targeted for attacks, so connections between DMZs and internal networks must be strictly managed.

Between internal networks

While internal networks do handle confidential data, connections between these networks can be more permissive than network connections between internal and external traffic. Still, there are unique network threats to consider because sensitive data needs to be transmitted between users frequently. In each network segment, security teams can create a variety of boundaries with varying degrees of security protection. 

For more information, also see: Artificial Intelligence in Cybersecurity

Multi-layer firewall placement

As the cyberthreat landscape has become more complex, it’s important for organizations to take a multi-layer firewall approach. This proactive, layered security strategy helps to bridge gaps between network segments to catch threats like malware as they are delivered versus a reactive approach in response to already-deployed attacks. 

Multilayer firewalls can add protection from attacks launched through email attachments, adware, links, apps, and file attachments, including malware that frequently changes identifiable characteristics like file name and type. Multilayer firewalls also typically include DNS-level security that protects against network level threats.

Multilayer firewalls rely on dynamic packet filtering to examine incoming data across a network’s active connections. This is a step up from simple packet-scanning firewall protection — note that some firewalls within a multilayer firewall structure may be simple packet-scanning firewalls, but the multilayer firewall is focused on dynamic packet filtering. 

A multilayer firewall approach is a convenient, efficient approach that brings multiple firewall technologies together. 

Firewall Placement Best Practices

Within a segmented network structure, SOCs identify various security zones, groups of servers and systems with similar security requirements. Organizations typically have a secure internal network zone and an external (untrusted) network zone and intermediate security zones in between. 

Firewalls control traffic to and from hosts and these security zones at the IP, port, or application levels. As all organizations require their own unique network architecture, there is no single configuration that would apply to all businesses and networks, but there are best practices that can be applied generally to help guide firewall placement within a segmented network:

  • Keep internet-facing servers in separate zones (for example, web servers and email servers) – this can help minimize damage if an internet-facing server is compromised.
  • Maintain only one-way traffic between internal zones and demilitarized zones (DMZ) (for example, DMZs used for proxy, email, and web servers).
  • Keep web servers and database servers on separate machines – ideally, these should be kept separate and placed in different DMZs.
  • Enable direct internet access for users on the internal network through an HTTP proxy server located in the primary DMZ.
  • Disallow direct traffic to the internal zone from the internet.

Security teams will also need to establish best practices around firewall maintenance, which can become quite complex and vulnerable to neglect. Every firewall connection should be routinely checked for up-to-date settings and effectiveness. If certain network segments experience unexpected spikes in traffic, it may become necessary to upgrade firewalls protecting those segments to handle the traffic spike while maintaining system performance. 

For more information, also see: How to Secure a Network: 9 Steps

Bottom Line: Firewall Placement

Network segmentation is a fundamental security approach to network infrastructure design that adds layered protection throughout large enterprise network environments. Most organizations will install firewalls throughout these segments to handle various connection types (internal communications, internal-to-external traffic, and DMZ traffic).

This comprehensive multi-layered approach adds system-wide protection against a wide range of network threats, including external cyber threats. 

As firewalls are placed throughout a segmented network, security teams should follow a standard set of best practices to ensure uniformity throughout. While these practices will vary by organization, it’s best practice that standards focused on how each firewall is part of the overall security architecture should be applied. 

Firewalls are one tool in the network security toolbox, and in some ways, these are relatively simple, fundamental elements of a larger network security approach. They are, however, integral and have outsized roles to play even within network security environments that include advanced tech features like AI and network traffic monitoring services. A large percentage of network security vulnerabilities can be stopped at the firewall level. 

For more information, also see: What is Big Data Security?

]]>
How to Perform a Vulnerability Scan: 4 Steps https://www.datamation.com/security/how-to-perform-a-vulnerability-scan-4-steps/ Wed, 05 Apr 2023 18:41:49 +0000 https://www.datamation.com/?p=23992 Network vulnerability scanning is the process of pinpointing weaknesses and vulnerabilities across a network, including evaluating network assets like computers and other devices — any potential target that could be exploited by threat actors should be included in these scans. 

The basic steps for performing a network vulnerability scan are:

  1. Plan and define the scope of the scan
  2. Identify vulnerabilities
  3. Perform analysis
  4. Mitigate identified vulnerabilities

Notably, vulnerability scans are also frequently used by attackers seeking vulnerabilities to exploit. Even when attackers are unable to access a network internally, vulnerability scans can be conducted from the outside. This is the key reason organizations often choose to perform scans while logged in as network users and without access to a network. 

For more information, also see: Why Firewalls are Important for Network Security

How Does a Vulnerability Scan Work?

Typically, vulnerability scans are conducted by an organization’s IT department, although some organizations outsource this process to a third-party security service provider. Organizations that operate within sectors like finance and banking often perform vulnerability scans through approved vendors to adhere to industry regulations.

In most instances, organizations will deploy a vulnerability scanning tool to automate much of the vulnerability scanning process. These scanners start from the endpoint of the person inspecting the attack surface being examined. The scanner compares details about the target attack surface to a known security hole database, attempting to exploit each vulnerability as it is discovered. 

Vulnerability scans fall into two overarching categories: authenticated and unauthenticated. During an unauthenticated scan, testers behave like an intruder who does not have trusted access to the network. This reveals vulnerabilities that attackers can exploit without needing to log into the network. 

Authenticated vulnerability scans are conducted while logged into the network as a trusted user (or an attacker who has gained access by pretending to be a trusted user). 

Within these two categories, a variety of different network vulnerability scans can be conducted, including:

  • Network based assessments scan wired and wireless networks.
  • Database scans look at databases in an effort to prevent attacks like distributed denial of service (DDoS), SQL injection, and brute force attacks.
  • Web application scans evaluate web applications and their source codes.
  • Host-based scans examine server workstations and other network hosts, including related ports and services.

For more information, also see: Data Security Trends

How to Perform a Vulnerability Scan in 4 Steps

There are many viable options for performing a vulnerability scan. These four steps are likely to be a part of any properly run vulnerability scan, but you may need to adjust some aspects of these steps (or add additional steps) based on your unique organizational needs. 

1. Plan and define the scope of the scan

Before you start to conduct a vulnerability assessment of your network, it’s a good idea to define the parameters of the scan. These steps can help narrow the scope of your scan:

  • Identify where your most sensitive data is stored across the network
  • Hunt down hidden sources of data
  • Identify the servers that run mission-critical applications
  • Determine which systems and networks you want to assess
  • Check for misconfigured ports
  • Check for misconfigured processes
  • Create a map of the entire network infrastructure, including digital assets and connected devices
  • Select an automated vulnerability scanning tool that offers the features you need — for example, reporting capabilities

Be sure to create a centralized place for information sharing information across your security team.

2. Identify vulnerabilities

As you work through the process of scanning the network for vulnerabilities, take careful notes. Your list should include as much detail as possible about any underlying security threats.

The easiest and quickest way to identify specific vulnerabilities is through the use of an automated vulnerability scanning tool, though some organizations also opt to conduct a manual penetration test, a step that can help you validate findings (and reduce false positives). 

3. Perform analysis

Utilize the reporting features built into your automated vulnerability scanning tool. Ideally, these reports should include risk ratings and vulnerability scoring that allows you to prioritize which vulnerabilities to address first. A common scoring system used by these tools is the common vulnerability scoring system (CVSS), which assigns a numerical value to each identified risk. 

Depending on the automated scanning tool you are using, you may need to run multiple scans across different network segments. This is especially true when the network is large or contains a mix of internal and external endpoints. 

4. Mitigate or remediate identified vulnerabilities 

Once you have identified and prioritized vulnerabilities, it’s time to determine how best to mitigate these risks. Mostly, you’ll want to address vulnerabilities through either remediation or mitigation. 

Remediation

Remediation is a process for fully eliminating a vulnerability to prevent exploitation by threat actors. Sometimes, remediation is as simple as refreshing security tool protocols or updating products. Other conditions call for the skills of advanced security analysts.

Mitigation

In cases where the solution for fixing or patching a vulnerability is not clear, mitigation tactics can be applied to at least reduce the likelihood of an attack. Later, as tools evolve or more information becomes available, these vulnerabilities can be completely remediated. 

Typically, a mitigation approach will involve additional tools like antivirus software, real-time antivirus scanners, additional firewalls, or tools used within advanced security solutions like predictive AI threat detection. Each of these tools can help bridge the gap between known and unknown network risks. 

For more information, also see: How to Secure a Network: 9 Steps

When Should you Perform a Vulnerability Scan?

IT teams are advised by many oversight bodies to scan internal and external systems at least quarterly, but ideally, monthly assessments should be considered, even if they are not comprehensive in scope. Assessing parts of the network that house particularly sensitive data on a regular basis is a good best practice. 

Bottom line: How to Perform a Vulnerability Scan

By following these four steps, you’ll have a much better sense of the vulnerabilities located throughout your network. Vulnerability scans can help you prioritize risks to ensure your team is tackling the most urgent exploit risks sooner, rather than later. 

Whether you perform quarterly or monthly scans, you can feel certain that the vulnerability scanning process is worthwhile. Without the insight provided by this process, security teams are less equipped to adequately assess an organization’s actual risk.

On a related topic, also see: Top Cybersecurity Softwar

]]>
How to Perform a Firewall Audit: 6 Steps https://www.datamation.com/security/how-to-perform-a-firewall-audit Tue, 04 Apr 2023 21:26:41 +0000 https://www.datamation.com/?p=23989 A firewall audit is a multistep process that gives organizations insight into the status and effectiveness of the firewalls installed throughout their network. These audits provide visibility into potential vulnerabilities and the health of connections going to and from firewalls. They also uncover information about firewall changes since the last audit. 

Firewalls are critical elements within a larger network security structure, serving as gatekeepers for incoming, outgoing, and internal network traffic. As traffic flows across the network, firewalls located at each network segment evaluate traffic packets, blocking traffic that does not meet pre-established security parameters. While firewalls are effective network security tools, they must be kept up-to-date and routinely monitored. That’s where the firewall audit process comes in. 

On a related topic, also see: Top Cybersecurity Software

Why is a Firewall Audit Important?

The primary reason to invest time and resources into firewalls audits is the inherent nature of firewalls — they need constant updating to remain effective against rapidly evolving threats.

It’s also an important best security practice to monitor firewall rules to ensure they have been properly configured. Improperly configured rules can weaken firewalls and attract unauthorized access. If firewalls are unable to identify, isolate, and reject malicious traffic packets, an entire enterprise network can be put in significant danger. 

Firewall audits are also important for maintaining compliance with various industry regulations focused on network security and data protection. By performing in-house audits, organizations can feel assured they will be ready for an unexpected network audit by a regulatory body.

Firewall audits address the fact that firewall management can be complex and time-consuming. Having a step-by-step process for working through the review process helps to make sense of what can feel like an overwhelming task. 

For more information, also see: What is Big Data Security?

How to Perform a Firewall Audit: 6 Steps

These 6 steps will help you develop a firewall audit plan. For organizations operating in sectors like finance and banking, healthcare, and other industries where sensitive public data needs to be protected, you may need to seek out additional checkpoints to include in your firewall audit process. 

1. Gather Information Ahead of the Firewall Audit

Before you launch your firewall audit, it’s important to ensure you have good visibility into your network, including a good handle on hardware, software, policies, risks, and how users interact with the network. Gather the following information:

  • Information from prior audits, especially documents and reports covering firewall objects, policy revisions, and most importantly, details about firewall rules that have been applied.
  • List of every internet service provider (ISP) and virtual private network (VPN) used by the organization.
  • Security policy documentation (including updates that have been communicated but not added to official documentation yet).
  • Firewall log reports (at least at a high level — make sure you know how to quickly access more detailed information you may need later).
  • Firewall vendor information like OS version, default configurations, and reporting on the latest patches that have been provided onsite or remotely.

At this stage, be sure to centralize this information in a place where other people involved in the firewall audit can access it. This will make it much simpler to keep everyone on the same page and to avoid situations where time is being wasted tracking down redundant information. Establishing a “single source of truth” goes a long way toward conducting a good firewall audit. 

2. Evaluate the Organization’s Change Management Approach

A firewall audit is a good opportunity to determine the effectiveness of the organization’s change management processes. Before making firewall changes, it’s a good idea to make sure the process is well-documented and uniform. The goal should always be to have a stable, reliable change management process. When changes are made in haphazard ways, myriad issues can arise. Consider these questions as you evaluate the change management process:

  • Who is implementing changes? It should be easy to determine who “owns” every change made to a firewall. 
  • Are changes being tested? Documentation about testing should be available to review during a firewall audit. 
  • Who is approving requested changes? Ideally, there should be a reliable “chain of command” when it comes to making substantial changes to any firewall across the organization’s network. 

Ultimately, firewall changes should be governed by a formal, documented process that maintains integrity. Every category of firewall changes should be handled in the same way, every time. 

For more information, also see: Data Security Trends

3. Audit the Operating System and Physical Security of the Firewall.

This step relates to the rate of responsiveness an organization has for neutralizing cyber threats. Can your organization quickly isolate and stop attacks before they spread throughout the wider network? A close examination of each firewall’s physical and software security perspectives can help to answer this fundamental network security question. Here are a few ways to perform these evaluations:

  • Introduce controlled access to secure firewall and other relevant servers.
  • Determine if the operating system conforms to standard hardening checklists.
  • Examine device administration procedures to ensure they are robust enough.
  • Verify that vendor patches and updates are being implemented fully and in a timely manner.
  • Review a list of authorized users who can physically access firewall server rooms.

4. Take a Hard Look at Firewall Rule Settings

One big advantage of performing a firewall audit is the opportunity to clean things up and optimize the rule base that determines which traffic a given firewall will allow or deny. As you examine firewall rules, here are a few questions to consider:

  • Are there rules in the mix that don’t serve a purpose?
  • Can you disable any unused or expired objects and rules? 
  • Are firewall rules related to performance and effectiveness prioritized correctly?
  • Are there any unused connections, including irrelevant routes?
  • Are objects labeled according to standard object-naming conventions?
  • Are VPN parameters up-to-date? Are there any expired or unattached groups, expired or unattached users or unused users? 
  • Do firewall logs reveal whether policies are being applied adequately? 
  • Are permissive rules still relevant or do these need adjusting or updating?
  • Are there similar rules that could be merged into single rules?

5. Perform a Risk Assessment and Address Issues that are Uncovered

Risk assessment is a major component of any firewall audit. After all, your main goal is to determine whether the organization’s network is sitting vulnerable due to firewall inadequacies. Take your time to determine whether firewall rules truly comply with internal policies and evolving industry regulations and standards. 

This step will be unique to each organization, so be sure to apply the industry standards and best practices that apply to you. Every organization also carries its own determination of acceptable risk (a financial services company may have a much lower tolerance for risk versus a small outbound call center, for example, though both rely on up-to-date firewall protection). 

As you evaluate the list of rules, consider whether:

  • The rule permits risky services from your demilitarized zone (DMZ) to the internal network.
  • The rule permits risky services inbound from the internet, in general.
  • The rule permits risky services outbound from the internet.
  • The rule contains “ANY” in any user field.
  • The rule runs afoul of corporate security policy.
  • The rule falls short of corporate security policy requirements.

It’s also a good idea to review firewall configurations and rules against any regulatory standards that may apply, including:

  • J-SOX
  • FISMA
  • Basel-II
  • NERC CIP
  • ISO 27001
  • SOX
  • PCI-DSS

6. Make a Plan for Conducting Ongoing Audits

Keep the momentum going. Once you’ve had success with your first firewall audit, make a goal of continuous compliance. These steps can help:

  • Create a process that can be replicated in the future, and make sure the process is well-documented so that any analyst can conduct the audit based on the materials.
  • Consider smart automation that could be integrated into the process, with a goal of eliminating error-prone manual tasks.
  • Be sure any significant changes impacting firewall policy and rule changes are communicated to the point person or team responsible for conducting firewall audits so that these modifications can be considered during the next audit.

For more information, also see: Artificial Intelligence in Cybersecurity

Bottom Line: Firewall Audits

By creating a process for conducting ongoing firewall audits, you’ll have a better handle on your organization’s overall security posture. Firewalls are integral to any network security approach, so it is vital they are maintained and monitored as thoroughly as any other network asset. 

While this process can feel overwhelming, having a firewall audit checklist like this can help keep things organized and straightforward. 

]]>
5 Types of Firewalls: Differences Explained & When to Use Each https://www.datamation.com/types-of-firewalls Mon, 27 Mar 2023 23:01:46 +0000 https://www.datamation.com/?p=23969 Firewalls are network security devices that monitor and filter traffic as it flows to, from, and across networks based on a given enterprise’s pre-established security policies.

Ideally, firewalls block dangerous traffic and allow non-threatening traffic. While virtually every networked organization should have some level of firewall control, not every network will require the most expensive, state-of-the-art firewalls on the market. This guide will help you determine which level of firewall protection may be right for you. 

There are five basic categories of firewalls:

For more information, also see: What is Firewall as a Service?

Packet Filtering Firewalls

Packet filtering firewalls are among the earliest types of firewalls. As such, this firewall type is more limited in the level of protection it can provide. On their own, packet filtering firewalls are not sufficient for protecting enterprise network architectures. 

Packet filtering firewalls are placed at junctions within enterprise networks where routers and switches are located. Unlike some other firewall types, packet filtering firewalls do not route packets. Instead, this type of firewall compares packets to a set of pre-established criteria that typically includes attributes like:

  • IP address
  • Packet type
  • Port number
  • Packet protocol header aspects

When a packet does not pass muster according to the pre-established rules (called access control lists), it is flagged and usually, dropped (not forwarded on to other network segments). 

Packet filtering firewalls are implemented on the network layer of the Open Systems Interconnection (OSI) model. 

Common use cases for packet filtering firewall

Packet filtering firewalls are best suited for situations where a lower level of security is acceptable. They are also an adequate solution for budget-constrained, smaller organizations to provide at least a basic level of protection against known threats, a significant advantage over having no firewall protection at all. 

Within larger enterprise networks, packet filtering firewalls can be integral components of a multilayered defense strategy, especially between internal departments. 

Packet filtering firewall advantages

The main advantage of using packet filtering firewalls as part of a larger network security approach is that they are quite fast and nearly transparent to users. They are also affordable versus more advanced firewalls. 

Packet filtering firewall disadvantages

As the earliest widely used type of firewalls, packet filtering firewalls are quite limited in their ability to provide network protection. They are easy to bypass if the firewall is not kept up-to-date and easy to trick by hackers who manipulate headers to get around pre-established rules. 

Packet filtering firewall average price

Packet filtering firewalls start at around $20 USD. 

For more information, also see: Artificial Intelligence in Cybersecurity

Circuit-Level Gateways

Circuit-level gateways monitor the common TCP handshake protocol and other network protocol session initiation messages as they are established between local and remote hosts. When sessions are determined to be illegitimate, these gateways block the connection. Unlike packet filtering firewalls and other firewall types, circuit level gateways do not inspect packets even at a high level. 

Common use cases for circuit-level gateways

A step up from packet filtering firewalls, circuit-level gateways are still insufficient to provide comprehensive network protection. As such, these firewalls are typically used alongside other systems like application-level gateways, which gives organizations benefits of both packet filtering firewalls and circuit-level gateways. 

Circuit-level gateway advantages

The primary advantage of using circuit-level gateways is that they are easy to set up and manage. It is also easy to block most traffic as only requested transactions are processed. Circuit-level gateways are lower in cost and do not tend to impact system performance. 

Circuit-level gateway disadvantages

On their own, circuit-level gateways offer no protection against data leakage from devices within the firewall. They also cannot monitor the application layer and require ongoing updates — if these firewalls are neglected, they can go out of date and be easily bypassed by bad actors. 

Circuit-level gateway average price

Packet filtering firewalls start at around $200 USD. 

Application-Level Gateways

Also called proxy firewalls, application-level gateways function as the only endpoint into and out of a network. These firewalls filter packets according to destination port rules, but by characteristics like HTTP request strings. These gateways provide a much stronger defense against data loss, but can have a marked negative impact on network performance. 

Common use cases for application-level gateways

The most common use case for application-level gateways is to protect organizations from web application threats. These firewalls can block access to harmful sites and can prevent sensitive information from being leaked from within a firewall. 

Application-level gateway advantages

Application-level gateways provide a deeper level of network protection over simpler packet filtering firewalls. These firewalls check not just IP addresses, port, and TCP header information, but the actual content, before allowing traffic to pass through the proxy. These firewalls can be fine-tuned to, for example, allow users to access a given website, but only specific pages. Application-level gateways also provide a level of user anonymity.

Application-level gateway disadvantages

The most significant disadvantage of using an application-level gateway is that this technology is resource-intense, putting network performance at risk. These firewalls are also more expensive than some other options. Also, application-level gateways do not work with all network protocols.

Application-level gateway average price

Application-level gateways start at around $1,000 USD, with many units in the $3,000-$6,000 range. 

On a related topic, also see: Top Cybersecurity Software

Stateful Inspection Firewalls

Stateful inspection firewalls (or “state-aware” firewalls) examine not only each packet, but they can also track whether or not the packet is part of an established TCP or other network protocol session. These firewalls require a larger investment over packet filtering and circuit-filtering firewalls, but do drag down network performance. 

Common use cases for stateful inspection firewalls

Stateful inspection firewalls are popular network security tools for most larger enterprises. They provide a more robust gateway between computers and other connected assets within firewall perimeters as well as resources that exist outside the organization. They are also frequently used to defend network devices against specific attacks like distributed denial of service (DDoS) attacks. 

Stateful inspection firewall advantages

The primary advantage of using a stateful inspection firewall is that these tools monitor the entire session for the state of connections, while checking IP addresses and payloads. Users have a higher degree of control over the content that is allowed in or out of the network. These firewalls do not need to open multiple ports to control traffic flow. Users can also access detailed logs generated by stateful inspection firewalls.

Stateful inspection firewall disadvantages

The main disadvantage to stateful inspection firewalls is that they require a great deal of resources, which interferes with the speed of network communications. These firewalls are also significantly more expensive over less advanced firewall technology. Finally, stateful inspection firewalls cannot provide authentication capabilities, leaving networks vulnerable to potentially spoofed traffic sources. 

Stateful inspection gateway average price

Stateful inspection gateways start at around $3,000 per hardware unit. 

Next-Generation Firewalls

Next-generation firewalls (NGFWs) combine packet inspection with stateful inspection. They also include deep packet inspection capabilities and incorporate network security systems like malware filtering, antivirus, and intrusion detection systems (IDS) and intrusion prevention systems (IPS). 

Traditional firewalls inspect packets, but only examine the protocol header. Deep packet inspection looks at the data within each packet. These firewalls can even track a web browsing session in progress, and are capable of telling if a packet payload – when assembled with other packets in an HTTP server reply – is a legitimate HTML-formatted response. 

Common use cases for next-generation firewalls

Next-generation firewalls are commonly used by organizations in the healthcare and finance sectors, which are heavily regulated. Any organization that manages highly sensitive data, especially data protected by various data-protection regulations, benefit from the added security and logging capabilities available with next-generation firewalls. 

Next-generation firewall advantages

Primarily, next-generation firewalls are advantageous because they are more advanced, combining deep packet inspection and other controls to filter traffic. Next-generation firewalls track all traffic from Layer 2 to the application layer. Also, security teams can configure these firewalls to be updated automatically. 

Next-generation firewall disadvantages

As with other firewall approaches, next-generation firewalls are best used within a larger security infrastructure, which can become complicated and time-consuming to manage. These firewalls are also expensive, putting them out of reach for many organizations. 

Next-generation firewall average price

Stateful inspection gateways start at around $4,000 per hardware unit. 

Choosing the Right Firewall Type for You

Every organization will require its own unique approach to network security. Smaller organizations with fewer resources to protect may feel well protected without moving into the more expensive categories of firewalls like stateful inspection and next-generation models. On the other hand, organizations tasked with protecting and managing sensitive data will want to explore options within the next-generation firewall category. 

Bottom line: Types of Firewalls

Firewall technology has evolved rapidly since these network security devices were first introduced in the 1980s. Still, even the most rudimentary firewall approaches, packet filtering, are often still a part of an overarching, comprehensive security umbrella. To protect against modern threats such as those presented by web applications, users will want to consider firewalls that provide higher levels of protection. Often, security teams will deploy a variety of firewall types to protect different network segments. 

For more information, also see: Why Firewalls are Important for Network Security

]]>
What is Network Detection and Response (NDR)? Ultimate Guide https://www.datamation.com/security/what-is-network-detection-and-response-ndr-ultimate-guide/ Tue, 28 Feb 2023 22:37:47 +0000 https://www.datamation.com/?p=23894 Network detection and response, or NDR, is a cybersecurity tool that continuously scans traffic for potential risks by using machine learning and artificial intelligence (AI). When risks are encountered, NDR systems initiate an immediate counterattack and begin to repair any damage.

Enterprise networks that rely solely on legacy network security tools like firewalls are much more vulnerable to attack or infiltration than they would be with a solution that includes NDR. The key benefit is the continuous nature of NDR oversight.

While a firewall (perhaps the most commonly used network security tool) can stop unwanted traffic, filtering is limited to parameters established manually by a security team member. Often, firewalls can only examine specific elements like IP addresses, protocols, and port numbers. NDR, on the other hand, evaluates traffic within a larger context and makes adjustments as it “learns” about network behavior patterns.

For more information, also see: Artificial Intelligence in Cybersecurity

How Does NDR Work?

At a high level, an NDR works much like a security camera. These platforms constantly scan the network environment to find intruders who have slipped through the gates. In addition, NDR analyzes the environment and traffic patterns to uncover potential problems and develops automated responses to thwart those attacks.

More specifically, NDR employs non-signature-based techniques like machine learning to uncover unknown attacks alongside signature-based techniques to find known attacks. NDR ingests data from sensors, firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), metadata like NetFlow, and other network data sources. Traffic flowing in and out of the network can be monitored by NDR in physical and virtual environments. Collected data is stored and analyzed.

Response is perhaps the most critical piece of this security solution. NDR can automate responses. For example, ordering a firewall to drop specific suspicious traffic or sending high-priority alerts to specific SOC analysts.

What are NDR Features? 

NDR utilizes advancements made in artificial intelligence and data analytics to evaluate network traffic. These features are commonly found in NDR platforms, though specifics vary by provider:

  • Cognitive Modeling: This AI-driven process helps the NDR system monitor and analyze tactics, techniques, and procedures (TTP) by simulating and predicting network behavior. Over time, cognitive modeling can lead to better predictions and deeper analysis.
  • Real-Time and Historical Traffic Insight: NDR is a significant step up from legacy cybersecurity solutions that are limited by what is known about past behaviors.
  • Context Awareness: Context-driven visibility enables NDR to take deep analytical dives and identify suspicious network behavior, based on the system’s expectations for baseline network behavior.
  • Integrations: Modern NDR can often be integrated with other network security tools like endpoint detection and response (EDR), security information and event management (SIEM), security orchestration, automation, and response (SOAR), and firewalls.
  • Data Analytics: NDR platforms gather and analyze data — information that can be used to guide security operations center (SOC) decision-making and overall business operations.
  • Dashboard Interface: NDR platforms include centralized dashboards where security teams can evaluate flagged network traffic, make adjustments to configurations, and create reports reflecting trends, evolving problems, and other notable network behavior patterns.

For more information, also see: Why Firewalls are Important for Network Security

Why NDR?

Adopting NDR technology brings two key overarching benefits.

Greater Visibility

The inherent nature of NDR as a real-time monitoring tool adds significantly greater visibility into network security for enterprises that have been relying on less advanced security solutions, including perimeter security like network-based firewalls.

Today’s cybersecurity threats all but guarantee a breach at some point. But enhanced visibility ensures that, when a threat is surfaced, it can be knocked down or isolated quickly. NDR systems look beyond the perimeter and into the network itself.

Less Noise

Traditional perimeter security approaches aren’t sophisticated enough to sort threats confidently. Instead, these systems flag any and all potentially problematic traffic and turn it over to human analysts who must sift through an ever-growing mountain of what turns out to be mostly false positive flags.

SOCs spend an incredible amount of time threat hunting related to legacy cybersecurity solutions. NDR utilizes machine learning AI to establish an expected baseline of network behavior to develop a more accurate picture of true anomalies. When threats are detected by NDR, a network response happens automatically and immediately.

NDR Market

Industry research reports that the global NDR market size is worth an estimated $2.49 billion USD in 2022. By 2028, the market is expected to grow to a value of $5.37 billion USD — a compound annual growth rate (CAGR) of 13.7% during this period.

The rise in cloud networking is contributing significantly to the growth of the global NDR market, making up about a 65% share. The largest industry adopter for NDR technology is the banking financial services and insurance (BFSI) sector, followed by the communications field and industrial applications.

North America is the largest geographic market for NDR with a share of around 70%. Europe and Asia-Pacific make up most of the rest of this market.

For more information, also see: What is Big Data Security?

Top 10 NDR Providers

  1. Blue Hexagon
  2. Cisco
  3. ExtraHop
  4. Fidelis Cybersecurity
  5. FireEye
  6. Gigamon
  7. IronNet Cybersecurity
  8. Plixer
  9. Corelight
  10. Vectra AI

Bottom Line: Beyond Enhanced Network Security

NDR is a significant improvement over legacy network security solutions that focus primarily on the perimeter of a network environment. NDR looks beyond endpoints and specific types of traffic to analyze what is happening across the network in real time. The data insights delivered by NDR can be used to inform both network security decisions and business operations decisions in general.

NDR offers benefits beyond enhanced network security. For example, because NDR analyzes traffic within the context of expected network behavior, these systems reduce the number of false positive flags that SOC analysts need to examine. At a time when trained cybersecurity professionals are scarce, freeing analysts from this tedious task can drastically improve efficiency and the overall security posture since analysts have more time to dig into true threats.

When shopping for an NDR solution, it’s important to look for a provider that can integrate a solution into your existing security approach, if possible. These systems are sophisticated enough to evaluate network traffic wherever it exists, including in the cloud, but disparate components must be able to communicate with one another to ensure full effectiveness.

]]>
What Is Managed Detection and Response (MDR)? Ultimate Guide https://www.datamation.com/security/what-is-managed-detection-and-response-mdr-ultimate-guide/ Tue, 28 Feb 2023 22:11:42 +0000 https://www.datamation.com/?p=23891 Managed detection and response (MDR) adds an additional layer of protection and elevates the security postures of organizations relying on legacy solutions.

Managed detection and response is becoming more popular as organizations look to outsource some elements of their cybersecurity approach. As bad actors become more adept at bypassing traditional network security platforms, managed services like MDR play an important – and growing – role in protecting the enterprise.  

How Managed Detection and Response Works

When enterprises partner with MDR providers, they can expect a service that includes continuous network traffic monitoring. MDR, often a part of a broader endpoint detection and response (EDR) platform, is built to manage tasks like threat hunting, monitoring, and response from the outside. Managed services like MDR can be thought of as a security guard station where different parts of a property are being monitored around the clock. Instead of security guards, MDR is managed by advanced cybersecurity analysts.

Much like other popular cybersecurity platforms, MDR employs techniques like supervised and unsupervised machine learning and artificial intelligence (AI) to crawl across networks in search of suspicious behavior. When threats are uncovered, advanced analytics and forensic data are sent on to human analysts, who triage risks and determine appropriate responses.

Organizations have varying tolerance levels for cyber risk, which should be reflected in the MDR service agreement. Some enterprises may prefer detailed analytical reports about network traffic, while others feel comfortable with a more hands-off approach.

Ultimately, the goal of MDR is to find and respond to threats before they cause damage. Core MDR functions include:

Managed Prioritization

Offsite MDR partners configure their security platform to apply automated rules to help prioritize which risks are most urgent. Human analysts review alerts according to priority, sorting benign events and false positives from authentic threats.

Threat Hunting

Threat hunting is the primary function of MDR, through both automated, AI-driven methods and human analysis. An ideal MDR partner company includes cybersecurity experts who are at the top of their field — access to these high levels of expertise are one of the main draws to investing in MDR.

Investigation

MDR usually includes detailed reporting about security events with additional context to help companies understand and mitigate vulnerabilities. With MDR, enterprises can better understand what happened, when, who was affected, and the extent of infiltration or damage or loss.

Guided Response

This MDR component includes the actionable advice given to the organizations being managed on the most effective ways to contain and remediate specific threats. Together with investigative background information, guided response from an MDR provider gives organizations specific steps to follow. In the event of an attack, the guided response will include step-by-step instructions on recovery.

Remediation

Remediation is the recovery support an organization can expect from an MDR provider. Arguably, this is the most critical component of an MDR partnership. After all, if remediation is not handled well, an organization’s entire investment in endpoint protection could be at risk.

MDR partners should be able to help an organization recover to a pre-attack state by removing malware, cleaning the registry, ejecting network intruders, and mitigating vulnerabilities throughout a network.

Why Use MDR?

There are many benefits of MDR, but perhaps the chief benefit is that MDR offers protection that is both preventative and reactionary in nature. Not only does MDR provide insights into network behaviors that might develop into full blown problems, but it is also capable of quickly knocking down attacks that do occur. MDR platforms scan for possible breaches and eliminate issues as soon as they occur to minimize damages.

AI Plus Human Intelligence is the Best of Both Worlds

MDR platforms make use of both artificial and human intelligence, a significant advantage when it comes to mitigating the risks of the modern cyber threatscape. Today, attacks are becoming more and more complex. Often, it’s not just a matter of recognizing threats but making a judgment call on the next best step.

That’s where humans come in. The expert cybersecurity analysts who manage MDR platforms are experienced in dealing with a wide array of threats in multiple environments. That means they are well-equipped to help organizations bat down sophisticated attacks and to offer insight informed by real world experience. Automation is a must, but expert human analysis adds measurable value.

MDR: Proactive Approach, Not Just a Reactive One

While MDR providers offer different levels of services, with some focusing more on the “right of boom” scenarios (after an attack has occurred), a comprehensive MDR platform is also proactive.

AI-enhanced MDR is especially well-equipped to monitor potentially problematic network behavior, since these platforms continuously review systems, searching for known threats as well as potential threats.

MDR-provided reports often reveal potential problem areas not only for cybersecurity worries, but compliance issues. Regulatory guidance for data management, especially, often dictates that companies have a comprehensive view of where data is stored, how it is accessed and used, and how it is protected. MDR reports can add insights to help enterprises make proactive decisions about regulatory compliance adherence.

MDR is Quick and Methodical

Today’s cyber threats are sure to evolve into tomorrow’s, and that’s why MDR is a powerhouse network monitoring approach. MDR as part of EDR is a unified approach, where endpoint management is centralized, making quick work out of team-based threat hunting and mitigation. Legacy cybersecurity approaches are much slower, a marked disadvantage when it comes to reducing damage when an attack occurs.

Another efficiency advantage lies in the fact that MDR can drastically reduce false positive alerts, freeing up agent time for true threat hunting and response.

Top 5 Features of MDR

While MDR providers often offer more than one level of service with associated features, these five features are typical to most MDR platforms.

Intrusion Detection and Prevention

Every MDR platform includes some version of intrusion detection and prevention. Some service providers use MDR platforms in addition to the network security in place at a given organization, while others provide almost complete network protection off-site.

Some MDR platforms can monitor a mix of endpoints, including cloud-based and connections to field sensors and other IoT devices. In any case, intrusion detection and prevention is a must.

Data Analytics

As MDR hunts for threats across a network, it gathers data along the way. Information gathered includes insights into network behavior, including how employees are accessing the network; which endpoints are open and closed; where traffic originates and travels; and a whole host of other data points.

MDR providers offer different levels of data analytics as part of their service packages. Not only are these analytical reports helpful for improving an enterprise security posture, but they can help enterprises make more informed operational decisions.

Round-the-Clock Support

Continuous monitoring is a key feature for MDR and a big reason many enterprises opt for these managed services. An off-site security team is on standby at all times, ready to jump in and tackle issues even when they occur outside normal business hours.

Staying Current on Evolving Threats

It can be challenging for SOCs to keep every element of a network security approach updated to the latest parameters. New viruses and malware emerge constantly. A managed approach takes away much of this burden, since part of MDR oversight agreements include keeping systems up-to-date.

For more information, also see: Why Firewalls are Important for Network Security

Top MDR Providers

These 10 MDR providers are among the most popular and best rated.

  • Cynet
  • SecurityHQ
  • Rapid7
  • Cybereason
  • SentinelOne Vigilance
  • CrowdStrike
  • eSentire
  • Expel
  • Secureworks
  • Fidelis Cybersecurity

Improve Network Security With Managed Detection and Response

It’s become the norm that enterprises are dealing with sprawling, complex networks that include a mix of on-premises, cloud-based, IoT endpoints, and more. Outsourcing at least some of the oversight of these networks in terms of cybersecurity can help alleviate staffing concerns, connect enterprises with high-caliber cybersecurity professionals, and greatly increase network security.

A comprehensive MDR solution will include round-the-clock coverage, modern tech enhanced with AI, data analytics, and a mix of features that fit a given enterprise’s unique needs.

For more information, also see: Artificial Intelligence in Cybersecurity

]]>
How Network Detection & Response (NDR) Works https://www.datamation.com/security/how-ndr-works/ Mon, 23 Jan 2023 20:05:08 +0000 https://www.datamation.com/?p=23519 Network Detection and Response (NDR) is a network security approach that identifies and stops network threats that have gone otherwise undetected by traditional network gatekeeping tools. NDR is sometimes called Network Traffic Analysis (NTA).

At a high level, NDR tools examine traffic for unusual or unexpected traffic and network behaviors that could indicate an imminent cybersecurity attack or data breach. NDR provides enterprises with the ability to broadly analyze network threats originating from many sources, including those that have no previous signature, including those appearing in cloud environments.

What Technology Is Used For NDR?

NDR products can utilize multiple technologies to analyze network traffic, but most frequently, machine learning and behavioral analytics. These technologies continuously analyze raw traffic and flow records to create models (or a “baseline”) of expected network behavior.

When NDR detects anomalous, unexpected network activity that goes against this expected baseline, these systems respond by transmitting a flag to network security teams for review. Depending on how filters are set up, the potentially analogous network traffic is either blocked or allowed to pass through and restricted or permitted after analysts review alert flags.

It is important to distinguish NDR as a network security tool from more traditional rules-based network security approaches like standalone SIEM (security information and event management), which strictly rely on predetermined rules.

Modern NDR analyzes raw network traffic logs versus “looking back” at the traffic that has already come across the network — as a result, modern NDR as a standalone product or used in conjunction with legacy network security tools can provide much more comprehensive coverage. NDR can also gather network traffic data from existing network infrastructure, including firewalls.

Some of the most noted NDR technologies:

  • Darktrace
  • Vectra AI
  • Cisco Stealthwatch
  • Awake Security Platform
  • ExtraHop Reveal(x)
  • Blue Hexagon
  • RSA NetWitness Network
  • IronNet IronDefense

What Is The Environment Of Network Detection And Response Software?

NDR is well-suited for enterprise networking environments, including those that serve a distributed workforce across multiple locations. NDR helps to centralize and manage the unwieldy task of monitoring huge amounts of network traffic flowing in and out of an enterprise network at lightning-fast speeds.

Typically, NDR software is installed at the local level but managed cybersecurity providers are increasingly offering “as-a-service” products that are hosted and managed remotely. In either case, SOC teams must be able to respond to alerts and make or recommend frequent adjustments to NDR settings.

NDR Software Core Functionality and Benefits of NDR Software

At its heart, NDR is intended to further protect enterprise networks that are already being monitored and protected in other ways. NDR is rarely used on a standalone basis — instead, it is a core component of a unified network security approach that adds technology like machine learning and other AI-driven enhancements to the mix.

Advanced NDR solutions give enterprises insights into network traffic not available through traditional security tools, from all directions, not just ingress and egress traffic. In effect, NDR can detect anomalous network traffic behaviors that remain inside a network, too, as well as traffic entering and exiting cloud environments.

True NDR can be an improvement over NTA tools that trigger an excessive amount of false positive flags. Enterprises may find it is worth the investment to partner with a company that has the capability and knowledge to access advanced AI technology, which is better able to sift true threats from likely false positive threats. This can be a marked advantage for SOCs where analysts are spending precious time sorting through mountains of false positive flags.

One significant benefit of bringing an NDR solution on board is its ability to help protect against ransomware, which has emerged as one of the biggest, most difficult-to-overcome cyberthreats of this century. Today’s ransomware attackers don’t even need to be tech-savvy to deploy attacks, thanks to the advent of Ransomware-as-a-Service (RaaS).

Ransomware attackers can also easily leverage AI to overcome various network security protections. A system that can establish a baseline of expected network behavior and then compare any network traffic against it has a significantly higher chance of overcoming and preventing ransomware in general (though no current product on the market can claim to completely eliminate this threat).

While most NDR products fall short of providing authentic real-time protection, near-real-time NDR is becoming the norm.

Bottom Line

Modern enterprise network security teams face a cyber security landscape where sophisticated attacks are constantly being refined by bad actors who are often well-versed in the latest tools available on the market. Enhanced NDR is much more robust than legacy tools leftover from years past and may well be an appropriate investment for future-facing enterprises, especially those with goals to scale in the coming years. These tools can be quite challenging for cybercriminals to overcome, making it all the more likely that a bad actor moves to an easier target.

Enterprises relying on legacy tools may not need to start from scratch in order to take advantage of the benefits of NDR. Many tools can be used in tandem with older systems, including those with on-premise hardware connected to cloud environments. These hybrid setups may benefit the most from the addition of complementary NDR.

]]>
5 Internet of Things (IoT) Edge Computing Trends https://www.datamation.com/networks/internet-of-things-iot-edge-computing-trends/ Mon, 06 Dec 2021 16:42:09 +0000 https://www.datamation.com/?p=22085 Internet of Things (IoT) edge computing trends reflect the recent increase in the adoption of both edge computing and IoT among enterprises and individual consumers. 

Gartner predicts that 75% of enterprise-generated data will be processed outside a traditional data center or cloud by 2025, and IDC reports that more than half of new enterprise IT infrastructure will be found “at the edge” by 2023. 

In its report, Internet of Things (IoT) Market, 2021–2028, Fortune Business Insights estimates that the global IoT software market size was $309 billion in 2020. The research firm expects the market to grow to more than $1.8 billion by the end of 2028 — a compound annual growth rate (CAGR) of 25.4%. Fortune Business Insights attributes much of this growth to increased consumption of video and virtual reality content and the growth of IoT sensors. 

IBM defines edge computing as “a distributed computing framework that brings enterprise applications closer to data sources, such as IoT devices or local edge servers.” 

Closing the gap between applications and data sources allows for faster data processing, less latency, and better bandwidth. In an edge computing setup, data is delivered to users through a decentralized network of servers and data repositories located closer to the end user’s current geographic location. 

This article will examine five current IoT edge computing trends driving growth in this sector.

See more: The Internet of Things (IoT) Edge Computing Market

Trends in Internet of Things (IoT) Edge Computing

1. Wearable IoT Popularity

Use cases such as medically issued health monitoring devices are driving much of the growth in the IoT edge computing sector. The wearables IoT category also includes a wide range of consumer applications, including smart clothing, wearable cameras, smart glasses and watches, and activity trackers. 

One prominent example of a successful wearable IoT endeavor is a partnership between Google and the health wearables company Fitbit. Since 2018, Fitbit has used Google’s Cloud Healthcare API, and more recently, Google Distributed Cloud Edge, to integrate its data into health care applications. 

Data from Fitbit wearables can be connected to electronic medical records (EMRs) to provide insights into overall health for end-users and their medical providers. Ideally, the data can be used to personalize care and spot potential health risks. Google VP of Healthcare for Google Cloud Dr. Gregory Moore said the partnership is part of the company’s vision to “transform the way health information is organized and made useful.”  

2. Industrial and Agriculture IoT Usage

Industrial and agriculture professionals are benefitting from modern edge computing in several ways. 

An edge computing approach can bring much-needed bandwidth to remote and dangerous locations in all kinds of weather. Farmers, for example, use IoT sensors and edge technology to track how much water is being consumed by livestock, monitor fertilizer effectiveness, analyze the quality of soil for planting specific crops, maintain tractors more efficiently, and other important indicators related to farming and agriculture operations. 

Similarly, industrial and manufacturing companies are taking advantage of IoT and edge computing technologies. Industrial IoT enhanced by edge computing is being used at the company Texmark, for example, to add automation to its petrochemical refinery plant through its partnership with Hewlett Packard Enterprise. 

The Texmark plant is outfitted with thousands of IoT sensors that send data to edge servers, where it is analyzed; should unexpected activity or downtime occur, the system creates a flag for intervention. 

3. 5G Edge Computing and IoT

As 5G connectivity gradually grows to become the default for enterprises, IoT-driven data analysis has become much more robust, accurate, and quicker to process and access — the low latency of 5G can deliver sub-millisecond response times. 

Sophisticated IoT applications like autonomous vehicle technologies rely on zero latency to ensure passenger safety. For example, obstacle avoidance is an action self-driving cars need to be able to perform virtually instantly. While 4G and LTE are unable to offer this level of immediacy, 5G — working with edge computing data — can deliver vital real-time insights.

The marked improvement in connectivity has spurred new investment in enterprise infrastructure, especially across manufacturing and health care sectors. In order to actually take advantage of all that 5G offers, companies often need to upgrade significant portions of their network architectures. 

4. Low-Power Connectivity

Some IoT sensors and devices operate outside the range of local wireless networks or mesh networks and do not always have easy access to power. Operators have gotten by with cellular connectivity in these situations, which does not provide reliable coverage in remote or less populated areas. Low power connectivity options are linking difficult-to-reach IoT sensors to edge networks through radio technologies. 

Companies like SigFox and many of those affiliated with the LoRa Alliance use low power, low bandwidth technologies to connect edge devices that don’t require high data rates, which includes millions of IoT sensors used for tasks like monitoring oil refinery operations thousands of miles out at sea. 

5. IoT, Edge Computing, and the Customer Experience

Increasingly, customer experiences include digital components. Quick service and fast-food restaurants, for example, have moved to IoT kiosk-based ordering, where in-person customers place their orders on a touch screen instead of interacting with human workers. Edge computing reduces latency and ensures less downtime for these processes. 

In the world of retail, speed matters. Deloitte Digital reports that a 100-millisecond improvement in mobile retail website speed increases customer conversion by more than 8%. And a recent Oracle report, “The Impact of Emerging Technology on CX Excellence,” revealed that 45% of organizations are already currently using IoT in a customer experience context. 

Companies like Disney are using IoT and edge computing to power immersive experiences throughout their parks. As Forbes reports, Disneyland’s Rise of the Resistance attraction, for example, uses more than 15,000 IoT sensors to transmit data about performance along the ride’s track. Adjustments are made behind the scenes to keep rides and attractions up and running with minimal disruptions, improving the guest experience. 

See more: Best IoT Platforms & Software

]]>
5 Internet of Things (IoT) Sensor Trends https://www.datamation.com/networks/internet-of-things-iot-sensor-trends/ Mon, 06 Dec 2021 16:03:20 +0000 https://www.datamation.com/?p=22084 Internet of Things (IoT) sensor trends reflect a rapidly expanding IoT market.

Emergen Research reports that the global sensors in the IoT devices market will reach a market size of $205 billion in 2028, a compound annual growth rate of 30.8%. The firm attributes much of this growth to increased adoption of technologies like wearable medical devices and the evolution of smart factories and manufacturing automation. 

IoT sensors are used to monitor a wide range of qualities related to a virtually endless list of potential applications, from heart rate monitoring to livestock health in the agricultural sector. Among other qualities, IoT sensors can monitor:

  • Temperature
  • Humidity
  • Pressure changes in gases and liquids
  • Proximity (for example, monitoring and reporting on the number of open rest area spaces for semi-trucks)
  • Levels of fluids and other materials
  • Acceleration
  • Velocity
  • Chemical presences 
  • Infrared health sensors that monitor blood pressure and other health markers
  • Optical sensors in smartphones, autonomous vehicles, and more 

This article will take a look at five IoT sensor trends helping to drive this sector’s growth:

See more: The Internet of Things (IoT) Sensor Market

IoT Sensor Trends

1. Artificial Intelligence of Things (AIoT)

artificial intelligence (AI) of things (AIoT) combines the technologies of AI and IoT by embedding AI into IoT components. Connected sensors and actuators that include AI help reduce network latency, improve privacy, and deliver real-time AI-driven insights to the cloud and edge computing servers.

AI-enhanced IoT goes beyond providing data; this kind of IoT can actually trigger actions as sensors deliver data. Examples include robots used in manufacturing, autonomous vehicles, real-time retail analytics, and smart thermostats.

As reported by Deloitte, IDC predicts that soon, AI will support all “effective” IoT initiatives and that without AI enhancements, data from IoT deployments will hold only limited value. 

See more: The Artificial Intelligence Market

2. Smart factories

IDC reports that the manufacturing segment has invested nearly $200 billion in IoT spending — a figure twice as high as the second-largest IoT vertical market, consumer IoT. Smart factories play a significant role in these investments.

IoT-enabled “smart” manufacturing (sometimes referred to as Industry 4.0) gives operators and producers much more visibility into their assets, processes, and resources. Data from sensors and machines are communicated to the cloud by IoT sensors and devices and then analyzed by IoT software platforms. Ultimately, these insights can help companies improve overall revenue. 

3. Wearable Medical IoT

Known collectively as “healthtech,” wearable medical devices deliver sensor-gathered data insights about patients to their medical providers. This technology gained more traction with patients and medical professionals alike during the widespread COVID-19 pandemic lockdowns in 2020 and 2021. 

Insider Intelligence reports that more than 80% of consumers are willing to wear fitness or medical technology. 

Among the many dozens of medical wearable IoT devices, blood pressure monitors have emerged as especially effective. Omron Healthcare, for example, launched its HeartGuide wearable in 2018. 

Modeled after smartwatch designs, the device measures blood pressure and activities like steps taken and calories burned. The information is stored in memory and later transferred to a corresponding medical app, where the data can be shared with medical providers. 

IoT wearable healthtech devices are changing how we receive health care and how medical professionals, health insurance companies, and service providers make decisions.

See more: The Internet of Things (IoT) in Health Care

4. Emergence of Next-generation IoT Sensor Chips

Advances in microprocessor technology allow IoT sensor manufacturers to create smaller, cheaper, and faster chips for use in connected devices. One prominent example is Qualcomm’s investment in this technology sector. 

The company has released seven new next-generation IoT sensor chips to meet the needs of a broad range of IoT processes. Qualcomm’s highest-end chips can support ultra-high-resolution cameras and handle advanced actions like camera panning, tilting, and zooming. 

Other potential uses for next-generation chips produced by Qualcomm and other companies include the retail sector. The chips can power multi-payment solutions like touchless, smart carts, self-checkout, and mobile payments. In the manufacturing field, newer chips can support advanced functions related to operator safety and minute changes that can potentially impact productivity.

Some high-end IoT sensor chips can even run robots that pull items in warehouse environments. 

5. Edge Computing Advances

The newest IoT sensors are helping companies manage the massive volumes of data required to perform business intelligence (BI) and big data analytics by communicating with edge computing servers. This is an improvement over cloud-based IoT, where servers are often located far from sensors, resulting in higher levels of latency and much slower data processing. 

IoT sensors can deliver analytics algorithms to edge servers, enabling data processing to occur locally or to aggregate data before sending it on to a centralized site for deeper analysis or storage. 

Sensors working within edge computing environments are vital for use cases requiring autonomous decision-making in real time (like health monitoring devices and self-driving cars). Thus, latency can introduce potentially dangerous real-world consequences. 

IoT sensors connected to edge servers can also keep systems up and running, even when a network connection is lost because of the distributed nature of edge computing, where no single server is integral to continuous connectivity.

]]>