• My objective
• The role of NDR in SOC workflows
• Starting up the NDR system
• How AI complements the human response
• What else did I try out?
• What could I see with NDR that I wouldn’t otherwise?
• Am I ready to be a network security analyst now?

My objective

As someone relatively inexperienced with network threat hunting, I wanted to get some hands-on experience using a network detection and response (NDR) system. My goal was to understand how NDR is used in hunting and incident response, and how it fits into the daily workflow of a Security Operations Center (SOC).

Corelight’s Investigator software, part of its Open NDR Platform, is designed to be user-friendly (even for junior analysts) so I thought it would be a good fit for me. I was given access to a production version of Investigator that had been loaded with pre-recorded network traffic. This is a common way to learn how to use this type of software.

While I’m new to threat hunting, I do have experience looking at network traffic flows. I was even an early user of one of the first network traffic analyzers, called Sniffer. Sniffers were specialized PCs equipped with network adapters designed to capture traffic and packets. These computers were the foundation on which more advanced network monitoring platforms were built. Back in the mid-1980s, these tools were expensive and required a lot of training. Interpreting the terse, cryptic data they produced was challenging, and knowing how to translate those insights into actionable next steps took patience and expertise. Now, almost forty years later, I wanted to see how security teams conduct everyday network hunting when complex, fast attacks are the norm, and how quickly I could pick up the new tools.

The role of NDR in SOC workflows

Before I jump into my experience, let me explain how NDR integrates with the SOC.

NDR systems are most frequently used by mid-sized to mature security operations teams. In these environments, NDR is a key part of incident response and threat hunting workflows. The systems provide deep visibility across networks while also detecting intrusions and anomalies. This visibility is important not just for spotting more complex attacks, but also for uncovering misconfigurations or vulnerabilities (cleartext protocols, unexpected exposed services, unmanaged devices) that can lead to breaches or outages. NDR gives analysts the context to triage events and points them toward related activity so they can determine the right response.

Integrating NDR with the SOC’s Security Information and Event Managers (SIEMs), endpoint detection and response (EDR) solutions, and firewalls lets analysts gather, enrich, and correlate network data with events from across the environment. Together, these integrations let analysts respond faster and more efficiently by connecting network insights with alerts and actions from other tools. This matters most for advanced attacks that evade EDR, or that touch hosts where no EDR agent is installed, since the network traffic is still visible to the NDR sensor. Knowing NDR is a central component of the SOC, I was eager to see how the workflows functioned.
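Here is an added example, not code from the original post or from Corelight’s Investigator, of the correlation step this section describes: an EDR alert on a host is enriched with the NDR connection records for that host in a time window around the alert, so the analyst sees the external peers, the bytes sent to each, and any cleartext services in one place instead of pivoting between tools. All records are constructed; the Zeek-style conn-log field names and the SIEM-normalised alert fields are assumptions about what the integrations would feed the SOC.

```python
"""Correlate an EDR alert with NDR connection records for the alerting host.

Added example, not code from the original post or from Corelight. The
records below are constructed, and the field names (ts, id.orig_h,
id.resp_h, id.resp_p, proto, service, orig_bytes, resp_bytes) follow the
Zeek conn-log convention, which is an assumption about the NDR export
format rather than something the post specifies.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed NDR connection records (JSON lines); not real traffic.
NDR_CONN_LOG = """\
{"ts": "2024-03-05T10:01:12Z", "id.orig_h": "10.0.1.25", "id.resp_h": "10.0.0.5", "id.resp_p": 445, "proto": "tcp", "service": "smb", "orig_bytes": 2048, "resp_bytes": 900}
{"ts": "2024-03-05T10:03:40Z", "id.orig_h": "10.0.1.25", "id.resp_h": "203.0.113.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 5120000, "resp_bytes": 1200}
{"ts": "2024-03-05T10:04:02Z", "id.orig_h": "10.0.1.25", "id.resp_h": "203.0.113.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 4800000, "resp_bytes": 1100}
{"ts": "2024-03-05T10:05:15Z", "id.orig_h": "10.0.1.25", "id.resp_h": "198.51.100.9", "id.resp_p": 80, "proto": "tcp", "service": "http", "orig_bytes": 300, "resp_bytes": 15000}
{"ts": "2024-03-05T10:30:00Z", "id.orig_h": "10.0.1.25", "id.resp_h": "203.0.113.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 100, "resp_bytes": 100}
{"ts": "2024-03-05T10:02:00Z", "id.orig_h": "10.0.1.30", "id.resp_h": "203.0.113.77", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "orig_bytes": 100, "resp_bytes": 100}
"""

# Constructed EDR alert, shaped like a SIEM-normalised event (hypothetical fields).
EDR_ALERT = {
    "hostname": "ws-finance-07",
    "host_ip": "10.0.1.25",
    "ts": "2024-03-05T10:03:00Z",
    "rule": "Suspicious archive creation by non-backup process",
}

# Address scopes the SOC treats as internal; anything else counts as external.
# Defined explicitly rather than via ipaddress.is_private, because Python's
# is_private also covers the RFC 5737 documentation ranges used in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services that carry credentials or data without encryption; worth surfacing
# even when the connection is not itself malicious (a misconfiguration finding).
CLEARTEXT_SERVICES = {"http", "ftp", "telnet", "smtp"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in both data sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_conn_log(text):
    """Parse JSON-lines connection records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(addr):
    """True when the address falls inside one of the SOC's internal scopes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def correlate(alert, conns, window_minutes=5):
    """Connections originated by the alerting host within +/- window of the alert time."""
    t0 = parse_ts(alert["ts"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    return [c for c in conns
            if c["id.orig_h"] == alert["host_ip"] and lo <= parse_ts(c["ts"]) <= hi]


def enrich(alert, conns, window_minutes=5):
    """Attach a network summary to the alert: external peers with bytes sent
    by the host, and any cleartext services the host used in the window."""
    matched = correlate(alert, conns, window_minutes)
    external_bytes_out = {}
    cleartext = []
    for c in matched:
        peer = f'{c["id.resp_h"]}:{c["id.resp_p"]}'
        if not is_internal(c["id.resp_h"]):
            external_bytes_out[peer] = external_bytes_out.get(peer, 0) + c["orig_bytes"]
        if c["service"] in CLEARTEXT_SERVICES:
            cleartext.append(f'{peer} {c["service"]}')
    return {
        "host": alert["hostname"],
        "rule": alert["rule"],
        "matched_connections": len(matched),
        "external_bytes_out": external_bytes_out,
        "cleartext_services": cleartext,
    }


if __name__ == "__main__":
    result = enrich(EDR_ALERT, load_conn_log(NDR_CONN_LOG))
    print(json.dumps(result, indent=2))
```

Running the script prints a JSON summary: in the constructed data the five-minute window keeps four of the host’s five connections, attributes roughly 9.9 MB sent to a single external peer on 443 right after the alert fired, and flags one plaintext HTTP session. A real integration would pull the connection records from the NDR’s export or the SIEM index rather than an inline string, and the window width is a tuning choice; widening it to an hour pulls in the later beacon-like connection as well.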

Starting up the NDR…



Last Update: February 17, 2026