5 Network Detection and Response (NDR) Case Studies

As cyberthreats against corporate networks increase, network detection and response (NDR) is a critical part of a company's cybersecurity strategy.

See below to learn organizations in different industries are using NDR to improve their security posture:

5 NDR case studies

Blackstone is an alternative asset manager with over 3,000 employees and a diverse portfolio, including private equity, public debt and equity, and real estate.

With an organization as widespread as Blackstone, having strong cybersecurity management systems in place is a necessity rather than a precautionary step. Ransomware attacks have been on the rise for asset management firms globally, and the company needed a solution that could maintain visibility into Azure AD and Microsoft 365.

Blackstone selected Vectra Detect to step up their network security. The NDR used artificial intelligence (AI) to pick up any suspicious behavior on Office 365, facilitating light detection engineering for the Blackstone cybersecurity team. The team was able to then map all cyber alerts according to the "MITRE ATT&CK" guidelines, providing comprehensive coverage of common attack patterns. Vectra worked by centralizing Blackstone's alert response capabilities.

"NDR is a way for us to ensure that we can measure our intake and everything coming in, which is really important, because if we can get everything in the same spot, we can prioritize it," says Kevin Kennedy, SVP of cybersecurity, Blackstone.

"All those metrics matter for us, because they give us a good sense of where our analysts are spending their time."

Industry: Financial services

Network detection and response provider: Vectra

Outcomes:

EarthMover Credit Union aims to provide personalized financial services to their customers. The organization has a membership base of around 25,000, six branch offices, and multiple ATMs.

EarthMover's secure IT infrastructure has allowed it to run its operations smoothly over the decades. Until a while back, EarthMover's vulnerability management efforts were administered manually with Microsoft update manager, fixing patches. However, as new vulnerabilities radically increased, EarthMover felt the need to look for a scalable cybersecurity solution with the latest patches in their ITS systems.

"As a financial institution, we need to protect our members’ data. It's a full-time job," says Shelley Johnson of EarthMover.

Qualys’ vulnerability management solution scanned EarthMover's network traffic to identify vulnerable areas and do patchwork on their systems every time a new threat showed up. The NDR also provided remediation steps for mitigating already qualified leads. Moreover, each step gate came up with multiple scans, so every time the system changed, a new scan was automated by Qualys without additional guidance from EarthMover. The same process is repeated for each vulnerability detection, system update, and patching configuration.

"The automatic scheduling helps us to save time, and we don't have to remember to manually run scans," Johnson says.

"The reporting automatically tracks the number and the severity of vulnerabilities over time, so we always know our level of security."

Industry: Financial Services

Network detection and response provider: Qualys

Outcomes:

CordenPharma supplies pharmaceuticals to some of the world's largest biotechnology firms. The organization operates 11 cGMP manufacturing facilities across the U.S. and Europe and employs over 2,600 people.

Most of CordenPharma's clients are involved in early stage clinical drug trials, a process that requires data protection. With the pharma sector becoming a major target for cyberattacks, CordenPharma's security team decided to upgrade their security measures, so no critical trial information is compromised during disasters. Given their limited size, the team realized the need to deploy an NDR that could increase their capacity.

Until now, the organization was using legacy tools with multiple flagging issues. Activities that vaguely met the predefined technical parameters were marked dangerous, often flooding the security team with many false positives and unnecessary labor hours. The process was time-consuming and often overlooked genuine vulnerabilities.

CordenPharma deployed Darktrace as an NDR for traffic analysis. Unlike legacy tools with the same rule set for everyone, Darktrace's Self-Learning AI Platform deployed AI algorithms to differentiate between normal and abnormal activities. This information allowed Darktrace to have an in-depth understanding of the specificities of CordenPharma's business and pick up on even slight anomalous activities indicative of a threat.

As soon as the NDR was deployed, CordenPharma was on the verge of a crypto attack. Darktrace deployed Passive Mode, detected compromised endpoints based on previous user activities, and came up with automatic mitigation steps for the security team.

Industry: Health care

Network detection and response provider: Darktrace, Darktrace Antigena

Outcomes:

The Life Insurance Association of the Republic of China (LIA-ROC) and 11 other insurance firms launched the Protection/Claims Consortium Blockchain in its pilot phase. The project was meant to be a one-stop platform for claim settlement and personal data updates.

Since the pilot execution would involve highly sensitive information, it was important for LIA-ROC to ensure their blockchain had robust mechanisms in place.

LIA-ROC needed to keep up a Level A information security score as their organizational standard and selected VMware NSX Network Detection and Response. VMware specializes in virtualization and that's what NSX used to create security infrastructure for LIA-ROC, creating a virtual environment with CPU, memory configurations, and duplicated user trails. That's how any malware entering the system will be recorded and neutralized before it interacts with the real LIA-ROC infrastructure.

NSX's API mechanisms and a standardized sample code allowed LIA-ROC to construct a deployment framework for integration with vendors and insurance parties in a limited timeframe. VMware used zero-trust architecture to screen entry-exit checkpoints for any vulnerability.

Industry: Insurance

Network detection and response provider: VMware

Outcomes:

Viasat provides internet services for a range of customers, including enterprises. The company has 7,000 employees across 60 offices.

As an internet service provider (ISP), Viasat had access to information on the kinds of attackers and cyberattack strategies used against customers.

So Viasat needed a cybersecurity management solution that could help the company gain greater visibility and understanding of threats to prevent ransomware attacks against their clients.

ExtraHop's NDR has an AI-configured network scanner to minimize brute force attacks, open port discovery, and ransomware payloads. The NDR segregated risks linked with any particular connection or IP address and used this information to effectively respond to potential threats.

"The network is the ground truth. It's what attackers can't avoid," says Lee Chieffalo of Viasat.

"You give yourself the ability to see everything on the network. You deploy a network detection tool, now you have the ability to see everything. Without that data, you’re operating partially or completely blind. There is no other technology outside of NDR that can give you that."

Industry: Internet services

Network detection and response provider: ExtraHop

Outcomes: