Episode 63: Jack Chan, VP of Product and Field CTO at Fortinet
🎯 Summary
Secure Networks Podcast: Differentiating and Evolving Network Detection and Response (NDR)
This episode of Secure Networks features Jack Chan, VP of Product and Field CTO for Asia Pacific at Fortinet, discussing the critical role, differentiation, and future evolution of Network Detection and Response (NDR) solutions in complex enterprise environments.
Key Takeaways for Technology Professionals
1. Differentiating Quality NDR Solutions
A great NDR solution must move beyond basic detection by focusing on data depth and investigation workflow. Key differentiators include:
- Data Retention and Dwell Time: The ability to retain and query historical network metadata (e.g., six months back) is crucial for investigating prolonged attacks or lateral movement that may have gone undetected initially.
- Investigative Drill-Down: Users must be able to easily drill down into the collected metadata to understand the context of an alert, moving beyond simple alerts to actionable forensics.
2. Balancing Detection with Response Efficiency
The industry suffers from “alarm fatigue” due to an overabundance of detection technologies (IPS, EDR, NDR, etc.). The focus must shift from pure detection volume to response efficiency:
- Summarization: Effective NDR must summarize complex events into human-readable narratives.
- Integration for Context: Solutions that integrate NDR findings with endpoint data (EDR) help analysts prioritize which incidents warrant immediate investigation by confirming cross-platform detection.
3. The Advanced Role of AI/ML in NDR
AI and Machine Learning are no longer just buzzwords; they are essential for modern NDR:
- Behavioral Modeling: Advanced ML models can identify malicious traffic patterns (e.g., beaconing, ransomware initiation) even when attackers use novel infrastructure (like ephemeral Azure IPs) that are not yet on traditional threat intelligence blacklists.
- Generative AI for Accessibility: GenAI is poised to lower the barrier to entry for deep investigation by allowing security analysts to query complex metadata using natural language, reducing the need for every analyst to be an expert in advanced SQL-like query languages.
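The behavioral modeling described above, as an added example that is not Fortinet code and not from the episode: scoring connection metadata for beaconing. It also illustrates the metadata-only view of encrypted C2 in section 5 (request sizes and intervals, no decryption). Everything here is constructed: the hosts, addresses, flow records and the jitter/spread thresholds are assumptions for the example, and a real sensor would replace the sample flows with its own flow or conn logs.

```python
"""Beacon scoring from connection metadata only (no payload, no IP reputation).

Added example for this page, not Fortinet/FortiNDR code. The flow records,
hosts and addresses below are constructed; the point is that a C2 implant
checking in on a timer to an address nobody has blacklisted yet still gives
itself away by the regularity of its connection intervals and request sizes.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: float         # connection start, seconds since epoch
    src: str          # internal host
    dst: str          # external peer (assumed absent from every threat feed)
    dport: int
    orig_bytes: int   # bytes the client sent; the payload itself may be TLS-encrypted


def beacon_score(flows, min_conns=8):
    """Score every (src, dst, dport) group with at least min_conns connections.

    Returns {key: (interval_jitter, size_spread, count)} where
      interval_jitter = MAD(inter-arrival gaps) / median gap
                        (0 = perfectly periodic; jittered C2 stays low)
      size_spread     = MAD(client bytes) / median client bytes
    Median absolute deviation is used so a few long sleeps do not hide a beacon.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)

    scores = {}
    for key, fl in groups.items():
        if len(fl) < min_conns:
            continue
        fl.sort(key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
        med_gap = median(gaps)
        if med_gap <= 0:
            continue                      # bursts with identical timestamps: not a timer
        jitter = median(abs(g - med_gap) for g in gaps) / med_gap
        sizes = [f.orig_bytes for f in fl]
        med_size = median(sizes)
        spread = median(abs(s - med_size) for s in sizes) / med_size if med_size else 0.0
        scores[key] = (jitter, spread, len(fl))
    return scores


def is_beacon(jitter, spread, count, max_jitter=0.35, max_spread=0.25, min_conns=8):
    """Thresholds are assumed starting points; tune per environment and exclude
    known periodic services (update checks, telemetry) by destination."""
    return count >= min_conns and jitter <= max_jitter and spread <= max_spread


def sample_flows():
    """Constructed metadata: one implant with a 60 s sleep and roughly 20 % jitter,
    plus ordinary browsing from the same host to another external address."""
    t0 = 1_700_000_000.0
    flows = []
    # Implant: 31 check-ins, 60 s sleep plus a repeating jitter pattern, ~400-byte POSTs.
    jitter_pattern = [-9, 4, 11, -3, 0, 7, -12, 2, 5, -6]
    size_pattern = [3, -5, 8, 0, -2, 6, -7, 1, 4, -3]
    t = t0
    for i in range(31):
        flows.append(Flow(t, "10.0.0.5", "203.0.113.7", 443, 400 + size_pattern[i % 10]))
        t += 60 + jitter_pattern[i % 10]
    # Browsing: irregular gaps and widely varying request sizes.
    gaps = [3, 41, 7, 120, 2, 2, 310, 15, 9, 60, 1, 200, 4, 33, 18]
    sizes = [512, 8300, 1450, 23000, 300, 640, 12000, 900,
             5100, 700, 31000, 2200, 1800, 460, 9700, 3300]
    t = t0 + 5
    for i, size in enumerate(sizes):
        flows.append(Flow(t, "10.0.0.5", "198.51.100.20", 443, size))
        if i < len(gaps):
            t += gaps[i]
    return flows


def score_sample():
    return beacon_score(sample_flows())


if __name__ == "__main__":
    for key, (jit, spr, n) in score_sample().items():
        flag = "BEACON" if is_beacon(jit, spr, n) else "ok"
        print(f"{key}: n={n} jitter={jit:.2f} size_spread={spr:.2f} -> {flag}")
```

The implant group scores a jitter of roughly 0.08 and a size spread under 0.01, while the browsing group lands near 0.9 and 0.75; neither number depends on the destination being known-bad. In production the same two ratios are what an ML model would learn thresholds for, and the obvious false positives (OS update checks, monitoring agents) are handled by destination allowlists rather than by loosening the thresholds.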
4. Unique Insights Beyond Firewalls and SIEMs
NDR provides visibility where traditional perimeter and log-centric tools fail:
- East-West Traffic Monitoring: NDR excels at monitoring internal network segmentation and lateral movement, often leveraging SPAN ports or packet brokers.
- Detecting Internal Attacks: NDR is better placed to spot attacks like DCSync, where an attacker on a compromised host impersonates a domain controller and asks a real DC to replicate account credentials to it over the same legitimate directory replication RPC (MS-DRSR) that DCs use with each other, alongside ordinary LDAP/SMB traffic to the DC. Firewalls and SIEMs often miss this because the exchange is an allowed, authenticated AD protocol conversation; on the wire, a replication request coming from a host that is not a DC stands out.
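The DCSync case above as detection logic, added here as an example (not Fortinet/FortiNDR code and not from the episode). It assumes the sensor emits one record per DCE-RPC call with the interface and operation name, in the shape of Zeek's dce_rpc.log, and that the analyst maintains a domain controller inventory; the DC addresses and log lines are constructed.

```python
"""DCSync detection over RPC call metadata (Zeek dce_rpc.log style records).

Added example for this page, not Fortinet/FortiNDR code. Assumptions: the sensor
logs each DCE-RPC call with its interface ("endpoint") and operation name, as
Zeek's dce_rpc.log does, and the analyst keeps an accurate list of domain
controllers. A DCSync is a directory-replication request (drsuapi interface,
DRSGetNCChanges operation) sent to a DC by a host that is not itself a DC. The
RPC is legitimate and allowed by the firewall, so only the network view, which
sees the interface and opnum in the clear RPC header even when the stub data is
encrypted, can say that the caller has no business replicating.
"""
import json

DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}      # constructed inventory

# The operation that actually returns account secrets. DRSBind and DRSCrackNames
# are also used by legitimate tooling, so they do not alert on their own.
REPLICATION_OPS = {"DRSGetNCChanges"}


def parse_zeek_json(text):
    """One JSON object per line, as Zeek's JSON log writer produces."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_dcsync(records, dcs=DOMAIN_CONTROLLERS):
    """Return one alert per (source, dc) pair that issued a replication request."""
    seen = set()
    alerts = []
    for r in records:
        if r.get("endpoint") != "drsuapi" or r.get("operation") not in REPLICATION_OPS:
            continue
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if dst not in dcs:
            continue           # replication request to a non-DC: outside this rule
        if src in dcs:
            continue           # DC-to-DC replication is normal
        if (src, dst) in seen:
            continue           # one alert per pair, not one per chunk of the pull
        seen.add((src, dst))
        alerts.append({
            "rule": "dcsync_from_non_dc",
            "src": src, "dc": dst, "ts": r["ts"], "uid": r.get("uid"),
            "detail": f"{src} called {r['operation']} on {dst} but is not in the DC inventory",
        })
    return alerts


# Constructed log lines. Lines 3 and 4 are the DCSync: a workstation pulling NC changes.
SAMPLE_LOG = """\
{"ts":1700000001.1,"uid":"C1","id.orig_h":"10.0.0.10","id.orig_p":49670,"id.resp_h":"10.0.0.11","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSGetNCChanges"}
{"ts":1700000002.3,"uid":"C2","id.orig_h":"10.0.5.23","id.orig_p":51234,"id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSBind"}
{"ts":1700000002.4,"uid":"C2","id.orig_h":"10.0.5.23","id.orig_p":51234,"id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSGetNCChanges"}
{"ts":1700000002.5,"uid":"C2","id.orig_h":"10.0.5.23","id.orig_p":51234,"id.resp_h":"10.0.0.10","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSGetNCChanges"}
{"ts":1700000003.0,"uid":"C3","id.orig_h":"10.0.5.23","id.orig_p":51240,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"lsarpc","operation":"LsarLookupNames"}
{"ts":1700000004.7,"uid":"C4","id.orig_h":"10.0.8.4","id.orig_p":52000,"id.resp_h":"10.0.0.11","id.resp_p":49155,"endpoint":"drsuapi","operation":"DRSCrackNames"}
"""


def run_sample():
    return detect_dcsync(parse_zeek_json(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The rule's precision lives in the inventory: a DC missing from the list fires a false positive on every replication cycle, and hosts that legitimately replicate without being DCs (Azure AD Connect with password hash sync is the usual one) need an explicit allowlist rather than a weaker rule. DC-to-DC replication itself is never alerted, because that is exactly the traffic the protocol exists for.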
5. Handling Encrypted Traffic
With most traffic encrypted, detection accuracy hinges on advanced techniques that avoid performance-heavy SSL inspection:
- Metadata Analysis: NDR uses ML/AI to model encrypted Command and Control (C2) traffic based on characteristics like packet size, time-to-live, and connection intervals.
- TLS Fingerprinting: JA3 (and its server-side counterpart JA3S) hashes the unencrypted fields of the ClientHello and ServerHello, and the newer JA4 suite does the same in a form that resists extension reordering, so an NDR can match a handshake against known malicious client or server profiles without decrypting the payload. JARM is the active complement: it probes a suspected server with crafted ClientHellos and hashes how the server responds, which lets defenders fingerprint C2 infrastructure rather than the client.
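The passive fingerprinting described above, as an added example (not Fortinet/FortiNDR code and not the reference JA3 implementation): parsing a TLS ClientHello from raw record bytes and deriving its JA3 string and MD5. The ClientHello itself is constructed in the block (Chrome-like field order with GREASE values), the hostname is a placeholder, and the code assumes the whole ClientHello fits in one TLS record, which a real sensor must not assume.

```python
"""JA3 fingerprint of a TLS ClientHello from packet bytes, no decryption.

Added example for this page, not Fortinet/FortiNDR code. It builds a constructed
ClientHello, parses the handshake fields that are sent in the clear and derives
the JA3 string exactly as the JA3 spec defines it:
  TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
(decimal values, '-' separators, GREASE values dropped), then its MD5.
Assumption: the whole ClientHello sits in one TLS record.
"""
import hashlib
import struct


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) must not enter the hash."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def parse_client_hello(record):
    """Return (version, ciphers, extension_types, curves, point_formats)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]   # client_version, e.g. 0x0303 = 771
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    exts, curves, formats = [], [], []
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:                        # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                      # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return version, ciphers, exts, curves, formats


def ja3_digest(s):
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3(record):
    """Return (ja3_string, ja3_md5) for a record holding a ClientHello."""
    version, ciphers, exts, curves, formats = parse_client_hello(record)
    keep = lambda vals: [v for v in vals if not is_grease(v)]
    s = ",".join([str(version),
                  "-".join(map(str, keep(ciphers))),
                  "-".join(map(str, keep(exts))),
                  "-".join(map(str, keep(curves))),
                  "-".join(map(str, formats))])
    return s, ja3_digest(s)


# --- constructed sample ClientHello (assumed values, Chrome-like layout) -------
def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def _u16_list(values):
    return struct.pack("!H", 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)


def build_sample_client_hello(host=b"example.com"):
    ciphers = [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0x009C, 0x002F]   # GREASE first
    sni = struct.pack("!H", len(host) + 3) + b"\x00" + struct.pack("!H", len(host)) + host
    exts = b"".join([
        _ext(0x1A1A, b""),                                          # GREASE extension
        _ext(0, sni),                                               # server_name
        _ext(10, _u16_list([0x2A2A, 0x001D, 0x0017, 0x0018])),       # supported_groups
        _ext(11, b"\x01\x00"),                                      # ec_point_formats
        _ext(13, _u16_list([0x0403, 0x0804])),                      # signature_algorithms
        _ext(16, struct.pack("!H", 3) + b"\x02h2"),                 # ALPN
        _ext(43, b"\x06\x3a\x3a\x03\x04\x03\x03"),                  # supported_versions
        _ext(51, struct.pack("!HHH", 36, 0x001D, 32) + bytes(32)),  # key_share (x25519)
    ])
    body = (struct.pack("!H", 0x0303) + bytes(range(32))            # version + fixed "random"
            + b"\x00"                                               # empty session_id
            + _u16_list(ciphers)
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    s, h = ja3(build_sample_client_hello())
    print(s)
    print(h)
```

The sample yields the string `771,4865-4866-49195-49199-156-47,0-10-11-13-16-43-51,29-23-24,0`; note that every GREASE value (0x0a0a cipher, 0x1a1a extension, 0x2a2a group) is gone, because GREASE is randomized per connection and would otherwise make the hash useless. Two caveats a practitioner should keep in mind: many unrelated programs share a TLS stack and therefore a JA3 (Go binaries, for instance, whether malware or not), so a JA3 match is a prioritization signal rather than a verdict; and Chrome randomizes its extension order, which churns JA3 values and is one reason the JA4 variants sort the cipher and extension lists before hashing.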
6. Threat Intelligence Integration and Alert Prioritization
- Multi-Source Correlation: A successful NDR integrates multiple threat intelligence feeds (e.g., VirusTotal, FortiGuard) and must have logic to prioritize conflicting intelligence (“better safe than sorry” approach when feeds disagree).
- Avoiding the “Christmas Tree” POC: Buyers should be wary of solutions that generate excessive alerts during Proofs of Concept (POCs). The goal is to see fewer, higher-fidelity alerts that the SOC team can actually handle, rather than being overwhelmed by noise.
7. Scalability and Deployment Strategy
Scalability involves balancing on-prem compute limitations against cloud benefits:
- Cloud Benefits: SaaS offerings leverage superior cloud compute for advanced ML/AI processing and offer long-term data retention (e.g., one year).
- Strategic Placement: Organizations should prioritize deploying NDR in strategic locations where network weaknesses or high-risk activity is expected to maximize ROI, as increased data volume to the cloud directly impacts cost.
8. Future Evolution: Towards XDR and Human-Centric Security
- NDR as an Input to XDR: NDR will solidify its role as a core data source feeding into Extended Detection and Response (XDR) frameworks, correlating network events with endpoint, email, and firewall data to build a complete attack narrative.
- The Human Element is Paramount: Chan’s final advice is to step back from technology silos and focus on the human element—the starting point for most breaches (e.g., phishing clicks, patching delays).
- Shifting Left: Security must integrate earlier in the development lifecycle through DevSecOps practices (SAST/DAST scanning) to fix vulnerabilities at the source rather than relying solely on post-deployment controls like IPS.
💬 Key Insights
"I think the other aspect I would touch on here is shifting left. ... So start fixing at the source. Don't fix it or don't install IPS because I've got a vulnerability in my web app or once I've done it, right?"
"I would basically focus on the human, quite funny enough. I'm helping one of my other PMs to do a human-centric security presentation, you know, because everything starts with the human, you know, the clicking on the links, right?"
"I think the industry will have to [go to] where machine learning, AI will be used not just in the solution, but to summarize a whole lot of this data so that the NDRs don't need to do all this manual correlation between different technologies."
"I call it the Christmas tree. The NDRs of some vendors will light up like a Christmas tree in a POC, and this gets users so excited. But users, please do think: when the solution is in your production environment, you have to deal with all those Christmas tree glares and lights every day."
"Based on the machine learning and AI modeling... we can predict that we actually don't need to decrypt the traffic."
"There are some traditional means like JA3 or JA, now moving to JA4s as well, looking at the hashes between the encrypted connections. And the world is moving to JARM hashes as well, so there are different ways to do it without breaking that traffic."