
Egor Erastov
Posted

Generally, Network Detection and Response (NDR) is a set of features for protecting the enterprise network by detecting attacks, suspicious activity and other risks.

Earlier versions of KATA Platform provided KATA functionality, which is intended to protect the perimeter of an organization by analyzing the external traffic for attacks, intrusions, and malicious objects/emails/URL links.

NDR expands this functionality and allows you to protect the corporate LAN.
Specifically, KATA is aimed mainly at north-south traffic (flowing into and out of the organization), while NDR is aimed mainly at east-west traffic (flowing between devices within the organization).
NDR can analyze data from two kinds of sources: network traffic (SPAN traffic from Sensors) and network events from Endpoint Agents (so-called "NDR telemetry").

In the case of network traffic, NDR obtains it from Sensors (SPAN) and scans it for indicators of attacks, malicious activity, anomalies, and the use of hacking tools.

On the Endpoint Agents' side, NDR collects information about endpoint protection (EPP) detections, network events, user accounts, and executable files.

To use NDR features in Endpoint Agents, KES 12.7 or KESL 12.2 (or later versions) must be used.
A built-in NDR component in KES sends NDR telemetry to Integration Servers. To add an Integration Server, you need a working Sensor: either the built-in sensor on the Central Node (Embedded sensor) or an external Sensor.

The procedure for adding an Integration Server is simple and described in the documentation.

In the case of KES for Windows, make sure that the "Network Detection and Response (KATA)" component is installed and enabled in the KES policy.

You need to select the NDR component in the KESW installation package properties in KSC. You can also use the "Change application components" task to add NDR to an existing KES installation.

 

In the case of KES for Linux, you don't need to explicitly select the NDR component, since KESL installs all protection components by default.

The next step is to connect the NDR component to the Integration Server (IS). For this you need to obtain the Integration Server's certificate by clicking the "Get communication data package for clients" button in the Integration Server properties.

Then you need to add the IS certificate to the KESW/KESL policy and also specify the IS address there.

To use NDR to scan traffic, you need to activate the Central Node with a "KATA+NDR" license.
To use the integration with Endpoint Agents (KES), an "NDR Add-on" license must also be added to KES (for example, via KSC).

Please note that NDR functionality can be used independently of KEDR.

 

NDR presents its detections in the form of Alerts and Network traffic events.
If malicious activity is detected in traffic, an Alert is shown in the Alerts section with "NDR: IDS" in the technology column. Aggregated alerts, and alerts based on information received from external systems, are shown as "NDR: EA" alerts.

 

If you open an NDR alert and then click Show related -> Events, the "Network traffic events" section opens and shows the NDR events that correspond to the alert.


The "Network traffic events" section is where NDR stores its events, with detailed information on each one: the malicious/suspicious activity (the triggered rule), source and destination IP and MAC addresses, network protocol, severity level, registration technology, etc.

 

Other useful new features of NDR are the Network interactions map and Network sessions monitoring.
NDR analyzes network packets, discovers interactions between devices, and draws a network map showing the devices and the links between them.

More detailed information about the network interactions of devices is presented in the "Network sessions" tab.
Here you can review detailed information on the discovered network sessions: device names, IP/MAC addresses, transport and application protocols, port numbers, speed, number of packets, etc. You can also download the traffic for selected network sessions.
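To make the two ideas above concrete (the north-south vs. east-west distinction, and how an interactions map is derived from observed sessions), here is an added Python example. It is not KATA code and does not use the product's export format; the session records, the RFC 1918 "internal" address spaces and the field layout are all constructed for the illustration. It classifies each session by direction, summarizes traffic per direction, and builds an undirected device-to-device graph from the east-west sessions only, which is essentially what a network map shows.

```python
import ipaddress
from collections import defaultdict

# Constructed sample session records for this example only. This is NOT the
# export format of the "Network sessions" tab. Fields:
#   (src_ip, dst_ip, transport, dst_port, bytes)
SAMPLE_SESSIONS = [
    ("10.1.2.15",     "10.1.2.20",     "tcp", 445,  48211),   # SMB between two workstations
    ("10.1.2.15",     "10.1.5.7",      "tcp", 3389, 220000),  # RDP to a server
    ("10.1.2.20",     "172.16.0.9",    "tcp", 389,  9000),    # LDAP to a DC in another range
    ("10.1.2.15",     "93.184.216.34", "tcp", 443,  15000),   # outbound HTTPS to the Internet
    ("198.51.100.23", "10.1.2.20",     "tcp", 22,   3000),    # inbound SSH from the Internet
    ("10.1.5.7",      "10.1.2.15",     "udp", 53,   120),     # DNS traffic from the server
]

# Address spaces treated as "inside the organization". RFC 1918 is assumed
# here; a real deployment would list the organization's own address spaces.
INTERNAL_SPACES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DIRECTIONS = ("east-west", "north-south", "external")


def is_internal(ip, spaces=INTERNAL_SPACES):
    """True if the address falls inside one of the internal address spaces."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spaces)


def classify_direction(src, dst, spaces=INTERNAL_SPACES):
    """east-west: both endpoints internal; north-south: exactly one is
    internal; external: neither (traffic that should not normally reach a
    SPAN feed of the corporate LAN, so worth noticing)."""
    s, d = is_internal(src, spaces), is_internal(dst, spaces)
    if s and d:
        return "east-west"
    if s != d:
        return "north-south"
    return "external"


def summarize_by_direction(sessions, spaces=INTERNAL_SPACES):
    """Session and byte counts per direction, all directions always present."""
    summary = {d: {"sessions": 0, "bytes": 0} for d in DIRECTIONS}
    for src, dst, _transport, _port, nbytes in sessions:
        entry = summary[classify_direction(src, dst, spaces)]
        entry["sessions"] += 1
        entry["bytes"] += nbytes
    return summary


def build_interactions_map(sessions, spaces=INTERNAL_SPACES):
    """Undirected graph {device: {peer: {"sessions": n, "bytes": b}}} built
    from east-west sessions only, i.e. the links a LAN interactions map draws.
    Both directions of a link share one counter dict."""
    graph = defaultdict(dict)
    for src, dst, _transport, _port, nbytes in sessions:
        if classify_direction(src, dst, spaces) != "east-west":
            continue
        a, b = sorted((src, dst))          # canonical order for an undirected link
        edge = graph[a].setdefault(b, {"sessions": 0, "bytes": 0})
        graph[b][a] = edge                 # same dict object seen from the peer
        edge["sessions"] += 1
        edge["bytes"] += nbytes
    return {device: dict(peers) for device, peers in graph.items()}


if __name__ == "__main__":
    for direction, entry in summarize_by_direction(SAMPLE_SESSIONS).items():
        print(f"{direction:12s} sessions={entry['sessions']:3d} bytes={entry['bytes']}")
    for device, peers in sorted(build_interactions_map(SAMPLE_SESSIONS).items()):
        for peer, edge in sorted(peers.items()):
            print(f"{device} <-> {peer}: {edge['sessions']} sessions, {edge['bytes']} bytes")
```

The "external" bucket is the one to watch when validating a Sensor deployment: sessions where neither side is in your address spaces usually mean the SPAN port is mirroring traffic you did not intend to feed, or that the address spaces you configured are incomplete.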

 

Other new features include Risks monitoring and NDR Reports.
Asset management is also new in KATA 7, and with an NDR license four additional tabs appear inside the "Assets" section: Executable files monitoring, Users monitoring, Address spaces, and Active polling jobs.
