MistNet NDR Overview
MistNet NDR (Network Detection and Response) operates on different types of ground truth data: network, OS, and a variety of information gathered by other third-party equipment.
For monitoring network traffic, traffic taps on the customer network infrastructure are the basic means of feeding data into MistNet NDR. For accurate threat detection, all traffic flowing in the network should be tapped, including all North-South and East-West communications. Because MistNet NDR scales horizontally, it can monitor all traffic. It monitors traffic passively and does not affect the regular traffic flow.
The MistNet NDR hardware has traffic ports that receive traffic from network taps. The Management port on the MistNet NDR hardware is used for communication with MistNet NDR running in a central location and at other sites.
Depending on the security needs of the enterprise, the complete East-West and North-South traffic can be fed to MistNet NDR. Some enterprises may start first with only North-South traffic. MistNet NDR Nodes are typically deployed in each site of the enterprise, connecting to the core switch SPAN (Switch Port Analyzer) port or to a network TAP (Test Access Port). MistNet NDR must receive all bidirectional traffic flows for accurate threat detection.
The core switch provides traffic visibility for North-South traffic. The access switch provides traffic visibility for East-West traffic.