Legacy Administrator Guide
LogRhythm NDR Overview
LogRhythm NDR (Network Detection and Response) operates on different types of ground truth data: network, OS, and a variety of information gathered by other third-party equipment.
For monitoring network traffic, traffic taps from the customer network infrastructure are the basic means of feeding LogRhythm NDR. For accurate threat detection, all traffic flowing in the network should be tapped, including all North-South and East-West communications. The horizontally scalable LogRhythm NDR allows monitoring of all traffic. It passively monitors traffic and does not affect the regular traffic flow.
The LogRhythm NDR hardware has traffic ports to receive traffic from networking taps. The Management port in the LogRhythm NDR hardware is used for communication with LogRhythm NDR running in a central location and other sites.
Depending on the security needs of the enterprise, the complete East-West and North-South traffic can be fed to LogRhythm NDR. Some enterprises may start first with only North-South traffic. LogRhythm NDR Nodes are typically deployed in each site of the enterprise, connecting to the core switch SPAN (Switch Port Analyzer) port or to a network TAP (Test Access Port). LogRhythm NDR must receive all bidirectional traffic flows for accurate threat detection.
The core switch provides traffic visibility for North-South traffic. The access switch provides traffic visibility for East-West traffic.
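The requirement that LogRhythm NDR receive all bidirectional traffic flows is easy to violate with a SPAN session that mirrors only one direction of a port. The following added example (not LogRhythm's code, nor part of this guide) is a small Python check a practitioner can run over flow records exported from the sensor feed to spot conversations seen in only one direction. The flow records are constructed sample data; the field layout (source IP, source port, destination IP, destination port, protocol) is an assumption about the export format.

```python
"""Check whether a tap/SPAN feed shows both directions of each conversation.

Added example, not LogRhythm's code. A conversation observed in one direction
only usually means the mirror session or tap carries a single direction, which
is exactly the visibility gap the guide says must be avoided.
"""
from collections import defaultdict

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, proto).
# The field order is an assumption about the export format being checked.
SAMPLE_FLOWS = [
    ("10.1.1.10", 51000, "203.0.113.5", 443, "tcp"),   # north-south, client -> server
    ("203.0.113.5", 443, "10.1.1.10", 51000, "tcp"),   # north-south, reply seen
    ("10.1.1.20", 52000, "10.1.2.30", 445, "tcp"),     # east-west, request
    ("10.1.2.30", 445, "10.1.1.20", 52000, "tcp"),     # east-west, reply seen
    ("10.1.1.40", 53000, "198.51.100.7", 80, "tcp"),   # north-south, reply never seen
    ("10.1.1.50", 40000, "10.1.1.53", 53, "udp"),      # DNS query, reply never seen
]


def conversation_key(flow):
    """Direction-independent key: order the two endpoints so A->B and B->A match."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    a = (src_ip, src_port)
    b = (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def _directions_by_conversation(flows):
    """Map each conversation key to the set of distinct directions observed."""
    directions = defaultdict(set)
    for flow in flows:
        src_ip, src_port, dst_ip, dst_port, _proto = flow
        directions[conversation_key(flow)].add((src_ip, src_port, dst_ip, dst_port))
    return directions


def find_one_way_conversations(flows):
    """Return conversation keys that appear in only one direction (sorted, stable)."""
    directions = _directions_by_conversation(flows)
    return sorted(key for key, seen in directions.items() if len(seen) == 1)


def visibility_ratio(flows):
    """Fraction of conversations for which both directions were observed."""
    directions = _directions_by_conversation(flows)
    if not directions:
        return 0.0
    both = sum(1 for seen in directions.values() if len(seen) == 2)
    return both / len(directions)


if __name__ == "__main__":
    for key in find_one_way_conversations(SAMPLE_FLOWS):
        print("one-way only:", key)
    print("bidirectional coverage: %.0f%%" % (100 * visibility_ratio(SAMPLE_FLOWS)))
```

A feed from a correctly configured SPAN or TAP should report a coverage ratio close to 1.0 once short-lived flows settle; a ratio that sits well below that, or one-way conversations concentrated on a particular port or subnet, points at the mirror session or tap for that segment rather than at the sensor.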