What is our primary use case?
NDRs are specifically used for up-leveling network defense over and above traditional firewalls, IDS, and IPS. They are very context-aware of what's happening on each connection. They learn the behaviors of connections coming into and going out of your enterprise, as well as east-west traffic.
We are a very large IT house that reaches about 10 million customers and has 100,000 employees. To that extent, we have every security tool conceivable: EDR, NDR, network defense. You mention it, we have it.
What is most valuable?
They can provide you with very contextual alerts on whether something bad is happening, coming into your network or going out of your network. As part of that, they gather a lot of threat intelligence and map your connections against it. The larger benefit is that they give you a risk rating on their findings. The biggest problem any software team deals with is the number of false alerts they get and the amount of time they spend chasing them. They are not significant from a track perspective.
So, if they give you a risk rating from low to medium to high, the team can focus its efforts more on the high ones and ignore the low ones, at least temporarily. That's a huge benefit.
They also do content scanning for any malware making its way through your files and executables. One large theory is that if an attack comes from outside the network, it has to pass through the network. That is the most opportune observation point, so you can catch attacks before they get deployed or start rooting into your enterprise. So that's where NDRs are used, and they do that in a passive mode. You don't deploy them. You can simply pick up the traffic and watch it as is.
What needs improvement?
It's kind of difficult to quantify areas for improvement. In the larger picture, one challenge is that the NDR space is very crowded today. I can mention half a dozen names just off the top of my head. There are at least 12 to 20 different players. All of them are well-known brand names, and it's difficult to compare them. They all claim to be giving you the same network defense capability: catching malware, dealing with all the minor taxonomies of attack, all that. Still, it's very difficult to compare them side by side because they all do things a little differently, and they all have different presentations and output.
We haven't deployed it, so I can't tell you exactly what we felt about it. But in the larger perspective, the critical feature is really giving a clear separation between low, medium, and high criticality. You need a rating that is really true to the actual attack.
There's one other capability we are evaluating them for, and it's custom alert detection. A lot of these products are trying to profile the threats that are already out there in the industry. They're very well known and published. Today, there are targeted attacks being played against organizations, so you have to be sensitive to how your firewalls, protocols, and your HTTP are all operating. You might have some fine-tuned threats that are targeting you, and you should be able to build custom defenses. They should have some openness in terms of how you specify your threats. You get a standard library of threats. On top of it, every organization builds its own.
For how long have I used the solution?
We didn't deploy the solution. We did about a two to three month evaluation.
What do I think about the stability of the solution?
We have had no issues with the stability of Blue Hexagon.
What do I think about the scalability of the solution?
We have had no issues with scalability.
How are customer service and support?
This was not a production deployment. We didn't need support. This was more of an evaluation, so we had support all along. When you are in an evaluation cycle, they're ready to help you all the time. We hadn't purchased it, so there was always a readiness to help. You can't complain about it.
How was the initial setup?
Initial setup was easy. Many of these tools are relatively easy. These days, they work on a SaaS-based model. If you tap your traffic at whatever observation point you want, they'll take it to their analytics engine. Typically, they're all relatively easy to deploy these days.
What's my experience with pricing, setup cost, and licensing?
It's difficult to state the setup cost. All the NDRs range anywhere from $500,000, plus or minus, to $2 million. There's a spread of pricing here, depending on who you are talking to. Obviously, the major brand names want more money. They typically bundle it with their other offerings. With Cisco, for example, you don't just buy an NDR. So, typically, it gets rolled into the cost.
What other advice do I have?
I would rate this solution 8 out of 10. My challenge is actually comparing offerings from different vendors across a threat spectrum that is very large. We are talking about millions of threats. How are you confident that Blue Hexagon is catching all one million of them and that Palo Alto is doing the same thing? They all have their strengths. Within that, Blue Hexagon might cover 990,000 of them. Palo Alto might cover another 990,000. It's a bit difficult to compare them and say, "Oh, are they catching the same 990,000?" I don't know.
*Disclosure: I am a real user, and this review is based on my own experience and opinions.