About ThreatSync+ NDR
Applies To: ThreatSync+ NDR
This feature is only available to participants in the ThreatSync+ NDR Beta program.
ThreatSync+ NDR (Network Detection and Response) is a cloud-based, network-centric threat detection and response solution that helps organizations identify, detect, and respond to network-based cyberattacks through an advanced, layered approach. ThreatSync+ NDR uses advanced artificial intelligence (AI) and machine learning capabilities to deliver enterprise-level cyber defense across hybrid networks.
ThreatSync+ NDR continuously monitors and analyzes data flows and provides:
- Detection and response for your physical and private networks.
- Network analysis of both north-south traffic (traffic that enters or exits your network) and east-west traffic (traffic within your network).
- An open solution for multivendor networks, including WatchGuard Fireboxes, third-party switches, and third-party firewalls.
- Executive Summary and Ransomware Protection reports.
- Continuous compliance reporting for cyber networks, when you add the optional Compliance Reporting license.
ThreatSync+ NDR deploys across multiple locations and quickly integrates with your existing environment. Automation eliminates the need for threat hunters and forensic analysts.
ThreatSync+ NDR monitors:
- Authentication threats, such as password and credential attacks.
- Network and cloud risks, including firewall rule failures and unsecured ports.
- Cyberattacks, including ransomware and supply chain attacks.
- File and data threats, such as the movement of sensitive files to public clouds or open file shares.
ThreatSync+ NDR correlates these events and delivers actionable intelligence in the form of a network threat score that helps you to prioritize remediation actions. For more information, go to Network Threat Score.
For more information about ThreatSync+ NDR, go to these sections:
Licensing
ThreatSync+ NDR is licensed for each user. A user can have up to three devices associated with the license.
(Optional) WatchGuard Compliance Reporting License
WatchGuard Compliance Reporting provides additional defense goal reports for various cybersecurity regulations and standards. ThreatSync+ NDR provides the data required by these reports.
WatchGuard Compliance Reporting is licensed for each user and provides access to the reports in WatchGuard Cloud.
Data Collection
To gain visibility into all areas of your network, you should monitor IP traffic across all the devices in your network. Cloud-managed and locally-managed Fireboxes with cloud reporting that run Fireware v12.10.3 and higher automatically send network traffic data to WatchGuard Cloud and ThreatSync+ NDR. (For locally-managed Fireboxes with cloud reporting, you must enable the Firebox to send log messages for reports in each packet filter policy.) This data feed provides the information required for ThreatSync+ NDR to identify and detect potential threats and suspicious activities, such as lateral movement, DNS tunnels, fast and slow scans, and data exfiltration.
For Fireboxes that run earlier versions of Fireware, and for third-party firewalls or switches, on-premises collection devices called collectors are used to monitor network traffic. Collectors take data feeds such as NetFlow and sFlow from third-party switches and firewalls, and forward them through a secure connection to WatchGuard Cloud. These data feeds include information on the traffic that flows through the switch or firewall to network devices. We recommend that you configure your switches and firewalls to relay network traffic data through these collectors to be forwarded to WatchGuard Cloud. For information on how to install and configure collectors on Windows computers and servers, go to Configure Collectors for ThreatSync+ NDR (Windows Computers).
In addition to the Firebox, you can install agent-based collectors for third-party switches and firewalls to relay NetFlow, sFlow, VPN, and Active Directory or DHCP logs to WatchGuard Cloud through a secure IPSec tunnel. If there are segments of the network where you cannot generate NetFlow logs, the agent-based collector listens to your packet traffic and generates the NetFlow data itself.
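As an added illustration of what a NetFlow feed actually carries and why a collector is useful for scan detection, the following Python decodes a NetFlow v5 export datagram of the kind a switch or firewall would send to a collector, then runs a simple fast-scan heuristic over the records (one source touching many distinct TCP ports on one destination). This is example code written for this page, not WatchGuard's code and not how ThreatSync+ NDR or its collectors are implemented; the datagram, addresses, port threshold and function names are all constructed for the example.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by
# `count` fixed-size 48-byte flow records, in the standard v5 field order.
NF5_HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in, out, pkts, octets, first, last, sport, dport, pad, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    Rejects anything that is not v5 or that is shorter than the header
    claims, so a truncated UDP datagram never yields partial records.
    """
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = NF5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    needed = NF5_HEADER.size + count * NF5_RECORD.size
    if len(datagram) < needed:
        raise ValueError("truncated datagram: header announces %d records" % count)

    flows = []
    for i in range(count):
        rec = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(rec[0])),
            "dst": str(ipaddress.IPv4Address(rec[1])),
            "packets": rec[5],
            "bytes": rec[6],
            "sport": rec[9],
            "dport": rec[10],
            "tcp_flags": rec[12],
            "proto": rec[13],
        })
    return flows


def find_fast_scans(flows, min_ports=8):
    """Heuristic fast-scan detector (constructed for this example).

    Groups TCP flows by (source, destination) and reports pairs where the
    source touched at least `min_ports` distinct destination ports.
    Returns {(src, dst): sorted list of ports}.
    """
    ports_seen = defaultdict(set)
    for f in flows:
        if f["proto"] == 6:  # TCP only; UDP service probes would need a separate rule
            ports_seen[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports_seen.items() if len(p) >= min_ports}


def build_datagram(flow_tuples):
    """Pack (src, dst, sport, dport, proto, tcp_flags, pkts, octets) tuples
    into a NetFlow v5 datagram. Used only to construct the sample input."""
    header = NF5_HEADER.pack(5, len(flow_tuples), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        NF5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\x00" * 4, 0, 0, pkts, octets, 0, 0, sport, dport,
            0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, flags, pkts, octets in flow_tuples
    )
    return header + body


# Constructed sample: one host probing eleven TCP ports on a server with
# single-packet SYNs, plus three ordinary flows from other hosts.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_FLOWS = [("10.0.1.25", "10.0.2.10", 40000 + i, p, 6, 0x02, 1, 60)
                for i, p in enumerate(SCAN_PORTS)]
SAMPLE_FLOWS += [
    ("10.0.1.40", "10.0.2.10", 51234, 443, 6, 0x1b, 120, 98000),   # normal HTTPS session
    ("10.0.1.41", "10.0.2.20", 51235, 445, 6, 0x1b, 300, 410000),  # normal SMB session
    ("10.0.1.40", "10.0.2.53", 51236, 53, 17, 0x00, 2, 180),       # DNS over UDP
]
SAMPLE_DATAGRAM = build_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    for pair, ports in find_fast_scans(parse_netflow_v5(SAMPLE_DATAGRAM)).items():
        print("possible fast scan %s -> %s, %d ports: %s" % (pair[0], pair[1], len(ports), ports))
```

The length checks matter in a real collector: NetFlow rides on UDP, so a datagram can arrive truncated or from a misconfigured exporter, and decoding past the buffer would silently produce garbage records. The detection threshold is deliberately a plain count per (source, destination) pair so the logic is easy to follow; a production rule would also window by time, which is what separates the "fast" from the "slow" scans the section mentions.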
Reports
Reports are a critical part of monitoring your organization for threats. ThreatSync+ NDR provides reports that enable you to track the health of your network.
ThreatSync+ NDR includes these default reports:
- Executive Summary Report
- Ransomware Prevention Defense Goal Report
To add more reports, plus the ability to generate custom reports, we recommend you add a WatchGuard Compliance Reporting license. WatchGuard Compliance Reporting provides additional defense goal reports for cybersecurity regulations and standards, as well as the ability to generate custom reports for specific defense goals.
The WatchGuard Compliance Reporting license includes these reports:
Cyber Essentials Certification
This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Cyber Security Centre Cyber Essentials certification. This certification helps you to protect your organization against the most common cyberattacks.
FFIEC
This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the Federal Financial Institutions Examination Council (FFIEC) guidelines. These guidelines help financial institutions operate safely, mitigate risk, comply with applicable regulations, follow legal requirements, and adequately manage cybersecurity risks.
ISO 27001 – Information Security, Cybersecurity and Privacy Protection
There are two versions of the ISO 27001 Defense Goal report — one for the 2013 version of the standard and one for the 2022 version.
These reports provide an overview of your network defense and show whether you are in compliance with the objectives and controls outlined by ISO 27001. This standard provides companies with guidance to establish, implement, maintain, and improve information security management systems.
Motion Picture Association Content Security Program
This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the Motion Picture Association (MPA) Content Security Program. This program is a set of voluntary content security best practices to protect intellectual property against theft, piracy, and tampering.
NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations
This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Institute of Standards and Technology (NIST) guideline 800-53. NIST 800-53 provides a catalog of guidelines that support the development of secure and resilient federal information systems. These guidelines include operational, technical, and management safeguards to maintain the integrity, confidentiality, and security of federal information systems.
NIST 800-171 – Protecting Controlled Unclassified Information in Non-federal Systems and Organizations
This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Institute of Standards and Technology (NIST) guideline SP 800-171. NIST SP 800-171 sets standards for safeguarding sensitive information on federal contractor IT systems and networks.
NIST CSF – Cybersecurity Framework
This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF). The CSF provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It includes a taxonomy of high-level cybersecurity outcomes that organizations can use to better understand, assess, prioritize, and communicate their cybersecurity efforts.
For more information, go to About WatchGuard Compliance Reporting.
Executive Summary Report
The Executive Summary Report provides a high-level overview of the threats and vulnerabilities that ThreatSync+ NDR detects. The report includes an overall network threat score and shows you changes in the trend of the threat score over time. Lower scores indicate that your network might not be fully protected.
The included metrics reflect the range of detection and response capabilities provided by ThreatSync+ NDR. The overall network threat score is calculated from metrics across three areas of protection: Threat Detection, Network Visibility, and Policy Assurance.
Follow the recommendations in the report to improve your threat score and protect your network.
For more information, go to ThreatSync+ NDR Executive Summary Report.
Ransomware Prevention Defense Goal Report
The Ransomware Prevention Defense Goal Report monitors your network for vulnerabilities that can make you more susceptible to ransomware. This report presents a summary of the controls ThreatSync+ NDR monitors to help you prevent the spread of ransomware. Each control included in the report is based on a ThreatSync+ NDR policy.
The Ransomware Prevention Defense Goal Report provides you with a network defense overview and shows whether you are in compliance with the objectives and controls for a specified time period. This report, in addition to continuous monitoring of your policy alerts and closing Smart Alerts, can prove compliance for audit or cyber insurance purposes.
For more information, go to Ransomware Prevention Defense Goal Report.
ThreatSync+ NDR UI
To configure and monitor ThreatSync+ NDR, you use the ThreatSync+ NDR UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com and log in with your account credentials.
Monitor ThreatSync+ NDR
ThreatSync+ NDR automatically collects data from your Fireboxes in WatchGuard Cloud and includes default policies and Smart Alerts to help you monitor potential issues in your network.
To monitor ThreatSync+ NDR, select Monitor > ThreatSync+ NDR.
Use these pages to monitor ThreatSync+ NDR:
- Network Summary — Provides an overview of trends in your network and includes links to detailed information about Smart Alerts, policy alerts, device risks, and network traffic. For more information, go to About the ThreatSync+ NDR Summary Page.
- Smart Alerts — Shows open Smart Alerts that indicate an attack might be in progress on your network and provides guidance to help you remediate the threat. For more information, go to About Smart Alerts.
- Policy Alerts — Shows alerts for policy violations on your network. For more information, go to About Policy Alerts.
- Discover — Shows subnets and important servers and network devices that ThreatSync+ NDR automatically identifies. For more information, go to ThreatSync+ NDR Asset Discovery.
- Network Audit Logs — Shows details of any configuration activity performed for ThreatSync+ NDR policies and zones on your network. For more information, go to ThreatSync+ NDR Network Audit Logs.
Configure ThreatSync+ NDR
You can configure ThreatSync+ NDR specifically for your organization and network.
To configure ThreatSync+ NDR, select Configure > ThreatSync+ NDR.
You can use these pages to configure ThreatSync+ NDR:
- Executive Summary Report — Configure settings for your Executive Summary Report. For more information, go to Configure the Executive Summary Report.
- Compliance — Manage your network defense goals and objectives for defense goal reports. For more information, go to Manage Network Defense Goals.
- Subnets and Organizations — Configure subnets and ranges of IP addresses to label your internal networks and important systems to help identify rogue devices. For more information, go to Configure Subnets and Organizations.
- Devices — Manage devices on your network and add or import new devices. For more information, go to Manage Devices.
- Policies — Manage default policies and add policies with custom policy definitions for your network. For more information, go to Configure ThreatSync+ NDR Policies.
- Zones — Manage zones in your network and create custom zones. For more information, go to Manage ThreatSync+ NDR Zones.
- Alerts — Specify which policy alerts and Smart Alerts generate email notifications. For more information, go to Configure ThreatSync+ NDR Alerts and Notification Rules.