About ThreatSync+ NDR

Applies To: ThreatSync+ NDR

This feature is only available to participants in the ThreatSync+ NDR Beta program.

ThreatSync+ NDR (Network Detection and Response) is a cloud-based, network-centric threat detection and response solution that helps organizations identify, detect, and respond to network-based cyberattacks through an advanced, layered approach. ThreatSync+ NDR uses advanced artificial intelligence (AI) and machine learning capabilities to deliver enterprise-level cyber defense across hybrid networks.

ThreatSync+ NDR continuously monitors and analyzes data flows and provides:

  • Detection and response for your physical and private networks.
  • Network analysis of both north-south traffic (traffic that enters or exits your network) and east-west traffic (traffic within your network).
  • An open solution for multivendor networks, including WatchGuard Fireboxes, third-party switches, and third-party firewalls.
  • Executive Summary and Ransomware Protection reports.
  • An optional Compliance Reporting license adds continuous compliance reporting for cyber networks.

ThreatSync+ NDR deploys across multiple locations and quickly integrates with your existing environment. Automation eliminates the need for threat hunters and forensic analysts.

ThreatSync+ NDR monitors:

  • Authentication threats, such as password and credential attacks.
  • Network and cloud risks, including firewall rule failures and unsecured ports.
  • Cyberattacks, including ransomware and supply chain attacks.
  • File and data threats, such as the movement of sensitive files to public clouds or open file shares.

ThreatSync+ NDR correlates these events and delivers actionable intelligence in the form of a network threat score that helps you to prioritize remediation actions. For more information, go to Network Threat Score.

For more information about ThreatSync+ NDR, go to these sections:

Licensing

ThreatSync+ NDR is licensed for each user. A user can have up to three devices associated with the license.

(Optional) WatchGuard Compliance Reporting License

WatchGuard Compliance Reporting provides additional defense goal reports for various cybersecurity regulations and standards. ThreatSync+ NDR provides the data required by these reports.

WatchGuard Compliance Reporting is licensed for each user and provides access to the reports in WatchGuard Cloud.

Data Collection

To gain visibility into all areas of your network, you should monitor IP traffic across all the devices in your network. Cloud-managed and locally-managed Fireboxes with cloud reporting that run Fireware v12.10.3 and higher automatically send network traffic data to WatchGuard Cloud and ThreatSync+ NDR. (For locally-managed Fireboxes with cloud reporting, you must enable the Firebox to send log messages for reports in each packet filter policy.) This data feed provides the information required for ThreatSync+ NDR to identify and detect potential threats and suspicious activities, such as lateral movements, DNS tunnels, fast and slow scans, and data exfiltration.

For Fireboxes that run lower versions of Fireware or third-party firewalls or switches, on-premise collection devices called collectors are used to monitor network traffic. Collectors take data feeds such as NetFlow and sFlow from third-party switches and firewalls, and forward them through a secure connection to WatchGuard Cloud. These data feeds include information on the traffic that flows through the switch or firewall to network devices. We recommend that you configure your switches and firewalls to relay network traffic data through these collectors to be forwarded to WatchGuard Cloud. For information on how to install and configure collectors on Windows computers and servers, go to Configure Collectors for ThreatSync+ NDR (Windows Computers).

In addition to the Firebox, you can also install agent-based collectors on third-party switches and firewalls to relay NetFlow, sFlow, VPN, and Active Directory or DHCP logs to WatchGuard Cloud through a secure IPSec tunnel. If there are segments of the network where you cannot generate NetFlow logs, then the agent-based collector listens to your packet traffic and generates the NetFlow data.

Reports

Reports are a critical part of monitoring your organization for threats. ThreatSync+ NDR provides reports that enable you to track the health of your network.

ThreatSync+ NDR includes these default reports:

  • Executive Summary Report
  • Ransomware Prevention Defense Goal Report

To add more reports, plus the ability to generate custom reports, we recommend you add a WatchGuard Compliance Reporting license. WatchGuard Compliance Reporting provides additional defense goal reports for cybersecurity regulations and standards, as well as the ability to generate custom reports for specific defense goals.

The WatchGuard Compliance Reporting license includes these reports:

Cyber Essentials Certification

This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Cyber Security Centre Cyber Essentials certification. This certification helps you to protect your organization against the most common cyber attacks.

FFIEC

This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the Federal Financial Institutions Examination Council (FFIEC) guidelines. These guidelines help financial institutions operate safely, mitigate risk, comply with applicable regulations, follow legal requirements, and adequately manage cybersecurity risks.

ISO 27001 – Information Security, Cybersecurity and Privacy Protection

There are two versions of the ISO 27001 Defense Goal report — one for the 2013 version of the standard and one for the 2022 version.

These reports provide an overview of your network defense and show whether you are in compliance with the objectives and controls outlined by ISO 27001. This standard provides companies with guidance to establish, implement, maintain, and improve information security management systems.

Motion Picture Association Content Security Program

This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the Motion Picture Association (MPA) Content Security Program. This program is a set of voluntary content security best practices to protect intellectual property against theft, piracy, and tampering.

NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations

This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Institute of Standards and Technology (NIST) guideline 800-53. NIST 800-53 provides a catalog of guidelines that support the development of secure and resilient federal information systems. These guidelines include operational, technical, and management safeguards to maintain the integrity, confidentiality, and security of federal information systems.

NIST 800-171 – Protecting Controlled Unclassified Information in Non-federal Systems and Organizations

This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Institute of Standards and Technology (NIST) guideline SP 800-171. NIST SP 800-171 sets standards for safeguarding sensitive information on federal contractor IT systems and networks.

NIST CSF – Cybersecurity Framework

This report provides an overview of your network defense and shows whether you are in compliance with the objectives and controls outlined by the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF). The CSF provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It includes a taxonomy of high-level cybersecurity outcomes that organizations can use to better understand, assess, prioritize, and communicate their cybersecurity efforts.

For more information, go to About WatchGuard Compliance Reporting.

Executive Summary Report

The Executive Summary Report provides a high-level overview of the threats and vulnerabilities that ThreatSync+ NDR detects. The report includes an overall network threat score and shows you changes in the trend of the threat score over time. Lower scores indicate that your network might not be fully protected.

The included metrics reflect the range of detection and response capabilities provided by ThreatSync+ NDR. The overall network threat score is calculated from metrics across three areas of protection: Threat Detection, Network Visibility, and Policy Assurance.

Follow the recommendations in the report to improve your threat score and protect your network.

For more information, go to ThreatSync+ NDR Executive Summary Report.

Ransomware Prevention Defense Goal Report

The Ransomware Prevention Defense Goal Report monitors your network for vulnerabilities that can make you more susceptible to ransomware. This report presents a summary of the controls ThreatSync+ NDR monitors to help you prevent the spread of ransomware. Each control included in the report is based on a ThreatSync+ NDR policy.

The Ransomware Prevention Defense Goal Report provides you with a network defense overview and shows whether you are in compliance with the objectives and controls for a specified time period. This report, in addition to continuous monitoring of your policy alerts and closing Smart Alerts, can prove compliance for audit or cyber insurance purposes.

For more information, go to Ransomware Prevention Defense Goal Report.

ThreatSync+ NDR UI

To configure and monitor ThreatSync+ NDR, you use the ThreatSync+ NDR UI in WatchGuard Cloud. To connect to WatchGuard Cloud, go to cloud.watchguard.com and log in with your account credentials.

Monitor ThreatSync+ NDR

ThreatSync+ NDR automatically collects data from your Fireboxes in WatchGuard Cloud and includes default policies and Smart Alerts to help you monitor potential issues in your network.

To monitor ThreatSync+ NDR, select Monitor > ThreatSync+ NDR.

Screenshot of the Summary page on the Monitor menu

Use these pages to monitor ThreatSync+ NDR:

  • Network Summary — Provides an overview of trends in your network and includes links to detailed information about Smart Alerts, policy alerts, device risks, and network traffic. For more information, go to About the ThreatSync+ NDR Summary Page.
  • Smart Alerts — Shows open Smart Alerts that indicate an attack might be in progress on your network and provides guidance to help you remediate the threat. For more information, go to About Smart Alerts.
  • Policy Alerts — Shows alerts for policy violations on your network. For more information, go to About Policy Alerts.
  • Discover — Shows subnets and important servers and network devices that ThreatSync+ NDR automatically identifies. For more information, go to ThreatSync+ NDR Asset Discovery.
  • Network Audit Logs — Shows details of any configuration activity performed for ThreatSync+ NDR policies and zones on your network. For more information, go to ThreatSync+ NDR Network Audit Logs.

Configure ThreatSync+ NDR

You can configure ThreatSync+ NDR specifically for your organization and network.

To configure ThreatSync+ NDR, select Configure > ThreatSync+ NDR.

Screenshot of the Summary page on the Configure menu in WatchGuard Cloud.

You can use these pages to configure ThreatSync+ NDR:

Related Topics

Quick Start — Set Up ThreatSync+ NDR

Configure ThreatSync+ NDR

Monitor ThreatSync+ NDR