Modern IT infrastructure, whether traditional or hybrid, faces persistent challenges: staff shortages, frequent turnover, and the constant introduction of new applications. These factors can lead to gaps in institutional knowledge, making it difficult to answer even basic questions like: What’s really happening in my network? and Is this behavior expected?
In this blog, we walk through a real-world example where Clear NDR detected and auto-escalated a continuous Zero Trust violation. The case highlights why ongoing monitoring of network infrastructure is critical. Not just for detecting threats, but for evaluating and auditing your communication security controls in real time.
Let’s dive into the example and explore how Clear NDR™ brings clarity to complexity.
Clear NDR identifies continuous Zero Trust violations and automatically escalates them. In this blog we demonstrate a simple example that the platform escalated on its own, and show why continuous network infrastructure monitoring is one of the best ways to constantly evaluate and audit communication security controls.
Two of the major challenges facing IT infrastructure teams today are:
- Security and IT staff rotation and shortages
- Constant application adoption and change
In modern IT operations this is the norm, and while it is not necessarily bad, it is simply the reality. One consequence is that organizations frequently lose a great deal of “local infrastructure” knowledge through gaps in knowledge transfer. Often enough there is no straightforward answer to the questions:
- What is going on in my infrastructure?
- Is this behaviour expected?
Let's take a very basic and simple example.
While File Transfer Protocol (FTP) is still commonly used in certain environments - particularly with legacy systems - any FTP activity originating from an unknown or previously unseen host should raise immediate concern. This type of anomalous behavior represents a basic security policy violation and must be escalated and reviewed. More importantly, it serves as a critical checkpoint for continuously validating your Zero Trust implementation.
FTP presents significant security vulnerabilities that clash with the principles of a Zero Trust security model. Below you will find some key points that highlight the issues:
Cleartext Transmission:
- A fundamental flaw of FTP is that it transmits data, including usernames and passwords, in cleartext (unencrypted). This means that anyone who can intercept network traffic can easily read sensitive information. This directly violates the Zero Trust principle of “always verify.”
Basic Credentials:
- FTP typically relies on cleartext username and password authentication, which can be easily compromised through brute-force attacks or credential theft.
Regulatory Requirements:
- Many industries have strict compliance requirements for data protection (e.g., GDPR, HIPAA). FTP's lack of encryption and security features makes it difficult to meet these requirements.
Incompatibility with Zero Trust Principles:
- Never Trust, Always Verify
  - Zero Trust dictates that no user or device should be inherently trusted. FTP's inherent security weaknesses directly contradict this principle.
- Least Privilege
  - Zero Trust also emphasizes least privilege, meaning users should only have the access they absolutely need. FTP often lacks the granular access controls needed to enforce this.
The challenge isn’t just detecting an FTP connection - it’s going beyond that to analyze and synthesize the data in a way that answers key security questions:
- Who initiated the connection?
- When was the host first and last seen?
- What other activity occurred on that host?
To properly evaluate the incident, analysts need a complete picture, including logs, PCAPs, and all related evidence, ready to review and act on. This level of visibility is essential for making informed decisions and enforcing Zero Trust principles.
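The three questions above (who initiated the connection, when the host was first and last seen, and what else it did) can be answered from ordinary protocol logs once they are correlated per host. The script below is an added example written for this post, not Clear NDR’s own code or detection logic. It parses a handful of constructed log lines laid out in the style of Suricata EVE JSON (the `event_type`, `src_ip`, `dest_ip`, `app_proto`, `ftp.command` and `http.hostname` fields are assumed to follow that format; the hosts, times, usernames and the `KNOWN_FTP_CLIENTS` inventory are invented), flags an FTP login from a host that is not in the inventory, and attaches the first-seen/last-seen times and the host’s other activity so the escalation already carries the context an analyst needs. It also illustrates the cleartext-credential point: the `PASS` command is detected but the password itself is never stored.

```python
"""Added example (not Clear NDR code): escalate an FTP login from an unknown
host, with first/last-seen and other-activity context, from constructed
Suricata-style EVE JSON records."""
import json
from datetime import datetime

# Constructed sample log lines. The field layout imitates Suricata EVE JSON;
# the hosts, times and usernames are invented for this example.
SAMPLE_LINES = [
    '{"timestamp":"2025-05-01T09:55:00.000000+00:00","event_type":"flow","src_ip":"10.0.1.20","dest_ip":"10.0.1.5","app_proto":"http"}',
    '{"timestamp":"2025-05-01T09:58:30.000000+00:00","event_type":"ftp","src_ip":"10.0.1.20","dest_ip":"10.0.1.40","ftp":{"command":"USER","command_data":"backup"}}',
    '{"timestamp":"2025-05-01T10:02:11.000000+00:00","event_type":"ftp","src_ip":"10.0.3.77","dest_ip":"203.0.113.9","ftp":{"command":"USER","command_data":"test"}}',
    '{"timestamp":"2025-05-01T10:02:12.000000+00:00","event_type":"ftp","src_ip":"10.0.3.77","dest_ip":"203.0.113.9","ftp":{"command":"PASS","command_data":"test123"}}',
    '{"timestamp":"2025-05-01T10:03:40.000000+00:00","event_type":"http","src_ip":"10.0.3.77","dest_ip":"203.0.113.50","http":{"hostname":"kali.downloads","url":"/iso/"}}',
    '{"timestamp":"2025-05-01T10:05:02.000000+00:00","event_type":"smtp","src_ip":"10.0.3.77","dest_ip":"10.0.1.25","smtp":{"helo":"lab-box"}}',
]

# Constructed asset inventory: the only hosts expected to act as FTP clients.
KNOWN_FTP_CLIENTS = {"10.0.1.20"}


def parse_events(lines):
    """Parse EVE JSON lines into dicts, adding a datetime 'ts' field, sorted by time."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["timestamp"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def host_activity(events):
    """Per source host: first/last seen, protocols used, FTP usernames and HTTP
    hostnames seen. A PASS command only sets a flag; the password is discarded."""
    hosts = {}
    for ev in events:
        h = hosts.setdefault(ev["src_ip"], {
            "first_seen": ev["ts"], "last_seen": ev["ts"],
            "protocols": set(), "ftp_users": set(), "http_hosts": set(),
            "cleartext_credentials": False,
        })
        h["first_seen"] = min(h["first_seen"], ev["ts"])
        h["last_seen"] = max(h["last_seen"], ev["ts"])
        # Flow records carry app_proto; protocol records are named by event_type.
        h["protocols"].add(ev.get("app_proto") or ev["event_type"])
        if ev["event_type"] == "ftp":
            cmd = ev["ftp"].get("command", "").upper()
            if cmd == "USER":
                h["ftp_users"].add(ev["ftp"].get("command_data", ""))
            elif cmd == "PASS":
                h["cleartext_credentials"] = True
        elif ev["event_type"] == "http":
            h["http_hosts"].add(ev["http"].get("hostname", ""))
    return hosts


def find_ftp_violations(events, known_ftp_clients):
    """Escalate FTP logins from hosts outside the inventory, with the context
    an analyst needs: who, when first/last seen, and what else the host did."""
    activity = host_activity(events)
    violations = []
    for ev in events:
        if ev["event_type"] != "ftp" or ev["ftp"].get("command", "").upper() != "USER":
            continue
        src = ev["src_ip"]
        if src in known_ftp_clients:
            continue  # expected FTP client; still cleartext, but not a policy violation
        h = activity[src]
        violations.append({
            "src_ip": src,
            "dest_ip": ev["dest_ip"],
            "ftp_user": ev["ftp"].get("command_data", ""),
            "first_seen": h["first_seen"],
            "last_seen": h["last_seen"],
            "cleartext_credentials": h["cleartext_credentials"],
            "other_activity": sorted(h["protocols"] - {"ftp"}),
            "http_hosts": sorted(h["http_hosts"]),
        })
    return violations


if __name__ == "__main__":
    for v in find_ftp_violations(parse_events(SAMPLE_LINES), KNOWN_FTP_CLIENTS):
        print(f"[ESCALATE] FTP login as {v['ftp_user']!r} from unknown host {v['src_ip']} "
              f"to {v['dest_ip']}; host first seen {v['first_seen']:%Y-%m-%d %H:%M:%S}, "
              f"last seen {v['last_seen']:%H:%M:%S}; other activity: "
              f"{', '.join(v['other_activity'])}; HTTP hosts: {', '.join(v['http_hosts'])}")
```

Running the script escalates only the login by user “test” from 10.0.3.77, because 10.0.1.20 is in the inventory; the escalation record already names the destination, the host’s first and last sighting, and its HTTP and SMTP activity, which is the same information the screenshots in this post show on a single pane. In a real deployment the inventory would come from an asset source rather than a hard-coded set, and the first-seen baseline would be computed over a much longer window than one log file.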
In one deployment, Clear NDR automatically detected and escalated an FTP-related violation, providing transparent evidence (log data, PCAP files, and the detection logic) all within a single view. This streamlined visibility made the SOC team’s job significantly easier, helping to reduce both the time to detect and the time to respond.
In the screenshot below we can see the escalated event, the policy violation that constituted the escalation, the host involved, and first and last time the violation was seen:
For more information and to view all the evidence we click on the “Investigate Events” button, as shown on the screenshot above.
Investigate Events brings us to one pane, where the security violation is presented alongside all relevant network forensics data for the investigation. Clear NDR automatically correlates detection events with protocol details, file transaction logs, PCAPs and detection logic - giving analysts everything they need to investigate and understand the incident in one place.
Clicking on the related protocol data evidence (the “Related FTP” tab) shows us that this was a test done by a “test” user, as shown on the screen below:
To further investigate which hosts were involved, we can switch to the Host Insights view provided by Clear NDR. Each Host Insights page gives an overview of the network activity of the selected host IP. Host Insights tracks over 60 security-related network transactions and communication attributes of a host, providing a single place to view many aspects of the network activity relative to a given host.
This can help analysts gain valuable insights into the network services hosted by the IP, the application layer services used, HTTP user agents, SSH client/server software and versions, encrypted connection fingerprints, the username used to log in, the hostname, ML beacon detections and Sightings observed, and much more.
On the screenshot below we can see the two hosts involved:
One is automatically identified as a host outside the organization having proxy services running:
On the host that triggered the policy violation, Clear NDR’s Sightings feature (which highlights first-time-seen activity) revealed additional suspicious behavior. Notably, there were downloads from “kali.downloads” (a known penetration testing distribution) originating from a part of the network where such activity is highly unlikely. Additionally, the use of cleartext SMTP services was observed, further indicating abnormal and potentially risky behavior worth investigating. This is shown on the screenshot below:
The Kali download is immediately identifiable, complete with context such as the originating host (Patient Zero) and the exact time it occurred, all accessible with a single click that brings you to the detailed view shown below.
With its supporting metadata and logs:
And with a readily correlated evidence and PCAP for the actual transfer:
The incident was auto-escalated and, with all relevant evidence collected, promptly reported to the SOC team.
Conclusion
In this blog, we’ve demonstrated the importance of continuous security monitoring within a Zero Trust framework, showing how Clear NDR not only detects and escalates violations in real time, but also provides automatically correlated evidence to expose malicious or unauthorized activity, even from unexpected parts of the network.
Given FTP’s well-known security weaknesses (especially its lack of encryption), it remains a high-risk protocol in Zero Trust environments. Organizations should prioritize transitioning to secure alternatives like SSH File Transfer Protocol (SFTP) or FTP Secure (FTPS).
Clear NDR empowers security teams by surfacing these risks proactively, reducing the burden on analysts, and accelerating incident response. With its automatic detection, escalation, and investigation capabilities, Clear NDR helps organizations confidently enforce Zero Trust policies and maintain visibility across their evolving infrastructure.
For those organizations wondering if adding NDR to their security strategy is the right choice, the most effective way to discover that answer is by engaging in a POV with the experts at Stamus Networks.
To determine if NDR is right for your organization, use the button below to book a demo and speak to our team. We would love to hear about your network and see how Clear NDR can help. To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord (links below).