
Uncovered: Uncovering Misconfigured Devices & Applications with Clear NDR

The examples in this article show how Clear NDR gives Security, IT and NOC teams visibility into misconfigured devices and applications. Because it keeps full protocol logs of the communication between those devices or applications, teams get immediate operational insight and can quickly spot unknown or improperly configured systems operating inside the internal network.

About this blog series:


This blog series explores the benefits of Clear NDR™, focusing on how its multi-layered detection reduces the total cost of ownership while delivering unparalleled visibility.

Each article in the series highlights real-world examples from an actual Clear NDR deployment, demonstrating how its insights and threat detection capabilities benefited multiple teams across an organization—including Compliance, Security, and Network teams. Through a combination of automation, AI, and customization, Clear NDR provides actionable intelligence backed by strong evidence, enabling faster Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

No single detection algorithm is perfect. Every approach has strengths and weaknesses, excelling in some areas and falling short in others. That’s why Clear NDR takes a multi-layered detection approach, ensuring that no single method is solely responsible for uncovering threats.

The teams involved in the use cases shared in this blog series benefited from the data, visibility, and evidence that Clear NDR provided, enabling them to take remedial actions against policy violations, Zero Trust architecture gaps, misconfigurations, and other security risks. Ultimately, this led to reduced threat exposure and improved security posture.


Detecting Anomalous Modbus Activity

In the screenshot below, we see Modbus communication occurring. In essence, Modbus provides a reliable and straightforward way for industrial devices to exchange data, making it a fundamental technology in automation and control systems.

Modbus or MODBUS is a client/server data communications protocol in the application layer. It was originally designed for use with programmable logic controllers (PLCs), but has become a de facto standard communication protocol for communication between industrial electronic devices in a wide range of buses and networks. - Wikipedia

Modbus traffic by itself is not necessarily a concern. Combined with organizational context, however (where the endpoints sit, for example in a regular office segment rather than on the plant network, when the connections occur and how long they last), it reveals misconfigured devices that need attention.

[Screenshot: Uncover-Misconfigured-Device-SS-1]

A further detailed drill down of each connection helps determine the actual devices involved and their location:

[Screenshot: Uncover-Misconfigured-Device-SS-2]
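The contextual check described above, as an added example rather than Clear NDR's own code: it reads Suricata-style EVE JSON flow records (Clear NDR is built on Suricata) and flags Modbus flows whose endpoints, start time or duration do not fit the expected plant-network pattern. The OT and office subnets, the business-hours window, the session-length threshold and the sample records are all constructed for illustration.

```python
"""Flag Modbus flows that do not fit the expected OT context.

Added example, not Clear NDR code. Reads Suricata-style EVE 'flow' records
and applies the context the article describes: which segment each endpoint
sits in, when the flow started and how long it lasted. Subnets, hours,
threshold and sample records are constructed.
"""
import ipaddress
import json
from datetime import datetime

# Assumed site layout (constructed): plant/OT ranges versus office VLANs.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
OFFICE_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16"),
                   ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59; assumption
LONG_SESSION_SECONDS = 3600        # assumption

# Constructed sample records in the shape of Suricata EVE 'flow' events.
SAMPLE_EVE = """\
{"event_type":"flow","src_ip":"10.50.1.20","dest_ip":"10.50.1.5","dest_port":502,"proto":"TCP","app_proto":"modbus","flow":{"start":"2025-02-10T09:12:01.000000+0000","end":"2025-02-10T09:12:04.000000+0000"}}
{"event_type":"flow","src_ip":"10.20.33.7","dest_ip":"10.50.1.5","dest_port":502,"proto":"TCP","app_proto":"modbus","flow":{"start":"2025-02-10T02:40:11.000000+0000","end":"2025-02-10T05:55:40.000000+0000"}}
{"event_type":"flow","src_ip":"10.10.4.9","dest_ip":"10.10.4.200","dest_port":502,"proto":"TCP","app_proto":"modbus","flow":{"start":"2025-02-10T14:05:00.000000+0000","end":"2025-02-10T14:05:02.000000+0000"}}
{"event_type":"flow","src_ip":"10.10.4.9","dest_ip":"192.0.2.46","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"start":"2025-02-10T14:06:00.000000+0000","end":"2025-02-10T14:06:09.000000+0000"}}
"""


def segment(ip):
    """Classify an address as 'ot', 'office' or 'other' using the site map."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in OT_SEGMENTS):
        return "ot"
    if any(addr in net for net in OFFICE_SEGMENTS):
        return "office"
    return "other"


def parse_ts(value):
    # EVE timestamps look like 2025-02-10T09:12:01.000000+0000
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def modbus_findings(eve_text):
    """Return the Modbus flows that violate the expected context, with reasons."""
    findings = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        # Match on the parsed protocol, falling back to the well-known port.
        if ev.get("app_proto") != "modbus" and ev.get("dest_port") != 502:
            continue
        src_seg, dst_seg = segment(ev["src_ip"]), segment(ev["dest_ip"])
        start, end = parse_ts(ev["flow"]["start"]), parse_ts(ev["flow"]["end"])
        duration = (end - start).total_seconds()
        reasons = []
        if "office" in (src_seg, dst_seg):
            reasons.append(f"endpoint in office segment ({src_seg} -> {dst_seg})")
        if start.hour not in BUSINESS_HOURS:
            reasons.append(f"started outside business hours ({start:%H:%M})")
        if duration > LONG_SESSION_SECONDS:
            reasons.append(f"long-lived session ({duration / 3600:.1f} h)")
        if reasons:
            findings.append({"src": ev["src_ip"], "dest": ev["dest_ip"],
                             "start": ev["flow"]["start"],
                             "duration_s": duration, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in modbus_findings(SAMPLE_EVE):
        print(f"{f['src']} -> {f['dest']} at {f['start']}: " + "; ".join(f["reasons"]))
```

On the constructed sample the plant-to-plant flow during the day is silent, while an office workstation polling a PLC for three hours at night collects all three reasons, which is the kind of evidence the drill-down in the screenshots is meant to surface.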

Misconfigured SMTP Application

In another instance, Clear NDR identified a misconfigured SMTP application and its communication endpoints. As shown in the screenshot below, the Hunt and evidence interface reveals outbound SMTP communications in clear text, along with how often and when they recur. This visibility is crucial for security teams, as it allows them to detect misconfigurations that could lead to unencrypted transmission of sensitive data or other exposure.

[Screenshot: Uncover-Misconfigured-Device-SS-3]

Thanks to Clear NDR’s in-depth analysis, detection logic and evidence transparency, not only the endpoints but also the specific email configuration details are identifiable: sender, recipients and other SMTP envelope data from the misconfigured application, which gives a much clearer picture of the issue.

[Screenshot: Uncover-Misconfigured-Device-SS-4]
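The SMTP evidence described above, as an added example that is not Clear NDR's own code: it walks Suricata-style EVE smtp records and groups the outbound envelopes per sender and destination. The point it relies on is that a MAIL FROM / RCPT TO envelope can only be logged if the sensor saw it unencrypted, so a session that upgrades with STARTTLS before the envelope leaves no such record. The internal address range, the timestamp layout and the sample records (a scan-to-email printer and a UPS monitor) are constructed for illustration.

```python
"""Summarise outbound clear-text SMTP envelopes seen on the wire.

Added example, not Clear NDR code. Groups Suricata-style EVE 'smtp' records
by (source, destination, port, MAIL FROM) to show who is sending what in
the clear, to whom, and how often. Internal ranges and samples are
constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption

# Constructed sample records modelled on Suricata EVE 'smtp' events.
# The last record has no envelope: the session upgraded with STARTTLS.
SAMPLE_EVE = """\
{"timestamp":"2025-02-11T08:00:03.000000+0000","event_type":"smtp","src_ip":"10.10.5.40","dest_ip":"203.0.113.25","dest_port":25,"smtp":{"helo":"printer-3f.corp.example","mail_from":"<scanner@corp.example>","rcpt_to":["<it-ops@example.com>"]}}
{"timestamp":"2025-02-11T08:15:03.000000+0000","event_type":"smtp","src_ip":"10.10.5.40","dest_ip":"203.0.113.25","dest_port":25,"smtp":{"helo":"printer-3f.corp.example","mail_from":"<scanner@corp.example>","rcpt_to":["<it-ops@example.com>"]}}
{"timestamp":"2025-02-11T08:30:03.000000+0000","event_type":"smtp","src_ip":"10.10.5.40","dest_ip":"203.0.113.25","dest_port":25,"smtp":{"helo":"printer-3f.corp.example","mail_from":"<scanner@corp.example>","rcpt_to":["<it-ops@example.com>","<facilities@example.com>"]}}
{"timestamp":"2025-02-11T09:02:44.000000+0000","event_type":"smtp","src_ip":"10.10.7.12","dest_ip":"198.51.100.9","dest_port":587,"smtp":{"helo":"ups-monitor","mail_from":"<ups@corp.example>","rcpt_to":["<oncall@example.com>"]}}
{"timestamp":"2025-02-11T09:05:00.000000+0000","event_type":"smtp","src_ip":"10.10.7.12","dest_ip":"10.10.0.25","dest_port":25,"smtp":{"helo":"ups-monitor","mail_from":"<ups@corp.example>","rcpt_to":["<helpdesk@corp.example>"]}}
{"timestamp":"2025-02-11T09:06:00.000000+0000","event_type":"smtp","src_ip":"10.10.7.12","dest_ip":"198.51.100.9","dest_port":587,"smtp":{"helo":"ups-monitor"}}
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def outbound_cleartext_smtp(eve_text):
    """Group outbound envelopes per (src, dest, port, sender); busiest first."""
    groups = defaultdict(lambda: {"count": 0, "recipients": set(), "times": [], "helo": None})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "smtp":
            continue
        smtp = ev.get("smtp", {})
        if not smtp.get("mail_from"):
            continue   # no envelope visible: nothing was sent in the clear
        if not is_internal(ev["src_ip"]) or is_internal(ev["dest_ip"]):
            continue   # only internal -> external submissions
        key = (ev["src_ip"], ev["dest_ip"], ev["dest_port"], smtp["mail_from"])
        g = groups[key]
        g["count"] += 1
        g["helo"] = smtp.get("helo")
        g["recipients"].update(smtp.get("rcpt_to", []))
        g["times"].append(parse_ts(ev["timestamp"]))

    report = []
    for (src, dest, port, sender), g in groups.items():
        times = sorted(g["times"])
        report.append({
            "src": src, "dest": dest, "dest_port": port, "helo": g["helo"],
            "mail_from": sender, "count": g["count"],
            "recipients": sorted(g["recipients"]),
            "first": times[0].isoformat(),
            "span_min": (times[-1] - times[0]).total_seconds() / 60,
        })
    report.sort(key=lambda r: r["count"], reverse=True)
    return report


if __name__ == "__main__":
    for r in outbound_cleartext_smtp(SAMPLE_EVE):
        print(f"{r['src']} -> {r['dest']}:{r['dest_port']} helo={r['helo']} "
              f"from={r['mail_from']} x{r['count']} over {r['span_min']:.0f} min "
              f"to {', '.join(r['recipients'])}")
```

The internal relay hop and the STARTTLS-protected session drop out, leaving the two devices that actually submit mail to the Internet unencrypted; the repeating fifteen-minute cadence from the printer is the kind of pattern the Hunt interface shows as repetition.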

Misconfigured Windows Machines

Clear text (unencrypted) communication is common and, by itself, is not necessarily a security threat. Clear NDR does, however, make it quick to identify unintended clear-text misconfigurations, such as Windows clients fetching public updates over plain HTTP. Downloaded packages are then protected only by their own signatures, and anyone on the path can see exactly which updates each host pulls.

In the screenshot below, with just one click, we can search for any files transferred in clear text, specifically over HTTP. The results highlight a group of hosts downloading and transferring executable and archive (zip/xz) files via HTTP, potentially exposing these systems to unnecessary risk.

[Screenshot: Uncover-Misconfigured-Device-SS-5]

Further investigating the details of these transfers, Clear NDR’s detection logic, data transparency, and evidence clarity make it easy to determine that the communications are directed to well-known operating system and application update services, the Microsoft ones and Ubuntu’s package archive:

  • windowsupdate.com
  • microsoft.com
  • office.net
  • ubuntu.com

This insight allows security teams to quickly assess whether the unencrypted transfers are legitimate activities, such as routine software updates, or if they could be indicative of a misconfiguration or security issue.

[Screenshot: Uncover-Misconfigured-Device-SS-6]

This information is more than sufficient to identify the misconfigured hosts and transition them to the correct configuration that ensures encrypted updates. By doing so, the organization can minimize the risk of exposure or potential security incidents, while maintaining the integrity and security of the update process.
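The triage described above, as an added example that is not Clear NDR's own code: it reads Suricata-style EVE fileinfo records for HTTP, keeps executables and archives, and sorts each transfer by whether the requested hostname belongs to one of the update services named in this article. The list of file extensions, the sample records and the destination hostnames are constructed; the check treats a hostname as a known service only if it is that domain or a subdomain of it, so a look-alike such as a name that merely starts with windowsupdate.com does not pass.

```python
"""Group clear-text HTTP file transfers per host and classify the destination.

Added example, not Clear NDR code. Uses Suricata-style EVE 'fileinfo'
records with their 'http' sub-object. Extension list and samples are
constructed; the known-domain list is the one named in the article.
"""
import json
from collections import defaultdict

KNOWN_UPDATE_DOMAINS = ("windowsupdate.com", "microsoft.com", "office.net", "ubuntu.com")
INTERESTING_SUFFIXES = (".exe", ".msi", ".cab", ".zip", ".xz", ".gz", ".deb")  # assumption

# Constructed sample records modelled on Suricata EVE 'fileinfo' events.
SAMPLE_EVE = """\
{"event_type":"fileinfo","src_ip":"10.10.4.9","dest_ip":"192.0.2.10","app_proto":"http","http":{"hostname":"download.windowsupdate.com","http_method":"GET","url":"/d/msdownload/update/software/update-package-x64.cab"},"fileinfo":{"filename":"/d/msdownload/update/software/update-package-x64.cab","size":412000,"state":"CLOSED"}}
{"event_type":"fileinfo","src_ip":"10.10.4.9","dest_ip":"192.0.2.11","app_proto":"http","http":{"hostname":"www.microsoft.com","http_method":"GET","url":"/download/tool-installer.exe"},"fileinfo":{"filename":"/download/tool-installer.exe","size":9800000,"state":"CLOSED"}}
{"event_type":"fileinfo","src_ip":"10.10.6.2","dest_ip":"192.0.2.12","app_proto":"http","http":{"hostname":"archive.ubuntu.com","http_method":"GET","url":"/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu1_amd64.deb"},"fileinfo":{"filename":"/ubuntu/pool/main/c/curl/curl_8.5.0-2ubuntu1_amd64.deb","size":230000,"state":"CLOSED"}}
{"event_type":"fileinfo","src_ip":"10.10.6.2","dest_ip":"198.51.100.7","app_proto":"http","http":{"hostname":"windowsupdate.com.cdn-mirror.example","http_method":"GET","url":"/patch/tool.exe"},"fileinfo":{"filename":"/patch/tool.exe","size":512000,"state":"CLOSED"}}
{"event_type":"fileinfo","src_ip":"10.10.6.2","dest_ip":"198.51.100.8","app_proto":"http","http":{"hostname":"files.example.net","http_method":"GET","url":"/docs/report.pdf"},"fileinfo":{"filename":"/docs/report.pdf","size":80000,"state":"CLOSED"}}
{"event_type":"fileinfo","src_ip":"10.10.6.2","dest_ip":"198.51.100.8","app_proto":"http","http":{"hostname":"files.example.net","http_method":"GET","url":"/builds/bundle.tar.xz"},"fileinfo":{"filename":"/builds/bundle.tar.xz","size":3400000,"state":"CLOSED"}}
"""


def is_known_update_host(hostname):
    """True only for the listed domains or their subdomains (no look-alikes)."""
    host = (hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_UPDATE_DOMAINS)


def http_file_transfers(eve_text):
    """Map each downloading host to its known-service and unknown transfers."""
    per_host = defaultdict(lambda: {"known": [], "unknown": []})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "fileinfo" or ev.get("app_proto") != "http":
            continue
        filename = ev.get("fileinfo", {}).get("filename", "")
        if not filename.lower().endswith(INTERESTING_SUFFIXES):
            continue   # only executables and archives are of interest here
        hostname = ev.get("http", {}).get("hostname", "")
        bucket = "known" if is_known_update_host(hostname) else "unknown"
        per_host[ev["src_ip"]][bucket].append((hostname, filename))
    return dict(per_host)


if __name__ == "__main__":
    for host, buckets in http_file_transfers(SAMPLE_EVE).items():
        print(f"{host}: {len(buckets['known'])} from known update services, "
              f"{len(buckets['unknown'])} from elsewhere")
        for name, path in buckets["unknown"]:
            print(f"    review: {name}{path}")
```

Hosts whose transfers all land in the known bucket are the routine update case the article describes and can be moved to an encrypted update channel; anything in the unknown bucket, such as the look-alike mirror in the sample, needs a closer look before it is written off as a configuration issue.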

Conclusion

Clear NDR's ability to uncover misconfigured devices and applications is a game-changer for network security. Its multi-layered detection provides a comprehensive view of network traffic, enabling organizations to gain in-depth insights into their network's behavior. This enhanced visibility is critical for identifying unauthorized devices, applications, and activities that could pose security risks. By quickly pinpointing misconfigurations and potential vulnerabilities, Clear NDR allows security teams to take immediate action, preventing exploitation and minimizing threats. Furthermore, this level of visibility not only strengthens security but also supports network performance optimization by identifying bottlenecks and areas of congestion, ensuring a well-optimized, secure network infrastructure.

More Real-World Examples

This is just one example of how Clear NDR delivers precise and transparent evidence-backed threat detection. Stay tuned for the next blog in this series, where we’ll dive into another real-world security scenario and how Clear NDR made a difference.

For organizations wondering whether adding NDR to their security strategy is the right choice, the most effective way to find out is a proof of value (POV) with the experts at Stamus Networks.

To determine if NDR is right for your organization, book a demo and speak to our team. We would love to hear about your network and see how Clear NDR can help. To stay updated with new blog posts and other news from Stamus Networks, subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at the Open Information Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata, the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.
