
Uncovered: Suspicious TLS Beaconing Activity Uncovered by Clear NDR AI

One of the key strengths of Clear NDR™ is its AI-based TLS beacon detection, which, when combined with organizational context, allows users to pinpoint security issues with a single glance.

Unlike traditional systems that evaluate beaconing only within fixed time constraints, Clear NDR’s AI detection continuously re-evaluates network activity, allowing security teams to retroactively analyze beaconing activity and its scoring over specific time periods.

About this blog series:

This blog series explores the benefits of Clear NDR, focusing on how its multi-layered detection reduces the total cost of ownership while delivering unparalleled visibility.

Each article in the series highlights real-world examples from an actual Clear NDR deployment, demonstrating how its insights and threat detection capabilities benefited multiple teams across an organization—including Compliance, Security, and Network teams. Through a combination of automation, AI, and customization, Clear NDR provides actionable intelligence backed by strong evidence, enabling faster Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

No single detection algorithm is perfect. Every approach has strengths and weaknesses, excelling in certain areas while others fall short. That’s why Clear NDR takes a multi-layered detection approach, ensuring that no single method is solely responsible for uncovering threats.

The teams involved in the use cases shared in this blog series benefited from the data, visibility, and evidence that Clear NDR provided, enabling them to take remedial actions against policy violations, Zero Trust architecture gaps, misconfigurations, and other security risks. Ultimately, this led to reduced threat exposure and improved security posture.


Clear NDR AI-based Beacon Detection

In the example below, Clear NDR's AI automatically flagged an instance of beaconing activity with a high-risk score over a weekend. The TLS Server Name Indication (SNI) in question was: raw.githubusercontent.com:

[Screenshot: Uncover-TLS-Beacon-SS-1]

While GitHub itself is not inherently malicious, its public and widely used infrastructure can be exploited by threat actors to host and distribute malicious code.

GitHub is a proprietary developer platform that allows developers to create, store, manage, and share their code. It uses Git to provide distributed version control and also provides access control, bug tracking, software feature requests, task management, continuous integration, and wikis for every project. – Wikipedia

So, why did Clear NDR assign this activity such a high score?

With a single click, we reviewed all other assets within the organization that had used the same TLS SNI during that period.

[Screenshot: Uncover-TLS-Beacon-SS-2]

Identifying the Affected Asset

Clear NDR automatically identified the asset involved—a Domain Controller—along with the services and roles running on it.

[Screenshot: Uncover-TLS-Beacon-SS-3]

We then pivoted to the raw logs to examine all connections made, including specific TLS and flow details.

[Screenshot: Uncover-TLS-Beacon-SS-4]

In the screenshot below, we drilled down into the details of each connection:

[Screenshot: Uncover-TLS-Beacon-SS-5]
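The investigation steps above (periodicity scoring per asset and SNI, the one-click pivot to every other asset that used the same SNI, re-scoring over an arbitrary time window, and raising the risk when the asset's role is sensitive) can be reproduced in miniature from TLS flow logs. The following Python is an added example written for this article; it is not Clear NDR code, and the Suricata-style log lines, the 203.0.113.10 destination, the asset inventory, and the 0.8 risk threshold are all constructed for illustration.

```python
import json
import statistics
from collections import defaultdict

# ---- Constructed sample data (not real Clear NDR output) -------------------
BASE_TS = 1_700_000_000  # arbitrary epoch base for the constructed weekend window

def _tls_record(src_ip, sni, ts):
    """Build a minimal Suricata EVE-style TLS record as one JSON log line."""
    return json.dumps({"event_type": "tls", "src_ip": src_ip, "dest_ip": "203.0.113.10",
                       "dest_port": 443, "timestamp": ts, "tls": {"sni": sni}})

# 10.0.0.5 (a constructed domain controller) connects every ~300 s with a few
# seconds of jitter; 10.0.0.42 (a workstation) hits the same SNI at random times.
_JITTER = [0, 3, -2, 4, -1, 2, 0, -3]
SAMPLE_LOGS = [_tls_record("10.0.0.5", "raw.githubusercontent.com", BASE_TS + i * 300 + j)
               for i, j in enumerate(_JITTER)]
SAMPLE_LOGS += [_tls_record("10.0.0.42", "raw.githubusercontent.com", BASE_TS + off)
                for off in (100, 1900, 7000, 7300)]
SAMPLE_LOGS.append(_tls_record("10.0.0.42", "update.example.invalid", BASE_TS + 500))

# Constructed asset inventory standing in for the organizational-context layer.
ASSET_INVENTORY = {
    "10.0.0.5": {"hostname": "dc01", "roles": ["domain-controller", "dns"]},
    "10.0.0.42": {"hostname": "ws-042", "roles": ["workstation"]},
}
SENSITIVE_ROLES = {"domain-controller"}

def parse_tls_events(lines):
    """Return (src_ip, sni, ts) tuples for TLS records that carry an SNI."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        sni = rec.get("tls", {}).get("sni")
        if sni:
            events.append((rec["src_ip"], sni, float(rec["timestamp"])))
    return events

def beacon_score(timestamps, min_events=4):
    """Regularity of the gaps between connections: 1.0 = perfectly periodic, 0.0 = no rhythm.
    The coefficient of variation is used so slow and fast beacons score alike."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return {"count": len(ts), "mean_interval": None, "score": 0.0}
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "mean_interval": round(mean, 1),
            "score": round(max(0.0, 1.0 - cv), 3)}

def pivot_by_sni(events, sni):
    """Every source asset that contacted the given SNI (the 'single click' pivot)."""
    return sorted({src for src, name, _ in events if name == sni})

def analyze(lines, inventory, window=None, min_events=4):
    """Score every (asset, SNI) pair inside an optional (start, end) epoch window and
    mark the finding high risk when a regular beacon comes from a sensitive role."""
    events = parse_tls_events(lines)
    if window:
        start, end = window
        events = [e for e in events if start <= e[2] <= end]
    per_pair = defaultdict(list)
    for src, sni, ts in events:
        per_pair[(src, sni)].append(ts)
    findings = []
    for (src, sni), stamps in per_pair.items():
        result = beacon_score(stamps, min_events)
        asset = inventory.get(src, {"hostname": "unknown", "roles": []})
        sensitive = bool(SENSITIVE_ROLES & set(asset["roles"]))
        findings.append({"src_ip": src, "hostname": asset["hostname"], "roles": asset["roles"],
                         "sni": sni, "high_risk": sensitive and result["score"] >= 0.8,
                         "peers_using_sni": pivot_by_sni(events, sni), **result})
    return sorted(findings, key=lambda f: (f["high_risk"], f["score"]), reverse=True)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS, ASSET_INVENTORY):
        print(f"{f['hostname']:8} {f['sni']:28} n={f['count']:2} score={f['score']:.3f} "
              f"high_risk={f['high_risk']} peers={f['peers_using_sni']}")
```

Run as-is, the domain controller's eight evenly spaced connections to raw.githubusercontent.com score close to 1.0 and are marked high risk because of the asset's role, the workstation's irregular connections to the same SNI score 0.0, and the peer list shows both hosts, which is the same pivot the screenshots above walk through. Passing a `window` re-scores only the events inside it, mirroring the retroactive re-evaluation described earlier; a window that contains too few connections simply scores 0.0 rather than guessing.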

Why This Domain Controller Activity is a Concern

A Domain Controller is critical infrastructure within an organization and should not be directly accessing the internet—let alone communicating with GitHub. This behavior is highly unusual and could indicate an attempt to exfiltrate data or download second-stage malicious payloads.

Once this suspicious activity was flagged and reported, the security team conducted further investigation and addressed the issue accordingly.

Why Evidence and Context are Essential

Providing correlated, actionable evidence is critical for any cyber detection, incident response, or threat-hunting operation.

An alert without context leaves security analysts with more questions than answers—requiring additional time, investigation, and tooling to gather logs, correlate evidence, and automate the detection process for the future.

Clear NDR solves this problem by automatically collecting and correlating all relevant evidence, making investigations faster and more efficient.

Conclusion

AI-powered detection and automation are essential for modern security operations, providing continuous analysis and reducing the burden on security teams. In this case, Clear NDR’s AI-driven TLS beacon detection uncovered unexpected activity that could have otherwise gone unnoticed, enabling teams to quickly identify the asset involved, investigate its behavior, and take corrective action. By combining AI with organizational context, Clear NDR ensures that security teams can rapidly detect, analyze, and respond to potential threats—minimizing risk while maintaining full visibility and control.

More Real-World Examples

This is just one example of how Clear NDR delivers precise, transparent, evidence-backed threat detection. Stay tuned for the next blog in this series, where we’ll dive into another real-world security scenario and how Clear NDR made a difference.

For those organizations wondering if adding NDR to their security strategy is the right choice, the most effective way to discover that answer is by engaging in a POV with the experts at Stamus Networks.

To determine if NDR is right for your organization, use the button below to book a demo and speak to our team. We would love to hear about your network and see how Clear NDR can help. To stay updated with new blog posts and other news from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.
