Slides are attached, Q&A for the session is below.
What are the pros and cons of the physical vs virtual NDR? Can existing Quantum Gateway in production function as NDR also?
Physical deployment has dedicated resources for flows and has the possibility to be inline for immediate prevention. A virtual one does not always have dedicated resources, but can be scaled to what you need at the point in time. Virtual, as it's KVM based, could be deployed to any private and public clouds, and at any time, so it's a quick and on-demand deployment. Existing Quantum GWs send logs to an existing Log Server, from which you could export logs to NDR SaaS.
Can you quarantine a device and take a forensic snapshot for analysis?
Yes, through integration with other tools. We also provide a "tiny" Harmony Endpoint client (installable via Infinity Portal) that can be deployed to infected machines to remediate them.
Is NDR SaaS the same as MDR? If not, where can I find info on it?
NDR and MDR are different.
NDR is a tool for SOC analysts to understand traffic patterns and perform Threat Hunting.
MDR is short for Managed Detection and Response, and is a managed service to augment a customer's own SOC by providing a complete SOC service staffed by experienced analysts at Check Point.
The NDR engines are usually deployed as a SaaS model, but it can also be deployed on-premises as a private solution.
Both NDR options give you the same tool and functionality; the difference is in where data is stored and processed.
This is quite intense... could it be best to combine it with MDR?
It is already. You could have Check Point MDR (SOC-as-a-Service) do the triage on the created Events. NDR SaaS and MDR go hand in hand. All you have to do is submit a created event from the Insights to the MDR team natively from the NDR portal.
What is the IOC lifecycle?
IOC Feeds are pulled based on the schedule you set. You predefine expiration of the IOCs per feed and we will delete those IOCs when they expire. When the IOC is deleted from the feed source itself, we also delete from the DataSet once you pull on schedule. Additionally, you could combine multiple feeds into one or more DataSets, which are applied either automatically or manually as an IOC feed.
Is the Threat Intel curated to the industry my organization is in?
All traffic is cross-referenced against ThreatCloud, Check Point's global Threat Intel database. This isn't curated by sector.
Then there are the indicators generated by the NDR engines themselves. These are indicators based on threats seen in your own traffic, and are used to prevent more occurrences of the threats that target you.
On top of this, you can bring in dedicated industry-specific external feeds. If you have a recommendation from a government or industry body, you can pull in their feed(s) and merge them with the ThreatCloud and NDR data to gain pre-emptive protection against threats that target your sector specifically.
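The IOC lifecycle answer above (scheduled pulls, per-feed expiration, deletion when the source drops an indicator, several feeds merged into one DataSet) and the feed-merging answer just given describe the same mechanics. The following is an added illustration of those mechanics in plain Python; it is not Check Point code and does not use any NDR API. Feed names, TTLs, indicator values (TEST-NET addresses and .example domains) and timestamps are all constructed for the example, and "now" is an integer number of seconds so the scenario can be stepped through deterministically.

```python
# Simplified model of an IOC DataSet fed by several scheduled feeds.
# Added example, not product code; all feed names and IOC values are constructed.
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class Feed:
    name: str
    ttl: int  # predefined expiration, in seconds, for IOCs pulled from this feed


class DataSet:
    """One DataSet built from one or more feeds.

    self.entries maps an IOC value to {feed_name: expires_at}. An IOC stays
    active as long as at least one feed still vouches for it and has not expired.
    """

    def __init__(self, name: str, feeds: list[Feed]) -> None:
        self.name = name
        self.feeds = {f.name: f for f in feeds}
        self.entries: dict[str, dict[str, int]] = {}

    def pull(self, feed_name: str, source_iocs: list[str], now: int) -> None:
        """Scheduled pull of one feed: refresh expiry for everything the source
        still lists, and drop what the source itself has removed."""
        feed = self.feeds[feed_name]
        source = set(source_iocs)
        for ioc in sorted(source):
            self.entries.setdefault(ioc, {})[feed_name] = now + feed.ttl
        for ioc in list(self.entries):
            if feed_name in self.entries[ioc] and ioc not in source:
                del self.entries[ioc][feed_name]
                if not self.entries[ioc]:
                    del self.entries[ioc]

    def expire(self, now: int) -> list[str]:
        """Delete IOCs whose every feed entry has passed its expiration.
        Returns the IOC values removed, in DataSet order."""
        removed = []
        for ioc in list(self.entries):
            live = {f: t for f, t in self.entries[ioc].items() if t > now}
            if live:
                self.entries[ioc] = live
            else:
                del self.entries[ioc]
                removed.append(ioc)
        return removed

    def active(self) -> set[str]:
        return set(self.entries)

    def match(self, observed: list[str]) -> set[str]:
        """Cross-reference observed traffic indicators against the DataSet."""
        return set(observed) & self.active()


def demo_lifecycle() -> set[str]:
    """Walk one DataSet through two pulls and an expiry sweep; returns what is left."""
    t0 = 0
    ds = DataSet(
        "sector-blocklist",
        [Feed("gov_csirt_feed", ttl=7 * DAY), Feed("isac_feed", ttl=1 * DAY)],
    )
    ds.pull("gov_csirt_feed", ["203.0.113.7", "bad.example"], t0)
    ds.pull("isac_feed", ["bad.example", "198.51.100.9"], t0)
    # Two days later the ISAC entries have expired; bad.example survives because
    # the government feed's 7-day entry is still valid.
    ds.expire(t0 + 2 * DAY)
    # Next scheduled pull: the government source has removed 203.0.113.7.
    ds.pull("gov_csirt_feed", ["bad.example"], t0 + 2 * DAY)
    return ds.active()


if __name__ == "__main__":
    print(sorted(demo_lifecycle()))
```

An indicator vouched for by two feeds is only deleted once both have expired or dropped it, which is the behaviour that makes merging a sector feed with a broader source safe: the narrower feed can cycle quickly without pulling out indicators the other feed still considers live.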
If I understand you correctly, NDRaaS includes MDR?
MDR is not included in the NDR, it's an additional service which you have to purchase. Please discuss details with your Check Point account team.