What is NDaaS?

March 6, 2019


What is NDaaS?

NDaaS is Network Defense as a Service.  CyGlass’ NDaaS solution is the culmination of more than two years of data science, cyber threat analysis, and network data research and development. Since we’re going to start offering our solution more broadly, we wanted to explain in this blog post how we arrived at NDaaS and why we think its the right solution for companies of all sizes looking for a solution in the Network Traffic Analytics (NTA) market.

CyGlass Mission

CyGlass came out of government research projects for finding anomalies in IP-based networks using artificial intelligence and machine learning.  The mission of CyGlass is to make advanced threat analytics accessible for companies of all sizes – not just large enterprises and government agencies.  


Lessons Learned

In support of our nearly 100 deployments over the past 2 years, we’ve had 1000’s of conversations and with people across the entire spectrum of cybersecurity.  We’ve discussed the challenges of applying advanced analytics to computer networks with Secretaries of Defense, Admirals, CEOs, CISOs, CIOs, Security Architects, Network Architects, SOC Analysts, Sys Admins, and IT Operators.  Here’s what we’ve learned:

There is a gap between security and networking teams.
This has been called the SOC/NOC gap.  This gap goes beyond the physical operations centers themselves.  It extends to organizational boundaries between the teams. Even if the security team is enthusiastic for the benefits of improved visibility and detection capabilities in their network, getting the network team to make the simple yet necessary changes can be a struggle.   This dynamic in practice can add weeks or even months to the start of a project.


Explainability/Usability is key.
CyGlass uses some very sophisticated algorithms to spot threats.  These algorithms use a learned baseline of over 25 key network features.  These are NOT simple rules. As such, in order to validate the results, there needs to be a simple repeatable procedure.    This procedure needs to be achievable by a first line SOC analyst – not a Ph.D. data scientist, and not by a cyber hunter.


Automated/AI driven remediation is still a hypothetical use case.
Only 1 person asked for CyGlass to fully automate the remediation process with no humans in the loop.  In every other case, there is an expectation that CyGlass will alert, pinpoint the anomaly, and then connect to either a NAC (Network Access Control), SIEM (Security Information and Event Management) or a SOAR (Security Orchestration and Automated Response) system.  CyGlass is always learning and we look forward to the day when we can make recommendations as to remediation actions to take.

Relevant Market Trends

Cloud Adoption Continues.
Companies continue to shift more and more of their critical infrastructure to the cloud.  Not every company is Netflix, and many companies have simply “lifted and shifted” their infrastructure firewalls and all to AWS.  Increasingly companies are comfortable with Cloud-based security platforms like CrowdStrike, Radid7, and Okta. Companies do not want to deploy appliances (physical or virtual) unless they absolutely have to.

Increasing Privacy Regulations.
Many jurisdictions are increasing privacy regulations and in turn reducing the effectiveness and scope of some existing security controls.  This is the digital equivalent of the police not being able to search a house without a warrant. Tools that respect privacy regulations but give the “digital police” the evidence they need to get a search warrant are going to be the most effective.

MSPs transitioning to MSSPs.
Managed Service Providers (MSPs) are looking to expand their offerings to include more security services since there is such high demand.  Since most MSPs use some sort of RMM (Remote Machine Management) solution, deploying an EDR solution was very straight forward. They could simply turn it on.  Managed firewall is another common first MSP to MSSP service. These are good first steps, but ultimately their end customers want a more comprehensive solution that includes monitoring and alerting.  The last thing service providers want is to make an additional on-site service call to schedule the installation of yet another security device.

Lack of skilled cyberSecurity resources.
Companies (especially small and medium enterprises) can’t hire, train, or retain enough skilled cybersecurity professionals.  Those who work in SOCs are particularly stressed and susceptible to burn out from the dreaded “alert overload”. The market has spoken. And they want solutions that will help their productivity, effectiveness and overall make their lives easier.

Focus on Critical Assets.
Companies have to prioritize their cyber defenses around their most critical business assets.  Sophisticated cyber attacks will only become increasingly more common, and companies must ensure that their most critical assets are well defended.


NDaaS – Deconstructed

Network Defense as a Service (NDaaS) is an affordable, scalable and easy to use advanced network analytics service.


Network data is the ultimate source of truth.  The biggest advantage defenders have is the ability to know what “normal” on their network looks like, whereas the attackers do not.  Attackers need to execute the steps of the cyber kill-chain and many of those steps (probing and reconnaissance, command and control, exfiltration, etc.) can be seen best from the network. EDR doesn’t work for printers, IP cameras, smart TVs or other IoT.  It certainly won’t work on guest or rogue devices.


In terms of the NIST CSF (Cyber Security Framework) NDaaS is focused on the Identify, Detect and Respond functions.  

Identify: NDaaS identifies the assets and asset groups on a network.  It builds baselines of normal traffic for those assets.

Detect: NDaaS detects policy violations, anomalies, and threats to the network.  Alerts are generated and a SOC analyst is able to make a determination if the alert is valid.  A low false positive rate and explainable results are extremely important to keep SOC analysts productive and engaged.  

Respond: Once an alert is raised, even to another system like a SEIM, the NDaaS needs to provide tools for analyzing and understanding the alert by diving into the underlying network traffic.  The NDaaS must be able to learn from the result of the incident in order to produce more accurate results going forward. The network data should be archived so that historical traffic can be analyzed to understand the impact of newly discovered vulnerabilities or attacks.


Companies of all sizes are looking for an easy to deploy and easy to scale solution that provides visibility of the network through a security/risk lense.  Companies can’t hire enough cyber analysts so they want tools that their existing SOC analysts can pick up right away. NDaaS is part of a layered security architecture and as such, it must have the ability to integrate will all of the other surrounding technologies including SEIM, NAC, NPMD, EDR, and SOAR.  Companies want reports that they can use to prove that they are in fact monitoring their network thus proving compliance with the relevant audit and regulatory rules.



CyGlass’ NDaaS is now generally available.  You can start a 30-day free trial by clicking HERE.  In subsequent posts, we’ll discuss some of the technical and architectural choices that we’ve made to deliver on NDaaS, the best use cases for NDaaS, and how NDaaS fits into the overall Network Traffic Analytics (NTA) market.

Back To Blog
Why CyGlass Product Resources