What Is Network Detection and Response?
Why are enterprises adopting network detection and response (NDR) solutions?
In the fast-changing cybersecurity environment, organizations are finding worrisome gaps in their security solution stack that can be filled by NDR solutions. These sophisticated products monitor and analyze network traffic data to detect and respond to threats.
A number of cybersecurity trends are driving adoption of NDR products:
- Extension of corporate networks into the cloud, leading to decentralization
- Enormous volumes of data – including sensitive information – traversing networks and attracting cybercriminals
- An increase in edge computing, a model that moves storage and processing closer to the source of the data
- Risks posed by undetected and/or unmanaged endpoints, like shadow IT, Internet of Things (IoT), and operational technology (OT) devices
Using AI, machine learning, and behavioral analytics, NDR systems analyze aggregated traffic and metadata within internal networks and between internal and external networks in real time. From this information they build a baseline model of normal network behavior and compare each potential abnormality against it in order to spot deviations. If NDR finds an anomaly, such as unusual remote access or use of restricted ports or protocols, the tool can issue alerts or take actions automatically, such as changing firewall rules to block suspicious traffic.
This process enables NDR tools to take a proactive approach to network security. What’s more, they can adapt to changes in network activity by incorporating information about detected threats, input from security analysts, and threat intelligence feeds.
NDR is part of the SOC visibility triad, which also includes endpoint detection and response (EDR) and security information and event management (SIEM). This model, developed by Gartner, delivers comprehensive visibility into an organization’s network and endpoints.
How NDR developed
The precursor to NDR is network traffic analysis (NTA), which focuses on inspecting network traffic patterns to identify anomalies. NDR adds advanced threat detection capabilities, behavioral analysis, and real-time response. Gartner renamed the category from NTA to NDR in 2020.
Today, organizations are looking for the sophisticated analytics and response capabilities provided by NDR solutions to address “known unknown” and “unknown unknown” network threats. Although NDR is considered an emerging technology, this market is growing by double digits and may approach $9 billion by 2032, according to Business Research Insights.
What types of threats do NDR solutions find?
NDR tools can identify a variety of security risks and threats within network infrastructure. They are especially helpful in detecting internal threats and lateral movement by malicious actors. Following are examples:
- Malware, including ransomware, Trojans, viruses, and spyware. Phishing attacks can be identified via suspicious emails.
- Advanced persistent threats (APTs), where attackers establish a long-term presence on the network to acquire sensitive data
- Insider threats from employees and contractors who seek to steal data, change access permissions, or install malware
- Data exfiltration and theft of sensitive information, which may be indicated by unusual patterns in data quantity, destination, or timing
- Botnets that can be used for denial of service (DoS/DDoS) attacks, spam distribution, etc.
- Risky user behavior, such as sharing accounts or exposing sensitive data to unauthorized users
- Command and control communications with a server controlled by a malicious actor
In contrast to traditional technologies that depend on known threat signatures, NDR uses non-signature-based analytical methods, such as machine learning, to detect new, evolving, or hidden threats.
Also, because they analyze network behavior metadata rather than files, NDR solutions can operate with encrypted as well as unencrypted communication protocols.
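The point above, that NDR works from connection metadata rather than payload, is easiest to see with a concrete detector. The following is an added example, not code from the original article or from any NDR product: it looks for beacon-like command and control traffic using only the timing and size of connections, so it behaves identically whether the sessions are TLS on port 443 or cleartext. The flow records, the IP addresses and the thresholds are all constructed for the demonstration.

```python
"""Beacon-style C2 detection over connection metadata only (added example).

Assumes constructed flow records of the shape a flow sensor would emit:
(timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out). No payload is read,
so encrypted and unencrypted sessions are handled the same way.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.10:443 roughly every 60 s
# with near-identical request sizes (beacon-like). 10.0.0.7 browses a site on
# 443 with irregular timing and sizes (normal).
BEACON_TIMES = [0, 61, 119, 182, 240, 299, 361, 420, 478, 540]
SAMPLE_FLOWS = [
    (t, "10.0.0.5", "203.0.113.10", 443, 512 + (i % 3))
    for i, t in enumerate(BEACON_TIMES)
] + [
    (5, "10.0.0.7", "198.51.100.20", 443, 1400),
    (9, "10.0.0.7", "198.51.100.20", 443, 22000),
    (41, "10.0.0.7", "198.51.100.20", 443, 800),
    (300, "10.0.0.7", "198.51.100.20", 443, 5100),
    (302, "10.0.0.7", "198.51.100.20", 443, 300),
    (503, "10.0.0.7", "198.51.100.20", 443, 15000),
]


def find_beacons(flows, min_sessions=5, max_interval_cv=0.2, max_size_cv=0.2):
    """Return (src, dst, port, score) for source/destination pairs whose
    connection timing and sizes are unusually regular.

    The signal is a low coefficient of variation (stdev / mean) in both the
    inter-connection interval and the bytes sent; human-driven traffic is
    bursty in both dimensions. Thresholds are demo assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))

    results = []
    for key, sessions in by_pair.items():
        if len(sessions) < min_sessions:
            continue  # too few samples to judge regularity
        sessions.sort()
        intervals = [b[0] - a[0] for a, b in zip(sessions, sessions[1:])]
        sizes = [n for _, n in sessions]
        mean_interval = mean(intervals)
        if mean_interval == 0:
            continue  # all sessions in the same instant; not a beacon pattern
        interval_cv = pstdev(intervals) / mean_interval
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            score = 1.0 - max(interval_cv, size_cv)  # closer to 1 = more regular
            results.append((*key, round(score, 3)))
    return results


if __name__ == "__main__":
    for src, dst, port, score in find_beacons(SAMPLE_FLOWS):
        print(f"beacon-like: {src} -> {dst}:{port} (regularity {score})")
```

In a real deployment the same computation runs over flow or TLS-handshake metadata exported by sensors, and the thresholds are tuned per environment; the point of the example is that nothing in it depends on decrypting the sessions.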
How does NDR work?
Network detection and response products comprise several different tools and features for identifying, analyzing, and mitigating threats to the network. They include deep packet inspection capability, threat detection and behavioral analysis engines, and integration with threat intelligence feeds.
NDR solutions monitor and collect incoming and outgoing network traffic on a continuous basis to provide a comprehensive view that encompasses north-south and east-west traffic. In addition to internal networks, NDR can monitor public cloud services such as IaaS and other external environments.
An NDR tool analyzes raw network telemetry in real time and compares it to a benchmark for normal traffic flow that it develops using AI, machine learning, and behavioral analytics. This benchmark can be enhanced with data from threat intelligence feeds. Comparison with the baseline allows NDR to identify patterns, anomalies, and suspicious behavior, and determine how threats have moved laterally across the environment. Plus, the tool learns and adapts constantly to reflect new threat information.
Once NDR detects a potential threat, the technology can generate an alert prioritized according to severity, or deliver an automated response such as blocking traffic, isolating an affected system, or terminating a network connection.
NDR systems continually refine their network activity models by incorporating input from security analysts and threat intelligence feeds. This process improves their accuracy and speed in identifying and responding to novel and changing threats.
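The baseline-and-deviation process described in this section (and in the introduction above) can be shown end to end in a small script. The following is an added example, not code from the original article or from any NDR product: it learns a per-host profile from a window of "normal" flow metadata, scores a later window against it, ranks the resulting alerts by severity, chooses between alerting and automated blocking, and shows how analyst feedback is folded back in as an allowlist. The flow records, addresses, restricted-port set and volume factor are constructed assumptions for the demonstration.

```python
"""Baseline-and-deviation detection over flow metadata (added example).

Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out). A baseline is
learned from a window of normal activity, then a new window is scored against
it. Confirmed false positives are fed back as an allowlist.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Ports this demo treats as restricted for workstations (assumption).
RESTRICTED_PORTS = {23, 445, 3389}

# Constructed baseline window: ordinary web and DNS use by two workstations.
BASELINE_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 443, 20_000), ("10.0.0.5", "10.0.0.53", 53, 300),
    ("10.0.0.5", "198.51.100.21", 443, 35_000), ("10.0.0.5", "10.0.0.53", 53, 250),
    ("10.0.0.7", "198.51.100.20", 443, 60_000), ("10.0.0.7", "10.0.0.53", 53, 400),
    ("10.0.0.7", "198.51.100.22", 80, 15_000),
]

# Constructed observation window: 10.0.0.5 opens RDP to a peer (lateral movement
# pattern) and sends a large volume to a new external host; 10.0.0.7 is unchanged.
OBSERVED_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 3389, 4_000),
    ("10.0.0.5", "203.0.113.10", 443, 900_000),
    ("10.0.0.5", "10.0.0.53", 53, 280),
    ("10.0.0.7", "198.51.100.20", 443, 55_000), ("10.0.0.7", "10.0.0.53", 53, 380),
]


@dataclass
class HostProfile:
    """What a source host normally does: ports used, hosts contacted, bytes out."""
    ports: set = field(default_factory=set)
    dsts: set = field(default_factory=set)
    bytes_out: int = 0


def build_baseline(flows):
    """Aggregate flow metadata into one HostProfile per source address."""
    profiles = defaultdict(HostProfile)
    for src, dst, port, nbytes in flows:
        p = profiles[src]
        p.ports.add(port)
        p.dsts.add(dst)
        p.bytes_out += nbytes
    return profiles


def score_window(baseline, flows, volume_factor=5, allowlist=frozenset()):
    """Compare a window of flows to the baseline.

    Returns (severity, src, reason, action) tuples, highest severity first.
    Severity 3 (restricted port or large volume deviation) maps to an automated
    block; lower severities only alert. The allowlist holds (src, port) or
    (src, dst) pairs an analyst has confirmed as benign.
    """
    observed = build_baseline(flows)
    alerts = []
    for src, obs in observed.items():
        base = baseline.get(src, HostProfile())  # unseen host: empty baseline
        for port in sorted(obs.ports - base.ports):
            if (src, port) in allowlist:
                continue
            sev = 3 if port in RESTRICTED_PORTS else 2
            alerts.append((sev, src, f"new destination port {port}"))
        for dst in sorted(obs.dsts - base.dsts):
            if (src, dst) in allowlist:
                continue
            alerts.append((1, src, f"new destination host {dst}"))
        if base.bytes_out and obs.bytes_out > volume_factor * base.bytes_out:
            alerts.append((3, src, f"outbound volume {obs.bytes_out} exceeds "
                                   f"{volume_factor}x baseline {base.bytes_out}"))
    alerts.sort(key=lambda a: (-a[0], a[1], a[2]))
    return [(sev, src, reason, "block" if sev == 3 else "alert")
            for sev, src, reason in alerts]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for sev, src, reason, action in score_window(baseline, OBSERVED_FLOWS):
        print(f"sev={sev} {src}: {reason} -> {action}")
    # Analyst confirms 203.0.113.10 is a sanctioned backup target; the new-host
    # alert disappears on the next pass while the volume alert remains.
    benign = frozenset({("10.0.0.5", "203.0.113.10")})
    print(len(score_window(baseline, OBSERVED_FLOWS, allowlist=benign)), "alerts after feedback")
```

Production systems replace the set-membership and fixed multiplier with statistical or learned models and fold in threat intelligence (for example, weighting a new destination that appears on a feed), but the loop is the same: learn normal, score deviations, rank, act, and incorporate analyst verdicts.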
What are the benefits of NDR?
As mentioned above, NDR helps enterprises close gaps in network security, particularly those involving unmanaged devices and unknown threats. Following are IT security and business reasons for deploying NDR.
Comprehensive network visibility across all ports and protocols gives security teams the ability to oversee the full network infrastructure, including cloud environments and unmanaged endpoints such as IoT devices. This big picture facilitates in-depth analysis of network traffic to provide context for threats, as well as insights into their type and scope.
Real-time monitoring and analysis accelerate threat and vulnerability detection in expanding and highly distributed networks. Besides identifying anomalies inside the network, some NDR solutions can detect threats hiding in encrypted traffic without decrypting it. Early detection helps security teams respond more rapidly to incidents so they can minimize impacts.
Non-signature-based threat detection enables NDR tools to uncover new or unknown threats, such as zero-day vulnerabilities, which lack unique signatures or resemble legitimate behavior.
Advanced technologies, including AI and machine learning, permit NDR products to adapt to changes in the threat landscape, helping security teams stay ahead of new threats.
Improved efficiency for SOC teams can be achieved through NDR’s automated monitoring, analysis, and alerting capabilities, covering huge data volumes. Further, analysis by NDR solutions can reduce false positives, freeing the team to focus on actual security issues.
Threat hunting support is provided by certain NDR tools that include a dedicated threat hunting platform. Data and analysis from such tools help guide hunters to threats and suspicious activities within the network.
Scalability enables NDR solutions to monitor and analyze large and growing volumes of data in expanding network environments.
Seamless integration with other tools in the security stack, such as firewalls and SIEM systems, allows NDR to share data and analytics.
How do NDR, EDR, and XDR compare?
While they all provide cyberthreat detection and response, these three solutions focus on different sources of possible threat activity.
As we’ve discussed, NDR tools monitor and analyze raw network traffic, and provide a holistic view of activity across internal and external networks. Endpoint detection and response (EDR) products monitor endpoints, from laptops, desktops, and peripherals to Internet of Things (IoT) and operational technology (OT) devices. While some EDR solutions integrate with NDR products, the two are essentially complementary, standalone tools, because NDR does not cover endpoints and EDR does not cover networks.
To bring these capabilities together in one solution, extended detection and response (XDR) technology was developed. It is the latest addition to the detection and response toolkit. XDR unifies multiple layers of security and integrates data from a broad range of sources: endpoints, identities, networks, cloud environments, and security tools. Like NDR, XDR uses machine learning, AI, and threat intelligence for data analysis, and can provide automated alerts and predetermined responses to threats.
Should you deploy NDR, EDR, or XDR?
Part of the answer depends on the scale, complexity, and focus of your IT environment. A distributed workforce or heavy use of IoT/OT sensors may call for EDR, while reliance on cloud services may require NDR or XDR.
Another consideration is the threat landscape for your industry. EDR focuses on threats to endpoint devices and machine sensors; NDR focuses on network incursions, lateral movement, and insider threats; and XDR covers attacks encompassing multiple vectors, as well as advanced persistent threats (APTs).
Keep in mind that XDR is generally more expensive than EDR or NDR because it is more comprehensive and uses advanced technologies. It also may require significant resources and staff training to deploy and manage.
Finally, determine whether these tools will integrate easily with your existing security stack.