Network Detection and Response (NDR) is a network security approach that identifies and stops network threats that have gone otherwise undetected by traditional network gatekeeping tools. NDR is sometimes called Network Traffic Analysis (NTA).
At a high level, NDR tools examine traffic for unusual or unexpected network behaviors that could indicate an imminent cybersecurity attack or data breach. NDR gives enterprises the ability to analyze network threats originating from many sources, including threats that have no previously known signature and threats that appear in cloud environments.
What Technology Is Used For NDR?
NDR products can utilize multiple technologies to analyze network traffic, but most frequently, machine learning and behavioral analytics. These technologies continuously analyze raw traffic and flow records to create models (or a “baseline”) of expected network behavior.
When NDR detects anomalous network activity that departs from this expected baseline, the system raises an alert for network security teams to review. Depending on how filters are configured, the potentially anomalous traffic is either blocked outright or allowed to pass and then restricted or permitted once analysts have reviewed the alert.
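The baseline-then-flag loop described above, as an added example that is not code from any NDR product: it learns a per-host baseline (bytes sent per window and the peers contacted) from constructed flow records, then flags flows in a later window that contact a never-seen peer or send far more than usual, which also covers the east-west case discussed further down the page. Hosts, ports and byte counts are constructed.

```python
# Toy NDR-style baselining over constructed flow records (added example, not vendor code).
# Record: (window, src, dst, dst_port, bytes_sent); windows 0-4 are the learning period.
from collections import defaultdict
from statistics import mean, pstdev

LEARN = range(0, 5)
FLOWS = [(w, "10.0.1.10", "10.0.2.5", 443, 5000 + 200 * w) for w in LEARN]
FLOWS += [(w, "10.0.1.20", "10.0.2.5", 443, 12000) for w in LEARN]
FLOWS += [(w, "10.0.1.20", "10.0.2.8", 53, 300) for w in LEARN]
# Window 5 is evaluated: a routine flow, an east-west flow to a never-seen
# internal peer, and an unusually large transfer to an external host.
FLOWS += [(5, "10.0.1.20", "10.0.2.5", 443, 12100),
          (5, "10.0.1.20", "10.0.1.10", 445, 900),
          (5, "10.0.1.10", "203.0.113.7", 443, 480000)]

def build_baseline(flows, learn_windows):
    """Per source host: mean/sd of bytes sent per window plus the (dst, port) peers seen."""
    per_window, peers = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for w, src, dst, port, nbytes in flows:
        if w in learn_windows:
            per_window[src][w] += nbytes
            peers[src].add((dst, port))
    baseline = {}
    for src, wins in per_window.items():
        vols = [wins.get(w, 0) for w in learn_windows]
        # Floor the spread so perfectly regular hosts neither divide by zero
        # nor alert on a few bytes of jitter.
        sd = max(pstdev(vols), 0.1 * mean(vols), 1.0)
        baseline[src] = {"mean": mean(vols), "sd": sd, "peers": peers[src]}
    return baseline

def detect(flows, baseline, window, z_threshold=3.0):
    """Flag flows in `window` that break the baseline; returns (host, reason, detail)."""
    vol, alerts = defaultdict(int), []
    for w, src, dst, port, nbytes in flows:
        if w != window:
            continue
        vol[src] += nbytes
        b = baseline.get(src)
        if b is None:
            alerts.append((src, "unknown host", f"{dst}:{port}"))
        elif (dst, port) not in b["peers"]:
            alerts.append((src, "new peer", f"{dst}:{port}"))
    for src, v in vol.items():
        if src in baseline:
            z = (v - baseline[src]["mean"]) / baseline[src]["sd"]
            if z > z_threshold:
                alerts.append((src, "volume spike", f"{v} bytes, z={z:.1f}"))
    return alerts
```

Running `detect(FLOWS, build_baseline(FLOWS, LEARN), 5)` yields a "new peer" alert for the internal SMB contact and both a "new peer" and a "volume spike" alert for the external transfer, while an ordinary learning window produces none.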
It is important to distinguish NDR as a network security tool from more traditional rules-based network security approaches such as a standalone SIEM (security information and event management) system, which relies strictly on predetermined rules.
Modern NDR analyzes raw network traffic and flow records as they arrive rather than "looking back" at traffic that has already crossed the network. As a result, modern NDR, whether deployed as a standalone product or used in conjunction with legacy network security tools, can provide much more comprehensive coverage. NDR can also gather network traffic data from existing network infrastructure, including firewalls.
Some of the most noted NDR technologies:
- Vectra AI
- Cisco Stealthwatch
- Awake Security Platform
- ExtraHop Reveal(x)
- Blue Hexagon
- RSA NetWitness Network
- IronNet IronDefense
What Is The Environment Of Network Detection And Response Software?
NDR is well-suited for enterprise networking environments, including those that serve a distributed workforce across multiple locations. NDR helps to centralize and manage the unwieldy task of monitoring huge amounts of network traffic flowing in and out of an enterprise network at lightning-fast speeds.
Typically, NDR software is installed on premises, but managed cybersecurity providers are increasingly offering "as-a-service" products that are hosted and managed remotely. In either case, SOC teams must be able to respond to alerts and make or recommend frequent adjustments to NDR settings.
NDR Software Core Functionality and Benefits of NDR Software
At its heart, NDR is intended to further protect enterprise networks that are already being monitored and protected in other ways. NDR is rarely used on a standalone basis — instead, it is a core component of a unified network security approach that adds technology like machine learning and other AI-driven enhancements to the mix.
Advanced NDR solutions give enterprises insights into network traffic that traditional security tools cannot provide, covering traffic from all directions rather than just ingress and egress. In effect, NDR can also detect anomalous traffic behaviors that stay inside the network (east-west traffic), as well as traffic entering and exiting cloud environments.
True NDR can be an improvement over NTA tools that trigger an excessive amount of false positive flags. Enterprises may find it is worth the investment to partner with a company that has the capability and knowledge to access advanced AI technology, which is better able to sift true threats from likely false positive threats. This can be a marked advantage for SOCs where analysts are spending precious time sorting through mountains of false positive flags.
One significant benefit of bringing an NDR solution on board is its ability to help protect against ransomware, which has emerged as one of the biggest, most difficult-to-overcome cyberthreats of this century. Today’s ransomware attackers don’t even need to be tech-savvy to deploy attacks, thanks to the advent of Ransomware-as-a-Service (RaaS).
Ransomware attackers can also easily leverage AI to overcome various network security protections. A system that can establish a baseline of expected network behavior and then compare all network traffic against it has a significantly higher chance of catching and preventing ransomware in general (though no current product on the market can claim to completely eliminate this threat).
While most NDR products fall short of providing authentic real-time protection, near-real-time NDR is becoming the norm.
Modern enterprise network security teams face a cybersecurity landscape where sophisticated attacks are constantly being refined by bad actors who are often well-versed in the latest tools available on the market. Enhanced NDR is much more robust than legacy tools left over from years past and may well be an appropriate investment for future-facing enterprises, especially those with goals to scale in the coming years. These tools can be quite challenging for cybercriminals to overcome, making it all the more likely that a bad actor moves on to an easier target.
Enterprises relying on legacy tools may not need to start from scratch in order to take advantage of the benefits of NDR. Many tools can be used in tandem with older systems, including those with on-premises hardware connected to cloud environments. These hybrid setups may benefit the most from the addition of complementary NDR.