Saturday, November 26, 2022

How Network Detection & Response (NDR) Works

Network detection and response (NDR) is network security software that identifies and stops network threats that have gone undetected by traditional network gatekeeping tools. 

NDR software examines traffic for unusual or unexpected network behaviors that could indicate an imminent cybersecurity attack or data breach. NDR is sometimes called network traffic analysis (NTA). See below to learn how NDR solutions work:

How does NDR work?

What technology is used for network detection and response?

NDR products can utilize multiple technologies to analyze network traffic, but most frequently they rely on machine learning and behavioral analytics. These technologies continuously analyze raw traffic and flow records to build models (a “baseline”) of expected network behavior. When NDR detects anomalous, unexpected network activity that deviates from this baseline, it raises an alert for the network security team to review. Depending on how filters are configured, the potentially anomalous traffic is either blocked outright or allowed to pass, and is then restricted or permitted once analysts have reviewed the alert. 
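The baseline-and-deviation idea in that paragraph, as an added example that is not the page's own code: it builds a per-host model from constructed flow records (the set of destinations seen plus the mean and standard deviation of bytes per flow, an assumed simplification of what a commercial product models) and reports the reasons a live flow breaks that baseline.

```python
import statistics
from collections import defaultdict

# Constructed flow records, not real telemetry: (src_host, dst_host, bytes_out).
BASELINE_FLOWS = [
    ("ws-01", "fileserver", 1_200), ("ws-01", "fileserver", 1_450),
    ("ws-01", "mail", 800),         ("ws-01", "fileserver", 1_300),
    ("ws-01", "mail", 950),         ("ws-01", "fileserver", 1_100),
    ("db-01", "backup", 48_000),    ("db-01", "backup", 52_000),
    ("db-01", "backup", 50_500),    ("db-01", "backup", 49_800),
]

# Constructed "live" flows to score against the baseline (203.0.113.9 is a documentation address).
LIVE_FLOWS = [
    ("ws-01", "fileserver", 1_250),        # normal
    ("ws-01", "203.0.113.9", 9_000_000),   # new destination and huge volume
    ("db-01", "backup", 50_000),           # normal
    ("db-01", "ws-02", 500),               # new destination only
    ("laptop-9", "mail", 100),             # host never seen during baselining
]

def build_baseline(flows):
    """Per-source model: known destinations plus mean/stdev of bytes per flow."""
    sizes, dests = defaultdict(list), defaultdict(set)
    for src, dst, nbytes in flows:
        sizes[src].append(nbytes)
        dests[src].add(dst)
    return {
        src: {"dests": dests[src],
              "mean": statistics.mean(s),
              "stdev": statistics.pstdev(s) or 1.0}  # constant traffic: avoid division by zero
        for src, s in sizes.items()
    }

def score_flow(baseline, flow, z_threshold=3.0):
    """Return the reasons a flow deviates from the baseline ([] means it looks normal)."""
    src, dst, nbytes = flow
    if src not in baseline:
        return ["unknown source host"]
    model, reasons = baseline[src], []
    if dst not in model["dests"]:
        reasons.append(f"new destination {dst}")
    z = (nbytes - model["mean"]) / model["stdev"]
    if z > z_threshold:
        reasons.append(f"volume z-score {z:.1f} above {z_threshold}")
    return reasons

def detect(baseline, flows):
    """List (flow, reasons) for every flow that deviates from the baseline."""
    scored = [(f, score_flow(baseline, f)) for f in flows]
    return [(f, r) for f, r in scored if r]
```

In a real deployment the baseline would be rebuilt on a rolling window and the alerts fed to the SOC queue the paragraph describes; the z-score threshold is the knob analysts tune to trade false positives for coverage.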

It is important to distinguish NDR as a network security tool from more traditional rules-based network security approaches like standalone SIEM (security information and event management), which rely strictly on predetermined rules. Modern NDR analyzes raw network traffic as it flows rather than “looking back” at logs of traffic that has already crossed the network — as a result, modern NDR, whether as a standalone product or used in conjunction with legacy network security tools, can provide much more comprehensive coverage. NDR can also gather network traffic data from existing network infrastructure, including firewalls. 

Along with SIEM and Endpoint Detection & Response (EDR), NDR is one of the three pillars of Gartner’s “SOC Visibility Triad.” When all three approaches are used together effectively, enterprise security is vastly improved. 

What is the environment for network detection and response software?

NDR is well-suited for enterprise networking environments, including those that serve a distributed workforce across multiple locations. These tools are highly valuable for organizations handling hundreds or thousands of endpoints, as is often the case for organizations relying on data inputs from IoT sensors and monitors or communications tools used in the field. NDR helps to centralize and manage the unwieldy task of monitoring huge amounts of network traffic flowing in and out of an enterprise network at lightning fast speeds.

Typically, NDR software is deployed on-premises, but managed cybersecurity providers are increasingly offering “as-a-service” products that are hosted and managed remotely. In either case, SOC teams must be able to respond to alerts and make or recommend frequent adjustments to NDR settings. 

What is the core functionality of network detection and response software?

At its heart, NDR is intended to further protect enterprise networks that are already being monitored and protected in other ways. NDR is rarely used on a standalone basis — instead, it is a core component of a unified network security approach that adds technology like machine learning and other AI-driven enhancements to the mix. 

Advanced NDR solutions give enterprises insights into network traffic not available through traditional security tools, from all directions, not just ingress and egress traffic (though egress traffic analysis can uncover threats originating from malicious insiders). In effect, NDR can also detect anomalous traffic behaviors that remain inside a network (east-west traffic), as well as traffic entering and exiting cloud environments. 

True NDR can be an improvement over NTA tools that trigger an excessive amount of false positive flags. Enterprises may find it is worth the investment to partner with a company that has the capability and knowledge to access advanced AI technology, which is better able to sift true threats from likely false positive threats. This can be a marked advantage for SOCs where analysts are spending precious time sorting through mountains of false positive flags. 

One significant benefit of bringing an NDR solution on board is its ability to help protect against ransomware, which has emerged as one of the biggest and most difficult-to-overcome cyberthreats of this century. Today’s ransomware attackers don’t even need to be tech savvy to deploy attacks, thanks to the advent of Ransomware-as-a-Service (RaaS). Ransomware attackers can also easily leverage AI to overcome various network security protections. A system that can establish a baseline of expected network behavior and then compare all network traffic against it has a significantly higher chance of detecting and preventing ransomware in general (though no current product on the market can claim to completely eliminate this threat). 

While most NDR products fall short of providing authentic real-time protection, near-real-time NDR is becoming the norm. 

Bottom line

As distributed networks have become more common, “signature-based” tools like intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) have become less effective. NDR provides enterprises with the ability to analyze network threats more broadly, from many sources, including those with no known signature and those appearing in cloud environments. 
