
Network Detection & Response vs. Network Traffic Analysis


Chase Snyder

September 12, 2019

What Is Network Detection & Response (NDR)?

Network detection and response (NDR) is a new category of security solutions that complement and go beyond the capabilities of log analysis tools (SIEM) and endpoint detection & response (EDR) products. NDR is an excellent first step toward a more proactive security posture, as it yields immediate benefits and is generally easier to deploy and configure than SIEM and EDR.

NDR products monitor east-west traffic, or communications within the network itself, and apply advanced behavioral analytics like cloud-scale machine learning in order to rapidly detect, investigate, and respond to threats that would otherwise remain hidden. This is true whether the environment is on-premises, in the cloud, or a hybrid environment spanning both on-premises and cloud.

The recent release of traffic mirroring in the cloud for Azure and AWS customers cemented the pivotal role NDR plays in modern security operations. By granting customers real-time visibility into east-west cloud traffic, NDR products finally made Gartner's SOC Visibility Triad (a security infrastructure framework designed to help organizations secure cloud and hybrid environments) a viable reality for hybrid environments.

NDR solutions are the foundation of the triad, providing full visibility across the entire network with real-time threat detection, while integrations with EDR and SIEM products enable seamless correlation of data. In this scheme, NDR solutions provide visibility into network or wire data, EDR does the same for endpoint data, and SIEM primarily aggregates log data.

What Is Network Traffic Analysis (NTA)?

Gartner previously defined Network Traffic Analysis (NTA) as an emerging category of security product using network communications as the primary data source for threat detection and investigation within a network. Note the lack of "response" anywhere in that definition.

In February of 2019, Gartner published an inaugural Market Guide for Network Traffic Analysis, but shortly afterwards it became clear to the industry that this was just the beginning of a conversation on terminology in the analyst space about NTA and NDR.

In June of 2020, Gartner changed the category name and published their 2020 Market Guide for Network Detection and Response.

NDR vs. NTA: Why the Shift in Terminology?

When it became clear that network traffic analysis as a technological process would be a crucial factor in cloud and hybrid security—because without it, customers would have no fast and scalable way to see threats infiltrating their increasingly permeable networks, or to locate misconfigurations in real time—NTA received a lot of hype. And for good reason!

But as the industry blessed the category and vendors began to push the limits of their technology, particularly of the advanced behavioral analytics that make real-time, high fidelity threat detection possible, we also began to understand that detection and investigation are the beginning, not the end, of what's possible with network-based security analytics. Network-based solutions should not only detect threats, but enable confident and rapid responses.

To that end, NDR is an attempt to make room for the broader, full-spectrum potential of network traffic analysis. NDR products use NTA, but add historical metadata for investigations and threat hunting, and automated threat response through intelligent integrations with firewalls, EDR, NAC, or SOAR platforms.

NDR Use Cases and Examples

There are a number of areas where NDR products provide unique value, and you can learn about a few of them below:

  1. Framework Support: Helping security teams use frameworks like MITRE ATT&CK and the CIS Top 20 Controls to greatest effect by detecting a significant number of subtle attack tactics and techniques that SIEM and EDR products can't see.
  2. Insider Threat Detection: Detecting (and evaluating) shadow IT so organizations can secure their assets, monitor for misuse of unsanctioned apps, and give employees a chance to show the organization which technology they need to be successful.
  3. Security Hygiene: Spotting suspicious activity, subpar encryption practices, and "phoning home" from third-party vendors, making it far easier to maintain data security, privacy, and compliance.

You can get a hands-on feel for the benefits and use cases of NDR by exploring the fully working product demo of ExtraHop Reveal(x), our NDR solution powered by cloud-scale machine learning.
