Network Detection & Response (NDR) is an emerging category of security product that uses network traffic analysis (NTA) to fulfill a critical part of Gartner's SOC Visibility Triad. In this blog series, we'll look at how NDR products compare to traditional security tools including SIEM and IPS.
Enterprise security. For some people, those words conjure up images of red-shirted crew members about to be zapped by creatures beefing with the United Federation of Planets. For others, enterprise security means finding ways to protect ever-expanding attack surfaces of their corporate networks and revenue-generating applications.
If you've landed here, you're probably at least in the latter group and interested in discovering how network detection and response (NDR) products stack up against intrusion detection systems (IDS) — so let's boldly go a little deeper.
NDR solutions analyze network communications to detect and investigate threats, anomalous behaviors, and risky activity like unmanaged honeypots in production environments. Intrusion detection systems monitor the perimeter of networks for intruders and can fire alerts if they detect an attack.
How NDR Works
Network Detection & Response (NDR) products are powered by network traffic analysis (NTA), or the real-time inspection of network communications in order to detect and investigate threats, anomalous behaviors, and risky activity from layer two through layer seven.
By analyzing every transaction and reconstructing every conversation on the network through full-stream reassembly, NDR products can provide more conclusive insights into security events, and forensic-level evidence that SecOps teams can use to understand and report the exact scope of incidents.
Fueled by rich wire data, NDR products use advanced machine learning to identify anomalous behaviors and security incidents, trigger automated investigations, fire alerts, and in some cases trigger automated responses through integrations with firewalls, SOAR products, and other in-line response solutions.
Watch the 4-minute video for an introduction to NDR with live examples of an NDR product's features and capabilities:
How IDS Works
Although younger than a certain space-themed TV show referenced earlier, a traditional intrusion detection system is pretty old-school tech by modern enterprise standards. Located behind the firewall, IDS products were created to detect vulnerability exploits in a target application or computer by comparing observations against a database of known malicious threats, similar to the way antivirus software detects malware. IDS threat databases must be constantly (and manually) updated, and IDS products only provide surface-level insight into perimeter attacks with little to no investigation or response capabilities.
While a good IDS is still an important part of the Security Operations team's tool set, it covers only a limited range of the capabilities needed for proactive enterprise security.
What IDS Can Do
Intrusion detection systems serve as a listen-only monitoring tool, which means they can detect suspicious behaviors based on programmable signatures, plus provide data packets and fire alerts.
What IDS Can't Do
Intrusion detection systems are primarily focused on north-south traffic and detecting threats at the perimeter. They mostly lack visibility into internal traffic, meaning that once even one attacker gets inside the network, the IDS is of no further use for detecting them. Beyond that, IDS products usually can't detect new or evolving threats outside of their database of signatures, so rapidly innovating attackers can stay one step ahead with ease. In a sense, IDS is always fighting the previous war rather than the current one. IDS also cannot execute automated investigations or responses and requires a human administrator or partner platform such as an intrusion prevention system (IPS) to take action.
The Next Evolution of IDS
There have been great improvements in cybersecurity, such as endpoint detection and response (EDR) and security information and event management (SIEM) solutions. However, these technologies still lack the broad visibility needed to improve the quality of alerts and eliminate blind spots.
NDR products quickly decode dozens of protocols and extract thousands of machine learning features to pinpoint late-stage attack behaviors with context and evidence. Because NDR uses machine learning to create predictive behavior profiles rather than relying on signatures as a baseline for detection, it can find previously unseen security threats and detect low-and-slow tactics, techniques, and procedures that signature-based systems often miss.
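To make the contrast between the signature-bound, perimeter-only IDS described under "What IDS Can't Do" and the behavior-profile approach described here concrete, the following is an added, deliberately simplified illustration (not code from the page or from any NDR or IDS product). The flow records, the signature list, the internal address range and the z-score threshold are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (src, dst, dport, payload_hint).
# Assumption for this example: anything in 10.0.0.0/8 is internal.
def is_internal(ip):
    return ip.startswith("10.")

# Stand-in for an IDS signature database: only known-bad payload tokens.
SIGNATURES = {"cmd.exe /c whoami", "/etc/passwd"}

def ids_detect(flows):
    """Perimeter IDS: sees only north-south flows and matches only known signatures."""
    hits = []
    for src, dst, dport, hint in flows:
        if is_internal(src) and is_internal(dst):
            continue  # east-west traffic never passes a perimeter sensor
        if any(sig in hint for sig in SIGNATURES):
            hits.append((src, dst, dport))
    return hits

def ndr_fanout_anomalies(baseline_flows, live_flows, zscore=3.0):
    """Behavior profile: per-source count of distinct internal destinations.
    A source whose live fan-out sits more than `zscore` standard deviations above
    the learned population baseline is flagged, with no signature involved."""
    def fanout(flows):
        seen = defaultdict(set)
        for src, dst, _, _ in flows:
            if is_internal(src) and is_internal(dst):
                seen[src].add(dst)
        return {s: len(d) for s, d in seen.items()}
    base = list(fanout(baseline_flows).values())
    mu, sigma = mean(base), pstdev(base) or 1.0  # avoid divide-by-zero on a flat baseline
    return {s: n for s, n in fanout(live_flows).items() if (n - mu) / sigma > zscore}

# Constructed learning window: five workstations, each reaching 2-3 internal services.
BASELINE = [
    ("10.0.0.1", "10.0.0.50", 443, ""), ("10.0.0.1", "10.0.0.51", 445, ""),
    ("10.0.0.2", "10.0.0.50", 443, ""), ("10.0.0.2", "10.0.0.52", 389, ""), ("10.0.0.2", "10.0.0.53", 53, ""),
    ("10.0.0.3", "10.0.0.50", 443, ""), ("10.0.0.3", "10.0.0.53", 53, ""),
    ("10.0.0.4", "10.0.0.51", 445, ""), ("10.0.0.4", "10.0.0.52", 389, ""), ("10.0.0.4", "10.0.0.53", 53, ""),
    ("10.0.0.5", "10.0.0.50", 443, ""), ("10.0.0.5", "10.0.0.53", 53, ""),
]
# Constructed live window: baseline traffic, one host sweeping 20 internal peers on
# SMB with an ordinary-looking payload, and one external request that does match a signature.
SWEEP = [("10.0.0.7", f"10.0.1.{i}", 445, "SMB2 NEGOTIATE") for i in range(1, 21)]
LIVE = BASELINE + SWEEP + [("203.0.113.9", "10.0.0.50", 80, "GET /etc/passwd HTTP/1.1")]
```

Run against `LIVE`, `ids_detect` returns only the external signature hit and never sees the internal sweep, while `ndr_fanout_anomalies(BASELINE, LIVE)` flags `10.0.0.7` purely on its deviation from the learned fan-out profile.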
When SOC analysts can see more, they know more clearly how to stop advanced threats. IDS is long overdue for an upgrade, and the next evolution should include key NDR capabilities to build a stronger security posture and maintain compliance requirements.