We live in a post-compromise world. Nation-states and advanced persistent threat organizations have proven adept at thwarting traditional security measures. Growing recognition of this new reality has forced a massive shift in enterprise security budgets as security operations teams focus increasingly on detection and response.
But threat detection and response can take many forms. Much of the focus has centered on more traditional approaches, including endpoint detection and response (EDR) and SIEM, but the need for visibility across multicloud and hybrid environments, distributed workforces, and IoT deployments demands a new approach.
Gartner has just released their 2020 Market Guide for Network Detection and Response, which has (again) included ExtraHop as a Representative Vendor*. In our view, the guide provides a useful analysis of the category, including how network detection and response is being used today, recommendations for implementation, and predictions for the future of the category.
So what exactly is NDR? Here is Gartner's official definition:
"NDR solutions primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect suspicious traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing traffic from strategically placed network sensors."
"Response is also an important function of NDR solutions. Automatic responses (for example, sending commands to a firewall so that it drops suspicious traffic) or manual responses (for example, providing threat hunting and incident response tools) are common elements of NDR tools. In 2019, Gartner named this market 'network traffic analysis.' This year, we renamed it 'network detection and response,' because this term more accurately reflects the functionality of these solutions."
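The definition above describes the core NDR loop: learn a model of normal traffic from flow records, alert on deviations in both north/south and east/west traffic, and hand only high-confidence alerts to an automated response. The following Python sketch is an added illustration of that loop; it is not ExtraHop product code and is not taken from the Gartner guide. The flow records, the choice of RFC 1918 ranges as "internal", the volume threshold, the severity rule and the firewall rule format are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumption: the enterprise's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields this example needs."""
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """East/west if both endpoints are internal; north/south if the flow crosses the perimeter."""
    return "east/west" if is_internal(flow.src) and is_internal(flow.dst) else "north/south"


class Baseline:
    """Model of 'normal' behaviour per source host, learned from raw flow records."""

    def __init__(self, volume_factor: float = 5.0) -> None:
        self.volume_factor = volume_factor  # assumed threshold; tune per environment
        self.peers: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)  # (dst, dport) seen per host
        self.max_bytes: Dict[str, int] = defaultdict(int)  # largest single flow seen per host

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            self.peers[f.src].add((f.dst, f.dport))
            self.max_bytes[f.src] = max(self.max_bytes[f.src], f.bytes_out)

    def deviations(self, flow: Flow) -> List[str]:
        """Reasons the flow departs from the learned model; an empty list means 'normal'."""
        if flow.src not in self.peers:
            return ["source host never seen during learning"]
        reasons = []
        if (flow.dst, flow.dport) not in self.peers[flow.src]:
            reasons.append(f"new {direction(flow)} peer {flow.dst}:{flow.dport}")
        if flow.bytes_out > self.volume_factor * self.max_bytes[flow.src]:
            reasons.append(f"{flow.bytes_out} bytes exceeds {self.volume_factor}x the host's baseline maximum")
        return reasons


@dataclass
class Alert:
    flow: Flow
    reasons: List[str]
    severity: str  # "medium" goes to an analyst; "high" may trigger an automatic response


def evaluate(baseline: Baseline, flow: Flow) -> Optional[Alert]:
    reasons = baseline.deviations(flow)
    if not reasons:
        return None
    # Assumed severity rule: two independent deviations, or a volume spike leaving the perimeter.
    volume_spike = any("exceeds" in r for r in reasons)
    high = len(reasons) >= 2 or (volume_spike and direction(flow) == "north/south")
    return Alert(flow, reasons, "high" if high else "medium")


def firewall_response(alert: Alert) -> Optional[dict]:
    """Automatic response (a drop rule for the firewall) only for high-severity alerts;
    gating on severity keeps a lone 'new peer' observation from blocking legitimate traffic."""
    if alert.severity != "high":
        return None
    return {"action": "drop", "src": alert.flow.src, "dst": alert.flow.dst, "dport": alert.flow.dport}


# Constructed learning window: a workstation using an internal web app, DNS and one SaaS host,
# and a file server using a share and DNS.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 443, 1_500),
    Flow("10.0.1.10", "10.0.2.5", 443, 2_200),
    Flow("10.0.1.10", "10.0.0.53", 53, 120),
    Flow("10.0.1.10", "203.0.113.20", 443, 40_000),
    Flow("10.0.3.7", "10.0.2.9", 445, 8_000),
    Flow("10.0.3.7", "10.0.0.53", 53, 90),
]

# Constructed observation window: one normal flow, one new east/west peer, and one large
# transfer to a never-seen address that crosses the perimeter.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 443, 1_800),
    Flow("10.0.1.10", "10.0.2.9", 445, 3_000),
    Flow("10.0.3.7", "203.0.113.77", 443, 500_000),
]


def run() -> List[Alert]:
    baseline = Baseline()
    baseline.learn(BASELINE_FLOWS)
    return [a for a in (evaluate(baseline, f) for f in OBSERVED_FLOWS) if a is not None]


if __name__ == "__main__":
    for alert in run():
        print(alert.severity, alert.flow, "; ".join(alert.reasons), firewall_response(alert))
```

Running it yields two alerts: a medium one for the workstation's first-ever SMB connection to 10.0.2.9 (routed to an analyst, no automatic action) and a high one for the file server's large transfer across the perimeter, which produces a drop rule. A production NDR sensor learns far richer models (protocol behaviour, timing, peer groups) than a per-host peer set and byte ceiling, but the shape is the same: baseline, deviation, severity, then a response whose automation is gated on confidence.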