Friday, April 30, 2021, marked a watershed moment for the network detection and response category. Darktrace, one of the top three players in the category alongside ExtraHop and Cisco Stealthwatch according to IDC, debuted on the London Stock Exchange.
A few weeks ago, we wrote about how the impending Darktrace IPO was one of the leading indicators that the NDR category is poised to be the next breakout segment of the cybersecurity market. As my colleague Mark Bowling recently said when joining ExtraHop, "Nature hates a vacuum, and true to form, network detection and response is rushing in to fill a huge visibility gap left unaddressed by any other technology on the market today."
Growing Need for Advanced Cybersecurity
To understand the rapid growth of NDR, look to recent events. SUNBURST dominated the news cycle in late 2020, a year that was already marred by rising threats, many of which egregiously targeted vulnerable industries such as healthcare. The events of 2020 proved that advanced cyberthreats are getting bolder and more sophisticated, prompting organizations to rethink their approach to cybersecurity.
As we rolled into 2021, news broke that the REvil attack was responsible for the largest cyber ransom demand to date at $50 million USD. The attack also raised awareness of a jarring new ransomware tactic: attackers are now combining data exfiltration and encryption to boost leverage, increasing the chances of a payout.
While REvil made history, the attack followed a trend: on average, the entire world is spending more per breach. Research by IBM and the Ponemon Institute found that the global average cost of a data breach is $3.86 million—a figure that has risen 10% over the last five years. To reduce risk, organizations are seeking out tools that can aid faster threat detection and response, helping avoid the high costs associated with a breach.
NDR on Cybersecurity Experts' Radar
As security teams sought out ways to outsmart advanced persistent threats, NDR proved that it's a technology worth its salt. At ExtraHop, we've seen this firsthand. We saw how NDR detected SUNBURST indicators of compromise while allowing organizations to respond fast without wading through oceans of log data. We've also seen it effectively stop a ransomware attack very similar to the record-breaking REvil attack.
As an NDR provider, we're clearly biased—but it's not just us. Trusted organizations, including Gartner, have recognized the importance of NDR beyond their early 2019 report on the SOC visibility triad. A recent Gartner blog post named NDR as a defense against sophisticated supply chain attacks like SUNBURST. Gartner has also given NDR a benefit rating of "High" in their priority matrix according to the Hype Cycle for Security Operations, 2020.
Darktrace was among the first players in the NDR space and has helped to drive awareness of the foundational importance of network intelligence in security—now a well-accepted notion among institutions from Gartner to the NSA, which recently noted that network monitoring is crucial to zero trust, among other security initiatives.
While Darktrace may be the first NDR vendor to go public, ExtraHop Reveal(x) 360 offers competitive advantages in several key areas. Our cloud-native approach provides visibility across hybrid and multicloud environments at the massive scale required by most large enterprises. Instead of relying on Encrypted Traffic Analytics (ETA), Reveal(x) offers deep-packet decryption so you can detect attacks that require traffic decryption and full protocol analysis, such as server-side request forgery (SSRF), Golden Ticket, SQL injection over SSL/TLS, and cross-site scripting over HTTPS.
While Darktrace's machine learning (ML) offers strong detection capabilities, its on-box detection limits the quantity of traffic features its ML can utilize and creates a plateau beyond which its detection capabilities cannot scale. ExtraHop uses cloud-scale ML, providing more traffic features to utilize and greater scalability. Reveal(x) 360 captures and retains critical information, not just detection-oriented data, enabling advanced threat hunting and historical post-breach analysis. The result is a tool that is able to identify and scope previously unknown breaches, a critical capability as demonstrated by attacks such as SUNBURST.
ExtraHop Reveal(x) 360 also extends beyond NDR, with next-generation IDS capabilities that apply our advanced behavioral and ML-based detections to the device edge. Our platform also provides strong network forensics capabilities, with a minimum of 90 days of lookback at network telemetry records. This approach enables our customers to dynamically detect, investigate, and respond to known and unknown threats from the data center to the campus to the cloud. We amplify the efficacy of our platform through integrations with leading partners like CrowdStrike, delivering a best-of-breed approach to XDR.
For the vendors in the category that offer enterprise scale and capabilities that extend beyond the parameters of NDR, the market opportunity is even greater. Large organizations from financial institutions to technology companies to government entities are quickly waking up to the need to include network intelligence as part of their advanced defense strategy. As these organizations accelerate adoption, NDR vendors that offer scale and visibility across hybrid environments will continue to see strong growth and increased valuations.