Here we are, in 2023, and the impacts of a global pandemic that started three years ago continue to dog us. Some of us have returned to the office, some of us still work from home, and if ongoing labor shortages weren't challenging enough, fears of a possible recession have had corporate leaders scrutinizing 2023 spending for months.
The good news? Cybersecurity budgets have largely increased, despite troubling macroeconomic trends. According to a recent Gartner forecast, security and risk management budgets are expected to be up 11% globally in 2023. Nevertheless, security leaders will remain focused on demonstrating ROI from these investments, whether by consolidating toolsets, reducing security technology complexity, streamlining analyst workflows, or, of course, preventing attacks.
The Role of NDR in the Cybersecurity Budget
Over the last 3–5 years, forward-thinking security leaders have begun allocating a line item in their budgets for network detection and response (NDR) solutions. They've turned to NDR to close visibility gaps that other security solutions like endpoint detection and response (EDR) and SIEM don't address and to detect the suspicious behaviors on their organization's network that often signal an early-stage attack. In the process of deploying certain NDR solutions, these leaders have discovered that the benefits extend far beyond high-fidelity network monitoring to directly impact the bottom line.
"The [NDR] ROI and justification is that in this day and age with ransomware, zero trust, etc., you want to make sure you're providing real-time reporting and be able to act on it."
– Scott Checkoway, CIO, MedeAnalytics
Reduce Security Toolsets with Network Detection and Response
Retire and Replace Legacy Tools
NDR complements a wide range of security technologies, but it can also allow organizations to replace and retire older solutions with limited use cases, which minimizes technology complexity and optimizes spending. The right NDR solution can take on the functions of several such legacy tools at once.
For example, behavior- and rules-based threat detection from NDR serves as an upgrade for the legacy intrusion detection systems (IDS) that many organizations have long relied on for compliance. Similarly, the network visibility and device inventory capabilities of some NDR solutions can replace older, specialty network device inventory tools, vulnerability scanners, and network testing devices, with one caveat: NDR observes traffic passively, so it only learns about devices, services, and weaknesses that actually appear on the wire, and it cannot substitute for authenticated or active scanning of hosts that rarely communicate. NDR solutions that collect data at the packet level can also eliminate the need for standalone packet capture (PCAP) appliances.
How NDR Increases ROI for Other Security Tools
While NDR can replace some specialty tools, it's not quite a security Swiss army knife. Other best-in-class solutions, including endpoint and log-based systems, are a necessary part of a successful security strategy, but organizations can use NDR to extend visibility and enhance the functions of these other solutions. Integrated data feeds and workflows across NDR, EDR, and SIEM help make existing tools more effective at their core function, which helps CISOs derive greater value from their investments.
NDR platforms integrate with endpoint detection and response (EDR), SIEM, and SOAR tools to extend visibility and increase automation—a strategy that can be adopted as part of a best-in-class XDR solution. Integrated NDR can extend the quarantine and response capabilities of an EDR solution to unmanaged IoT devices that cannot run an agent, and it can enhance SOAR playbook accuracy by adding high-quality data feeds from hard-to-monitor areas such as encrypted protocols (where the NDR solution can either decrypt the traffic out of band or analyze its metadata without decryption). Finally, for network forensics, the ability to view and correlate log data alongside network insights gives analysts the context they need to quickly identify the root cause of an incident.
Complement Cloud-Native Detection Toolsets
As organizations increase cloud adoption, security teams have adopted specialty cloud security tools and services as part of their security strategy. SaaS-based NDR works well as a complement to these tools.
NDR coverage typically includes connected devices, cloud workloads, and services, enabling threat detection across cloud and on-premises workloads in a single solution. These detection capabilities complement both cloud workload protection platforms (CWPP), which monitor and detect threats in container and virtual machine workloads, and cloud access security brokers (CASB), which provide visibility into, and policy enforcement on, the traffic between end users and cloud applications.
How NDR Reduces SecOps Workloads
Tool complexity has a clear impact on security outcomes: Among the top factors that slow response times, security leaders in the US and Europe cited "too much data to find real insights," according to the ExtraHop Cyber Confidence Index 2022. Integrated NDR alleviates this data overload, easing investigation and response workloads for SecOps analysts.
Even without integration, NDR solutions that focus on intuitive user interfaces make root cause analysis, and finding and mitigating hygiene gaps, easier. A well-designed UI can even make more complex tasks, such as threat hunting, more accessible, raising the level at which junior analysts can work and helping to bridge the ever-present skills gap.
According to the 2021 SANS Modernizing Security Operations survey, staffing was among the top reported challenges, just behind complexity. Churn is costly enough as it is, but overworked, understaffed security teams also pose a potentially costlier security risk: missing an attack in progress. By adopting toolsets that reduce complexity, security leaders can reduce pressure on their teams, help them work more efficiently and effectively, and ultimately reduce spending over the next year and beyond.
Avoid the Unexpected Costs of a Breach
The most important and direct line to savings for NDR adopters is the ability to detect threats before they become breaches, avoiding costs that averaged $4.35 million per breach last year according to the IBM 2022 Cost of a Data Breach Report. Beyond recovery costs, fines, and insurance premium increases, expenses extend far beyond IT budgets into lost revenue and brand damage, making breaches not only a security problem but a business problem.
Attackers are succeeding by evading endpoint and perimeter defenses: half of all intrusions involve obfuscation, a technique designed to evade EDR or firewall detection, according to the Mandiant M-Trends 2022 Report. The proof that these evasion techniques are working is in the numbers: 85% of security and IT leaders in the U.S. and Europe reported at least one ransomware attack at their organization in the past five years, according to the ExtraHop Cyber Confidence Index 2022. Of those, 30% reported six or more, making these attacks a very expensive business problem.
NDR stops more breaches by extending visibility into all aspects of a network, including cloud, IoT, and (depending on the provider) encrypted traffic. This gives security teams a last line of defense against threats that evade endpoint agents, firewalls, and intrusion detection systems. The reason this layer works is that post-compromise activity, such as internal reconnaissance, lateral movement, privilege escalation, and data staging, generates network traffic even when the compromised host's own telemetry has been disabled or tampered with, so security teams get a second chance to detect signs of compromise along the kill chain.
Streamlined workflows from integration and reduced tool complexity will help reduce line items on a security budget, but overarching costs and ramifications from a successful breach have the capacity to severely stunt a business. For security leaders re-examining their 2023 budgets, adding NDR becomes a crucial cost-saving solution. Amid a slowing economy, it may even be a business-saving strategy.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.