What is Network Detection and Response (NDR)?


What Is NDR?

Network detection and response (NDR) is a field of cybersecurity that detects malicious activity through the analysis of network traffic. Like endpoint detection and response (EDR), NDR security solutions do not prevent malicious activity. Instead, they aim to stop attack activity in progress before it can result in harm. NDR is distinct from EDR in that it does not use an agent to gain insight into malicious activity, relying instead on a network or virtual tap for analysis of traffic across on-premises and cloud workloads.

According to Gartner and IDC, NDR was the second-fasting growing segment of the security market in 2020, growing at a 25 percent compound annual growth rate (CAGR).

What the industry is saying: read the reports from Gartner and IDC

NDR solutions analyze network traffic to detect malicious activity inside the perimeter—otherwise known as the east-west corridor––and support intelligent threat detection, investigation, and response.

Using an out-of-band network mirror port or a virtual tap, NDR solutions passively capture network communications and apply advanced techniques, including behavioral analytics and machine learning, to identify both known and unknown attack patterns. This data can also be used to perform real-time investigation into post-compromise activity and to forensically investigate incidents. While not all NDR solutions decrypt network traffic, the most advanced solutions provide secure decryption capability to help identify threats hiding within encrypted traffic.


Why NDR?

Threats Are Increasingly Sophisticated

When news first emerged detailing the scale and sophistication of the SUNBURST attacks, many global security teams faced an uncomfortable reality. How could a threat, albeit a state-sponsored one, fly under the radar of so many organizations, and linger for so long without detection?

Sunburst Attack Graphic

Here was an attack that circumvented most of the tools that security leaders rely on: perimeter defenses, endpoint detection, and antivirus. The SUNBURST attacks highlighted the deficiencies of rules- and signature-based detection methods, and exposed the security blind spots left by logging and agent-based approaches.

But even supply chain attacks as sophisticated as SUNBURST cannot hide from the kind of network-based spotlight NDR shines on malicious activity.

Cybercrime Is on the Rise

In the context of the SolarWinds campaign, today's enterprise IT security leaders are increasingly concerned about the threat from nation states. But financially motivated cyber crime is still a more fearsome threat. Backed by an underground economy said to be worth over $1.5 trillion annually, cyber criminals have the tools and the know-how to get what they want. The line is blurred between the activity of cyber criminals and that of state-backed operatives.

Some recent ransomware campaigns increasingly leverage APT-style tools and tactics—including the compromising of Remote Desktop Protocol (RDP) endpoints, credential theft, and lateral movement, and abuse of legitimate Windows tools to hide their activity. Attackers use these techniques to deploy ransomware, as well as to steal data used to guarantee extortion payments are made.

The Attack Surface Is Expanding

The job of cyber defense is made that much harder by the nature of modern IT environments. The traditional notion of a network perimeter perished with the advent of cloud applications, bring your own device (BYOD) policies that opened the door to ubiquitous mobile devices, third-party services, and IoT devices. The latter are particularly problematic as manufacturer updates may be slow and endpoint security is difficult to apply.

A 2019 study claimed that 84% of risk professionals believe their organization will suffer an IoT breach in the following two years. The IoT security challenge is set to explode as 5G networks come online, ushering in a new era of enterprise IoT devices with new risks and vulnerabilities, and dramatically increased traffic to monitor and secure.

Digital transformation efforts encompassing cloud, mobile, and IoT are both expanding the corporate attack surface and making it harder for security teams to gain visibility into suspicious traffic. Cloud is an area of particular opacity—from unnoticed misconfigurations to the unique challenges of cloud forensics. In discussing shared responsibility between cloud providers and cloud customers, Gartner claims that, through 2025, 99% of cloud security failures will be the customer's fault.

The challenge is compounded by the push for "encryption everywhere". Various sources estimate that the vast majority of traffic today is being encrypted, making it difficult to inspect that traffic. Adversaries can disguise their own malicious activity within the encrypted traffic (like in the Chinese hacking of the US Office of Personnel Management) to cross the perimeter or move laterally inside networks. Some 91% of organizations are concerned about losing security visibility due to encryption and cloud adoption.

Darkspace Infographic

All of this comes amidst a massive and potentially permanent shift in the workforce itself which has driven a proliferation of new remote endpoints to protect. Organizations are understandably concerned about home workers taking additional risks online that they might not take in the office, sharing devices and networks with others, and exposing themselves to phishing attempts. Threat actors also stepped up attacks on RDP servers and VPN infrastructure, while many IT teams struggled to prioritize a response at the height of the pandemic.


How NDR Works

NDR evolved from network traffic analysis (NTA), a category of security product which uses network communications as the primary data source to detect and investigate threats. Over time, it became clear that detection and investigation were the beginning, not the end, of what was possible with network-based security analytics. Network security tools not only detect threats, but enable confident and rapid responses.

The category of NDR encompasses the broader, full-spectrum potential of using the network as a key data source for security. NDR products use NTA, but add important layers on top—like historical metadata for investigations and threat hunting and automated threat response through intelligent integrations with firewalls, EDR, NAC, or SOAR platforms.

The Pitfalls of Traditional Tools

Signature-based tools like legacy IDS may have been right for an age when malware was simpler and most threats could be stopped at the perimeter. Neither is true today, and attackers are increasingly adept at blending in by using legitimate credentials and approved services. Using behavioral detection and incorporating signature-based detection, NDR can catch stealthy attacks while still fulfilling the use cases previously covered by intrusion detection systems.

Further, as advanced threats like SUNBURST show, endpoint detection and response (EDR) agents can simply be avoided by sophisticated cyberattackers, while logging-based tools like SIEM can be turned off or have data altered or destroyed. Due to cost reasons, they may also lack the breadth of coverage and historic detail needed for effective detection and response, or forensics.

NDR Advantages

NDR solutions support rapid investigation, internal visibility, intelligent response, and enhanced threat detection across on-premises, cloud, and hybrid environments. Detecting attacks at the network layer works so well because it's extremely difficult for threat actors to hide their activity. While they might switch off or evade endpoint or log data, attackers can't tamper with network information, and they have no way of knowing if they're being observed. Any device that communicates across the network can be immediately discovered.

What's more, while attackers may be able to fool firewalls and traditional IDS by masquerading as legitimate users and services and avoiding signature-based detection, they can't escape NDR. That's because it's almost impossible for them to avoid certain key activities on the network, which NDR can detect. It enhances rules-based detection with machine learning technology to model the behaviors of entities on the network and contextually identify anything that resembles known attack techniques. That means even legitimate-seeming processes may be flagged if their appearance seems unusual.

However, not all machine learning systems are created equal. Those which leverage the speed and scalability of the cloud to execute machine learning models will have an advantage over those that use limited local compute resources.


What's NDR Worth to Your Organization?

With NDR in place alongside EDR and SIEM your organization can achieve Gartner's SOC Visibility Triad).

Visibility Triad Infographic

But what does this mean in practice? The business and IT benefits include:

  • Reduce exposure to risk and the financial and reputational damage associated with serious data breaches and ransomware-related outages
  • Empower under-pressure SOC teams with optimized threat detection and response
  • Enhance IT efficiency with a single workflow for threat detection, response and forensics
  • Close compliance gaps
  • Save money with a single, powerful detection and response tool that works across on-premises, cloud, and hybrid environments
  • Monitor threats to IoT devices which don't have endpoint security installed
  • Support digital transformation projects with the confidence that they will be built on secure foundations