What is Network Detection and Response?

What does an NDR solution do?

NDR solutions continuously monitor and analyze raw enterprise network traffic to generate a baseline of normal network behavior. When suspicious network traffic patterns that deviate from this baseline are detected, NDR tools alert security teams to the potential presence of threats within their environment.

Why do you need an NDR solution?

Networks are extending into the cloud and continuously growing in both size and complexity. This has led to an unprecedented volume of data traversing the distributed network and created a perfect environment for malicious actors to hide in. NDR solutions solve this problem by collecting telemetry from network devices and applying analytical techniques like machine learning to detect threats that other tools miss.

How does NDR enhance your security?

NDR solutions and tools can:

• Detect anomalous network traffic that traditional tools miss by applying non-signature-based detection techniques such as behavioral analytics and machine learning.
• Model a baseline of what normal network behavior looks like and alert security teams on any suspicious traffic that falls outside of that normal range.
• Monitor all traffic flows—whether entering and exiting the network or moving within the network—so that teams have the extended visibility needed to identify and mitigate security incidents, regardless of where a threat originates.
• Analyze raw network telemetry in real-time or near real time and provide timely alerts to allow teams to improve incident response times.
• Attribute a malicious behavior to a specific IP address and perform forensic analyses to determine how threats have moved laterally within an environment. This allows teams to see what other devices might be infected, leading to faster incident response and threat containment, and better protection against unfavorable business impacts.
• Provide response capabilities that can enhance manual incident response and threat hunting efforts or streamline operations and save teams time through automation.

What to look for in an NDR solution

Contextual networkwide visibility

Without contextual networkwide visibility, security teams are essentially blind. NDR solutions must provide a comprehensive view into all enterprise devices, entities, and network traffic. They must monitor and analyze all traffic flows in real time and monitor and analyze not only traffic that enters and exits the environment, but also all traffic that moves laterally across the network.

Deploying an NDR tool with context-rich visibility provides a full picture of network activity. Security teams can see which users are on their network, what devices they are interacting with, where they are accessing the network from, and what kind of data they are sharing. This visibility enables them to not only detect threats but also determine their source, where else they may have propagated, and which users have been compromised. It also provides other useful forensic information such as a user's location, device type, event time stamps, and more.

As organizations move to a cloud-first strategy, NDR solutions should also provide visibility in multiple cloud environments.

Behavioral, non-signature-based detection techniques

Non-signature-based advanced analytical techniques, such as machine learning and behavioral modeling, establish a baseline of what normal network activity looks like. NDR tools should be able to quickly identify and issue alerts related to suspicious traffic deviating from the normal range that traditional signature-based tools miss. Examples include if an attacker is using lost or stolen credentials to gain access or if a malicious employee is involved in hoarding and/or exfiltrating sensitive data.

With nearly 75 percent of all network traffic being encrypted, NDR solutions also should be able to analyze encrypted traffic without decryption and detect threats that attempt to cloak themselves in encrypted traffic. In addition, NDR solutions should correlate global threat intelligence to local threats to thwart attackers that attempt to infect multiple victims with the same malware.

Accelerated threat response

By combining context-driven, enterprisewide visibility and advanced analytical techniques, NDR tools should be able to pick up on early signs of attacks. Their advanced threat detection capabilities should, for example, identify unusual remote access, port scanning, the use of restricted ports or protocols, etc.

Best-in-breed NDR solutions provide high-fidelity alerts prioritized by severity, automated response capabilities to save teams time, and manual response capabilities to enhance threat hunting and incident response efforts.