
Network Detection and Response (NDR) Defined: Benefits, Use Cases, Features and Capabilities

ExtraHop

January 27, 2025

What Is Network Detection and Response (NDR)?

Network detection and response (NDR) refers to cybersecurity products that ingest and analyze network traffic to detect malicious activity. Where endpoint detection and response (EDR) tools collect and analyze endpoint data and behavior, network detection and response solutions work off of wire data from network packets traversing the east-west and north-south corridors.

According to Gartner®, “Network detection and response (NDR) products detect abnormal system behaviors by applying behavioral analytics to network traffic data. They continuously analyze raw network packets or traffic metadata within internal networks (east-west) and between internal and external networks (north-south). NDR products include automated responses, such as host containment or traffic blocking, directly or through integration with other cybersecurity tools. NDR can be delivered as a combination of hardware and software appliances for sensors, some with IaaS support. Management and orchestration consoles can be software or SaaS.”

Retired NSA Director Rob Joyce called passive network monitoring systems an attacker’s “worst nightmare” during a talk in 2016. Specifically, he said, “...one of your worst nightmares [as an attacker] is that out-of-band network TAP that’s really capturing all the data, understanding anomalous behavior going on, that somebody’s paying attention to.”

How Does NDR Work?

Network detection and response solutions work by taking a copy of an organization’s network traffic, whether through a SPAN port (also known as port mirroring), a TAP, or a packet broker, and sending it to an appliance that rebuilds copies of the “conversations” taking place among devices connecting to a network. The appliance pulls and stores all the useful information from those conversations, including MAC addresses, IP addresses, the ports that devices are connecting to, and more.

NDR solutions then apply machine learning to distinguish normal network behavior from suspicious network behavior. Some NDR solutions perform machine learning on the appliance. Others do it in the cloud. The benefit of doing machine learning in the cloud is that machine learning is a compute-intensive process, and the cloud can scale on the fly to handle much higher volumes of data. If machine learning is performed on the appliance and the appliance gets overloaded, it’s not a quick or easy process to install another appliance to handle the increased load.

NDR solutions also perform behavioral analysis and analyze signatures for known indicators of compromise (IoCs). By conducting machine learning, behavioral analysis, and signature analysis, NDR solutions are capable of detecting both known and novel threats.

Most NDR solutions sit out of band (i.e., outside the path of network traffic). The benefit of an out-of-band NDR solution is that it won’t degrade network performance: it works only from a copy of the traffic, so it can’t interfere with or alter the original packets.
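To make the three steps above concrete (rebuild conversations from a mirrored copy of the packets, extract the per-conversation metadata, then apply signature and behavioral checks), here is an added example. It is not ExtraHop code; the packet records are constructed with documentation-range addresses and made-up MACs, and the IoC list and service baseline are assumptions standing in for a threat-intelligence feed and a learned model of normal behavior.

```python
"""Rebuild the 'conversations' an NDR appliance pulls out of mirrored traffic,
then score each one with a signature (IoC) check and a behavioural baseline.

Added example, not ExtraHop's code. Packet records are constructed (RFC 5737
and RFC 1918 addresses, made-up MACs); KNOWN_BAD_IPS and BASELINE_SERVICES are
assumptions standing in for threat intel and a learned model.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: a tiny indicator list; a real one would come from threat intel.
KNOWN_BAD_IPS = {"198.51.100.23"}
# Assumption: (server_ip, server_port) pairs observed during a learning period.
BASELINE_SERVICES = {("10.0.0.5", 445), ("10.0.0.9", 443)}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Conversation:
    client: tuple          # (ip, port) of whichever side sent the first packet
    server: tuple
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes_c2s: int = 0     # client -> server
    bytes_s2c: int = 0     # server -> client
    macs: set = field(default_factory=set)


def conversation_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-agnostic key so both halves of a flow land in one record."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (min(a, b), max(a, b), proto)


def rebuild_conversations(packets):
    """packets: (ts, src_mac, dst_mac, src_ip, dst_ip, proto, src_port, dst_port, size)."""
    convs = {}
    for ts, smac, dmac, sip, dip, proto, sport, dport, size in packets:
        key = conversation_key(sip, sport, dip, dport, proto)
        c = convs.get(key)
        if c is None:
            c = Conversation((sip, sport), (dip, dport), proto, ts, ts)
            convs[key] = c
        c.packets += 1
        c.last_seen = max(c.last_seen, ts)
        c.macs.update((smac, dmac))
        if (sip, sport) == c.client:
            c.bytes_c2s += size
        else:
            c.bytes_s2c += size
    return list(convs.values())


def score_conversation(c):
    """Return the reasons, if any, this conversation deserves an analyst's attention."""
    findings = []
    if c.client[0] in KNOWN_BAD_IPS or c.server[0] in KNOWN_BAD_IPS:
        findings.append("ioc_match")                       # signature-style detection
    if ipaddress.ip_address(c.server[0]) in INTERNAL and c.server not in BASELINE_SERVICES:
        findings.append("new_internal_service")            # deviation from the baseline
    if c.bytes_c2s >= 10_000 and c.bytes_c2s > 10 * c.bytes_s2c:
        findings.append("upload_heavy")                    # crude outbound-volume heuristic
    return findings


def analyze(packets):
    """Rebuild conversations and attach findings; order follows first appearance."""
    return [{"client": c.client, "server": c.server, "packets": c.packets,
             "bytes_c2s": c.bytes_c2s, "bytes_s2c": c.bytes_s2c,
             "findings": score_conversation(c)}
            for c in rebuild_conversations(packets)]


# Constructed packet records, as a SPAN/TAP copy might deliver them.
PACKETS = [
    # normal SMB exchange with a baselined file server
    (1.0, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "10.0.0.7", "10.0.0.5", "tcp", 51000, 445, 120),
    (1.1, "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "10.0.0.5", "10.0.0.7", "tcp", 445, 51000, 300),
    (1.2, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "10.0.0.7", "10.0.0.5", "tcp", 51000, 445, 80),
    # large upload to a listed indicator
    (2.0, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", "10.0.0.7", "198.51.100.23", "tcp", 51001, 443, 1500),
    (2.1, "aa:bb:cc:00:00:ff", "aa:bb:cc:00:00:01", "198.51.100.23", "10.0.0.7", "tcp", 443, 51001, 200),
    (2.2, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", "10.0.0.7", "198.51.100.23", "tcp", 51001, 443, 48500),
    # first-ever RDP attempt against the file server
    (3.0, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "10.0.0.7", "10.0.0.5", "tcp", 51002, 3389, 60),
]

if __name__ == "__main__":
    for record in analyze(PACKETS):
        print(record)
```

The direction-agnostic key is the part worth copying: without it, the two halves of one TCP session show up as two unrelated records and byte counts per direction, which the upload heuristic depends on, are lost.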

Critical Capabilities for NDR Solutions

To provide the best detection coverage possible, NDR solutions need two critical capabilities:

1) the ability to securely decrypt encrypted network traffic, and
2) the ability to decode a wide variety of network, application, database, and internet protocols.

More than 85% of attacks now use encrypted channels across various stages of the cyber kill chain to evade detection by traditional security tools, including EDR and SIEM, making true decryption, as opposed to encrypted traffic analysis, essential to modern cybersecurity practices. Encrypted traffic analysis can’t detect attacks leveraging encrypted Microsoft protocols such as MSRPC and Kerberos.

The more protocols an NDR solution can decode, and the greater the visibility it can provide into encrypted network traffic in real time, the better equipped it will be to fire high-fidelity detections and reduce false positives.

Why is network data so important to cybersecurity and to threat detection in particular?

Notably, the network provides security teams with the highest fidelity data source for early threat detection and forensic investigation. The network can’t be compromised or disabled by attackers the way logs and endpoint agents can. It’s an immutable source of truth. Every user and device has to communicate over the network, so with NDR, you have an appliance silently recording a copy of all of that traffic.

As one ExtraHop customer, a security executive for a large insurance company, put it, “I’ve always been an advocate for looking at network-level data, and I’ve always said that from an attacker’s perspective, the one place where they can’t change what’s going on is on the network. Once an attacker compromises a host, you can’t trust what you see, but anything that passes the network is 100% real, and that’s how you catch attackers and figure out what they’re doing.”

What are the benefits of NDR?

The primary benefit of NDR is that it provides security teams with threat visibility into the network traffic (north-south and east-west) flowing across the hybrid enterprise that they can’t get from IDS, NGFW, or any other tool.

Risk mitigation is another significant benefit of NDR that stems from the visibility it provides. NDR helps organizations mitigate risk in a couple of different ways. For one, certain threat actor behaviors that take place in the early stages of an attack, such as command and control beaconing, network discovery and enumeration, lateral movement, and domain escalation, are best detected on the network.

For another, industry-leading NDR tools are capable of automatically discovering and classifying all assets connecting to and communicating with the network. This gives security and IT teams visibility into shadow IT and unmanaged devices, along with a much clearer picture of their organization’s attack surface and risk exposure. You can’t manage what you can’t see.
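Two of the early-stage behaviors named above, command-and-control beaconing and network discovery/enumeration, are good illustrations of why they are easiest to see on the wire: each is a pattern across many connections rather than anything visible in a single packet or a single host's logs. The added example below (not ExtraHop's code) scores constructed flow records for both. The regularity measure (coefficient of variation of the gaps between connections) and the thresholds are illustrative assumptions, not a description of any product's model.

```python
"""Score flow records for two early-stage attacker behaviours the post says are
best detected on the network: C2 beaconing (a host calling one destination on
a fixed timer) and enumeration (one host touching many ports or many hosts).

Added example, not ExtraHop's code. Flows are constructed; the regularity
metric and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_score(timestamps, min_connections=6):
    """Return (cv, mean_gap) for the gaps between connections, or None if too few.

    cv is the coefficient of variation (stdev / mean); a software timer gives a
    value near 0, while human-driven traffic is bursty and scores far higher.
    """
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return pstdev(gaps) / mu, mu


def find_beacons(flows, max_cv=0.2):
    """flows: (start_ts, src_ip, dst_ip, dst_port). Group per (src, dst, port)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_pair.items():
        scored = beacon_score(stamps)
        if scored is not None and scored[0] <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval": scored[1], "cv": scored[0], "connections": len(stamps)})
    return hits


def find_enumeration(flows, min_targets=20):
    """Flag a source that probes many ports on one host, or one port on many hosts."""
    ports_per_host = defaultdict(set)   # (src, dst)  -> ports touched
    hosts_per_port = defaultdict(set)   # (src, port) -> hosts touched
    for _, src, dst, port in flows:
        ports_per_host[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)
    hits = []
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= min_targets:
            hits.append({"kind": "port_scan", "src": src, "target": dst, "count": len(ports)})
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= min_targets:
            hits.append({"kind": "host_sweep", "src": src, "target": port, "count": len(hosts)})
    return hits


# Constructed flows (RFC 1918 / RFC 5737 addresses), one second resolution.
BEACON_TIMES = [0, 60, 119, 180, 240, 300, 359, 420, 480, 540]        # ~60 s timer with jitter
BROWSING_TIMES = [5, 8, 90, 95, 400, 401, 402, 900]                    # bursty, human-driven
FLOWS = (
    [(t, "10.0.0.12", "203.0.113.8", 443) for t in BEACON_TIMES]
    + [(t, "10.0.0.12", "203.0.113.50", 443) for t in BROWSING_TIMES]
    + [(1000 + i * 0.01, "10.0.0.30", "10.0.0.5", p) for i, p in enumerate(range(1, 26))]        # 25 ports, one host
    + [(1100 + i * 0.01, "10.0.0.30", f"10.0.0.{100 + i}", 445) for i in range(22)]              # one port, 22 hosts
)

if __name__ == "__main__":
    for hit in find_beacons(FLOWS) + find_enumeration(FLOWS):
        print(hit)
```

Both detectors need every flow from the source host, including east-west ones that never cross a perimeter firewall, which is the visibility argument the post is making.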

What Use Cases Does NDR Address?

NDR solutions provide frictionless coverage for a wide range of use cases, from threat hunting and ransomware detection to network forensics and more. Here are a few examples of the use cases best-in-class NDR solutions can address, and the capabilities you should look for in an NDR solution to handle each scenario effectively.

NDR for Ransomware Detection and Response

Advanced ransomware attacks use sophisticated post-compromise tactics to accelerate propagation of malware across the victim’s infrastructure. To mitigate ransomware, NDR solutions should provide:

  • Visibility into which clients received malicious files or connected with suspicious IP addresses
  • AI-powered detection of post-compromise malicious behavior
  • Fast investigation and response to enable tactical isolation of only the compromised systems

Learn why network visibility is essential to early ransomware detection and mitigation: Watch the video.


NDR for Secure Cloud Migration

Migrating to the cloud can lead to all kinds of unforeseen hurdles, like poor user experience, unknown dependencies, and an expanded attack surface. To support secure cloud migration, NDR solutions should provide:

  • Automatic discovery, classification, and mapping of all assets (inclusive of devices, protocols, certificates, and dependencies)
  • L2–L7 monitoring to compare performance before, during, and after migration
  • Real-time detection and threat intelligence from across the hybrid attack surface

Learn how a financial organization used RevealX to secure its cloud migration: Read the case study.


NDR for Next-Generation IDS

While traditional, standalone IDSs remain popular tools, especially to meet compliance requirements, their signature-based detections make them less effective against sophisticated threats. NDR products that offer built-in IDS capabilities can provide:

  • Intrusion detection both on-premises and in the cloud
  • Full-spectrum detections powered by AI and rules-based analytics
  • High-fidelity alerts with context for deeper investigation

NDR for Network Forensics and Investigation

Endpoint data and logs provide investigators and incident responders with surface level insight, but they can’t offer the depth of immutable data available in packets. To enable forensic investigation, NDR solutions should provide:

  • Continuous packet capture, so you never have to worry about recreating an issue
  • Event-driven packet capture, which captures packets based on conditions set by the user
  • 30-, 60-, 90-, and 180-day lookback capabilities

NDR for Advanced Threat Hunting

For many organizations, threat hunting is only aspirational because traditional methods require multiple complex tools and analysts with the skills and time to find “unknown unknowns.” To support an advanced threat hunting program capable of rapidly testing hypotheses and finding IoCs, NDR solutions must provide:

  • Transaction data and intuitive, query-based starting points
  • Augmented workflows for faster hunting
  • The ability to hunt threats across hybrid environments and in network traffic

See how RevealX has made it easier than ever for security teams to proactively hunt for threats in network traffic.

NDR for Zero Trust

NDR also supports zero trust initiatives by providing visibility and analytics for all users, devices, workloads, and applications communicating on the network. NDR solutions ensure continual network monitoring and policy validation. Best-in-class NDR solutions can also securely decrypt traffic, automatically discover and classify assets, and identify vulnerabilities. With NDR data, organizations can make informed, policy-driven access decisions.

Do I Need NDR if I Have EDR and SIEM?

In short, yes. EDR and SIEM are foundational detection and response technologies, but they have their limits. They only tell you when an attacker landed, not where they started, how they progressed, or which systems they touched in the process.

Unmanaged devices, like IoT devices or devices belonging to guests or contractors, either can’t run endpoint agents, or you don’t have the authority to install them. What’s more, sophisticated threat actors are finding ways to evade EDR, going so far as to create a lucrative black market for so-called EDR killers.

Combining network data with full packet capture and analysis fills in the crucial gaps left by EDR and SIEM. That’s because all activity must cross the network, and network traffic can’t be tampered with. So if you’re monitoring the network, attackers have no place to hide.

What’s the Difference Between NDR and EDR?

NDR is distinct from EDR in that it does not use an agent to monitor east-west and north-south traffic. It relies instead on a network or virtual tap for analysis of network telemetry across on-premises and cloud workloads. That’s important, because without an agent, NDR solutions can:

  • Reduce deployment complexity.
  • Reduce security friction in DevOps processes.
  • Provide greater scale than agent-based solutions.
  • Provide visibility into every packet sent and received.

Do I Need NDR if I Have IDS and Firewalls?

Again, the answer is yes. Firewalls and legacy IDSs can be evaded and typically only watch north-south network traffic that crosses the perimeter, not internal, east-west traffic. But key activities in successful attacks must occur on the network, which means NDR can detect threats that legacy IDS and firewalls can’t see.

What Capabilities Should I Look for in an NDR provider?

Not all NDR solutions are created equal. Here are a few key capabilities that you should look for when evaluating different solutions:

  • Full packet capture (PCAP) and analysis – Many NDR solutions only collect network traffic metadata, such as packet headers, which may suffice if you’re investigating obvious threats, such as an internal device communicating with a known malicious IP address. But if you’re looking for evidence of living-off-the-land techniques, or if you’re trying to determine the full scope and potential materiality of a breach, then you need full packet capture (PCAP) and analysis. With full PCAP and analysis, analysts can identify precisely what systems and data attackers accessed during a breach. This empowers them to make more informed decisions about the materiality of an incident and how to limit disruption by shutting down only impacted systems.
  • Protocol fluency – Look for an NDR solution capable of decoding not just network and internet protocols, but application and database protocols, too. The more protocols an NDR solution is able to decode, the better visibility you’ll get for security and performance.
  • Strategic decryption – You can’t secure what you can’t see. If you can’t look into the black box of encrypted traffic and protocols, you’re blind to more than 85% of attacks. Look for NDR solutions that can decrypt at least TLS 1.3 and SSL traffic, as well as encrypted Microsoft protocols including Kerberos, MSRPC, LDAP, WINRM, SMBv3, and NTLM. Encrypted traffic analysis can’t detect the increasing number of attacks that leverage encrypted Microsoft protocols such as MSRPC and Kerberos.
  • Platform over point solutions – Modern NDR solutions combine the power of NDR with IDS, NPM, and packet forensics into a single platform to provide maximum detection coverage and faster response capabilities. Why pay for, manage, and integrate multiple point products separately, when you can combine them into a single powerful, cost-effective solution?
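The "strategic decryption" point deserves a practical note on why TLS 1.3 is called out specifically: with TLS 1.3 (and with forward-secret TLS 1.2 cipher suites) there is no server private key that unlocks recorded traffic, so an out-of-band sensor can only decrypt a session if it is handed that session's secrets. One widely used way endpoints export those secrets is the NSS key log format (the SSLKEYLOGFILE convention understood by tools such as Wireshark), where each line carries a label, the session's client_random, and a secret. The added example below (not ExtraHop's code; the post does not say how any product obtains keys) parses such a log and reports, per session, whether a passive decryptor holding it could open application data in both directions. Sample lines are constructed with dummy hex values.

```python
"""Index a TLS key log (NSS SSLKEYLOGFILE format) by client_random and report
what a passive, out-of-band decryptor could open with it.

Added example, not ExtraHop's code. Sample lines are constructed with dummy
hex values. The legacy 'RSA' line type is deliberately not handled.
"""
from collections import defaultdict

# Labels written for TLS 1.3 sessions; each secret covers one direction/phase.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
}
# TLS 1.2 and earlier: one line carrying the 48-byte master secret.
TLS12_LABEL = "CLIENT_RANDOM"
APP_DATA_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
HANDSHAKE_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}


def parse_keylog(text):
    """Return ({client_random: {label: secret_hex}}, [(line_no, problem), ...])."""
    sessions = defaultdict(dict)
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((line_no, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            problems.append((line_no, f"unknown label {label}"))
            continue
        try:
            if len(bytes.fromhex(client_random)) != 32:   # client_random is always 32 bytes
                raise ValueError("client_random length")
            bytes.fromhex(secret)
        except ValueError:
            problems.append((line_no, "malformed hex"))
            continue
        sessions[client_random][label] = secret
    return dict(sessions), problems


def decrypt_coverage(sessions):
    """Classify each session by what the logged secrets let a decryptor read.

    For TLS 1.3, application data needs both *_TRAFFIC_SECRET_0 values; later
    secrets after a KeyUpdate are derived from those by the decryptor itself.
    """
    report = {}
    for client_random, labels in sessions.items():
        present = set(labels)
        if TLS12_LABEL in present:
            report[client_random] = "tls12_full"
        elif APP_DATA_LABELS <= present:
            report[client_random] = "tls13_app_data"
        elif HANDSHAKE_LABELS <= present:
            report[client_random] = "tls13_handshake_only"
        else:
            report[client_random] = "incomplete"
    return report


# Constructed client_random values (32 bytes each) for three sessions.
CR_A, CR_B, CR_C = "a1" * 32, "c3" * 32, "e5" * 32

KEYLOG = "\n".join([
    "# constructed sample, dummy values",                         # line 1
    f"CLIENT_RANDOM {CR_A} {'b2' * 48}",                            # line 2: TLS 1.2 session
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'d4' * 32}",          # lines 3-7: complete TLS 1.3 session
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'d5' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {'d6' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {'d7' * 32}",
    f"EXPORTER_SECRET {CR_B} {'d8' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_C} {'f6' * 32}",          # lines 8-9: handshake secrets only
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_C} {'f7' * 32}",
    f"BOGUS_LABEL {CR_C} {'f8' * 32}",                              # line 10: rejected
    f"CLIENT_RANDOM zz {'b2' * 48}",                                # line 11: rejected
])

if __name__ == "__main__":
    sessions, problems = parse_keylog(KEYLOG)
    print(decrypt_coverage(sessions))
    print(problems)
```

The "tls13_handshake_only" outcome is the one to watch for in practice: a sensor that receives only handshake secrets can confirm a session happened but cannot read the application data the post is concerned with, so key export has to be validated end to end, not just switched on.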
