What is network detection and response?
Network detection and response (NDR) is an emerging category of cybersecurity solution that ingests and analyzes network traffic to detect suspicious activity and understand security risks and exposure. NDR combines machine learning-powered detections, behavioral analysis, and signature-based detections for known IOCs. Best-in-class NDR solutions also use decryption and protocol decoding to uncover threats hiding in encrypted traffic. Streamlined workflows enable cybersecurity teams to quickly investigate down to packet-level context and respond with confidence.
Like endpoint detection and response (EDR), NDR security solutions do not prevent malicious activity. Instead, they identify attack activity in progress and provide the insight needed to stop attacks before they can do significant harm. NDR is distinct from EDR in that it does not use an agent to monitor east-west and north-south network traffic, relying instead on a network or virtual tap for analysis of network telemetry across on-premises and cloud workloads. NDR is also referred to as network analysis and visibility (NAV) by some independent analyst groups.
$1.98 billion
Projected global NDR market by 2027
“There can be no Zero Trust without visibility into what’s happening inside networks.”
Heath Mullins, Senior Analyst, Forrester
Threat Landscape
Cyber threats are sophisticated and costly
The SUNBURST attacks evidenced a sea change, a trend that has continued with increasingly advanced ransomware attacks and headline-making breaches.
When news first emerged detailing the scale and sophistication of the SUNBURST attacks, many global security teams faced an uncomfortable reality. How could a threat, albeit a state-sponsored one, fly under the radar of so many organizations, and linger for so long without detection?
SUNBURST circumvented most of the tools that security leaders rely on: perimeter defenses, endpoint detection, and antivirus. The SUNBURST attacks highlighted the deficiencies of rules- and signature-based detection methods, and exposed the security blind spots left by logging and agent-based approaches.
The attack surface is expanding
The job of cyber defense is made that much harder by the nature of modern IT environments. The traditional notion of a network perimeter perished with the advent of cloud applications, bring your own device (BYOD) policies that opened the door to ubiquitous mobile devices, third-party services, and internet of things (IoT) devices. Digital transformation efforts encompassing cloud, mobile, and IoT are also expanding the corporate attack surface and making it harder for security teams to gain visibility into suspicious traffic. These challenges are compounded by the push for "encryption everywhere". Various sources estimate that the vast majority of traffic today is encrypted, making it difficult to inspect that traffic. Adversaries can disguise their own malicious activity within encrypted traffic to cross the perimeter or move laterally inside networks.
67%
Of malicious traffic is encrypted
56 days
Median dwell time before attackers discovered
73%
Decrease in net income within 9 to 12 months after announcing a breach
Why Choose NDR?
NDR picks up where other tools leave off
EDR and SIEM provide essential visibility into endpoints and logs, but both tools leave coverage gaps. EDR requires agents to be deployed on each endpoint, but not every endpoint can support an agent. IoT and personal devices are two examples. Sophisticated attackers can also bypass EDR by taking advantage of unmanaged devices — including the 37% of critical devices that are unmanaged. SIEM tools rely on logs, which are useful sources of data, but they lack the context of network packets and attackers can delete logs, wiping away any trace of their activities. Attackers can also avoid firewalls and legacy standalone intrusion detection systems (IDS), but because certain key activities in a successful attack occur on the network, NDR can detect those threats.
NDR complements EDR, SIEM, and IDS tools by filling coverage gaps and continuously monitoring and analyzing network traffic to provide actionable insight. NDR solutions don’t require agents to understand the ways endpoints, workloads, and services communicate with each other. NDR solutions also provide packet-level context, enabling security teams to dive deeper into the activities of assets and investigate down to ground truth.
NDR supports Zero Trust initiatives
Zero trust requires cybersecurity to evolve from static defenses based on network-based perimeters and instead focus on users, assets, and resources. In short, never trust, and always verify. NDR solutions support zero trust initiatives by providing visibility and analytics for all users, devices, applications, and workloads and analytics communicating on the network. With NDR data, security teams can make informed decisions. Best-in-class NDR products also have the ability to securely decrypt traffic, automatically discover and classify assets, and identify vulnerabilities so organizations can make policy-driven access decisions.
“The real value in Extrahop RevealX is the time we see returned to our engineers so they can focus on innovation.”
Diane Brown Chief Information Security Officer, Ulta Beauty
RevealX NDR
See everything. Risk nothing.
Expose hidden threats
Detect threats other tools miss and fill coverage gaps left by EDR, SIEM, and logs with RevealX. Gain the network intelligence you need with complete visibility, real-time detection, and rapid investigation.
- Detect threats 83% faster.
- Investigate to ground truth in 3 clicks or fewer.
- Reduce time to resolve by 87%.
Security
Network Detection and Response (NDR)
RevealX NDR
Investigate smarter, stop threats faster, and move at the speed of risk to reveal threats and build business resilience.
Product overviewCustomer Stories
See everything. Risk nothing.
Learn how ExtraHop customers utilize RevealX, the most powerful source of truth and transparency.
BAC Credomatic Meets Compliance Standards, Safeguards Against Ransomware with ExtraHop
- Gained comprehensive view of complex IT environment in a single UI
- Significantly reduced false positives, saving analyst time and leading to cost savings
- Integrated Extrahop data with other tools for confident response automation