Network detection and response

Network detection and response (NDR) refers to a category of network security products that detect abnormal system behaviors by continuously analyzing network traffic. NDR solutions apply behavioral analytics to inspect raw network packets and metadata for both internal (east-west) and external (north-south) network communications. [1]

Description

NDR is delivered through a combination of hardware and software sensors, along with a software or SaaS management console. Organizations use NDR to detect and contain malicious post-breach activity such as ransomware or malicious insider activity. NDR focuses on identifying abnormal behavior patterns and anomalies rather than relying solely on signature-based threat detection. This allows NDR to spot weak signals and unknown threats in network traffic, such as lateral movement or data exfiltration. [1]
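As an added illustration that is not from the article or any vendor's product, the following Python sketch shows the core idea behind the behavioral approach described above: label flow records as east-west or north-south, learn a per-host baseline from past time windows, and alert on deviations that resemble lateral movement (fan-out to many internal peers) or data exfiltration (unusual outbound volume). The flow records, the z-score threshold and the alert floors are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# RFC 1918 ranges: a flow with both ends inside is east-west, otherwise north-south.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def direction(src, dst):
    """East-west if both endpoints are internal, else north-south."""
    both = all(any(ipaddress.ip_address(ip) in n for n in INTERNAL) for ip in (src, dst))
    return "east-west" if both else "north-south"

def per_host_features(flows):
    """Per source host: distinct internal peers contacted, and bytes sent to external hosts."""
    peers, egress = defaultdict(set), defaultdict(int)
    for src, dst, nbytes in flows:
        if direction(src, dst) == "east-west":
            peers[src].add(dst)
        else:
            egress[src] += nbytes
    return {h: (len(peers[h]), egress[h]) for h in set(peers) | set(egress)}

def build_baseline(history):
    """Learn 'normal' per host: mean and std-dev of each feature over past windows."""
    series = defaultdict(lambda: ([], []))
    for window in history:
        for host, (fanout, out) in per_host_features(window).items():
            series[host][0].append(fanout)
            series[host][1].append(out)
    return {h: ((mean(f), pstdev(f)), (mean(o), pstdev(o))) for h, (f, o) in series.items()}

def detect(window, baseline, z=3.0, floor=(5, 1_000_000)):
    """Alert when fan-out or egress exceeds mean + z*stdev; the floor suppresses tiny absolute changes."""
    alerts = []
    for host, (fanout, out) in per_host_features(window).items():
        (fm, fs), (om, os_) = baseline.get(host, ((0, 0), (0, 0)))
        if fanout > max(floor[0], fm + z * fs):
            alerts.append((host, "lateral-movement", fanout))
        if out > max(floor[1], om + z * os_):
            alerts.append((host, "exfiltration", out))
    return alerts

# Constructed sample flows (src, dst, bytes), not captured traffic: four quiet windows, then one
# where 10.0.0.5 contacts many internal peers and 10.0.0.7 sends 40 MB to an external host.
def quiet_window():
    return [("10.0.0.5", "10.0.0.2", 4000), ("10.0.0.5", "8.8.8.8", 20000),
            ("10.0.0.7", "10.0.0.3", 3000), ("10.0.0.7", "93.184.216.34", 50000)]
HISTORY = [quiet_window() for _ in range(4)]
SUSPECT = (quiet_window() + [("10.0.0.5", f"10.0.0.{i}", 500) for i in range(10, 30)]
           + [("10.0.0.7", "93.184.216.34", 40_000_000)])
```

Running `detect(SUSPECT, build_baseline(HISTORY))` yields one lateral-movement alert for 10.0.0.5 and one exfiltration alert for 10.0.0.7, while the quiet window produces none; in practice the floor and z value are the knobs that tuning adjusts to trade false positives for sensitivity.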

NDR provides visibility into network activity and uses machine learning algorithms to identify anomalies. [2] Its automated response capabilities can help reduce the workload of security teams. NDR also assists incident responders with threat hunting by supplying context and analysis. [1]

Deployment options include physical or virtual sensors. Sensors are typically out-of-band, positioned to monitor network flows without impacting performance. Cloud-based NDR options integrate with IaaS providers to gain visibility across hybrid environments. Ongoing tuning helps reduce false positives. NDR competes against broader platforms like SIEM and XDR for security budgets. [1] NDR can also be used to cover EDR's blind spots. [2] [3]

Key capabilities offered by NDR solutions include real-time threat detection through continuous monitoring, rapid incident response workflows to minimize damage, reduced complexity versus managing multiple point solutions, improved visibility for compliance and risk management, automated detection and response, endpoint and user behavior analytics, and integration with SIEM for centralized monitoring. [4]

History

The origins of NDR trace back to network traffic analysis (NTA) solutions that emerged around 2019. NTA provided greater visibility into network activities to quickly identify and respond to potential threats. [4]

By 2020, NTA adoption was growing for real-time threat detection. That year, a study found that 87% of organizations used NTA, with 43% considering it a "first line of defense." The NTA market was valued at US$2.9 billion in 2022, and expected to reach US$8.5 billion by 2032. NTA evolved into NDR as a distinct product category. NDR combined detection capabilities with incident response workflows. This enabled detecting and reacting to threats across networks in real time. [4]

Major attacks like WannaCry in 2017 and the SolarWinds breach in 2020 highlighted the need for solutions like NDR. Traditional perimeter defenses and signature-based tools proved insufficient against modern threats. [4]

AI applications

The use of artificial intelligence in NDR tools is growing, as security teams explore AI's potential to enhance NDR capabilities. Key AI use cases for NDR include: [5]

NDR Vendors

According to Gartner, NDR vendors include Cisco, Corelight, Darktrace, LinkShadow, ExtraHop, Fortinet, IronNet, MixMode, Plixer, Trend Micro, Trellix, and Vectra AI. [1]

References

  1. Nunez, Jonathan; Davies, Andrew (20 July 2023). "Hype Cycle for Security Operations, 2023". www.gartner.com. Retrieved 2023-08-08.
  2. Maor, Etay. "Council Post: EDR, XDR, MDR: Making Sense Of Threat Detection And Response Acronyms". Forbes. Retrieved 2024-05-21.
  3. "Change Is Coming to the Network Detection and Response (NDR) Market". www.darkreading.com. Retrieved 2024-05-21.
  4. Wiens, Christian (2023-02-02). "A Comprehensive Guide to Network Detection & Response (NDR) — What CIOs & Security Analysts Should Know". Security Boulevard. Retrieved 2023-08-15.
  5. Grady, John. "How AI benefits network detection and response". TechTarget. Retrieved 2023-08-15.