What is Network Detection and Response (NDR)?
Network detection and response (NDR) platforms use technology that continuously monitors and detects anomalies and malicious activity on corporate networks using machine learning (ML) and data analytics. NDR platforms enable enterprises to monitor all network traffic, allowing them to react and respond to all threats. Gartner created the NDR category in 2020, who previously called it “network traffic analysis.”
What are the benefits to deploying a NDR platform?
- All network traffic is analyzed for its behavior, regardless of whether the traffic is encrypted or not. Cyber attackers and their actions are rapidly revealed so an organization’s security operations center (SOC) can respond.
- NDR is part of the SOC Visibility Triad, a network-centric approach to threat detection and response (TDR). The two other parts of the triad include:
- Endpoint detection and response (EDR): This technology is at the user’s endpoints and focused on containment, investigation, and remediation.
- Security information event management (SIEM): This technology collects and analyzes data with user behavior analytics, artificial intelligence (AI), and ML to review all data.
- NDR solutions provide vital network data the SIEM requires and add context to the various threats and vulnerabilities detected. With added AI packet-based behavioral fingerprinting, NDR platforms identifies behavior in encrypted traffic streams and host-based behavioral detections.
- Workflow capabilities of NDR support SOC analyst workflows with integrated packet analysis insights. The user interface (UI) delivers enhanced collaboration across teams by auto-enriching and correlating disparate data sources, including but not limited to geography, passive DNS, MITRE techniques, and threat intelligence.
- By combining context-driven, enterprise-wide visibility (including east-west visibility) and advanced analytical techniques, NDR platforms provide threat analysts an early notice of a possible a cyber attack, limiting the potential damage a hacker had done to the network. Its advanced mean time to detect (MTTD) identifies unusual remote access, port scanning, and the use of restricted ports and protocols.