Network Detection and Response


    What is Network Detection and Response (NDR)?

    Network detection and response (NDR) platforms use technology that continuously monitors and detects anomalies and malicious activity on corporate networks using machine learning (ML) and data analytics. NDR platforms enable enterprises to monitor all network traffic, allowing them to react and respond to all threats. Gartner created the NDR category in 2020, who previously called it “network traffic analysis.”

    What are the benefits to deploying a NDR platform?

    • All network traffic is analyzed for its behavior, regardless of whether the traffic is encrypted or not. Cyber attackers and their actions are rapidly revealed so an organization’s security operations center (SOC) can respond.
    • NDR is part of the SOC Visibility Triad, a network-centric approach to threat detection and response (TDR). The two other parts of the triad include:
      • Endpoint detection and response (EDR): This technology is at the user’s endpoints and focused on containment, investigation, and remediation.
      • Security information event management (SIEM): This technology collects and analyzes data with user behavior analytics, artificial intelligence (AI), and ML to review all data.
    • NDR solutions provide vital network data the SIEM requires and add context to the various threats and vulnerabilities detected. With added AI packet-based behavioral fingerprinting, NDR platforms identifies behavior in encrypted traffic streams and host-based behavioral detections.
    • Workflow capabilities of NDR support SOC analyst workflows with integrated packet analysis insights. The user interface (UI) delivers enhanced collaboration across teams by auto-enriching and correlating disparate data sources, including but not limited to geography, passive DNS, MITRE techniques, and threat intelligence.
    • By combining context-driven, enterprise-wide visibility (including east-west visibility) and advanced analytical techniques, NDR platforms provide threat analysts an early notice of a possible a cyber attack, limiting the potential damage a hacker had done to the network. Its advanced mean time to detect (MTTD) identifies unusual remote access, port scanning, and the use of restricted ports and protocols.

    Related Products


    Network Performance
    Management Software


    Extend Network


    Packet Capture
    and Analysis

    Related Glossary Terms

    QoS, or quality of service, is key to ensuring the performance of critical applications on a network. Learn how QoS works and its benefits.

    A protocol analyzer is an essential tool for network operations. Protocol analyzers act as a vital intermediary between devices within a network, allowing administrators to gain valuable insights into the active communication between these devices.

    By encrypting “stolen” files and demanding a ransom payment for the decryption key, bad actors force organizations to pay a ransom because it is sometimes the easiest and most cost-effective way to regain access to the files.

    Encryption is a data security practice that converts normal, readable information into an unintelligible cypher. Once network traffic is encrypted, it can only be accessed by authorized users with a key, or by advanced encryption practices that can decode cyphertext. This process allows organizations to safely move confidential and sensitive information around without exposing it to bad actors.

    Packet analysis is a primary traceback technique in network forensics, which, providing that the packet details captured are sufficiently detailed, can play back even the entire network traffic for a particular point in time.

    Packet loss causes reduced throughput, diminished security, and other issues in your network. Learn about causes and effects and how you can mitigate its impact.