The 4 Hottest Use Cases for Network Detection & Response
Network Detection and Response (NDR) is a rapidly growing cybersecurity market segment, but what are the top use cases?
NDR is exceptionally effective at helping you detect and disrupt attacks already underway on the network.
For example, you can uncover ransomware attacks before completion, know which employees gave credentials away in a phishing attack before they do, and detect insider threats who can hide their actions from traditional tools but not NDR.
Those things are impressive. However, they are also down in the weeds just a bit. Let’s zoom out and take a broader view of the benefits organizations find through NDR implementation.
4 Top Network Detection & Response Use Cases
The four hottest use cases for Network Detection and Response include:
Let’s take a look at each of these individually.
Threat Detection NDR Use Case
According to Gartner Senior Analyst Nat Smith, who covers the NDR market, threat detection is the number one priority for organizations who are exploring the power of NDR.
“Detection is king. Detection is the most important thing when you start to look at NDR.”
The reason is that NDR platforms replace outdated rules-based detection tools like DLP or IDS with an approach that is the future of cybersecurity.
“NDR has embraced AI more than I’ve seen in almost any other technology…AI is the heart and soul of NDR, and buyers recognize that everywhere,” says Smith. “It’s exciting because it’s not just the same old technology and concepts. It is innovating, and it is evolving as we go.”
NDR platforms come in a wide variety of maturity levels and approaches. But for the threat detection use case, let’s consider the LiveAction NDR called ThreatEye NV.
The platform creates long-term behavior baselines to understand what’s typical within your environment through Deep Packet Dynamics (DPD). This historical inventory allows profiling and fingerprinting, and AI-powered Machine Learning models are then applied to identify advanced threats and behaviors.
DPD provides high-fidelity flow records with over 150 features for each flow without payload inspection. And because you look at traffic behavior instead of inspecting payloads, encryption does not block your investigation.
Hunting NDR Use Case
While threat detection is the primary use case for Network Detection and Response, another essential use case is hunting. And according to Gartner’s Smith, organizations approach this part of their NDR search in two ways.
“One is what I would call a black box. If I’m a black box buyer, I’m looking for that solution that just finds the magic and lets me know and can take care of it. Or the other side is the hunter, where I’m going to spend time working with the solution. I want to see those magic alerts. But I also want to work with it and understand exactly how that came about.”
The LiveAction NDR approach is what you might consider a hybrid model. ThreatEye NV creates automated alerts that are risk scored and MITRE ATT&CK labeled. This strategy guides network defenders, saves time, and allows teams to disrupt attackers quickly. However, you can still drill down to packet level and look at the details of an attack if you would like to do so.
Forensics NDR Use Case
Forensics is another NDR use case, and it is often integrated right into the NDR workflow. Not only does this help your team verify an attack is underway, but it also creates learning opportunities that close the cybersecurity skills gap, as you document each attack.
Many organizations report that the guided response provided by NDR gradually trains network defenders on where to look and what types of questions. The results are shorter investigation timelines and increasingly skilled network security teams.
NDR Use Case for Response
The final primary use case for Network Detection and Response is about the response. Vendor approaches vary significantly, according to analysts in the NDR space.
We can speak to ThreatEye NV, however, as an example. It seamlessly connects to existing security tools like SIEMs, SOAR, and Threat Intelligence. Workflow automation with products like Cisco SecureX can take immediate action on security events to quarantine hosts or block threats. SIEM integration can also correlate with EDR events and malicious activity on previously unseen encrypted channels.
Learn More About NDR
We’ve explored the four primary use cases for Network Detection and Response. And there are a couple of great ways to learn more about this powerful segment of cybersecurity.