Network detection and response (NDR) is a category of cybersecurity technologies that use non-signature-based methods—such as artificial intelligence, machine learning and behavioral analytics—to detect suspicious or malicious activity on the network and respond to cyberthreats.
NDR evolved from network traffic analysis (NTA), a technology originally developed to extract network traffic models from raw network traffic data. As NTA solutions added behavioral analysis and threat response capabilities, industry analysts at Gartner® changed the name of the category to "network detection and response" in 2020.
Networks are the foundation of today’s connected world and prime targets for threat actors.
Traditionally, organizations relied on threat detection tools such as antivirus software, intrusion detection systems (IDSs) and firewalls to ensure network security.
Many of these tools use a signature-based approach to detection, identifying threats by matching indicators of compromise (IOCs) to a database of cyberthreat signatures.
A signature can be any characteristic associated with a known cyberattack, such as a line of code from a particular strain of malware or a specific phishing email subject line. Signature-based tools monitor networks for these previously discovered signatures and raise alerts when they find them.
While effective at blocking known cyberthreats, signature-based tools struggle with detecting new, unknown or emerging threats. They also struggle to detect threats that lack unique signatures or resemble legitimate behavior, such as:
Ransomware gangs and other advanced persistent threats can exploit these gaps in visibility to infiltrate networks, conduct surveillance, escalate privileges and launch attacks at opportune moments.
NDR can help organizations fill the gaps left by signature-based solutions and secure modern and increasingly complex networks.
Using advanced analytics, machine learning and behavioral analysis, NDR can detect even potential threats without known signatures. In this way, NDR provides a layer of real-time security, helping organizations catch vulnerabilities and attacks other security tools might miss.
Industry newsletter
Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.
Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.
Network detection and response solutions take a proactive, dynamically responsive approach to managing network threats. NDR tools continuously monitor and analyze network activity and traffic patterns in real time to identify suspicious activity that might indicate a cyberthreat.
Threat detection with an NDR solution typically involves these five steps:
NDR solutions ingest raw network traffic data and metadata through telemetry, the practice of using automation to collect and transmit data from remote sources.
NDR tools often gather data from endpoints, network infrastructure, firewalls and other sources for a comprehensive view of the network. Collected data can include network packet data, flow data and log data.
NDR tools use behavioral analytics, AI and machine learning to evaluate the data and establish a baseline model of normal network behavior and activity.
After it establishes a baseline, the system continuously monitors network traffic in real time. The NDR compares current network activity against that baseline to detect deviations that might signal data exfiltration and other potential threats.
Such deviations might include unauthorized access attempts, unusual data transfers, anomalous login patterns (such as accessing data outside of regular hours) or communications with unknown web servers.
Upon detecting suspicious activity, NDR solutions alert security teams to act. Some NDR tools can also take automated actions to mitigate the threat. These automated responses can include blocking malicious IP addresses, isolating compromised devices or throttling suspicious traffic to prevent further damage.
NDR systems continually adapt their network activity models by incorporating feedback from detected threats and responses. They also integrate inputs from security analysts and threat intelligence feeds. This ongoing refinement improves the accuracy and effectiveness of NDR tools in detecting and responding to new and evolving threats.
NDR solutions offer a range of capabilities that can provide advantages over traditional signature-based threat detection tools. These capabilities include:
NDR solutions provide real-time monitoring and analysis, enabling quicker identification and response to potential threats. Some NDR tools can also prioritize and raise alerts to security teams or security operations centers (SOCs) based on potential threat severity.
NDR can offer visibility into all network activities on premises and in hybrid cloud environments. This comprehensive visibility can help organizations intercept more security incidents.
Because NDR solutions monitor both north-south (exit and entry) and east-west (internal) network traffic, they can detect both intrusions at the network perimeter and lateral movement within the network. The ability to spot anomalies inside the network can help NDR catch advanced threats lying in wait. Some NDR tools can also detect threats hiding in encrypted traffic.
NDR leverages AI and advanced machine learning algorithms to analyze network data, identify patterns and spot potential threats, including previously unknown threats that traditional tools often miss.
Some NDR solutions feature automated response capabilities—such as terminating a suspicious network connection—that can stop an attack as it’s happening. NDR tools can also integrate with other security tools to execute more complex incident response plans. For example, after detecting a threat, an NDR might prompt a security orchestration, automation and response (SOAR) platform to run a predefined response playbook.
Many NDR tools can integrate with threat intelligence feeds and databases such as the MITRE ATT&CK framework. These integrations can enhance behavioral models and improve the accuracy of threat detection. As a result, NDR tools can be less prone to false positives.
NDR solutions provide contextual data and functionality that security teams can use for threat hunting activities that proactively search for previously undetected threats.
Despite their benefits, NDR solutions are not without their limitations. Some common weaknesses of current NDR tools can include:
NDR tools can require significant investment in hardware, software and cybersecurity personnel. For instance, the initial setup can involve deploying sensors across network segments and investing in high-capacity data storage for large volumes of network traffic data.
Scaling NDR solutions for growing networks can be challenging. Increased data flow can strain resources and create bottlenecks, making threat detection and response solutions less effective in large enterprises.
NDR tools can generate many false positives and overwhelm security teams with alert fatigue. Even the slightest deviations from normal patterns might be flagged as suspicious, leading to wasted time and potentially missing real threats.
Continuous monitoring of network traffic, including encrypted communications, can raise privacy issues. Failure to comply with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) can lead to steep fines and penalties.
Today's enterprise networks are decentralized and expansive, connecting data centers, hardware, software, IoT devices and workloads both on premises and in cloud environments.
Organizations and their security operations centers (SOCs) need a robust set of tools to gain complete visibility into these complex networks. Increasingly, they rely on a combination of NDR with other security solutions.
For example, NDR is one of the three pillars of Gartner's SOC visibility triad, along with endpoint detection and response (EDR) and security information and event management (SIEM).
More recently, SOCs have also adopted extended detection and response (XDR) solutions. XDR integrates cybersecurity tools across an organization's entire hybrid IT infrastructure, including endpoints, networks and cloud workloads. Many XDR providers include NDR capabilities, while open XDR solutions can leverage an organization's existing NDR capabilities, fitting into existing security workflows.