What is network detection and response (NDR)?
Network detection and response (NDR) technology continuously scrutinizes network traffic to identify suspicious activity and potentially disrupt an attack.
Through monitoring and machine learning capabilities, an NDR product learns the expected traffic flow on an organization's network. The tool is then in a position to spot abnormal behavior, essentially asking itself, "Does this traffic look like the normal traffic?"
When something looks amiss, NDR will take investigative steps, such as trying to tie malicious behavior to a specific IP address.
Other capabilities include the building of models so that an organization has forecasting capabilities to more deeply understand network behavior.
NDR technologies are an extension of intrusion detection systems (IDS). The extent of the overlap between an NDR product and an IDS depends on the features of particular products.
This article is part of
What is threat detection and response (TDR)? Complete guide
NDR relates to other threat detection and response tools and services, a category that includes endpoint detection and response, cloud detection and response, and extended detection and response. NDR products can be installed alongside these and other security tools. Or, for businesses that prefer to outsource threat detection, more of these offerings -- including NDR -- are becoming available as managed security services.
Why is NDR important?
NDR is valuable because it automates the monitoring of network traffic. That monitoring cannot be accomplished manually, at least not in any consistently effective way. It is simply impractical to have network administrators or an outsourcing company watch packet captures and network traffic throughout the day. Automation of the type available in NDR helps overcome that challenge, especially in an era when hiring and retaining skilled personnel remains difficult for most organizations.
NDR views network traffic in real time, and it automatically checks it against old/existing traffic data. Behavioral analytics features will judge which activity appears typical and which does not.
These capabilities can be useful in the detection of a variety of threats, including unauthorized removal of data and installation of malware.
How to choose an NDR tool
When comparing NDR products, look at how they incorporate auto-learning with AI and machine learning (ML) for predictive analysis. And decide if you're interested in one that is open source, paid or free.
The market provides plenty of options. Vendors include Cisco, Darktrace, ExtraHop, InsightIDR, Lastline (acquired by VMware and now part of Broadcom), Vectra AI and Zeek, an open source IDS and NDR developed at the University of California, Berkeley.
When talking with a vendor, be sure to ask how the tool decides what's an anomaly. If the assessment is based on ML/AI, that means the product will have forecasting capabilities, which improves the accuracy of threat detection. Security leaders express increasing interest in network detection technologies that incorporate AI capabilities.
Also, try to determine the depth of an NDR tool's analysis of suspect IP addresses. If the address is behind a virtual private network, is the tool able to furnish enough information to help you determine if suspicious activity is evidence a bad actor is on the network?
Lastly, ask the tool vendor about guarantees and if the vendor can promise that some set percentage of malicious attempts will be analyzed.