Network detection and response (NDR) is a category of cybersecurity technologies that use non-signature-based methods—such as artificial intelligence, machine learning and behavioral analytics—to detect suspicious or malicious activity on the network and respond to cyberthreats.
NDR evolved from network traffic analysis (NTA), a technology originally developed to extract network traffic models from raw network traffic data. As NTA solutions added behavioral analysis and threat response capabilities, industry analysts at Gartner® changed the name of the category to "network detection and response" in 2020.
Networks are the foundation of today’s connected world and prime targets for threat actors.
Traditionally, organizations relied on threat detection tools such as antivirus software, intrusion detection systems (IDSs) and firewalls to ensure network security.
Many of these tools use a signature-based approach to detection, identifying threats by matching indicators of compromise (IOCs) to a database of cyberthreat signatures.
A signature can be any characteristic associated with a known cyberattack, such as a line of code from a particular strain of malware or a specific phishing email subject line. Signature-based tools monitor networks for these previously discovered signatures and raise alerts when they find them.
While effective at blocking known cyberthreats, signature-based tools struggle with detecting new, unknown or emerging threats. They also struggle to detect threats that lack unique signatures or resemble legitimate behavior, such as:
- Cyberattackers using stolen credentials to access the network
- Business email compromise (BEC) attacks, where hackers impersonate or hijack an executive’s email account
- Employees unintentionally engaging in risky behavior, such as saving company data to a personal USB drive or clicking malicious email links
Ransomware gangs and other advanced persistent threats can exploit these gaps in visibility to infiltrate networks, conduct surveillance, escalate privileges and launch attacks at opportune moments.
NDR can help organizations fill the gaps left by signature-based solutions and secure modern and increasingly complex networks.
Using advanced analytics, machine learning and behavioral analysis, NDR can detect even potential threats without known signatures. In this way, NDR provides a layer of real-time security, helping organizations catch vulnerabilities and attacks other security tools might miss.
Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security® X-Force Threat Intelligence Index.
Network detection and response solutions take a proactive, dynamically responsive approach to managing network threats. NDR tools continuously monitor and analyze network activity and traffic patterns in real time to identify suspicious activity that might indicate a cyberthreat.
Threat detection with an NDR solution typically involves these five steps:
- Collect data
- Establish a network behavior baseline
- Monitor for malicious activity
- Respond to incidents
- Refine over time
NDR solutions ingest raw network traffic data and metadata through telemetry, the practice of using automation to collect and transmit data from remote sources.
NDR tools often gather data from endpoints, network infrastructure, firewalls and other sources for a comprehensive view of the network. Collected data can include network packet data, flow data and log data.
NDR tools use behavioral analytics, AI and machine learning to evaluate the data and establish a baseline model of normal network behavior and activity.
After it establishes a baseline, the system continuously monitors network traffic in real time. The NDR compares current network activity against that baseline to detect deviations that might signal data exfiltration and other potential threats.
Such deviations might include unauthorized access attempts, unusual data transfers, anomalous login patterns (such as accessing data outside of regular hours) or communications with unknown web servers.
Upon detecting suspicious activity, NDR solutions alert security teams to act. Some NDR tools can also take automated actions to mitigate the threat. These automated responses can include blocking malicious IP addresses, isolating compromised devices or throttling suspicious traffic to prevent further damage.
NDR systems continually adapt their network activity models by incorporating feedback from detected threats and responses. They also integrate inputs from security analysts and threat intelligence feeds. This ongoing refinement improves the accuracy and effectiveness of NDR tools in detecting and responding to new and evolving threats.
NDR solutions offer a range of capabilities that can provide advantages over traditional signature-based threat detection tools. These capabilities include:
NDR solutions provide real-time monitoring and analysis, enabling quicker identification and response to potential threats. Some NDR tools can also prioritize and raise alerts to security teams or security operations centers (SOCs) based on potential threat severity.
NDR can offer visibility into all network activities on premises and in hybrid cloud environments. This comprehensive visibility can help organizations intercept more security incidents.
Because NDR solutions monitor both north-south (exit and entry) and east-west (internal) network traffic, they can detect both intrusions at the network perimeter and lateral movement within the network. The ability to spot anomalies inside the network can help NDR catch advanced threats lying in wait. Some NDR tools can also detect threats hiding in encrypted traffic.
NDR leverages AI and advanced machine learning algorithms to analyze network data, identify patterns and spot potential threats, including previously unknown threats that traditional tools often miss.
Some NDR solutions feature automated response capabilities—such as terminating a suspicious network connection—that can stop an attack as it’s happening. NDR tools can also integrate with other security tools to execute more complex incident response plans. For example, after detecting a threat, an NDR might prompt a security orchestration, automation and response (SOAR) platform to run a predefined response playbook.
Many NDR tools can integrate with threat intelligence feeds and databases such as the MITRE ATT&CK framework. These integrations can enhance behavioral models and improve the accuracy of threat detection. As a result, NDR tools can be less prone to false positives.
NDR solutions provide contextual data and functionality that security teams can use for threat hunting activities that proactively search for previously undetected threats.
Despite their benefits, NDR solutions are not without their limitations. Some common weaknesses of current NDR tools can include:
NDR tools can require significant investment in hardware, software and cybersecurity personnel. For instance, the initial setup can involve deploying sensors across network segments and investing in high-capacity data storage for large volumes of network traffic data.
Scaling NDR solutions for growing networks can be challenging. Increased data flow can strain resources and create bottlenecks, making threat detection and response solutions less effective in large enterprises.
NDR tools can generate many false positives and overwhelm security teams with alert fatigue. Even the slightest deviations from normal patterns might be flagged as suspicious, leading to wasted time and potentially missing real threats.
Continuous monitoring of network traffic, including encrypted communications, can raise privacy issues. Failure to comply with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) can lead to steep fines and penalties.
Today's enterprise networks are decentralized and expansive, connecting data centers, hardware, software, IoT devices and workloads both on premises and in cloud environments.
Organizations and their security operations centers (SOCs) need a robust set of tools to gain complete visibility into these complex networks. Increasingly, they rely on a combination of NDR with other security solutions.
For example, NDR is one of the three pillars of Gartner's SOC visibility triad, along with endpoint detection and response (EDR) and security information and event management (SIEM).
- EDR is software designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats. Whereas NDR provides an "aerial view" of network traffic, EDR can provide a supplementary "ground level" view of activity at individual endpoints.
- SIEM combines and correlates security-related log and event data from disparate security tools and network sources, such as servers, applications and devices. NDR tools can complement these efforts by streaming their network traffic data and analysis to SIEM systems, enhancing the SIEM's security and regulatory compliance effectiveness.
More recently, SOCs have also adopted extended detection and response (XDR) solutions. XDR integrates cybersecurity tools across an organization's entire hybrid IT infrastructure, including endpoints, networks and cloud workloads. Many XDR providers include NDR capabilities, while open XDR solutions can leverage an organization's existing NDR capabilities, fitting into existing security workflows.
Leverage IBM threat detection and response solutions to strengthen your security and accelerate threat detection.
Move confidently to hybrid multicloud and integrate security into every phase of your cloud journey.
Protect your infrastructure and network from sophisticated cybersecurity threats with proven security skills, expertise and modern solutions.
Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs.
Learn how today’s security landscape is changing and how to navigate the challenges and tap into the resilience of generative AI.
Artificial intelligence (AI) leverages computers and machines to mimic the problem-solving and decision-making capabilities of the human mind.