Home Topics NDR What is network detection and response (NDR)?
Explore IBM's network detection and response solution Sign up for security topic updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark

Updated: 8 July 2024

Contributors: Annie Badman, Matthew Kosinski
What is NDR?

Network detection and response (NDR) is a category of cybersecurity technologies that use non-signature-based methods—such as artificial intelligence, machine learning and behavioral analytics—to detect suspicious or malicious activity on the network and respond to cyberthreats.

NDR evolved from network traffic analysis (NTA), a technology originally developed to extract network traffic models from raw network traffic data. As NTA solutions added behavioral analysis and threat response capabilities, industry analysts at Gartner® changed the name of the category to "network detection and response" in 2020.

 Why NDR matters

Networks are the foundation of today’s connected world and prime targets for threat actors.

Traditionally, organizations relied on threat detection tools such as antivirus software, intrusion detection systems (IDSs) and firewalls to ensure network security.

Many of these tools use a signature-based approach to detection, identifying threats by matching indicators of compromise (IOCs) to a database of cyberthreat signatures.

A signature can be any characteristic associated with a known cyberattack, such as a line of code from a particular strain of malware or a specific phishing email subject line. Signature-based tools monitor networks for these previously discovered signatures and raise alerts when they find them.

While effective at blocking known cyberthreats, signature-based tools struggle with detecting new, unknown or emerging threats. They also struggle to detect threats that lack unique signatures or resemble legitimate behavior, such as:

  • Cyberattackers using stolen credentials to access the network

  • Business email compromise (BEC) attacks, where hackers impersonate or hijack an executive’s email account

  • Employees unintentionally engaging in risky behavior, such as saving company data to a personal USB drive or clicking malicious email links

Ransomware gangs and other advanced persistent threats can exploit these gaps in visibility to infiltrate networks, conduct surveillance, escalate privileges and launch attacks at opportune moments.

NDR can help organizations fill the gaps left by signature-based solutions and secure modern and increasingly complex networks.

Using advanced analytics, machine learning and behavioral analysis, NDR can detect even potential threats without known signatures. In this way, NDR provides a layer of real-time security, helping organizations catch vulnerabilities and attacks other security tools might miss.
IBM X-Force® Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security® X-Force Threat Intelligence Index.
How do NDR tools work?

Network detection and response solutions take a proactive, dynamically responsive approach to managing network threats. NDR tools continuously monitor and analyze network activity and traffic patterns in real time to identify suspicious activity that might indicate a cyberthreat.

Threat detection with an NDR solution typically involves these five steps:

  1. Collect data
  2. Establish a network behavior baseline
  3. Monitor for malicious activity
  4. Respond to incidents
  5. Refine over time
1. Collect data

NDR solutions ingest raw network traffic data and metadata through telemetry, the practice of using automation to collect and transmit data from remote sources.

NDR tools often gather data from endpoints, network infrastructure, firewalls and other sources for a comprehensive view of the network. Collected data can include network packet data, flow data and log data.
2. Establish a network behavior baseline

NDR tools use behavioral analytics, AI and machine learning to evaluate the data and establish a baseline model of normal network behavior and activity.
3. Monitor for malicious activity

After it establishes a baseline, the system continuously monitors network traffic in real time. The NDR compares current network activity against that baseline to detect deviations that might signal data exfiltration and other potential threats.

Such deviations might include unauthorized access attempts, unusual data transfers, anomalous login patterns (such as accessing data outside of regular hours) or communications with unknown web servers. 
4. Respond to incidents

Upon detecting suspicious activity, NDR solutions alert security teams to act. Some NDR tools can also take automated actions to mitigate the threat. These automated responses can include blocking malicious IP addresses, isolating compromised devices or throttling suspicious traffic to prevent further damage.
5. Refine over time

NDR systems continually adapt their network activity models by incorporating feedback from detected threats and responses. They also integrate inputs from security analysts and threat intelligence feeds. This ongoing refinement improves the accuracy and effectiveness of NDR tools in detecting and responding to new and evolving threats.
Benefits of NDR

NDR solutions offer a range of capabilities that can provide advantages over traditional signature-based threat detection tools. These capabilities include: 
Real-time threat detection capabilities

NDR solutions provide real-time monitoring and analysis, enabling quicker identification and response to potential threats. Some NDR tools can also prioritize and raise alerts to security teams or security operations centers (SOCs) based on potential threat severity.
Comprehensive visibility at the perimeter and inside the network

NDR can offer visibility into all network activities on premises and in hybrid cloud environments. This comprehensive visibility can help organizations intercept more security incidents.

Because NDR solutions monitor both north-south (exit and entry) and east-west (internal) network traffic, they can detect both intrusions at the network perimeter and lateral movement within the network. The ability to spot anomalies inside the network can help NDR catch advanced threats lying in wait. Some NDR tools can also detect threats hiding in encrypted traffic.
AI-powered threat analysis

NDR leverages AI and advanced machine learning algorithms to analyze network data, identify patterns and spot potential threats, including previously unknown threats that traditional tools often miss.
Automated incident response

Some NDR solutions feature automated response capabilities—such as terminating a suspicious network connection—that can stop an attack as it’s happening. NDR tools can also integrate with other security tools to execute more complex incident response plans. For example, after detecting a threat, an NDR might prompt a security orchestration, automation and response (SOAR) platform to run a predefined response playbook.
Integration with threat intelligence

Many NDR tools can integrate with threat intelligence feeds and databases such as the MITRE ATT&CK framework. These integrations can enhance behavioral models and improve the accuracy of threat detection. As a result, NDR tools can be less prone to false positives.
Threat hunting

NDR solutions provide contextual data and functionality that security teams can use for threat hunting activities that proactively search for previously undetected threats.
Potential drawbacks of NDR

Despite their benefits, NDR solutions are not without their limitations. Some common weaknesses of current NDR tools can include:
Complexity and cost

NDR tools can require significant investment in hardware, software and cybersecurity personnel. For instance, the initial setup can involve deploying sensors across network segments and investing in high-capacity data storage for large volumes of network traffic data.
Scalability issues

Scaling NDR solutions for growing networks can be challenging. Increased data flow can strain resources and create bottlenecks, making threat detection and response solutions less effective in large enterprises.
False positives

NDR tools can generate many false positives and overwhelm security teams with alert fatigue. Even the slightest deviations from normal patterns might be flagged as suspicious, leading to wasted time and potentially missing real threats.
Privacy and regulatory concerns

Continuous monitoring of network traffic, including encrypted communications, can raise privacy issues. Failure to comply with regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS) can lead to steep fines and penalties.
NDR and other security solutions

Today's enterprise networks are decentralized and expansive, connecting data centers, hardware, software, IoT devices and workloads both on premises and in cloud environments.

Organizations and their security operations centers (SOCs) need a robust set of tools to gain complete visibility into these complex networks. Increasingly, they rely on a combination of NDR with other security solutions.

For example, NDR is one of the three pillars of Gartner's SOC visibility triad, along with endpoint detection and response (EDR) and security information and event management (SIEM).

  • EDR is software designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats. Whereas NDR provides an "aerial view" of network traffic, EDR can provide a supplementary "ground level" view of activity at individual endpoints.

  • SIEM combines and correlates security-related log and event data from disparate security tools and network sources, such as servers, applications and devices. NDR tools can complement these efforts by streaming their network traffic data and analysis to SIEM systems, enhancing the SIEM's security and regulatory compliance effectiveness.

More recently, SOCs have also adopted extended detection and response (XDR) solutions. XDR integrates cybersecurity tools across an organization's entire hybrid IT infrastructure, including endpoints, networks and cloud workloads. Many XDR providers include NDR capabilities, while open XDR solutions can leverage an organization's existing NDR capabilities, fitting into existing security workflows.
Related solutions
Threat detection and response solutions

Leverage IBM threat detection and response solutions to strengthen your security and accelerate threat detection.

 Explore threat detection and response solutions
Cloud security solutions

Move confidently to hybrid multicloud and integrate security into every phase of your cloud journey.

 Explore cloud security solutions
Managed infrastructure and network security services

Protect your infrastructure and network from sophisticated cybersecurity threats with proven security skills, expertise and modern solutions.

 Explore managed infrastructure and network security services
Resources Cost of a Data Breach Report

Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs.

 Cybersecurity in the era of generative AI

Learn how today’s security landscape is changing and how to navigate the challenges and tap into the resilience of generative AI.

What is artificial intelligence?

Artificial intelligence (AI) leverages computers and machines to mimic the problem-solving and decision-making capabilities of the human mind.
Take the next step

IBM cybersecurity services deliver advisory, integration and managed security services and offensive and defensive capabilities. We combine a global team of experts with proprietary and partner technology to co-create tailored security programs that manage risk.

 Explore cybersecurity services Subscribe to the Think Newsletter