Network detection and response: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 23:52, 14 May 2024 edit CFA (talk \| contribs) Extended confirmed users, Page movers, New page reviewers, Pending changes reviewers, Rollbackers 48,307 edits Added tags to the page using Page Curation (copy edit, notability) Tag: PageTriage ← Previous edit		Latest revision as of 20:05, 29 August 2025 edit undo Marstorm (talk \| contribs) 54 edits fixed a broken link added a supporting citation
(12 intermediate revisions by 4 users not shown)
Line 1: ~~{{Multiple issues\|~~ ~~{{copy edit\|date=May 2024}}~~ {{notability\|date=May 2024}} }} {{short description\|Threat monitoring technology}} '''Network detection and response (NDR)''' refers to a category of [[network security]] products that detect abnormal system [[Behavior\|behaviors]] by continuously analyzing network traffic. NDR solutions apply [[behavioral analytics]] to inspect raw [[Packet analyzer\|network packets]] and [[metadata]] for both internal (east-west) and external (north-south) network communications.<ref name=":0">{{Cite web \|last=Jonathan Nunez, Andrew Davies \|date=20 July 2023 \|title=Hype Cycle for Security Operations, 2023 \|url=https://www.gartner.com/doc/reprints?id=1-2EIN4TVS&ct=230721&st=sb&__hstc=45788219.57a590308de95e51d2f62b49fac710ef.1691078838873.1691078838873.1691078838873.1&__hssc=45788219.1.1691078838873&__hsfp=3812163218&hsCtaTracking=51e2e4ef-078c-41c0-a8bf-673c4e38176a%7C2cb608e8-3bb2-41fb-96a8-b3d410ee1978 \|access-date=2023-08-08 \|website=www.gartner.com}}</ref>▼ '''Network detection and response (NDR)'''<ref>{{Cite web \|title=What is network detection and response (NDR)? \|url=https://www.sophos.com/en-us/cybersecurity-explained/network-detection-and-response \|website=Sophos \|access-date=2025-08-29}}</ref> ▲~~'''Network detection and response (NDR)'''~~ refers to a category of [[network security]] products that detect abnormal system [[Behavior\|behaviors]] by continuously analyzing [[network traffic]]. NDR solutions apply [[behavioral analytics]] to inspect raw [[Packet analyzer\|network packets]] and [[metadata]] for both internal (east-west) and external (north-south) network communications.<ref name=":0">{{Cite web ~~\|last=Jonathan Nunez, Andrew Davies \|date=20 July 2023~~ \|title=~~Hype~~Network ~~Cycle~~Detection ~~for Security Operations,~~and ~~2023~~Response \|url=https://www.gartner.com/~~doc~~reviews/~~reprints?id=1~~market/network-~~2EIN4TVS&ct=230721&st=sb&__hstc=45788219.57a590308de95e51d2f62b49fac710ef.1691078838873.1691078838873.1691078838873.1&__hssc=45788219.1.1691078838873&__hsfp=3812163218&hsCtaTracking=51e2e4ef~~detection-~~078c~~and-~~41c0-a8bf-673c4e38176a%7C2cb608e8-3bb2-41fb-96a8-b3d410ee1978~~response \|website=Gartner \|access-date=~~2023~~2025-08-~~08 \|website=www.gartner.com~~29}}</ref> == Description == NDR is delivered through a combination of [[Computer hardware\|hardware]] and [[software]] sensors, along with a software or [[Software as a service\|SaaS]] management console. Organizations use NDR to detect and contain malicious post-breach activity, such as [[ransomware]], asor ~~well~~insider ~~as insider~~malicious ~~attacks~~activity. NDR focuses on identifying abnormal behavior patterns and anomalies rather than relying solely on [[Signature based detection\|signature-based threat detection]]. This allows NDR to spot weak signals and unknown threats from network traffic, like [[Network Lateral Movement\|lateral movement]] or [[data exfiltration]].<ref name=":0" /> NDR provides visibility into network activities to identify anomalies using [[machine learning]] algorithms.<ref name=":3">{{Cite web \|last=Maor \|first=Etay \|title=Council Post: EDR, XDR, MDR: Making Sense Of Threat Detection And Response Acronyms \|url=https://www.forbes.com/sites/forbestechcouncil/2024/03/05/edr-xdr-mdr-making-sense-of-threat-detection-and-response-acronyms/ \|access-date=2024-05-21 \|website=Forbes \|language=en}}</ref> The automated response capabilities can help reduce the workload for security teams. NDR also assists incident responders with threat hunting by supplying context and analysis.<ref name=":0" /> Deployment options include physical or virtual sensors. Sensors are typically out-of-band, positioned to monitor network flows without impacting performance. Cloud-based NDR options integrate with IaaS providers to gain visibility across hybrid environments. Ongoing tuning helps reduce false positives. NDR competes against broader platforms like [[SIEM]] and [[Extended detection and response\|XDR]] for security budgets.<ref name=":0" /> NDR can be used to complement EDR's blind spot.<ref name=":3" /><ref>{{Cite web \|title=Change Is Coming to the Network Detection and Response (NDR) Market \|url=https://www.darkreading.com/cyber-risk/change-is-coming-to-the-network-detection-and-response-ndr-market \|access-date=2024-05-21 \|website=www.darkreading.com \|language=en}}</ref> Key capabilities offered by NDR solutions include: ~~Real~~real-time threat detection through continuous monitoring, ~~Rapid~~rapid incident response workflows to minimize damage, ~~Reduced~~reduced complexity versus managing multiple point solutions, ~~Improved~~improved visibility for compliance and risk management, ~~Automated~~automated detection and response, ~~Endpoint~~endpoint and user behavior analytics, ~~Integration~~and integration with [[SIEM]] for centralized monitoring.<ref name=":2" /> ==History== The origins of NDR trace back to [[network traffic analysis]] (NTA) solutions that emerged around 2019. NTA provided greater visibility into network activities to quickly identify and respond to potential threats.<ref name=":2">{{Cite web \|last=Wiens \|first=Christian \|date=2023-02-02 \|title=A Comprehensive Guide to Network Detection & Response (NDR) — What CIOs & Security Analysts Should Know \|url=https://securityboulevard.com/2023/02/a-comprehensive-guide-to-network-detection-response-ndr-what-cios-security-analysts-should-know/ \|access-date=2023-08-15 \|website=Security Boulevard \|language=en-US}}</ref> By 2020, NTA adoption was growing for real-time threat detection. That year, a study found that 87% of organizations used NTA, with 43% considering it a "first line of defense.". The NTA market was valued at US$2.9 billion in 2022, and expected to reach US$8.5 billion by 2032. NTA evolved into NDR as a distinct product category. NDR combined detection capabilities with incident response workflows. This enabled detecting and reacting to threats across networks in real- time.<ref name=":2" /> Major attacks like [[WannaCry]] in 2017 and the [[SolarWinds]] breach in 2020 highlighted the need for solutions like NDR. Traditional perimeter defenses and signature-based tools proved insufficient against modern threats.<ref name=":2" /> == AIArtificial Intelligence applications == The use of [[artificial intelligence]] in NDR tools is growing, as security teams explore AI's potential to enhance NDR capabilities. Key AI use cases for NDR include:<ref name=":1">{{Cite web \|last=Grady \|first=John \|title=How AI benefits network detection and response \|url=https://www.techtarget.com/searchsecurity/opinion/How-AI-benefits-network-detection-and-response \|access-date=2023-08-15 \|website=TechTarget \|language=en}}</ref> * Improved threat detection : AI can analyze large volumes of data on vulnerabilities, threats, and attack tactics to identify anomalous network activities. This allows NDR to detect emerging attack patterns with greater accuracy and fewer [[False positives and false negatives\|false positives]].<ref name=":1" /> * Alert prioritization : AI models can evaluate the criticality of NDR alerts based on factors like affected assets, exploitability, and potential impact. This enables security teams to triage alerts effectively despite staff shortages.<ref name=":1" /> * Analyst workflow optimization : AI assistants can ~~provide guidance to~~guide analysts during incident response, suggesting relevant investigation steps based on details of the threat. This amplifies analyst efficiency, especially for junior staff lacking specialized expertise.<ref name=":1" /> * Automated response : Although not yet widely adopted, AI could enable NDR platforms to autonomously execute containment measures like quarantining endpoints. AI would identify and recommend response actions for analyst approval.<ref name=":1" /> * Security team communications : NDR vendors are exploring integrations with natural language AI to generate incident reports and metrics digestible for business leaders, not just technical security staff.<ref name=":1" /> == NDR Vendors == According to [[Gartner]], NDR vendors include [[Cisco]], Corelight, [[Darktrace]], [https://www.linkshadow.com/ LinkShadow] [[ExtraHop Networks\|ExtraHop]], [[Fortinet]], IronNet, MixMode, Plixer, [[Trend Micro]], Trellix, [[Vectra AI]].<ref name=":0" /> == References ==