Applying behavioral analytics to network data traffic, network detection and response (NDR) products work tirelessly to detect abnormal system behavior before it can emerge into a full-blown attack. Typical NDR capabilities include detection, hunting, forensics, and response.
In an email interview, Jeff Orr, director of ISG Ventana Research, states that an NDR product should include the following basic attributes:
- Visibility across the network layer to monitor and analyze network traffic.
- Real-time threat detection and analysis.
- Automated incident responses with the goal of improving mean-time-to-repair (MTTR) metrics.
- Integration with threat intelligence repositories.
- Incorporates threats identified by SecOps industry experts and other threat hunting activities, which could include the use of AI technologies to identify novel threats.
Erez Tadmor, field CTO at security policy provider Tufin, offers the following additional attributes via email:
- Behavioral detection using machine learning and advanced analytics to detect anomalies.
- Compatibility that supports both physical and virtual sensors for on-premises and cloud networks.
- Incident management that’s capable of aggregating alerts into structured incidents and automates responses such as host containment and traffic blocking.
Tadmor notes that these three features stand out because they ensure robust and efficient network security. “Comprehensive monitoring covers all network traffic, detecting intrusions at any point,” he says. Behavioral detection, meanwhile, uses machine learning to identify sophisticated threats beyond traditional methods. “Compatibility with both on-premises and cloud networks offers flexibility and scalability. Incident management aggregates alerts and automates responses, speeding up threat investigation and mitigation.”
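As an added illustration (not part of the article, and not code from any NDR vendor), the following Python sketch shows the two capabilities Tadmor describes in miniature: a per-host behavioral baseline learned from flow records, anomaly alerts raised against it, and the aggregation of those alerts into structured incidents with an automated response decision. The hosts, ports, byte counts, time windows and the response policy are all constructed assumptions.

```python
"""Toy baseline-driven behavioral detector plus alert-to-incident aggregation.
Added example; all hosts, ports, byte counts and the policy are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Flow:
    window: int      # time bucket (think 5-minute slot); constructed value
    src: str
    dst: str
    dport: int
    bytes_out: int

@dataclass
class Alert:
    host: str
    window: int
    kind: str
    detail: str

@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)

    @property
    def kinds(self):
        return sorted({a.kind for a in self.alerts})

    def recommended_action(self):
        # Assumed policy: two independent anomaly types on one host -> contain
        # the host; a single type -> block the offending traffic and keep watching.
        return "contain_host" if len(self.kinds) >= 2 else "block_and_monitor"

def build_baseline(flows, train_windows):
    """Per-host profile from the training windows: bytes-out per window
    (mean, population stdev) and the set of destination ports seen."""
    per_window = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for f in flows:
        if f.window in train_windows:
            per_window[f.src][f.window] += f.bytes_out
            ports[f.src].add(f.dport)
    baseline = {}
    for host, wins in per_window.items():
        # a host silent in a training window contributes zero bytes for it
        series = [wins.get(w, 0) for w in sorted(train_windows)]
        baseline[host] = (mean(series), pstdev(series), ports[host])
    return baseline

def detect(flows, baseline, eval_windows, z_threshold=3.0):
    """Raise alerts for volume outliers, never-seen ports and unknown hosts."""
    alerts = []
    per_window = defaultdict(lambda: defaultdict(int))
    new_ports = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f.window in eval_windows:
            per_window[f.src][f.window] += f.bytes_out
            if f.src in baseline and f.dport not in baseline[f.src][2]:
                new_ports[f.src][f.window].add(f.dport)
    for host, wins in per_window.items():
        if host not in baseline:
            alerts.append(Alert(host, min(wins), "unknown_host", "no baseline"))
            continue
        mu, sigma, _ = baseline[host]
        for w, total in sorted(wins.items()):
            # zero-variance baseline: any increase is an outlier, no increase is not
            z = (total - mu) / sigma if sigma > 0 else (float("inf") if total > mu else 0.0)
            if z > z_threshold:
                alerts.append(Alert(host, w, "volume_anomaly", f"{total} bytes, z={z:.1f}"))
    for host, wins in new_ports.items():
        for w, ps in sorted(wins.items()):
            alerts.append(Alert(host, w, "new_port", f"ports {sorted(ps)}"))
    return alerts

def aggregate(alerts):
    """Group alerts by host into one structured incident per host."""
    incidents = {}
    for a in alerts:
        incidents.setdefault(a.host, Incident(a.host)).alerts.append(a)
    return incidents

# Constructed sample data: ten training windows, two evaluation windows.
TRAIN = set(range(10))
EVAL = {10, 11}
WS17_TRAIN = [1000, 1200, 800, 1100, 900, 1000, 1050, 950, 1000, 1000]

def sample_flows():
    flows = []
    for w, b in zip(sorted(TRAIN), WS17_TRAIN):
        flows.append(Flow(w, "ws-17", "srv-files", 445, b))
        flows.append(Flow(w, "ws-22", "proxy", 443, 500))
    flows += [
        Flow(10, "ws-17", "srv-files", 445, 1000),
        Flow(10, "ws-17", "ext-203", 443, 40000),  # large push to a new external host/port
        Flow(11, "ws-17", "srv-files", 445, 1000),
        Flow(10, "ws-22", "proxy", 443, 500),
        Flow(11, "ws-22", "proxy", 443, 500),
        Flow(11, "ws-31", "proxy", 443, 120),      # host never seen during training
    ]
    return flows

def run_demo():
    flows = sample_flows()
    return aggregate(detect(flows, build_baseline(flows, TRAIN), EVAL))

if __name__ == "__main__":
    for host, inc in run_demo().items():
        print(host, inc.kinds, "->", inc.recommended_action())
        for a in inc.alerts:
            print("   window", a.window, a.kind, a.detail)
```

On the sample data, ws-17 produces two independent alert types in window 10 (a volume outlier and a destination port it never used during training), so its incident resolves to host containment; ws-31 has no baseline at all and is only blocked and watched; ws-22 stays within its profile and generates nothing. The z-score and the "two kinds means contain" rule stand in for the machine-learning models and response playbooks a real product would carry.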
Limitations
NDR’s practical limitation lies in its focus on the network layer, Orr says. Enterprises that have invested in NDR also need to address detection and response for multiple security layers, ranging from cloud workloads to endpoints and from servers to networks. “This integrated approach to cybersecurity is commonly referred to as Extended Detection and Response (XDR), or Managed Detection and Response (MDR) when provided by a managed service provider,” he explains.
Features such as Intrusion Prevention Systems (IPS), which are typically included with firewalls, are not as critical because they are already delivered via other vendors, Tadmor says. “Similarly, Endpoint Detection and Response (EDR) is being merged into the broader XDR (Extended Detection and Response) market, which includes EDR, NDR, and Identity Threat Detection and Response (ITDR), reducing the standalone importance of EDR in NDR solutions.”
Vendor attributes
When considering an NDR provider, Orr recommends evaluating tools across both product and customer experiences. “While product features and benefits give a good sense of the capabilities, will the NDR product adapt to changing business requirements and evolving threats? Is the NDR offering compatible with existing network infrastructure and cybersecurity programs through pre-built connectors or API calls?”
Look for vendors that are focused on fast, accurate detection and response, advises Reade Taylor, an ex-IBM Internet security systems engineer, now the technology leader of managed services provider Cyber Command. “Buyers should beware of complex, expensive solutions that are difficult to deploy and manage,” he warns via email. “High-quality NDR needs intelligent detection, not just raw data.” Features like flashy dashboards or a long list of integrations offer little real value. “Lots of features means nothing if threats slip through the cracks,” Taylor says. The solution should work with the existing security stack, not replace it. “Be wary of excessive upfront costs or multi-year contracts—your NDR product should provide value from day one.”
Leading vendors
Taylor identifies Darktrace, Vectra, and Cisco Stealthwatch as the leading NDR providers. Orr observes that his enterprise clients work with a variety of providers, including Cisco, NetScout, and Palo Alto Networks. Shop carefully, however. “There’s no one-size-fits-all approach for any organization size or complexity level.”
A common trap buyers should avoid is choosing a tool based solely on price without considering functionality and effectiveness, says Thomas Medlin, co-founder of JumpMD, a medical referral management platform. “A lower-cost solution may need more critical features for comprehensive protection,” he says. “It’s crucial to evaluate how well a tool integrates with your existing systems and workflows.”
Risky business
According to ISG research, nearly all enterprises (95 percent) have experienced a security incident within the past 12 months. “In response to [a security] incident, one-half of enterprises have procured additional protection,” Orr says.
“Firewalls and other forms of network protection do a magnificent job of stopping most outside threats, but a small portion make it through, bypassing protection schema and requiring detection,” Orr says. “This behavior is not sustainable.” That’s what makes NDR technology indispensable.