NDR: a simple acronym describing a complex and dynamic area

As three-letter acronyms in tech go, network detection and response (NDR) has to be one of the clearest – as the advertisement goes, “It does what it says on the tin.” While the concept of identifying and responding to cyber threats in the network environment may be clear, the task is not straightforward, not least because it involves piecing together a picture at the network level. Traffic volumes are by their nature vast, and it isn’t simple to understand what we can loosely call “Layer 7 threats” in Layers 1-6 of the network stack. 

Nonetheless, and as we cover in our Key Criteria and Radar reports, NDR solutions can help in multiple ways. First, they can identify issues that higher levels might not have been able to spot – it’s the difference between working with raw data and composite data (as a simple analogy, phishing attacks are much easier to spot in text-based rather than HTML email). So, NDR complements and augments other forms of detection and response. In addition, NDR solutions may identify attacks before they arrive at the upper layers, or at least in a more timely fashion. In zero-day situations, time is everything, and NDR can identify previously undetected threats. 

NDR solutions combine network traffic analysis, behavioral monitoring, and intelligence about known threats. For enterprises, NDR is necessary for a holistic security response, helping mitigate overall risks to corporate and personal data, processes, and experiences. As such, solutions can be considered based on how well they integrate with other security tools and dashboards, as well as their ability to meet organizations where they are—not blinding network and security engineers with an avalanche of alerts and enabling users to focus on solving the issues rather than diagnosing the problems.

In addition, solutions need to keep up with the changing threat landscape. Cloud-based models and hybrid IT architectures have expanded the attack surface: financially motivated and state-backed threat actors are constantly finding new ways to circumvent perimeter security tools. In today’s distributed environments, we are a long way beyond defense in depth, instead requiring defense in breadth – across all layers of the stack, wherever data may reside or be moving. 

By monitoring all network communications, NDR solutions serve as an authoritative source for ensuring security in both cloud and hybrid environments. The overall result is to broaden the pool of engineers able to identify security issues and, therefore, to reduce the time to detect and respond to threats. This also means improved response rates and approaches, lessening the overall potential for damage. Meanwhile, NDR solutions can reduce false positives, meaning less time wasted and more focus on actual issues. They can also help a regulated organization meet its compliance goals through evidence-based inputs to audits. 

When choosing an NDR solution, however, it isn’t as simple as just choosing the leading product on the market. This space is constantly evolving, balancing the time taken to process network-level data and the need to dig deep into it to get the best possible insights. Alongside traditional deep-packet inspection (DPI, breaking apart network packets and seeing what’s inside them), we’re seeing increased attention on metadata analysis and machine learning to detect currently unknown threats, which may resemble previous attack fingerprints or have similar payloads. 

IT decision-makers can best prepare themselves for evaluating NDR solutions by considering the above factors, based on a keen understanding of the organization’s needs. In doing so, prospective customers must consider the importance of both DPI and metadata analysis. Each method offers unique strengths in the context of network security: for example, DPI can uncover anomalies and threats that hide within network traffic, such as certain types of malware, and can also identify applications being used on a network, even if they are operating on non-standard ports or protocols. However, it can be resource-intensive and potentially raise privacy concerns because it involves examining the full content of network data packets, including decrypting and re-encrypting encrypted network packets.

On the other hand, metadata analysis refers to the process of analyzing the data about the data, including information such as source and destination IP addresses, port numbers, timestamps, and protocol types, but not the actual content of the data packets. This method is typically less resource-intensive (some NDR solutions only evaluate three per cent of the overall data) and can quickly identify potential security threats or anomalies based on patterns in the metadata. It is also less likely to raise privacy issues because it does not involve examining the content of communications. However, it may not be as effective as DPI in uncovering threats. 

In choosing an NDR solution, organizations should consider the level of detail they require in their network traffic analysis, how many computational resources they can dedicate to this function, and their obligations and responsibilities regarding user privacy. In addition, they should look at the range of available detection techniques from each supplier, the ability to automate a response, and the integration with other tooling such as security incident and event management (SIEM) or threat intelligence platforms. 

An additional challenge comes from the market itself. Not only is it overcrowded, but we’re also seeing smaller players being acquired as larger platform providers and security vendors look to bolster their security offerings. This is even more reason not just to choose a product just because it appears to be a market leader but to keep in mind that acquisitions don’t always benefit existing customers, especially if the goal of the acquisition is to reduce competition in the space. 

We’ve written our Key Criteria and Radar reports to guide technology decision-makers as they navigate this superficially simple but, in reality, dynamic and complex area of technology. Whilst NDR plays a pivotal role in an organization’s cybersecurity response, any tool selection needs to start with the organization’s own technical needs, business strategy, privacy stance, and operational approach. 

As a final, related point, you shouldn’t just settle for the incumbent vendor’s solution in this rapidly evolving—and crowded—vendor landscape. Instead, start with a clean sheet of paper and document your needs, capabilities, and skill levels. When talking to vendors, ensure that their vision aligns with yours, and their roadmap includes the features and capabilities your business demands.