Stellar Cyber Open XDR - logo
Close this search box.

What is NDR? The Definitive Guide

Today, security decision-makers are faced with a myriad of choices when it comes to building a modern security stack. One security control commonly overlooked is Network Detection and Response, or NDR. NDR cybersecurity solutions are not new. However, due to the perceived complexity of deployment, maintenance, and use, many security owners deprioritize this technology in their security stack, assuming other network-associated security products can keep their networks from being compromised. This guide provides a comprehensive NDR definition as a modern cybersecurity solution and its importance in combating cyberattacks.

How Does NDR Work

Network Detection and Response technologies are designed to identify threats across your network infrastructure and enable security analysts to take decisive response actions quickly to mitigate the risk of a damaging breach. Unlike other network technologies that require users to be semi-experts in networking, Security analysts with varied expertise can easily use NDR products. To better understand how NDR capabilities keep a network secure, we must first unpack how they are deployed and work. 

Your network is the central nervous system of your entire organization. Whether you are solely deployed “on-metal,” without a presence in the cloud, or have gone “All-In” on a cloud provider, the network enables vital communication from one business center to another. Historically, deploying a firewall was thought to provide sufficient security for a network. However, vendors introduced new security controls to protect the network and combat attack methods advancements. Intrusion detection or Intrusion prevention systems augmented the ability of the firewall to prevent successful cyberattacks, given the reliance on known network signatures of attacks, when attackers modified their tactics even slightly, most IDS/IPS products became little more than a nuisance for attackers to “deal with.”

What is NDR? The Definitive Guide - The Evolution of NDR

The Evolution of NDR

As security providers are apt to do when faced with evolving attacker challenges, a new product type was introduced known as Network Traffic Analysis (NTA). As suggested by its name, NTA products would analyze contents and metrics of traffic between organizations’ assets and traffic to and from external sources. An analyst could dig into the details of out-of-the-ordinary patterns to determine if corrective actions are required. Now, NDR enters into the picture. NDR combines the best IDS/IPS, NTA, and other network security capabilities into a single solution to protect a network. NDR products look to deliver a holistic view of security threats across your network. Using a combination of known malicious network signatures, security analytics, and behavior analysis, NDRs can quickly provide threat detection with high efficacy. To be more specific, NDR products can not only analyze the content of network traffic but also identify anomalous activity by analyzing the metadata of the network traffic (size/shape of traffic). This capability is advantageous when dealing with encrypted traffic, where it may be impossible for the NDR product to decrypt in real-time. Typical NDR products deliver detection capabilities and the ability to respond to a potential threat.

What is the Role of NDR in Cybersecurity

Modern attackers look for any weakness in an organization’s environment they can exploit. While endpoints are a popular attack surface for most attackers, they increasingly seek ways to mask their cyber threats within regular network traffic. This approach is gaining popularity because of the perceived complexity associated with monitoring, analyzing, and detecting threats as they traverse the network. In the not-so-distant past, identifying threats in network traffic required resources with extensive experience configuring, maintaining, and monitoring network traffic. Today, however, the cybersecurity landscape is vastly different, making the protection of a network much more accessible for all security professionals, not just those who are network experts. 

As most cybersecurity professionals would agree, most attacks touch the network in one way or another. Recent studies suggest that 99% of successful attacks can be detected in network traffic, many of which could be identified and mitigated before the attacker deploys their payloads. Modern network protection solutions make protecting networks much more accessible for any security professional by making their capabilities easy to use. Coupled with the increase in automated capabilities included in most solutions, identifying threats across a network is now more “hands-off” than ever before. For most security teams, even those lacking network expertise can deploy an NDR solution in their security stack and begin to identify threats as they move between network assets and into and out of the network with little human intervention. By including an NDR in a security stack, security teams can also see massive strategic and tactical benefits that surpass simply identifying threats on the network.


First, by including NDR in your security stack, you follow the best practice of the “defense-in-depth” approach to security. While endpoint protection platforms and endpoint detection and response solutions are designed to identify threats on the endpoints, for example, they are generally blind to threats as they move across the network. Similarly, data loss prevention products are very good at identifying when important data moves from a given location. However, they are not great at picking up on this critical information traversing the network, especially if obfuscated within regular network traffic. This situation is where NDR security products have the potential to uplevel a security team’s ability to reduce the risk of a successful cyberattack. Much like the other products mentioned are dedicated to detecting threats in a specific asset or data type, the NDR is solely focused on understanding network traffic in a way no other security product can. By enabling fast analysis of real-time network traffic, NDR security products can surface potential threats in network traffic that might have gone unnoticed.

Sharing Information

Once the threats are detected, that information can easily be shared into an SIEM or XDR platform to correlate with other threats, some of which might be considered a weak signal. With a constant flow of network threats now analyzed with other security-relevant data, security teams will benefit from a more holistic view of threats across their entire network environments. For instance, it is common for attackers to deploy multi-vector attacks against their targets, such as initiating a phishing email campaign against multiple employees while simultaneously looking to exploit a known vulnerability discovered somewhere across the network. When investigated separately, they may be considered lower priority than when considered part of a targeted attack. With NDR in place, in conjunction with an XDR, these attacks are no longer investigated in isolation. Instead, they can be correlated and augmented with relevant contextual information, making determining they are related much easier. This additional step, which in most cases can occur automatically, means security analysts become more productive and efficient without exerting more effort. For additional information on the strategic benefits of NDR, review the NDR Buyers Guide.

How does NDR Compare with EDR and XDR?

With so many cybersecurity products and services claiming to deliver similar benefits, it can be difficult for some security decision-makers to discern which products to deploy to gain incremental benefits. NDR is not immune from this confusion, so to help decision-makers understand the similarities and differences between standard security controls, the following outlines the differences between NDR, EDR, and XDR.

NDR Requirements

First, to establish a baseline understanding of the focus of this guide, NDR, here are the standard table-stake capabilities of an NDR solution:
  • NDR products must collect network traffic information in real time and store the collected data to make automated analysis possible.
  • NDR products must be able to normalize and enrich collected data with contextually relevant information to facilitate comprehensive analysis
  • NDR products must also establish a baseline of regular network traffic, typically using machine learning algorithms. Once the baseline is established, the NDR product should quickly surface instances when the network traffic witnessed is outside the typical traffic patterns, alerting security analysts in real time of the anomaly. 
  • NDR products should cover both on-premises and cloud assets.
  • NDR products should work to aggregate related alerts into actionable investigation buckets, making it easy for security analysts to 1)understand the scope of an attack and 2) take response actions
  • NDR products must provide an automated means to take appropriate response actions when they are deemed necessary due to the nature and scope of an attack

EDR Requirements

Endpoint Detection and Response (EDR) products must deliver the following capabilities to provide the necessary protection of their area of focus, endpoint devices:
  • EDR products must provide security teams with a means to collect and analyze endpoint data in real time. Typically, this is delivered via a deployable endpoint agent that can be easily distributed via the organization’s tool of choice. These endpoint agents should be managed centrally and be easily updated without requiring the device to be rebooted. 
  • EDR products should be able to analyze applications and services in real-time to root out potentially malicious files and services. When discovered, it should be possible to quarantine the suspicious files and services automatically. 
  • EDR products should include a customizable correlation rules engine where security teams can either upload a set of publicly available correlation rules or create their own rules from scratch. These rules should include the ability to detect a threat and a means to take an automated response if required. 
  • EDR products must be easily integrated from a data perspective into another security product, such as a SIEM or XDR platform, so the rich data collected can be analyzed within the context of other security-relevant information. 
  • EDR products should support deployments on Microsoft Windows devices and different flavors of Linux devices. 
  • Modern EDR products can also be deployed on certain cloud-based platforms and other cloud-delivered applications such as Microsoft Office 365. 

XDR Requirements

Extended Detection and Response (XDR) products are one of the newest technologies in the market, born out of the need to make it easier for lean security teams to deliver continuous security outcomes across their entire enterprise. XDR products must include the following capabilities to deliver the benefits most security teams expect. 

  • XDR products must ingest data from any data source available. This data can include 1) alerts from any deployed security control, 2) log data from any service in use by an organization, such as the logs created by the organization’s identity management system, and 3) log and activity-related information from any cloud environment and application, such as activity information collected from a Cloud Access Security Broker (CASB) solution.
  • XDR products should ideally normalize all collected data to enable comprehensive analysis at scale.
  • XDR products should use machine learning and artificial intelligence (AI) to correlate seemingly disparate unrelated alert and activity data into easily investigatable security incidents/cases. 
  • XDR products should automatically contextualize all collected data with important information, making it easy for security analysts to complete investigations quickly.
  • XDR products should direct security analysts’ efforts by prioritizing suspected security incidents by their potential impact on the organization.
  • XDR products should provide an automated response capability that can be initiated without human intervention based on the severity/impact of a potential threat. 

In summary, both NDR and EDR products are ultimately inputs into an XDR platform that enables security analysts to complete cybersecurity investigations faster and more effectively than ever. 

Common NDR Use Cases

It should be evident that NDR products are focused on identifying security threats as they traverse an organization’s network infrastructure. That said, it may be easier for security decision-makers to understand the benefits an NDR product delivers by applying a use case lens to the discussion. The following discussion outlines several common security use cases an NDR product can help a security team meet.

Lateral Movement

A common challenge for a security team is understanding when an attacker moves laterally across their environment. For instance, when an attacker successfully compromises a user account or an endpoint without detection, the next logical step is for the attacker to attempt to move further into the environment. Suppose they can move from one device to another in stealth mode. In that case, they may uncover where sensitive information exists in the environment, making their attack more impactful in the case of ransomware.

By moving across the network, they could also identify a vulnerable application or service that enables them to open a “back door” later to re-enter the environment at will. Further, to maintain persistence in an environment, many attackers will attempt to escalate the privileges of a compromised user account to administrator rights, giving them carte-blanche in terms of making changes to the environment, potentially turning off certain security features, deleting logs that could leave breadcrumbs for security teams to use to complete their investigations. With an NDR that monitors network activity in real-time, security teams can quickly identify suspicious activity between network assets and abnormal traffic patterns from their network to the outside world. NDR products correlate this abnormal activity with user actions, which can highlight when an attacker is moving freely across their network assets.

Compromised Credentials

Another everyday security use case NDR products can meet is associated with compromised credentials. Unfortunately, today, an attacker can obtain valid user credentials in many ways, from purchasing them from the dark web to getting an unwitting employee to volunteer their credentials in response to a fraudulent email or via a malicious website. Once the attacker obtains the credentials, it becomes easy for the attacker to get access to the environment. Once inside the organization, the attacker can carry out any number of malicious activities, such as deploying debilitating ransomware, deleting mission-critical data, or exposing company confidential information to the outside world to cause havoc. NDR products make the detection of compromised credentials easier by the nature of how an NDR works. For example, if a North American-based employee is detected logging in from China. In that case, the NDR product will detect this anomaly and generate an alert that a security analyst can investigate quickly. Since the NDR product will contextualize the warning automatically, the security analyst can quickly determine if this anomaly is a threat and initiate an automated response in seconds, such as restricting the user’s access to all network environments and forcing a password reset. They could also ensure the user’s access to any cloud-based applications and network assets is disabled via an integration to a CASB product.
Scroll to Top