What is NDR?
How Does NDR Work
Your network is the central nervous system of your entire organization. Whether you are deployed solely “on-metal,” with no presence in the cloud, or have gone “all-in” on a cloud provider, the network carries the vital communication from one business center to another. Historically, deploying a firewall was thought to provide sufficient security for a network. As attack methods advanced, however, vendors introduced new security controls to protect the network. Intrusion detection and intrusion prevention systems (IDS/IPS) augmented the firewall’s ability to prevent successful cyberattacks. Because they relied on known network signatures of attacks, attackers who modified their tactics even slightly could evade them, and most IDS/IPS products became little more than a nuisance for attackers to “deal with.”
![The Evolution of NDR | Stellar Cyber](https://stellarcyber.ai/wp-content/uploads/2023/10/ndr-evolution.jpg.webp)
The Evolution of NDR
As security providers are apt to do when faced with evolving attacker challenges, a new product type was introduced, known as Network Traffic Analysis (NTA). As its name suggests, NTA products analyze the contents and metrics of traffic between an organization’s assets and of traffic to and from external sources. An analyst could dig into the details of out-of-the-ordinary patterns to determine whether corrective action was required. Now NDR enters the picture. NDR combines the best of IDS/IPS, NTA, and other network security capabilities into a single solution to protect a network. NDR products aim to deliver a holistic view of security threats across your network. Using a combination of known malicious network signatures, security analytics, and behavior analysis, NDRs can quickly provide threat detection with high efficacy. More specifically, NDR products can not only analyze the content of network traffic but also identify anomalous activity by analyzing the metadata of the traffic (the size and shape of flows). This capability is advantageous when dealing with encrypted traffic, which the NDR product may be unable to decrypt in real time. Typical NDR products deliver both detection capabilities and the ability to respond to a potential threat.
What is the Role of NDR in Cybersecurity
As most cybersecurity professionals would agree, most attacks touch the network in one way or another. Recent studies suggest that 99% of successful attacks can be detected in network traffic, many of which could be identified and mitigated before the attacker deploys their payloads. Modern network protection solutions make protecting networks much more accessible to any security professional by making their capabilities easy to use. Coupled with the increase in automated capabilities included in most solutions, identifying threats across a network is now more “hands-off” than ever before. Even security teams lacking network expertise can deploy an NDR solution in their security stack and begin to identify threats as they move between network assets and into and out of the network, with little human intervention. By including an NDR in a security stack, security teams can also see strategic and tactical benefits that go well beyond simply identifying threats on the network.
Defense-in-Depth
Sharing Information
Once threats are detected, that information can easily be shared with a SIEM or XDR platform to correlate with other threats, some of which might individually be considered a weak signal. With a constant flow of network threats now analyzed alongside other security-relevant data, security teams benefit from a more holistic view of threats across their entire network environment. For instance, attackers commonly deploy multi-vector attacks against their targets, such as running a phishing email campaign against multiple employees while simultaneously attempting to exploit a known vulnerability discovered somewhere else on the network. Investigated separately, each may be considered lower priority than when it is considered part of a targeted attack. With NDR in place alongside an XDR, these attacks are no longer investigated in isolation. Instead, they can be correlated and augmented with relevant contextual information, making it much easier to determine that they are related. This additional step, which in most cases occurs automatically, makes security analysts more productive and efficient without additional effort. For additional information on the strategic benefits of NDR, review the NDR Buyers Guide.
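The correlation step described above can be illustrated with a small entity-and-time-window grouper. This is an added example written for this page, not Stellar Cyber code or any product’s algorithm; the alert records, source names, hostnames and the two-hour window are all constructed. Alerts from an email gateway, an IDS and the NDR that share a user or host within the window are folded into one incident, and the incident is prioritized by how many independent sources agree.

```python
"""Correlating weak signals from several sources into one incident.

Added example (not from any vendor's product); every alert below is constructed.
"""
from datetime import datetime, timedelta

# Constructed alerts. "entities" are the users/hosts each alert concerns.
ALERTS = [
    {"id": "A1", "source": "email-gateway", "ts": "2024-05-01T09:00:00",
     "entities": {"user:alice"}, "desc": "phishing email delivered"},
    {"id": "A2", "source": "ndr", "ts": "2024-05-01T09:12:00",
     "entities": {"user:alice", "host:ws-17", "host:web-01"},
     "desc": "first-ever SMB session ws-17 -> web-01"},
    {"id": "A3", "source": "ids", "ts": "2024-05-01T09:40:00",
     "entities": {"host:web-01"}, "desc": "exploit signature against web-01"},
    {"id": "A4", "source": "ndr", "ts": "2024-05-01T09:55:00",
     "entities": {"host:web-01"}, "desc": "web-01 outbound to rare external port"},
    {"id": "A5", "source": "ndr", "ts": "2024-05-03T14:00:00",
     "entities": {"user:bob", "host:ws-42"}, "desc": "large upload from ws-42"},
]

WINDOW = timedelta(hours=2)  # assumed correlation window


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(alerts, window=WINDOW):
    """Group alerts that share an entity within `window` of a group's last alert."""
    incidents = []  # each: {"ids", "entities", "sources", "last_ts"}
    for alert in sorted(alerts, key=lambda a: _parse(a["ts"])):
        ts = _parse(alert["ts"])
        matches = [inc for inc in incidents
                   if inc["entities"] & alert["entities"]
                   and ts - inc["last_ts"] <= window]
        if not matches:
            incidents.append({"ids": [alert["id"]],
                              "entities": set(alert["entities"]),
                              "sources": {alert["source"]},
                              "last_ts": ts})
            continue
        target = matches[0]
        # One alert may bridge previously separate groups; fold them into the first.
        for other in matches[1:]:
            target["ids"] += other["ids"]
            target["entities"] |= other["entities"]
            target["sources"] |= other["sources"]
            incidents.remove(other)
        target["ids"].append(alert["id"])
        target["entities"] |= alert["entities"]
        target["sources"].add(alert["source"])
        target["last_ts"] = ts
    return incidents


def prioritize(incident):
    """More independent sources agreeing on the same entities -> higher priority."""
    n = len(incident["sources"])
    return "high" if n >= 3 else "medium" if n == 2 else "low"


def triage(alerts):
    """Return (alert ids, priority) per incident, in time order."""
    return [(inc["ids"], prioritize(inc)) for inc in correlate(alerts)]


if __name__ == "__main__":
    for ids, priority in triage(ALERTS):
        print(priority, ids)
```

Run stand-alone, the phishing alert, the NDR’s first-seen SMB session, the IDS exploit signature and the NDR egress alert collapse into a single high-priority incident because they chain through the shared user and host, while the unrelated upload two days later stays a low-priority singleton. Real platforms use richer entity models and scoring, but the principle is the same: a shared entity inside a time window is what turns four weak signals into one investigation.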
How does NDR Compare with EDR and XDR?
NDR Requirements
- NDR products must collect network traffic information in real time and store the collected data to make automated analysis possible.
- NDR products must be able to normalize and enrich collected data with contextually relevant information to facilitate comprehensive analysis.
- NDR products must also establish a baseline of regular network traffic, typically using machine learning algorithms. Once the baseline is established, the NDR product should quickly surface instances when the network traffic witnessed is outside the typical traffic patterns, alerting security analysts in real time of the anomaly.
- NDR products should cover both on-premises and cloud assets.
- NDR products should work to aggregate related alerts into actionable investigation buckets, making it easy for security analysts to 1) understand the scope of an attack and 2) take response actions.
- NDR products must provide an automated means to take appropriate response actions when they are deemed necessary due to the nature and scope of an attack.
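The baselining requirement above, and the earlier point that metadata analysis works even when the payload is encrypted, can be shown with a minimal flow-metadata detector. This is an added example written for this page, not Stellar Cyber code or any product’s detection logic; the flow records, addresses, thresholds and the “learning period” are all constructed, and the statistical baseline stands in for the machine-learning models the text mentions. Only byte counts, destinations and timing are used, so nothing in the TLS payload needs to be decrypted.

```python
"""Baseline-and-anomaly detection over flow metadata.

Added example (not Stellar Cyber code). Every record is constructed; flows are
treated as opaque (TLS), so only size, destination and timing are inspected.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-period flows: (timestamp_s, src, dst, dst_port, bytes_out).
BASELINE_FLOWS = [
    (t, "10.0.0.5", "93.184.216.34", 443, 1200 + (t % 7) * 50)
    for t in range(0, 3600, 90)
] + [
    (t, "10.0.0.5", "10.0.0.20", 445, 4000 + (t % 5) * 100)
    for t in range(0, 3600, 300)
]

# Constructed observation window: one oversized upload to a known destination and
# a fixed-interval stream of small flows to a destination never seen before.
OBSERVED_FLOWS = [
    (3610, "10.0.0.5", "93.184.216.34", 443, 1300),
    (3620, "10.0.0.5", "93.184.216.34", 443, 950_000),
] + [
    (3600 + 60 * k, "10.0.0.5", "198.51.100.77", 443, 512) for k in range(1, 9)
]


def build_baseline(flows):
    """Per (src, dst_port): (mean, stdev) of bytes_out and the destinations seen."""
    sizes = defaultdict(list)
    dests = defaultdict(set)
    for _, src, dst, port, nbytes in flows:
        sizes[(src, port)].append(nbytes)
        dests[(src, port)].add(dst)
    stats = {key: (mean(vals), pstdev(vals)) for key, vals in sizes.items()}
    return stats, dests


def size_outliers(flows, stats, z_threshold=3.0):
    """Flows whose bytes_out sits far above the learned size for (src, port)."""
    flagged = []
    for flow in flows:
        _, src, _, port, nbytes = flow
        if (src, port) not in stats:
            continue  # no baseline for this pair; beacons() handles unseen peers
        mu, sigma = stats[(src, port)]
        # A constant-size baseline has sigma == 0; treat any growth as anomalous.
        if nbytes > mu and (sigma == 0 or (nbytes - mu) / sigma > z_threshold):
            flagged.append(flow)
    return flagged


def beacons(flows, dests, min_count=5, max_jitter=0.1):
    """(src, dst) pairs talking at near-constant intervals to an unseen destination."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if dst not in dests.get((src, port), set()):
            times[(src, dst)].append(ts)
    found = []
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: near 0 means clockwork-like timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append(pair)
    return found


def detect(observed, baseline_flows=BASELINE_FLOWS):
    """Learn from the baseline window, then score the observed window."""
    stats, dests = build_baseline(baseline_flows)
    return {"size_outliers": size_outliers(observed, stats),
            "beacons": beacons(observed, dests)}


if __name__ == "__main__":
    for kind, hits in detect(OBSERVED_FLOWS).items():
        print(kind, hits)
```

Against the constructed data the 950 KB upload is flagged because it is many standard deviations above the learned size for that host and port, and the eight evenly spaced 512-byte flows to a never-seen address are flagged as beaconing; the baseline window scored against itself produces no alerts. A production NDR would learn per-asset models over days rather than an hour and add protocol and signature context, but the two checks here are the shape of what the baseline requirement asks for.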
EDR Requirements
- EDR products must provide security teams with a means to collect and analyze endpoint data in real time. Typically, this is delivered via a deployable endpoint agent that can be easily distributed via the organization’s tool of choice. These endpoint agents should be managed centrally and be easily updated without requiring the device to be rebooted.
- EDR products should be able to analyze applications and services in real-time to root out potentially malicious files and services. When discovered, it should be possible to quarantine the suspicious files and services automatically.
- EDR products should include a customizable correlation rules engine where security teams can either upload a set of publicly available correlation rules or create their own rules from scratch. These rules should include the ability to detect a threat and a means to take an automated response if required.
- EDR products must be easily integrated from a data perspective into another security product, such as a SIEM or XDR platform, so the rich data collected can be analyzed within the context of other security-relevant information.
- EDR products should support deployments on Microsoft Windows devices and different flavors of Linux devices.
- Modern EDR products can also be deployed on certain cloud-based platforms and other cloud-delivered applications such as Microsoft Office 365.
XDR Requirements
Extended Detection and Response (XDR) products are one of the newest technologies in the market, born out of the need to make it easier for lean security teams to deliver continuous security outcomes across their entire enterprise. XDR products must include the following capabilities to deliver the benefits most security teams expect.
- XDR products must ingest data from any data source available. This data can include 1) alerts from any deployed security control, 2) log data from any service in use by an organization, such as the logs created by the organization’s identity management system, and 3) log and activity-related information from any cloud environment and application, such as activity information collected from a Cloud Access Security Broker (CASB) solution.
- XDR products should ideally normalize all collected data to enable comprehensive analysis at scale.
- XDR products should use machine learning and artificial intelligence (AI) to correlate seemingly unrelated alert and activity data into easily investigable security incidents/cases.
- XDR products should automatically contextualize all collected data with important information, making it easy for security analysts to complete investigations quickly.
- XDR products should direct security analysts’ efforts by prioritizing suspected security incidents by their potential impact on the organization.
- XDR products should provide an automated response capability that can be initiated without human intervention based on the severity/impact of a potential threat.
In summary, both NDR and EDR products are ultimately inputs into an XDR platform that enables security analysts to complete cybersecurity investigations faster and more effectively than ever.
Common NDR Use Cases
Lateral Movement
By moving across the network, attackers could also identify a vulnerable application or service that enables them to open a “back door” later to re-enter the environment at will. Further, to maintain persistence in an environment, many attackers will attempt to escalate the privileges of a compromised user account to administrator rights, giving them carte blanche to make changes to the environment, potentially turning off certain security features and deleting logs that could leave breadcrumbs for security teams to use to complete their investigations. With an NDR that monitors network activity in real time, security teams can quickly identify suspicious activity between network assets and abnormal traffic patterns from their network to the outside world. NDR products correlate this abnormal activity with user actions, which can highlight when an attacker is moving freely across their network assets.
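The lateral movement case above, an asset suddenly opening administrative sessions to hosts it has never spoken to, correlated back to the user logged on at the time, can be shown with a short internal-connection detector. This is an added example written for this page, not Stellar Cyber code or any product’s logic; the baseline pair set, connection log, logon records, hostnames, port list and thresholds are all constructed.

```python
"""Spotting lateral movement from internal connection metadata plus logon context.

Added example (not Stellar Cyber code); all records below are constructed.
"""
from collections import defaultdict

ADMIN_PORTS = {22, 445, 3389, 5985}  # SSH, SMB, RDP, WinRM: typical admin channels

# Constructed learned baseline of (src, dst, port) pairs seen during normal operation.
BASELINE_PAIRS = {
    ("ws-17", "fs-01", 445), ("ws-17", "print-01", 445),
    ("adm-01", "dc-01", 445), ("adm-01", "srv-03", 3389),
}

# Constructed internal connection log: (timestamp_s, src, dst, dst_port).
CONNECTIONS = [
    (100, "ws-17", "fs-01", 445),     # known pair
    (130, "ws-17", "srv-01", 445),    # never-seen admin-port pairs begin here
    (135, "ws-17", "srv-02", 445),
    (140, "ws-17", "srv-03", 3389),
    (150, "ws-17", "dc-01", 445),
    (160, "ws-17", "srv-04", 5985),
    (200, "adm-01", "dc-01", 445),    # admin host, known pair
    (210, "adm-01", "srv-09", 3389),  # one new pair: below threshold
    (220, "ws-17", "web-01", 80),     # new pair, but not an admin port
]

# Constructed interactive logon records: (timestamp_s, user, host).
LOGONS = [(50, "alice", "ws-17"), (90, "svc-backup", "adm-01"), (300, "carol", "ws-17")]


def logged_on_user(logons, host, at_ts):
    """Most recent interactive logon on `host` at or before `at_ts`, if any."""
    candidates = [(ts, user) for ts, user, h in logons if h == host and ts <= at_ts]
    return max(candidates)[1] if candidates else None


def detect_lateral_movement(connections, baseline, logons,
                            window=120, min_new_targets=3):
    """Sources opening admin-port sessions to >= min_new_targets unseen hosts
    within `window` seconds, with the user logged on when the burst started."""
    new_by_src = defaultdict(list)
    for ts, src, dst, port in connections:
        if port in ADMIN_PORTS and (src, dst, port) not in baseline:
            new_by_src[src].append((ts, dst))

    findings = {}
    for src, events in new_by_src.items():
        events.sort()
        best = None
        # Slide a window over the first-seen events and keep the widest fan-out.
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_new_targets and (
                    best is None or len(targets) > len(best[1])):
                best = (start, targets)
        if best:
            start, targets = best
            findings[src] = {"user": logged_on_user(logons, src, start),
                             "first_ts": start,
                             "targets": sorted(targets)}
    return findings


if __name__ == "__main__":
    for src, info in detect_lateral_movement(CONNECTIONS, BASELINE_PAIRS, LOGONS).items():
        print(f"{src} ({info['user']}) fanned out to {info['targets']} at t={info['first_ts']}")
```

On the constructed log only ws-17 is reported: five first-ever SMB, RDP and WinRM sessions inside thirty seconds, attributed to alice because she was the interactive user on that workstation when the burst began. The admin host with a single new RDP pair and the workstation’s new HTTP connection are left alone, which is the point of combining a learned pair baseline with a protocol filter and a fan-out threshold rather than alerting on every new connection.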