NDR vs. Open XDR – What’s the difference?
Every security tool vendor talks about detection and response, so what makes NDR so special, and how does it relate to XDR / Open XDR?
NDR is special because it focuses on the nerve center of an organization’s IT infrastructure: the network. Wireless or wired device, endpoint or server, application, user or cloud – all are connected to the network, and the network never lies. It’s the foundation of truth about what’s happening in the IT infrastructure.
NDR solutions use non-signature-based techniques (for example, machine learning or other analytical techniques) for unknown attacks alongside quality signature-based techniques (for example threat intelligence fused in-line for alerts) for known attacks to detect suspicious traffic or activities. NDR can ingest data from dedicated sensors, existing firewalls, IPS/IDS, metadata like NetFlow, or any other network data source, assuming strategic placement of sensors and/or other network telemetry. Both north/south traffic and east/west traffic should be monitored and traffic in both physical and virtual environments should be monitored. All data is collected and stored in a centralized data lake with an advanced AI engine to detect suspicious traffic patterns and raise alerts.
Once alerts are triggered, the analyst or NDR solution must respond. Response is the critical counterpart to detections and is fundamental to NDR. Automatic responses such sending commands to a firewall to drop suspicious traffic or to an EDR tool to quarantine an affected endpoint, or manual responses such as providing threat hunting or incident investigation tools are common elements of NDR.
So how does XDR relate to all this? In our view, NDR and XDR are not an either/or proposition. In fact, our Open XDR Platform incorporates NDR functionality natively, along with next-generation SIEM, threat intelligence and many other functions necessary for security operations. Using our dedicated sensors or integrations with existing security tools like firewalls, our platform captures and analyzes network traffic along with server logs, user information, endpoint data and many other data types to give security analysts a 360-degree view of their entire security infrastructure, along with the ability to respond quickly.
Our AI engine analyzes data from all sources across the IT infrastructure for anomalies and unknown threats (including NDR for network traffic), and correlates and combines related alerts into incidents. Those incidents are presented in our Loop dashboard interface in order of risk priority. This way, analysts are no longer chasing down every individual alert like swatting away so many flies, but can focus their attention on actual complex attacks – where they are occurring, how they’re occurring, and what to do about them, in a very efficient manner. And in many cases, our Open XDR Platform responds automatically by triggering actions in a firewall or EDR system, for example.
The result of natively incorporating NDR as part of XDR is that our platform captures the real truth about what’s happening in your IT infrastructure, presents actionable information clearly with context and in order of priority, and allows analysts to counteract actual attacks instead of chasing hundreds or thousands of individual alerts each day. By combining NDR and Open XDR, we make security fun and effective again!