Learn how organizations monitor, detect, and respond to suspicious network activity.
InsightIDR ProductNetwork detection and response (NDR) is the practice of applying rules or signatures to network traffic in order to automatically trigger alerts for activity that could indicate malicious behavior.
The NDR solution category is emerging out of what was previously known as network traffic analysis (NTA), which also aimed to monitor network traffic. The broadening in scope was a response to the need for the category to include automated response actions in standard solutions.
This means that most modern solutions feature the ability to monitor, detect, and respond to potential threats. This means that, after a threat has been detected, security personnel can take immediate steps to contain or respond, quickly killing malicious processes or quarantining infected endpoints.
According to Gartner®, organizations rely on NDR to detect and contain postbreach activity such as ransomware, insider threats, or lateral movement. Core capabilities include:
NDR works by bringing together a team of security professionals to input processes to monitor, detect, and respond to alerts that could negatively affect the integrity of the network and business. Let's look more closely at those processes:
One of the most important aspects of this process is the ability to access real-time information about user activity, application activity, and web activity. Additionally, network data should be easily searchable so that analysts can accelerate investigations into alerts based on suspicious activity. It’s also important to be able to build custom alerts as well as access a library of attacker behavior analytics (ABA) so that the process is starting from a wealth of information about past suspicious activity.
It's extremely critical to establish a baseline of usual network behavior and actions so that automated systems know what is normal and what is suspicious. For example, user-behavior analytics (UBA) are helpful for enabling your team to quickly determine whether a potential threat is an outside attacker impersonating an employee or an employee who presents some kind of risk, whether through negligence or malice. UBAs connect activity on the network to a specific user as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user.
NDR solutions should have the ability to take automated actions when an incident is detected. From quarantine, to connection termination, to executing a series of predefined actions developed by security operations center (SOC) analysts, it should be possible these days to rapidly take down an attacker if a network perimeter is breached, whether on-prem or in the cloud. Actions taken during this process would include deep-dive analysis of incidents, reverse-engineering attack methodology like malware, creating intrusion reports.
A threat-intelligence (TI) feed should be a continuous stream of data that informs automated threat prioritization and remediation efforts. A TI feed should help a security organization to compensate for its potential lack of context for certain threats. Threat feeds come in many forms, from open source community-driven lists to paid private feeds. The effectiveness of these feeds strongly depends on a number of factors:
Contextual intelligence feeds provide analysts not only with indicators of compromise (IOCs) but also a thorough explanation of the attacker's use of infrastructure and tools. Feeds containing contextual information are far more effective for successful threat detection.
The benefits of NDR are vast. There is no limit to the amount of protection, detection, and overall benefits that can come from closely monitoring your network for malicious activity and enacting quick responses – here are a few of those benefits:
NDR is a must-have, but modern attacker methodologies extend beyond the network – and your security coverage should as well. NDR is great at examining network logs, but it doesn’t cover endpoint alerts and events and also doesn’t extend to the cloud.
For this reason, NDR products aren’t typically used as standalone solutions. Rather, they’re part of a suite of solutions that offer comprehensive coverage for true extended detection and response (XDR). This includes:
User telemetry provides insights on file and network access, registry access or manipulation, memory management, and start-and-stop activity. Unusual behavior detected can include processes that spawn command shells, memory injection attempts, or accessing unusual file locations.
Server telemetry provides information on extremely differentiated data. Since servers handle so much crucial organizational functionality, XDR telemetry can help prioritize investigations and remediations of incidents on a more macro level.
Network telemetry provides insights on traffic, particularly a sudden increase in volume, new network protocols, or anomalous privilege escalations. Advanced encryption methods can often hinder deeper network analysis that could otherwise thwart threat actors. Combined with endpoint telemetry however, network traffic analysis can be a cornerstone of an XDR offense.
Cloud telemetry provides insights on infrastructure. This can include detecting security anomalies for any cloud workloads or deployed components. Attackers specifically targeting an organization’s cloud can easily gain access with the proper credentials, so it’s important to leverage the advanced detection technology of XDR to hunt threats faster and fortify cloud environments.
By incorporating attacker behavior analytics as a threat-detection methodology, teams can quickly develop new rules for emerging attacker behavior and push detections out within minutes of discovering a new technique or trend. UBAs are adept at identifying breaches in the “lateral movement” phase of the attack chain. ABAs enable detection of attacker activities in all other phases of the attack lifecycle.
Gartner, Market Guide for Network Detection and Response, Jeremy D’Hoinne, Nat Smith, Thomas Lintemuth, 14 December 2022.