What is Network Detection and Response? 

Network detection and response (NDR) is the practice of applying rules or signatures to network traffic in order to automatically trigger alerts for activity that could indicate malicious behavior.

The NDR solution category is emerging out of what was previously known as network traffic analysis (NTA), which also aimed to monitor network traffic. The broadening in scope was a response to the need for the category to include automated response actions in standard solutions.

This means that most modern solutions feature the ability to monitor, detect, and respond to potential threats. This means that, after a threat has been detected, security personnel can take immediate steps to contain or respond, quickly killing malicious processes or quarantining infected endpoints.

According to Gartner®, organizations rely on NDR to detect and contain postbreach activity such as ransomware, insider threats, or lateral movement. Core capabilities include:

  • Ability to gather activity from raw traffic 
  • Metadata enrichment at the time of collection or during event analysis 
  • Deployment from factors compatible with on-premises and cloud networks 
  • Machine learning (ML) techniques to baseline normal activity and detect abnormal behaviors 
  • Alert aggregation into logical security incidents based on multiple factors, not only alert ID and repeated alerts
  • Automated responses, such as host containment (through integration) or traffic blocking

How does Network Detection and Response Work? 

NDR works by bringing together a team of security professionals to input processes to monitor, detect, and respond to alerts that could negatively affect the integrity of the network and business. Let's look more closely at those processes: 

Detecting Suspicious and Potentially Malicious Activity 

One of the most important aspects of this process is the ability to access real-time information about user activity, application activity, and web activity. Additionally, network data should be easily searchable so that analysts can accelerate investigations into alerts based on suspicious activity. It’s also important to be able to build custom alerts as well as access a library of attacker behavior analytics (ABA) so that the process is starting from a wealth of information about past suspicious activity.

Modeling Baseline Network Behavior 

It's extremely critical to establish a baseline of usual network behavior and actions so that automated systems know what is normal and what is suspicious. For example, user-behavior analytics (UBA) are helpful for enabling your team to quickly determine whether a potential threat is an outside attacker impersonating an employee or an employee who presents some kind of risk, whether through negligence or malice. UBAs connect activity on the network to a specific user as opposed to an IP address or asset. That activity is then compared against a normal baseline of event activity for that user.

Detecting Cyber Incidents

NDR solutions should have the ability to take automated actions when an incident is detected. From quarantine, to connection termination, to executing a series of predefined actions developed by security operations center (SOC) analysts, it should be possible these days to rapidly take down an attacker if a network perimeter is breached, whether on-prem or in the cloud. Actions taken during this process would include deep-dive analysis of incidents, reverse-engineering attack methodology like malware, creating intrusion reports.

Creating Threat Feeds 

A threat-intelligence (TI) feed should be a continuous stream of data that informs automated threat prioritization and remediation efforts. A TI feed should help a security organization to compensate for its potential lack of context for certain threats. Threat feeds come in many forms, from open source community-driven lists to paid private feeds. The effectiveness of these feeds strongly depends on a number of factors:

  • Intel type (hash, IP, domain, contextual, strategic)
  • Implementation 
  • Indicator age
  • Intelligence source

Contextual intelligence feeds provide analysts not only with indicators of compromise (IOCs) but also a thorough explanation of the attacker's use of infrastructure and tools. Feeds containing contextual information are far more effective for successful threat detection. 

What are the Benefits of Network Detection and Response? 

The benefits of NDR are vast. There is no limit to the amount of protection, detection, and overall benefits that can come from closely monitoring your network for malicious activity and enacting quick responses – here are a few of those benefits:

  • High-fidelity alerts: Alerts should include plenty of context so you can make better decisions, remediate the problem, mitigate risk, and quickly contain the alert. 
  • Behavior-based detections: Enable attack detections with high-fidelity network data that helps identify novel variations of new attacker techniques. 
  • Ever-evolving detections: Quality alerts should usually detail known, recent adversary groups using similar techniques in confirmed attacks. This way, everything stays up-to-date and teams can be assured their detection techniques are ever-evolving.  
  • Context: Indicators of attack should surface on the visual timeline of a detection and response (D&R) solution, along with unusual behaviors. This combination makes it even easier for your team to perform investigations and have confidence in the results of the findings.

What are the Limitations of Network Detection and Response? 

NDR is a must-have, but modern attacker methodologies extend beyond the network – and your security coverage should as well. NDR is great at examining network logs, but it doesn’t cover endpoint alerts and events and also doesn’t extend to the cloud.

For this reason, NDR products aren’t typically used as standalone solutions. Rather, they’re part of a suite of solutions that offer comprehensive coverage for true extended detection and response (XDR). This includes:

User-endpoint Telemetry

User telemetry provides insights on file and network access, registry access or manipulation, memory management, and start-and-stop activity. Unusual behavior detected can include processes that spawn command shells, memory injection attempts, or accessing unusual file locations.

Server-endpoint Telemetry

Server telemetry provides information on extremely differentiated data. Since servers handle so much crucial organizational functionality, XDR telemetry can help prioritize investigations and remediations of incidents on a more macro level.

Network Telemetry 

Network telemetry provides insights on traffic, particularly a sudden increase in volume, new network protocols, or anomalous privilege escalations. Advanced encryption methods can often hinder deeper network analysis that could otherwise thwart threat actors. Combined with endpoint telemetry however, network traffic analysis can be a cornerstone of an XDR offense.

Cloud Telemetry

Cloud telemetry provides insights on infrastructure. This can include detecting security anomalies for any cloud workloads or deployed components. Attackers specifically targeting an organization’s cloud can easily gain access with the proper credentials, so it’s important to leverage the advanced detection technology of XDR to hunt threats faster and fortify cloud environments.

Accelerated Defense-in-depth

By incorporating attacker behavior analytics as a threat-detection methodology, teams can quickly develop new rules for emerging attacker behavior and push detections out within minutes of discovering a new technique or trend. UBAs are adept at identifying breaches in the “lateral movement” phase of the attack chain. ABAs enable detection of attacker activities in all other phases of the attack lifecycle.

Gartner, Market Guide for Network Detection and Response, Jeremy D’Hoinne, Nat Smith, Thomas Lintemuth, 14 December 2022.