The Network Detection and Response (NDR) market: An overview of trends, growth, and evolving cybersecurity solutions

The NDR market is evolving rapidly, driven by the need for more effective security solutions in cloud-based environments. New technologies like AI and ML are being used to detect suspicious behavior and alert security teams before a threat is successful.
But many public sector agencies struggle to deploy and integrate NDR solutions, largely due to limited cybersecurity budgets.
New Vendors
The 2020 Gartner Market Guide for Network Detection and Response (NDR) defines this new security category as tools that “use non-signature-based techniques—machine learning, statistical and heuristic analysis, and other analytical methods—to monitor traffic on enterprise networks and detect abnormal activity.” NDR solutions collect raw network traffic from switch SPAN ports or physical TAPs and analyze it to identify threats. They send alarms and threat correlations to security information and event management (SIEM) solutions or integrate with them to enable a wide range of automated alert-to-action responses.
Unlike traditional Intrusion Prevention System (IPS) signatures, which often misidentify innocuous activities as hostile and trigger hundreds of false alarms per hour, NDR solutions use predictive behavior models that can detect attacks in their early stages, reducing the manual investigation required and greatly shortening the time it takes to investigate a detected threat. NDR solutions also help prevent “alert fatigue,” which can cause security analysts to stop paying attention to alarms or ignore them altogether, allowing a breach to go undetected.
As the market for NDR expands, vendors are offering a wider range of features, including supervised and unsupervised machine learning, managed or cloud-based services, and integration with security orchestration, automation, and response (SOAR) technology to enable automated response to threats. Some also offer a SaaS model, which reduces IT costs by reducing the number of devices required to manage the solution and the number of people needed to support it.
NDR is a critical component of the SOC Visibility Triad, which also includes Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR), because it provides crucial network data that can’t be easily collected by other tools. In addition to providing advanced detection capabilities, NDR provides rich contextual telemetry, standard investigative playbooks, and automation to streamline and expedite threat hunting. It’s an especially good fit for enterprises with Internet of Things (IoT), operational technology (OT) or industrial control systems (ICS) that can’t install agents. It can even detect threats that are brand new and unseen by other cybersecurity tools. The NDR market is evolving quickly, fueled by the demand for 24/7 preventive and immediate cyber protection.
New Applications
NDR software enables agencies to monitor their network for signs of attack activity, including attacks aimed at the collection, manipulation, or exfiltration of data, and helps them detect and respond to those threats. It can be used by organizations of all sizes and industries. Its advantages include visibility, automation, integration, threat detection and response; it is also easy to use and provides detailed analytics. The top vendors in the NDR market include Stellar Cyber, Darktrace, and ExtraHop. The industry’s growth is primarily driven by the digitalization of business operations and an increase in the number of cybercrimes. It is crucial for businesses to protect their sensitive data from cyber-attacks, and NDR software helps detect and respond to these attacks, protecting businesses from financial losses and reputational damage.
NDR tools provide advanced capabilities that go well beyond traditional signature-based security technologies such as intrusion detection and prevention systems (IDS/IPS) and rule-driven Security Information and Event Management (SIEM) solutions. They employ non-signature-based analytical techniques such as machine learning and behavioral modeling to establish a baseline of what normal network behavior looks like, and can quickly detect and issue alerts for traffic that deviates from that baseline.
They can prioritize alerts based on severity, automatically perform key tasks such as threat hunting and automated responses, and integrate with SIEM and EDR solutions to provide complete visibility within the existing workflows of SOCs. These capabilities can improve the accuracy of attack detection, allowing security teams to quickly and confidently identify and respond to threats such as stolen credentials used for lateral movement, unauthorized administrative behaviors, rare file shares, and more.
While traditional cybersecurity tools can detect known threats, they are far less effective at detecting attacks that are new, or that are simple variations of previously seen attacks. With the proliferation of IoT devices, cloud computing, and other digital transformation initiatives, it has become increasingly challenging for IT security teams to keep up with the increasing frequency and sophistication of attacks on their networks. Combined with ongoing shortages of security professionals, these trends have led many state and local governments to turn to NDR solutions to fill gaps in their defenses.
New Threats
The threat landscape is constantly evolving, and attackers are leveraging new tactics to bypass traditional security solutions. Often, these attacks are sneaky and disguised to hide their true behavior from existing detection tools. As a result, many agencies have blind spots in their network defenses. To help fill these gaps, state and local governments can look to advanced NDR solutions that use non-signature-based detection techniques such as behavioral analytics and machine learning to detect attacks and other anomalous activity.
NDR solutions analyze raw traffic packets (not log data) to learn what normal network behavior looks like, then alert security teams when they see suspicious activity that may indicate an attack. This gives teams greater visibility than relying on third-party signature-based tools that can’t baseline behavior over time or uncover stealthy threats that blend in with legitimate traffic. NDR solutions also integrate with SIEM and SOAR (security orchestration, automation and response) solutions to allow security teams to immediately act on alerts and reduce incident response times.
Beyond detecting attacks, NDR solutions can work with firewalls and other security systems to proactively block suspect or known-bad traffic in order to disrupt attackers. This can help prevent attackers from communicating with their command and control (C&C) servers and launching additional attacks. In addition, NDR solutions can detect abnormal traffic associated with C&C servers and alert security teams to these anomalies so they can investigate, isolate and respond.
Advanced NDR vendors improve their ability to find hidden threats by applying behavioral analysis, machine learning and AI to traffic from on-premises, virtual and cloud networks. These models can re-prioritize threats based on likelihood and risk, so analysts can focus their efforts on triage and remediation. Additionally, NDR solutions can incorporate contextual telemetry to further automate and streamline investigations and threat responses, speeding up investigation and resolution.
However, despite the benefits of NDR, implementing these advanced solutions can be challenging for some public entities. For one, budgets in the government sector can be tight and take longer to be approved than in private industry. And staff familiarity with legacy security systems can make it difficult to adopt new technologies.
New Challenges
The influx of new vendors in the NDR market is good news for security teams, but with more options comes more challenges. NDR tools continuously monitor and analyze raw enterprise network traffic to construct models that reflect normal behavior. When suspicious patterns that deviate from this baseline are detected, NDR alerts security teams. By closing blind spots left by EDR (endpoint detection and response) solutions that are limited to endpoints and SIEM (security information and event management) systems that rely on log data, NDR helps cover many attack vectors that would otherwise go unobserved.
NDR uses multiple detection methods to identify malicious activity on the network, including non-signature-based methodologies like machine learning. NDR also sits passively on the network, collecting telemetry from internal, remote and cloud environments without requiring additional hardware on the monitored systems. It then uses this telemetry to perform behavioral analysis and detect suspicious activities on the network.
In addition, NDR offers broad context to see all of the network events that attackers perform, which improves attack detection accuracy. This includes all of an attacker’s reconnaissance and discovery activities that may not create log events, as well as their lateral movement, command and control communications, and exfiltration activities. NDR triangulates the attacker from different attack perspectives to significantly increase the confidence that an assault is occurring and reduce the number of false positives.
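The mechanism the last few paragraphs describe (learn a baseline of normal traffic, alert on deviations, spot command-and-control style periodic connections, and raise confidence by correlating independent signals per host rather than alerting on each one) is shown below as an added Python example. It is not code from the article or from any NDR vendor: the flow records are constructed, the IP addresses are documentation ranges, and the thresholds (a 3-sigma volume deviation, a standard-deviation floor of 10% of the mean, 30 or more connections with interval variation under 10%) are illustrative assumptions, not values the article gives.

```python
"""Added example: a toy behavioural baseline detector over constructed flow records.
Not from the article or any product; all records, IPs and thresholds are assumptions."""
import random
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600
BASELINE_HOURS = range(0, 24)   # training window, assumed to be clean history
DETECT_HOURS = range(24, 26)    # window being analysed


def build_sample_flows(seed=1):
    """Constructed flow records as (ts, src, dst, dport, bytes_out); not real traffic."""
    rng = random.Random(seed)
    flows = []
    for hour in list(BASELINE_HOURS) + list(DETECT_HOURS):
        for src in ("192.0.2.5", "192.0.2.9", "192.0.2.12"):
            # Ordinary browsing: ten flows per hour of 15-25 KB at jittered times.
            for _ in range(10):
                ts = hour * HOUR + rng.randint(0, HOUR - 1)
                flows.append((ts, src, "203.0.113.10", 443, rng.randint(15_000, 25_000)))
    for hour in DETECT_HOURS:
        # 192.0.2.5: a connection every 60 s to one external host (beacon-like) ...
        for k in range(60):
            flows.append((hour * HOUR + k * 60, "192.0.2.5", "198.51.100.7", 443, 512))
        # ... plus a bulk transfer to the same host on another port.
        flows.append((hour * HOUR + 1800, "192.0.2.5", "198.51.100.7", 8443, 25_000_000))
        # 192.0.2.12: a volume spike with no periodic pattern behind it.
        flows.append((hour * HOUR + 900, "192.0.2.12", "203.0.113.50", 443, 10_000_000))
    return sorted(flows)


def hourly_bytes(flows):
    """Sum outbound bytes per (src, hour)."""
    totals = defaultdict(int)
    for ts, src, _dst, _dport, nbytes in flows:
        totals[(src, ts // HOUR)] += nbytes
    return totals


def build_baseline(flows, hours=BASELINE_HOURS, min_std_fraction=0.1):
    """Per-host mean and std of hourly outbound bytes over the training window.
    The std is floored at a fraction of the mean so a host with an almost
    constant history does not alert on trivial fluctuations (assumed floor)."""
    per_host = defaultdict(list)
    for (src, hour), nbytes in hourly_bytes(flows).items():
        if hour in hours:
            per_host[src].append(nbytes)
    baseline = {}
    for src, samples in per_host.items():
        mu = mean(samples)
        baseline[src] = (mu, max(pstdev(samples), min_std_fraction * mu, 1.0))
    return baseline


def volume_anomalies(flows, baseline, hours=DETECT_HOURS, z_threshold=3.0):
    """Hours whose outbound volume deviates from the host's own baseline."""
    hits = defaultdict(list)
    for (src, hour), nbytes in hourly_bytes(flows).items():
        if hour not in hours or src not in baseline:
            continue  # a host never seen in training has no baseline yet
        mu, sigma = baseline[src]
        z = (nbytes - mu) / sigma
        if abs(z) >= z_threshold:
            hits[src].append((hour, nbytes, round(z, 1)))
    return dict(hits)


def beacon_candidates(flows, hours=DETECT_HOURS, min_count=30, max_cv=0.1):
    """(src, dst, dport) tuples whose connection intervals are near-constant."""
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if ts // HOUR in hours:
            times[(src, dst, dport)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")  # coefficient of variation
        if cv <= max_cv:
            found[key] = (len(stamps), round(mu, 1), round(cv, 3))
    return found


def correlate(flows):
    """Combine independent signals per source host into one severity."""
    baseline = build_baseline(flows)
    signals = defaultdict(list)
    for src, hits in volume_anomalies(flows, baseline).items():
        signals[src].append(("volume_anomaly", hits))
    for (src, dst, dport), stats in beacon_candidates(flows).items():
        signals[src].append(("periodic_connection", (dst, dport) + stats))
    report = {}
    for src in baseline:
        n = len(signals.get(src, []))
        severity = "high" if n >= 2 else "medium" if n == 1 else "none"
        report[src] = {"severity": severity, "signals": signals.get(src, [])}
    return report


if __name__ == "__main__":
    for host, entry in correlate(build_sample_flows()).items():
        print(host, entry["severity"], entry["signals"])
```

Two design points carry over to real deployments. The standard-deviation floor is what keeps a quiet host from producing the hundreds of low-value alarms the article attributes to signature tools: without it, a host whose history is nearly constant would cross a 3-sigma line on any small change. Correlation is the other half: the host with both a volume spike and a periodic external connection ranks above the host with only a spike, which is the "triangulation from different perspectives" the text describes, and a real system would add further perspectives (DNS, TLS metadata, lateral connections) to the same per-host scoring.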
As the threat landscape continues to evolve and become more complex, NDR is an essential tool to help close blind spots in a cybersecurity strategy. NDR, when integrated with SIEM and security orchestration, automation and response (SOAR) solutions, helps to ensure that all aspects of the attack chain are detected.
Unlike other security solutions, NDR provides the most comprehensive view of all devices, entities and network traffic. This helps to identify threats that are hiding in the vast volume of unstructured data traversing distributed networks. NDR also enables security analysts to better assess, prioritize and act on threat detections and alerts through full attack reconstructions and built-in response capabilities.
The top use cases for NDR include detecting advanced and zero-day attacks, reducing false positive alerts, providing forensic investigation capabilities and helping to shorten the average attack dwell time, which post-incident reports have documented at five to seven months. To meet these requirements, best-in-breed NDR solutions offer high-fidelity alerts prioritized by severity, automated and manual response capabilities that streamline SOC operational efficiency and reduce threat hunting costs, and a single pane of glass that combines security operations center analytics (SOC TA) with NDR, UEBA and threat protection.