What is NDR - Network Detection and Response?
Gartner Inc. defines network detection and response (NDR) as using “non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. NDR tools continuously analyze raw traffic and/or flow records to build models that reflect normal network behavior.”
NDR is a type of network security solution that monitors and analyzes all network traffic, including north/south and east/west traffic using strategically placed sensors. When suspicious traffic patterns are detected, NDR responds automatically to the threat or sends alerts to security operators for further investigation. Threat correlation is a key feature of NDR and provides security teams with the context to simplify forensic investigation, threat hunting, and risk remediation.
Why Network Detection and Response?
Organizations are facing an increasingly dangerous threat landscape. On the one hand, threat actors are constantly refining and developing new tactics, techniques, and procedures (TTPs) to evade security detection and cause more damage. On the other hand, accelerated digital transformation in the past few years has widened organizations’ attack surface, presenting adversaries with more weaknesses to exploit.
The number of global security incidents has increased by a staggering 67% over the past 5 years, with small and medium-sized businesses (SMBs) targeted 43% of the time. While taking down large enterprises with deep pockets is the ultimate goal, attackers have found it far easier to attack smaller businesses with less robust cyber security capabilities. They then use the data and access they steal to climb the ladder and attack larger partner enterprises or even attack customers directly. Ransomware continues to be the fastest growing type of cybercrime, with profits reaching $20 billion in 2021.
When setting out to enhance your network security capabilities, you must remember that no individual security solution offers 100% protection. Protection must be a collaborative effort between multiple security solutions and qualified security personnel. Recognized as one of the pillars of the Gartner SOC Visibility Triad, network detection and response is fast becoming a must-have component of a security operations center (SOC) that helps security teams detect the most advanced threats.
Let’s explore in further detail how NDR works in threat detection and response.
How NDR Works in Threat Detection and Response
NDR is unique in that it is designed on the assumption that threats are already residing in the network and, thus, takes an active approach to detecting them. Here are some highlights of how NDR works to detect and respond to threats.
- Monitors and analyzes traffic from across the network to provide security teams with complete visibility of network activity and network devices.
- Uses machine learning to develop baselines of normal network behavior and continuously applies AI-driven traffic analysis to detect activity that deviates from those baselines.
- Detects threats in real-time and coordinates with other security tools to respond automatically to detected threats or provides timely alerts for incident response teams.
- Correlates traffic from various data sources to determine how threats entered and moved through the network to streamline incident response and threat hunting efforts.
Let’s drill down even deeper into how NDR works in terms of monitoring, detection, and response.
Provides Complete Network Visibility
One of the biggest obstacles to securing the network is the lack of network visibility. Put simply, you cannot defend against threats that you cannot see. Then there is the problem of shadow assets – devices on a network that security administrators are unaware of and, therefore, cannot adequately protect. NDR solves these problems by giving security administrators and security teams the visibility they need. By monitoring and analyzing network-wide traffic, NDR solutions can both detect suspicious behavior to identify threats and discover every device connected to the network, ensuring that no device is left unprotected.
Detects Irregular Behavior to Uncover Threats
Fileless malware has become very popular because signature-based tools often miss it. Attackers also frequently use legitimate tools already present on the network to hide their activity. Network detection and response solutions are designed for just these situations. NDR uncovers malicious activity using anomaly detection, which works by identifying network activity that deviates from normal network behavior. The idea is that, as sophisticated and evasive as malicious activities can be, they are still different from normal behavior, and NDR is equipped to detect that difference. To elaborate, NDR solutions use machine learning to build and continuously refine baselines of normal network behavior. Traffic from across the network is aggregated and undergoes correlation analysis using artificial intelligence and behavioral analytics to extract activity patterns. The analysis results are compared with the baselines in real time to detect irregular behavior.
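The baseline-and-compare idea described above, as an added illustration that is not Sangfor's code or Cyber Command's detection logic: the hosts, flow records, learning window and z-score threshold are all constructed for the example. Each source host gets a profile of its normal hourly bytes out and the destination/port pairs it usually talks to; a live window is then scored against that profile.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real telemetry: (hour, src, dst, dst_port, bytes_out).
# Hours 0-23 form the learning window; hour 24 is the live window to be scored.
BASELINE = [
    (h, src, "10.0.1.10", 443, 5000 + 200 * (h % 5))
    for h in range(24)
    for src in ("10.0.0.5", "10.0.0.7")
]
LIVE = [
    (24, "10.0.0.7", "10.0.1.10", 443, 5100),       # ordinary HTTPS to the usual server
    (24, "10.0.0.5", "203.0.113.9", 443, 200_000),  # large upload to a never-seen destination
    (24, "10.0.0.7", "10.0.0.8", 445, 300),         # SMB to a peer this host never talked to
]

def learn_baseline(flows):
    """Per-source profile: mean/stdev of hourly bytes out plus the (dst, port) pairs seen."""
    hourly = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for hour, src, dst, port, nbytes in flows:
        hourly[src][hour] += nbytes
        peers[src].add((dst, port))
    profile = {}
    for src, by_hour in hourly.items():
        samples = list(by_hour.values())
        profile[src] = {"mean": mean(samples), "std": pstdev(samples), "peers": peers[src]}
    return profile

def score_window(flows, profile, z_threshold=3.0):
    """Flag hosts whose live-window behaviour deviates from their learned baseline."""
    alerts, totals = [], defaultdict(int)
    for _hour, src, dst, port, nbytes in flows:
        totals[src] += nbytes
        known = profile.get(src)
        if known is None:  # shadow asset: never seen during the learning window
            alerts.append((src, "unknown_host", f"{src} has no baseline"))
        elif (dst, port) not in known["peers"]:
            alerts.append((src, "new_peer", f"{src} -> {dst}:{port} not in baseline"))
    for src, total in totals.items():
        known = profile.get(src)
        if known is None or known["std"] == 0:
            continue
        z = (total - known["mean"]) / known["std"]  # stdevs above the host's hourly norm
        if z > z_threshold:
            alerts.append((src, "volume", f"{src} sent {total} bytes, z={z:.1f}"))
    return alerts

def detect():
    """Learn from the baseline window and score the live window; returns the alert list."""
    return score_window(LIVE, learn_baseline(BASELINE))
```

Running `detect()` yields a volume alert and a new-peer alert for 10.0.0.5 and a new-peer alert for 10.0.0.7; the ordinary HTTPS flow raises nothing, which is the point of comparing against a per-host baseline rather than a fixed rule.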
Initiates Automated and Coordinated Response
NDR can be configured to respond automatically to threats through security orchestration. When NDR detects a threat, it initiates a rapid, coordinated response with other security solutions according to pre-defined playbooks. For example, an employee may accidentally click on a malicious link within a phishing email, which downloads malware onto the device. Suppose the malware manages to evade both firewall and endpoint security detection, allowing the attacker to start operating inside the network. NDR could pick up the attacker’s activities by correlating data from various sources to chain together a series of malicious events. NDR then instructs the firewall to block any related communications in this chain and isolates any compromised hosts. It could also instruct the endpoint detection and response (EDR) solution to run a self-scan and wipe any malicious files. Alternatively, security teams can be alerted for manual investigation and response.
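The phishing scenario above, worked through as an added example that is not Sangfor's code or a Cyber Command playbook: the event records, the three stage names, the 30-minute chaining window and the action names are all constructed for the illustration. Events from different tools are stitched into a per-host chain by time, and only a chain that progresses through more than one stage triggers the coordinated actions; a lone beacon sighting is left for an analyst.

```python
from datetime import datetime, timedelta

# Constructed events from three telemetry sources (not real logs). Each names the host it
# concerns, which is the key used to stitch events from different tools into one chain.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "proxy", "host": "10.0.0.5", "stage": "phish_click", "peer": "203.0.113.20"},
    {"ts": "2024-05-01T09:00:40", "source": "ndr", "host": "10.0.0.5", "stage": "c2_beacon", "peer": "203.0.113.20"},
    {"ts": "2024-05-01T09:03:10", "source": "ndr", "host": "10.0.0.5", "stage": "lateral_smb", "peer": "10.0.0.8"},
    {"ts": "2024-05-01T13:15:00", "source": "ndr", "host": "10.0.0.7", "stage": "c2_beacon", "peer": "198.51.100.4"},
]
STAGE_ORDER = ["phish_click", "c2_beacon", "lateral_smb"]  # expected progression of the scenario
WINDOW = timedelta(minutes=30)  # events further apart than this are not chained together

def build_chains(events):
    """Group events per host in time order, starting a new chain when the gap exceeds WINDOW."""
    chains = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        host_chains = chains.setdefault(ev["host"], [[]])
        current = host_chains[-1]
        if current and t - datetime.fromisoformat(current[-1]["ts"]) > WINDOW:
            host_chains.append([ev])
        else:
            current.append(ev)
    return chains

def playbook(chain):
    """Map a chain to playbook actions; only a multi-stage chain in kill-chain order auto-responds."""
    host = chain[0]["host"]
    ranks = [STAGE_ORDER.index(ev["stage"]) for ev in chain]
    if len(chain) < 2 or ranks != sorted(ranks):
        return [("alert", host, f"{len(chain)} event(s), analyst review")]
    actions = []
    for ev in chain:
        if ev["stage"] == "c2_beacon":
            actions.append(("firewall_block", ev["peer"], "block the C2 peer at the perimeter"))
        if ev["stage"] == "lateral_smb":
            actions.append(("isolate_host", ev["peer"], "contain the lateral-movement target"))
    actions.append(("isolate_host", host, "contain the initially compromised host"))
    actions.append(("edr_scan", host, "instruct EDR to scan and clean the host"))
    return actions

def respond(events):
    """Run every chain through the playbook and return the actions keyed by host."""
    return {host: [a for chain in chains for a in playbook(chain)]
            for host, chains in build_chains(events).items()}
```

For the constructed events, 10.0.0.5 produces a firewall block for the C2 peer, isolation of both the origin host and the lateral target, and an EDR scan, while 10.0.0.7 produces only an alert because its single beacon has no preceding stage to corroborate it.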
Sangfor Cyber Command “What is NDR” Whiteboard Video
To simplify the technical concept, Sangfor’s security team made a whiteboard video to explain the ins and outs of Network Detection and Response. In this video, Jason Yuan, VP of Sangfor International Market, provides a simple yet informative explanation of NDR and Sangfor’s NDR solution, Cyber Command.
Key Advantages of Network Detection and Response
By now, you should have a pretty clear idea of how NDR works and its superior threat detection and response capabilities. Let’s now go through a few key advantages NDR provides.
Eliminate Security Gaps
Point solutions like firewalls and EDR generally do a decent job at their respective functions, but gaps exist between each solution’s sphere of influence that allow threats to evade detection. Network detection and response is the last piece of the jigsaw that plugs these gaps. By monitoring and analyzing traffic across the entire network, NDR creates a foolproof system in which no threat can hide. You should remember that the attacks that are the most difficult to detect tend to be the most devastating. That is why keeping out the last 1% of the most dangerous threats prevents catastrophic losses and impact and could be the difference between life and death for small and mid-size businesses.
Continuous Threat Detection
One weakness of the majority of security tools is that they can be evaded or even disabled. For example, attackers can bypass firewall rules using various evasion techniques, such as spoofing the IP address or routing through a proxy server. Attackers can also kill the processes that endpoint security tools like antivirus and EDR rely on to run. The advantage of threat detection at the network layer is that cyber-attacks generate traffic one way or another, so they cannot hide their activity. NDR solutions cannot be switched off either, because they observe network traffic out of band rather than running on the hosts an attacker may control. In fact, attackers won’t even know that their activities are being monitored by NDR and will be less careful. While other security tools can fail, NDR provides a continuous and robust last line of defense.
Uncover Threats with Deep Packet Inspection
It is estimated that over 90% of malware is hidden in encrypted traffic. Only with deep packet inspection can security tools uncover this kind of malicious code. This is indeed possible with firewalls and EDR solutions. However, they typically do so in a way that consumes too many computing resources. Network detection and response solutions, on the other hand, use out-of-band decryption, which does not cause performance degradation. Therefore, NDR provides the visibility needed to detect threats in encrypted traffic without affecting performance.
Streamline Threat Hunting and Remediation
Correlating traffic from across the network not only enables NDR to detect anomalous activity to uncover threats but also streamlines forensic investigation after the security incident. By being able to chain the malicious activities together, security analysts can trace the attack step-by-step back to the point of entry and find out the root cause of the attack. This is critical for threat hunting to remove any residual threats and remediating any weaknesses that enabled the threat to penetrate and spread through the network, thus preventing future exploitation of the same weaknesses.
Protect IoT Devices
IoT, short for the internet of things, is a category of internet-connected devices other than conventional devices like PCs, laptops, and mobile phones. IoT devices such as smart light bulbs, thermostats, and printers are gaining popularity in offices. Industrial and medical IoT devices are also being widely adopted. The problem with IoT devices is that most contain vulnerabilities and lack the computing resources to run endpoint security software. As a result, IoT devices are increasingly being exploited by threat actors to gain network access. NDR is equipped to protect IoT devices in two ways: first, by detecting their presence on the network (IoT devices are often not reported to IT and become shadow assets), and second, by detecting anomalous behavior to and from IoT devices.
How to choose an NDR solution
Look for an NDR solution that provides network-wide visibility. Visibility of all network traffic means IT teams are able to analyze and monitor for threats with more accuracy, and the automated security functions reduce the number of false positive alerts IT teams must deal with. The faster traffic is monitored and analyzed, the less likely it is that malware will move through the network. As many industries are adopting a cloud-first approach to digital transformation and network security, look for an NDR solution that is cloud-ready and can work in multi-cloud environments.
Sangfor’s Intelligent NDR Solution
Sangfor recognized the need for an artificially intelligent network detection and response system to counter the ever-growing list of cyber threats. That’s why Sangfor’s R&D team developed the Sangfor Cyber Command.
“Typically, firewalls are designed to only monitor the traffic that goes through the firewall itself,” explains Jason Yuan, VP of Sangfor International Market. “Sangfor Cyber Command does something called network traffic analysis (NTA). We sit right next to one of your core switches and analyze all your traffic.”
Cyber Command features sophisticated detection capabilities thanks to a broad range of intelligent technologies such as machine learning and AI analysis. The Cyber Command Response Center allows administrators to watch the network carefully, with contextualized and easy-to-read logs ready at the touch of a button. Combined with Sangfor Endpoint Secure and Sangfor NGAF - Next Generation Firewall, Cyber Command delivers rapid response for maximum security and protection of your network.
Sangfor Whitepaper on Network Detection and Response
Ransomware is the biggest cyber threat of the 21st century. With the advent of ransomware-as-a-service (RaaS), attackers no longer need to be skilled to successfully profit from extortion. Worse, ransomware has leveraged artificial intelligence (AI) to significantly improve both its ability to breach organizations and, more disturbingly, its ability to hide from almost every malware detection tool available today.
Sangfor Technologies has been a leader in threat detection and response solutions for many years. We developed our Cyber Command NDR solution to push the boundaries of threat detection and response using our XDDR security framework. XDDR integrates NDR with all of Sangfor's and certain third-party security products to deliver a holistic way to combat ransomware and APTs that use weaponized AI. Cyber Command uses AI models designed for specific threat hunting use cases to detect and remove weaponized AI.
Read our whitepaper to learn how Sangfor is using purpose-built AI in Cyber Command NDR to detect and combat weaponized AI.
The future of NDR
The global NDR market is expected to grow at a CAGR of 17.5% between now and 2026, and NDR is widely expected to be the go-to network security solution of our time. With ransomware and malware becoming increasingly sophisticated, it’s critical that you prepare for the worst and hope for the best. For more information on NDR, Sangfor Cyber Command, or Sangfor’s suite of network security or cloud solutions, visit us online or email us directly, and see how Sangfor can make your IT simpler, more secure and more valuable.
Frequently Asked Questions
Network detection and response (NDR) is a cybersecurity solution that is used to detect and respond to cyber-attacks that have already breached a computer network. These are likely to be advanced cyber-attacks that were missed by other security solutions and have the potential to cause a major impact.
In terms of threat detection, the basic concept of NDR is to detect irregular behavior in network traffic. Because malicious activity is different from normal network activity, a cyber-attack will show up as irregular behavior in network traffic. To detect irregular behavior, NDR uses machine learning to learn what is considered normal behavior over time. Traffic from across the network is continuously analyzed to detect any activities that deviate from normal behavior.
Because the primary function of NDR is advanced threat detection, it is most needed by organizations that are often targeted by sophisticated cyber-attacks. These include medium to large enterprises, government agencies, and critical public infrastructure such as energy and communication infrastructure, hospitals, schools and universities. Managed service providers (MSPs) that have access to the networks of large enterprise customers and government agencies are also often targeted by sophisticated supply chain attacks.
NDR is different from other cybersecurity solutions in various aspects. The main differences are:
- Sphere of influence: Most cybersecurity solutions are point solutions, that is, they can only protect a particular space. For example, firewalls only protect the network perimeter, controlling what enters and exits the network. Endpoint security software such as antivirus only protects the device it is installed on. NDR takes a holistic approach to threat detection by taking account of all network traffic.
- Method of threat detection: Most traditional cybersecurity solutions rely on signature-based detection, that is, the detection of malware based on known features and patterns. NDR uses anomaly-based detection, that is, the detection of malware and cyber-attacks based on irregular activity. Anomaly-based detection is more accurate for detecting unknown malware and new tactics and techniques used by attackers.
Using cybersecurity solutions such as a firewall and endpoint security software is not only standard practice but also enhances the effectiveness of NDR. In terms of threat detection, NDR can correlate traffic and logs from other security solutions to make better sense of network activity. This helps to produce more accurate threat detection rates. In terms of threat response, NDR can be configured to respond to detected threats by coordinating with other security solutions, for example, to ask the firewall to block a specific IP address.
By taking a holistic approach to threat detection, NDR is equipped to detect advanced cyber-attacks missed by point solutions. These attacks are the most dangerous and have the potential to cause major damage, such as the theft of sensitive data and encryption by ransomware. By being able to detect these attacks, NDR ultimately helps organizations minimize or avoid data and financial losses, ensure business continuity, and protect their reputation.
Sangfor provides NDR as part of its Cyber Guardian managed detection and response (MDR) service. In this service, Sangfor deploys its Cyber Command NDR solution in your environment, and its security experts monitor your network traffic 24/7 to detect and respond to signs of cyber-attack. Essentially, Sangfor provides the technology and personnel so that customers can enjoy professional security protection without capital investment.