Discover how security teams leverage network traffic data to identify threats that other tools can’t see

Network detection and response enables security teams to monitor network traffic for signs of unauthorized behavior. When threat actors conduct sophisticated systemwide attacks or engage in lateral movement between subnetworks, they leave traces that network traffic monitoring can detect.

IT teams typically use network traffic analysis tools to gain insights into traffic patterns and address performance issues. In theory, these tools can also detect suspicious activity, but they are not generally designed for this purpose.

Network detection and response tools are explicitly designed to analyze network traffic for signs of malicious behavior.

As a cornerstone of the SOC Visibility Triad, NDR technology pairs with Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) platforms to generate consistent, actionable security insights that keep sensitive assets safe.

How do network detection and response solutions work?

NDR solutions continuously monitor and analyze network traffic, looking for behavioral deviations and indicators of compromise. To do this, they first observe normal network behavior and create a neutral baseline that reflects routine network activity.

When new activity disrupts that established baseline, NDR solutions start generating alerts according to the severity of the observed behavior. As the deviation gets stronger, the NDR system generates increasingly severe alerts so that SOC analysts can investigate the highest-priority issues first.

After detecting a potential threat, analysts can use NDR tools to conduct network-wide remediation processes. This might include updating firewall rules, isolating compromised network segments, and changing network segmentation policies.

What makes NDR different from EDR and SIEM?

Network detection and response looks for security event information directly in network traffic and NetFlow data. Unlike EDR platforms that look for unauthorized behavior on endpoint devices, NDR provides a holistic look at the entire network and all the assets on it.

This may seem similar to SIEM, but there is a key difference. NDR tools do not analyze log data to look for evidence of unauthorized activity. This eliminates the possibility of attackers hiding their activities by tampering with log data, and empowers analysts to look directly at raw network packet data.

What problems do NDR platforms solve?

NDR evolved out of Network Traffic Analysis (NTA) tools, which focused on continuously analyzing raw network traffic and flow records to model normal network behavior. When network activity deviated too far from this established norm, it would trigger an alert and prompt an investigation.

The main difference between NDR and NTA is the addition of automated response capabilities. Earlier generations of network monitoring tools could not take action directly against the threat actors they detected.

Consolidating network detection and response workflows into a single comprehensive toolset led to the creation of this unique tool category. Modern NDR solutions allow organizations to catch malicious behavior and take immediate, automated action to mitigate risk — like telling a firewall to drop suspicious traffic.

Unlike previous generations of network monitoring tools, modern NDR solutions generally do not use signature-based techniques to flag suspicious traffic. Instead, they use machine learning and other advanced analytical techniques to generate deep insights into security performance at scale.

Network detection and response tools address unique threats

NDR solutions can recognize indicators of compromise that other platforms may miss. Because they analyze north-south traffic between internal hosts and the internet as well as east-west traffic between internal hosts, these tools grant total visibility and control to security teams looking for internal threats.

These threats include:

• Suspicious outgoing connections. If a network asset tries to connect to an attacker-controlled command and control server, it will reflect in network traffic and NetFlow data.
• Lateral movement. If hackers breach your network and attempt to move from one segment to another, their activities may trigger NDR alerts that other tools and platforms would miss.
• Data exfiltration. Anyone trying to send a large amount of data off the network should face additional scrutiny. NDR platforms can observe this activity and automatically respond by tightening security around the relevant records.
• Malware activity. NDR tools can use behavioral analytics to detect both known and unknown malware. If a user, asset, or application deviates from its established norms, it may trigger an NDR monitoring alert.
• Rogue devices. NDR solutions can discover unsecured devices operating on the network, potentially uncovering rogue and shadow IT devices that would not otherwise be visible.
• Malicious insiders. These threat actors may have all the privileges and permissions they need to compromise sensitive data, but they can’t avoid leaving traces of their network activities for NDR solutions to track.
• Security policy non-compliance. Legitimate users may bypass important security controls for the sake of usability. NDR tools trigger alerts when employees provide remote access to endpoints, share user accounts, or engage in shadow IT practices.

Why is network detection and response such an important part of operational security?

Threat actors can bypass firewalls, EDR solutions, and other security technologies. If they gain access to the appropriate systems, they can even disable or delete system logs — meaning your SIEM won’t be able to see them.

However, cybercriminals can’t hide the impact their activities have on the network itself. Since abnormal traffic flows are fundamental to cybercrime, detecting those flows directly is an excellent way to detect sophisticated attacks.

Keep in mind that hackers often spend weeks or months inside their victims’ networks before launching catastrophic attacks. As hacker dwell time grows, the amount of damage they can do rises exponentially — and without deep network visibility, there is little risk of getting caught.

NDR solutions completely change the risk/reward profile for cyberattackers prowling on compromised networks. Instead of having free reign to conduct reconnaissance and lateral movement, every action they take increases the likelihood of detection.

When combined with best-in-class EDR and SIEM solutions, this creates a formidable defense that few cybercriminals have the resources to breach. It considerably lowers risk while improving the performance of security operations.

Key features to look for in your NDR solution

Network security is an integral part of the SOC Visibility Triad, and an important component to overall risk management. Not all network detection and response solutions offer the same features, though.

To truly optimize your security expenditure and optimize security event outcomes, you need an NDR solution that offers the following:

• Hands-on capabilities. Many NDR solutions provide a hands-off approach based primarily on detection. These tools don’t have many of the automated response capabilities that analysts need, causing them to spend a great deal of time manually responding to network alerts.
• Raw network packet analysis. Some NDR solutions only analyze NetFlow summary data, while others briefly inspect traffic flows but discard large amounts of information in the process. Best-in-class NDR solutions support analysts by generating meaningful metadata that drives insight from raw network data packets directly.
• Complete security operations support. Network detection and response is best complemented by a fully equipped security operations team capable of conducting investigations and neutralizing threats. Without this support, network analysis may only show you the threat without giving you the tools to respond to it.
• Historical data retention. Investigating network activities often requires finding out who else connected with potentially compromised assets. This is only possible when historical data is retained and stored effectively. Best-in-class solutions let you replay historical data without paying huge storage costs in the process.
• Deployment compatibility. Since NDR is all about visibility, you need to be sure your solution can support your actual IT infrastructure. If you have air-gapped on-premises environments, you have very different implementation needs than a cloud-native organization might.

Remember that NDR solutions are designed to catch insider threats as well as external ones. Every feature must provide visibility and context for both scenarios, ensuring your network is secure against threats from within and without.