
Network Detection and Response (NDR): What does it mean?

stephen

What is NDR?

This post focuses on the hottest three-letter acronym of 2020 and 2021: NDR. Network Detection and Response solutions must address an expanding list of threats that do not depend on malware at all: data exfiltration, lateral movement, and targeted attacks on users. Because that activity is made of ordinary-looking connections rather than a known malicious file, teams must deploy solutions that learn what normal looks like and adapt to new patterns in real time to stay vigilant in a changing threat landscape. Plixer Scrutinizer lets network and security operations teams address both sides of the problem, detection and response, from a single interface.

Detection

Let’s break this down using the Gartner definition of NDR:

NDR solutions primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior.

Gartner

OK, so this is just one aspect of what it means to be an NDR tool, but how the data is collected is a big part of what makes these tools so powerful. Analyzing network data at scale, and doing it effectively, is the hallmark of a good solution. The applications range from real-time analysis of traffic on the wire to mining patterns in a data lake of historical flow records. In every case, what is collected, and from where, sets an upper bound on how good the rest of the system can be: a model of normal behavior is only as complete as the telemetry it was built from.

When NDR tools detect suspicious traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing traffic from strategically placed network sensors.

Where you look determines which alerts you can generate. A sensor that only sees perimeter traffic never observes a compromised workstation reaching out to its neighbors, so lateral movement is hard to detect from a single vantage point no matter how much data you have available for analysis. Plixer Scrutinizer and our machine learning module let users monitor single hosts or entire subnets from multiple levels of the network. Intelligent de-duplication ensures that the same activity exported by several devices is reported once, so alarm data stays accurate and is trimmed down to show users only what they need to see.
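To make the detection side concrete, here is an added example (not Plixer code, and not from the original post) of the kind of logic a flow-based NDR runs. It builds a baseline of each internal host's usual peers and daily egress volume from constructed NetFlow-like records, de-duplicates flows exported by both an access switch and a core device, and then flags fan-out to new internal hosts on admin ports (lateral movement) and egress far above the host's own baseline (exfiltration). Field names, sensor names, addresses, ports and thresholds are all assumptions chosen for the example.

```python
"""Flow-record NDR sketch (added example, constructed data): baseline normal
behavior, de-duplicate flows seen by several sensors, then flag lateral
movement and exfiltration without signatures."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}  # SSH, SMB, RDP, WinRM
DAY = 86400

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def flow(sensor, ts, src, dst, dport, nbytes, proto=6):
    """Minimal NetFlow-like record; field names are hypothetical."""
    return {"sensor": sensor, "ts": ts, "src": src, "dst": dst,
            "dport": dport, "proto": proto, "bytes": nbytes}

def dedupe(flows, bucket_s=60):
    """Merge one 5-tuple exported by several sensors in the same time bucket.
    Bytes come from the first copy and are never summed, so a flow seen at
    both the access and core layer is not counted twice in volume checks."""
    merged = {}
    for f in flows:
        key = (f["src"], f["dst"], f["dport"], f["proto"], f["ts"] // bucket_s)
        if key in merged:
            merged[key]["sensors"].add(f["sensor"])
        else:
            merged[key] = {**f, "sensors": {f["sensor"]}}
    return list(merged.values())

def build_baseline(flows):
    """Per internal host: usual internal peers and per-day external egress bytes."""
    peers = defaultdict(set)
    egress = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    for f in flows:
        if not is_internal(f["src"]):
            continue
        if is_internal(f["dst"]):
            peers[f["src"]].add(f["dst"])
        else:
            egress[f["src"]][f["ts"] // DAY] += f["bytes"]
    return {"peers": peers,
            "egress": {h: list(d.values()) for h, d in egress.items()}}

def detect(flows, baseline, new_peer_limit=3, sigma=3.0):
    """East/west: fan-out to new internal hosts on admin ports.
    North/south: egress volume far above the host's own baseline."""
    alerts, new_admin_peers, egress_now = [], defaultdict(set), defaultdict(int)
    for f in flows:
        src, dst = f["src"], f["dst"]
        if not is_internal(src):
            continue
        if is_internal(dst):
            if f["dport"] in ADMIN_PORTS and dst not in baseline["peers"].get(src, set()):
                new_admin_peers[src].add(dst)
        else:
            egress_now[src] += f["bytes"]
    for host, targets in new_admin_peers.items():
        if len(targets) >= new_peer_limit:
            alerts.append({"type": "lateral_movement", "host": host,
                           "targets": sorted(targets)})
    for host, total in egress_now.items():
        samples = baseline["egress"].get(host, [])
        if len(samples) < 2:
            continue  # no baseline yet: stay silent rather than guess
        mu, sd = mean(samples), pstdev(samples)
        # Floor the spread at 5% of the mean so a flat baseline does not
        # turn every small deviation into an alarm.
        threshold = mu + sigma * max(sd, 0.05 * mu)
        if total > threshold:
            alerts.append({"type": "exfiltration", "host": host,
                           "bytes": total, "threshold": round(threshold)})
    return alerts

# Constructed training window: three quiet days for workstation 10.0.1.20.
TRAINING = []
for day in range(3):
    t = day * DAY + 3600
    TRAINING += [flow("core-1", t, "10.0.1.20", "203.0.113.10", 443, 50_000_000),
                 flow("core-1", t + 10, "10.0.1.20", "10.0.2.5", 445, 2_000_000)]

# Constructed detection window on day four, exported by two sensors.
T4 = 3 * DAY + 3600
RAW_TODAY = []
for sensor in ("access-sw1", "core-1"):
    RAW_TODAY += [
        flow(sensor, T4, "10.0.1.20", "198.51.100.7", 443, 600_000_000),  # 12x usual upload
        flow(sensor, T4 + 5, "10.0.1.20", "10.0.1.21", 445, 30_000),      # SMB to new peers
        flow(sensor, T4 + 6, "10.0.1.20", "10.0.1.22", 445, 30_000),
        flow(sensor, T4 + 7, "10.0.1.20", "10.0.1.23", 3389, 30_000),
        flow(sensor, T4 + 9, "10.0.1.20", "10.0.2.5", 445, 2_000_000),    # known peer, ignored
    ]

def run():
    """Build the baseline, de-duplicate today's flows, return (flows, alerts)."""
    today = dedupe(RAW_TODAY)
    return today, detect(today, build_baseline(TRAINING))
```

Two details matter in practice. The de-duplication step keeps the byte count from a single copy of each flow; without it the workstation's upload would be counted once per sensor and every volume threshold would be off by the number of vantage points. And the lateral-movement check only fires on hosts the workstation has never been seen talking to, which is exactly what a perimeter-only sensor cannot observe.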

Response

Response is also an important function of NDR solutions. Automatic responses (for example, sending commands to a firewall so that it drops suspicious traffic) or manual responses (for example, providing threat hunting and incident response tools) are common elements of NDR tools.

Response is where things can get overcomplicated. Many teams do not want these tools taking heavy-handed action to quarantine hosts or block traffic on their own, because a false positive that drops production traffic costs more trust than the alert is worth. Instead, it is very common to push alert data into existing controls such as NAC, firewalls, web application firewalls, and SIEM/SOAR tools. Teams fine-tune the alarm frequencies, thresholds, and patterns they care about, and then let the NDR platform inform the orchestration tools already in place, where the decision to block can be made with the rest of the organization's context.
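As an added illustration of that hand-off (not code from the original post or from Plixer), the following forwarder keeps alarm frequency under control before anything reaches the SIEM/SOAR: repeats of the same alarm for the same host within a window are counted rather than re-sent, an event is emitted only when the count crosses a configured threshold, and the event carries a recommendation for the playbook rather than a block action of its own. The event schema, severity mapping, window and thresholds are hypothetical, as is the constructed alarm stream.

```python
"""Alert hand-off from NDR to SIEM/SOAR (added example, constructed data):
suppress repeats, escalate on thresholds, emit a structured event instead
of blocking traffic directly."""
import json

class AlertForwarder:
    """Collapse repeated (type, host) alarms inside a window and emit an event
    only when the repeat count reaches one of escalate_at.  The event schema
    and severity mapping are hypothetical, not a vendor format."""

    def __init__(self, window_s=3600, escalate_at=(1, 10, 100)):
        self.window_s = window_s
        self.escalate_at = escalate_at
        self.state = {}    # (type, host) -> {"first": ts, "count": n}
        self.outbox = []   # events waiting for the SIEM/SOAR queue

    def ingest(self, alert):
        """Return True if this alarm produced an event, False if suppressed."""
        key = (alert["type"], alert["host"])
        st = self.state.get(key)
        if st is None or alert["ts"] - st["first"] >= self.window_s:
            st = self.state[key] = {"first": alert["ts"], "count": 0}  # new window
        st["count"] += 1
        if st["count"] in self.escalate_at:
            self.outbox.append(self.to_event(alert, st["count"]))
            return True
        return False

    def to_event(self, alert, count):
        """Build the event the orchestration layer consumes.  The NDR only
        recommends; the SOAR playbook decides whether to block, quarantine
        or open a ticket."""
        severity = "high" if count >= 10 else "medium"
        return {
            "source": "ndr",
            "event_type": alert["type"],
            "host": alert["host"],
            "count_in_window": count,
            "severity": severity,
            "detail": alert.get("detail", {}),
            "recommended_action": "isolate_host" if severity == "high" else "investigate",
        }

    def export(self):
        """Newline-delimited JSON, one event per line, for a log shipper."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.outbox)

def run_demo():
    """Constructed stream: a noisy lateral-movement alarm every 10 seconds,
    one exfiltration alarm, and a repeat two hours later that opens a fresh
    window.  Returns the forwarder so its outbox can be inspected."""
    alerts = [{"type": "lateral_movement", "host": "10.0.1.20", "ts": 10 * i,
               "detail": {"targets": ["10.0.1.21", "10.0.1.22", "10.0.1.23"]}}
              for i in range(12)]
    alerts.append({"type": "exfiltration", "host": "10.0.1.20", "ts": 55,
                   "detail": {"bytes": 600_000_000}})
    alerts.append({"type": "lateral_movement", "host": "10.0.1.20", "ts": 7200})
    fw = AlertForwarder()
    for a in sorted(alerts, key=lambda a: a["ts"]):
        fw.ingest(a)
    return fw
```

With these settings twelve back-to-back lateral-movement alarms produce two events (the first occurrence and the tenth, escalated to high), the single exfiltration alarm produces one, and the alarm two hours later starts a new window and is reported again at medium. Tuning `window_s` and `escalate_at` is the "alarm frequency and threshold" knob the text refers to; the downstream tools never see the suppressed repeats.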

Hopefully this has shed a little light on what the acronym means for you and your network team. If it was helpful and you would like to see more on how Plixer fits into this space, review the Gartner market guide on NDR solutions and request a demo of Scrutinizer today!