
What to look for in an NDR solution

If you need any more proof that the network detection and response (NDR) market is booming, look no further than Gartner’s Review and Ratings, which contains reviews for 20 NDR solutions—as well as information on 18 additional products that haven’t been reviewed.  

But in the vein of the adage that quantity doesn't equal quality, it's important to understand what sets the best NDR solutions apart from the competition. Gartner's lengthy definition of the category is the first clue that enterprises need to compare the features of these solutions carefully before choosing a vendor:  

NDR solutions primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. These tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the tools detect suspicious traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing traffic from strategically placed network sensors. Response is also an important function. Automatic responses (for example, sending commands to a firewall so that it drops suspicious traffic) or manual responses (for example, providing threat hunting and incident response tools) are common elements of NDR tools.

From Gartner’s Network Detection and Response Reviews and Ratings

If creating a flowchart to dig through the twists and turns of that description doesn't appeal to you, consider the following features. They are part of the Plixer NDR solution, and they should be part of any solution on the market.   

Features NDRs should have (but most don’t)  

At a minimum, NDR solutions should:  

  • Provide anomaly detection: Plixer uses supervised and unsupervised machine learning (ML) to recognize traffic anomalies. Malware on the network can be identified by its behavioral characteristics, and unusual device behavior can be spotted against the baseline the ML engine establishes from normal traffic.  
  • Not rely solely on packets: If you've been a Plixer customer or have researched our solutions, you'll know our aversion to relying on packet analysis for network visibility. Full-packet solutions are complex to deploy and operate, and the probes and/or collection agents are cost-prohibitive. As a result, packet capture is usually deployed only at high-value ingress/egress points, so you see only a portion of network behavior, remain blind to what is happening across the rest of the network, and stay vulnerable to compromises that go undetected there.  
  • Be based on network flow data: Most enterprises don't realize that their existing network infrastructure is a storehouse of rich data that provides insight into every conversation on the network. Plixer ingests and analyzes network flow data from your existing infrastructure—switches, routers, firewalls, packet brokers, security tools, network monitoring systems, and more.  
  • Ensure pervasive network visibility: This goes hand-in-hand with using network flow data. Most NDR solutions only monitor north/south traffic crossing the enterprise perimeter. But east/west traffic between internal hosts also needs to be collected and contextualized, using network flow data, to ensure pervasive network visibility; lateral movement never crosses the perimeter.  
  • Bridge all types of environments: Today's enterprise networks are a mix of cloud, virtual, and on-premises infrastructure. An NDR solution must work quickly and thoroughly across all of them to provide real-time, end-to-end visibility. When you bridge these environments and maintain pervasive network visibility, you can efficiently detect and correlate anomalies, understand network and application performance, and interpret traffic patterns and trends.  
  • Provide comprehensive response: It's not enough for a solution to identify issues that need to be addressed; it also needs to deliver extensive response capabilities to help investigate and remediate potential threats and compromises on the network.   
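To make the mechanism behind Gartner's definition and the list above concrete (build a model of normal behavior from flow records, then alert on deviations, including east/west traffic), here is a miniature flow-based baseline and anomaly detector. This is an added example written for this page; it is not Plixer's code and uses simple statistics rather than the ML a product would use. Everything in it is an assumption for illustration: flow records are reduced to (hour, src, dst, dst_port, bytes), "internal" means an RFC 1918 address, the baseline window is one hour, the thresholds are fixed, and all flow data is constructed.

```python
"""Flow-based baseline and anomaly detection in miniature.

Added example, not Plixer's code. Assumptions not taken from the original post:
flow records are reduced to (hour, src, dst, dst_port, bytes); "internal" means
an RFC 1918 address; the baseline window is one hour; thresholds are fixed.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed baseline: 24 "normal" hours for workstation 10.0.1.10, which talks
# to a file server (445) and a domain controller (389) and sends 2.0-2.4 MB/hour
# to one SaaS host. Real NetFlow/IPFIX exports carry many more fields.
BASELINE_FLOWS = []
for h in range(24):
    BASELINE_FLOWS += [
        (h, "10.0.1.10", "10.0.2.5", 445, 50_000),
        (h, "10.0.1.10", "10.0.2.6", 389, 8_000),
        (h, "10.0.1.10", "203.0.113.7", 443, 2_000_000 + (h % 5) * 100_000),
    ]

# Constructed "live" flows: one normal hour, then three different anomalies.
NEW_FLOWS = [
    (0, "10.0.1.10", "10.0.2.5", 445, 52_000),
    (0, "10.0.1.10", "203.0.113.7", 443, 2_050_000),
    # hour 1: SMB sweep of 12 internal hosts never contacted before (east/west)
    *[(1, "10.0.1.10", f"10.0.2.{n}", 445, 1_200) for n in range(20, 32)],
    # hour 2: 400 MB to an external host that never appeared in the baseline
    (2, "10.0.1.10", "198.51.100.9", 443, 400_000_000),
    # hour 3: RDP to a known peer on a port never used before
    (3, "10.0.1.10", "10.0.2.6", 3389, 5_000),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def _aggregate(flows):
    """Roll flows up to (src, hour): distinct internal peers, (peer, port) pairs,
    and bytes sent to non-internal addresses."""
    agg = defaultdict(lambda: {"peers": set(), "pairs": set(), "ext_bytes": 0})
    for hour, src, dst, port, nbytes in flows:
        bucket = agg[(src, hour)]
        if is_internal(dst):
            bucket["peers"].add(dst)
            bucket["pairs"].add((dst, port))
        else:
            bucket["ext_bytes"] += nbytes
    return agg


def build_baseline(flows):
    """Per source host: the internal (peer, port) pairs seen, the largest number
    of distinct internal peers in any hour, and mean/stdev of hourly external
    bytes. This is the 'model of normal behaviour' the text refers to."""
    per_host = defaultdict(lambda: {"pairs": set(), "fanout": [], "ext": []})
    for (src, _hour), b in _aggregate(flows).items():
        per_host[src]["pairs"] |= b["pairs"]
        per_host[src]["fanout"].append(len(b["peers"]))
        per_host[src]["ext"].append(b["ext_bytes"])
    return {
        src: {
            "known_pairs": h["pairs"],
            "max_fanout": max(h["fanout"]),
            "ext_mean": statistics.mean(h["ext"]),
            "ext_stdev": statistics.pstdev(h["ext"]) if len(h["ext"]) > 1 else 0.0,
        }
        for src, h in per_host.items()
    }


def detect(baseline, flows, fanout_factor=3, z_threshold=4.0):
    """Return one alert per (host, hour) deviation from the baseline."""
    alerts = []
    buckets = sorted(_aggregate(flows).items(), key=lambda kv: (kv[0][1], kv[0][0]))
    for (src, hour), b in buckets:
        model = baseline.get(src)
        if model is None:
            continue  # host absent from baseline; a real system would learn it or alert
        new_pairs = b["pairs"] - model["known_pairs"]
        fanout = len(b["peers"])
        if fanout > model["max_fanout"] * fanout_factor:
            # Many new internal peers in one hour: scan / lateral movement pattern.
            alerts.append({"hour": hour, "src": src, "type": "lateral_fanout",
                           "peers": fanout, "new_pairs": len(new_pairs)})
        else:
            # Fan-out is normal, so report each never-seen internal service separately.
            for dst, port in sorted(new_pairs):
                alerts.append({"hour": hour, "src": src, "type": "new_internal_pair",
                               "dst": dst, "port": port})
        if b["ext_bytes"] > 0:
            if model["ext_stdev"] > 0:
                z = (b["ext_bytes"] - model["ext_mean"]) / model["ext_stdev"]
            else:
                z = float("inf") if b["ext_bytes"] > model["ext_mean"] else 0.0
            if z > z_threshold:
                alerts.append({"hour": hour, "src": src, "type": "external_volume",
                               "bytes": b["ext_bytes"], "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

Run as-is and it raises three alerts: the hour-1 SMB sweep (12 internal peers against a baseline maximum of 2), the hour-2 400 MB transfer (a z-score in the thousands against a baseline of roughly 2.2 MB/hour), and the hour-3 RDP connection to a known peer on a new port. The normal hour 0 stays quiet. Note that the sweep is visible only because internal-to-internal flows were exported; a sensor at the perimeter alone would never see it, which is the east/west point made above. A real deployment would key the baseline on more than source address (role, subnet, time of day) and would tune the thresholds per environment.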

We’ve developed a new whitepaper that provides a much deeper dive into these issues and more. Download your copy of Network Detection and Response – a technical whitepaper, or schedule a demo today.