Networks are the foundation of today’s connected world. They allow millions of people, devices, apps and systems to talk with one another every minute of the day. Without networks, modern communication as we know it would cease to exist. Today’s organizations depend on networks and their critical role in overall IT infrastructure. So, it’s no surprise that networks are a prime target of attackers looking to disrupt organizations and governments around the world.

To fully understand the importance of network security, consider the simple but potent fact that 99% of cyberattacks traverse the network in some way. As a result, networks contain important information about impending threats, which is why 43% of organizations use network traffic analysis (NTA) as the first line of defense for threat detection. Furthermore, networks don’t lie. The network data captured as part of the connections between devices and systems cannot be turned off by attackers the way logs can. As a result, any group looking to improve its overall threat detection and incident response needs to consider network detection and response (NDR) as a core part of their strategy.

Network Detection and Response: How Did We Get Here?

The market first appeared as network behavior anomaly detection (NBAD) products, which analyzed network traffic patterns to detect unusual trends. In the late 2010s, the market evolved into network traffic analysis (NTA). This helped address the challenge of detecting threats from network data, commonly referred to as network flows. NTA gained momentum with the growth in network traffic, and high-profile attacks and heavy marketing by emerging vendors brought the term into common parlance. However, the term still referred to analyzing network traffic patterns; it did not include response.

Fast forward to 2020 when Gartner defined the market formally as network detection and response. Gartner states that “applying machine learning and other analytical techniques to network traffic are helping enterprises detect suspicious traffic that other security tools are missing.” Thus, it helps security teams plug a critical gap while enhancing their overall threat detection and incident response posture.

In our view, the report describes NDR solutions as those that analyze network data using non-signature-based techniques like machine learning to baseline what is normal for the network. Network detection and response tools monitor traffic in real time. From there, they create a baseline and raise alerts when they detect behavior that deviates from it. Using network sensors, they track north/south traffic crossing the enterprise perimeter as well as east/west traffic moving between internal systems. NDR tools can provide manual or automatic actions that teams can take to remediate security incidents.

There has been a lot of hype about this emerging market. However, security teams clearly see the importance of NDR to their overall cybersecurity posture. According to 451 Research, network visibility detection and response was the second leading tech planned for deployment within the next 6 to 24 months. Likewise, per Forrester, 62% of respondents surveyed expect to increase their network security tech budgets in 2021.

Perfect Storm for Attackers

Front page news stories of the latest attacks are becoming all too common as organized, well-funded cyber attackers prey upon today’s infrastructure. Given the growth in the volume and refinement of attacks, current detection tools cannot keep pace. Detection of known indicators of compromise is no longer enough; security teams need tools that can detect abnormal behavior, which could signal an advanced attack before it’s too late. For teams with limited resources and time, finding the budget for yet another tool is hard to justify, not to mention the complexity it adds.

In addition, the high volume of data traveling across the network makes it easy for attackers to hide their tracks and avoid detection. By blending in with normal traffic patterns, threats can hide and attackers can increase their dwell time. Attackers are patient; they may move data in small and infrequent batches to avoid being noticed. Modern attacker tactics require that security teams are prepared with NDR solutions. These can constantly monitor their networks and find strange or suspicious behavior quickly. From there, they can raise actionable alerts that help contain a cyberattack.
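The two detection ideas in this section, baselining what is normal for each host and catching transfers that are deliberately kept small and infrequent, can be shown on flow records. The following Python is an added example written for this page, not code from the original post or from any NDR product. It constructs its own flow records (a "10.0.0.0/8" enterprise, TEST-NET external addresses, a 24-hour training window, and the alert thresholds are all assumptions), learns per-host hourly outbound volume from the first day, flags an hour that exceeds the baseline by three standard deviations, and separately flags a new external destination that receives many small sessions whose total is significant even though no single session is.

```python
"""Baseline-and-alert detection over flow records (constructed example)."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600
TRAIN_HOURS = 24  # assumption: the first day of flows is used to learn "normal"
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for addresses inside the assumed enterprise ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_flows():
    """Constructed flow records (ts_seconds, src, dst, bytes); not real traffic."""
    flows = []
    for h in range(48):
        ts = h * HOUR
        # two internal hosts with a steady, slightly varying hourly pattern
        flows.append((ts + 600, "10.0.0.5", "203.0.113.10", 50_000 + (h % 6) * 3_000))
        flows.append((ts + 1200, "10.0.0.8", "203.0.113.10", 40_000 + (h % 4) * 2_500))
    # a one-hour burst from 10.0.0.8 in hour 40 that stands out against its baseline
    flows.append((40 * HOUR + 1800, "10.0.0.8", "203.0.113.10", 2_000_000))
    # "low and slow": twelve 4 KB transfers to a never-before-seen host, one per hour
    for i in range(12):
        flows.append(((36 + i) * HOUR + 900, "10.0.0.5", "198.51.100.7", 4_000))
    flows.sort()
    return flows


def hourly_outbound(flows):
    """Total bytes per (src, hour) for internal-to-external flows."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, ts // HOUR)] += nbytes
    return totals


def build_baseline(flows, train_hours):
    """Per-host (mean, population stdev) of hourly outbound bytes in training."""
    per_host = defaultdict(list)
    for (src, hour), nbytes in hourly_outbound(flows).items():
        if hour < train_hours:
            per_host[src].append(nbytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_host.items()}


def detect_volume_anomalies(flows, baseline, train_hours, z=3.0):
    """Flag hours after training where a host exceeds mean + z * stdev.
    A zero stdev (perfectly constant baseline) means any growth is flagged."""
    alerts = []
    for (src, hour), nbytes in sorted(hourly_outbound(flows).items()):
        if hour < train_hours or src not in baseline:
            continue
        mu, sigma = baseline[src]
        if nbytes > mu + z * sigma:
            alerts.append({"type": "volume", "src": src, "hour": hour,
                           "bytes": nbytes, "baseline_mean": mu})
    return alerts


def known_pairs(flows, train_hours):
    """(src, dst) pairs observed during training; treated as expected peers."""
    return {(src, dst) for ts, src, dst, _ in flows if ts // HOUR < train_hours}


def detect_low_and_slow(flows, pairs, train_hours, max_session_bytes=10_000,
                        min_sessions=8, min_total_bytes=30_000):
    """Flag a new external peer receiving many small sessions that add up.
    Each session stays under max_session_bytes, so a per-flow size rule and
    the hourly volume baseline above both miss it; the aggregate does not."""
    stats = defaultdict(lambda: [0, 0, 0])  # sessions, total bytes, largest session
    for ts, src, dst, nbytes in flows:
        if ts // HOUR < train_hours or not is_internal(src) or is_internal(dst):
            continue
        if (src, dst) in pairs:
            continue
        s = stats[(src, dst)]
        s[0] += 1
        s[1] += nbytes
        s[2] = max(s[2], nbytes)
    alerts = []
    for (src, dst), (n, total, biggest) in sorted(stats.items()):
        if biggest <= max_session_bytes and n >= min_sessions and total >= min_total_bytes:
            alerts.append({"type": "low_and_slow", "src": src, "dst": dst,
                           "sessions": n, "bytes": total})
    return alerts


if __name__ == "__main__":
    flows = build_flows()
    baseline = build_baseline(flows, TRAIN_HOURS)
    for alert in detect_volume_anomalies(flows, baseline, TRAIN_HOURS):
        print(alert)
    for alert in detect_low_and_slow(flows, known_pairs(flows, TRAIN_HOURS), TRAIN_HOURS):
        print(alert)
```

Run as written, the volume rule reports only the hour-40 burst from 10.0.0.8 (10.0.0.5's extra 4 KB per hour stays inside its three-sigma band), while the aggregate rule reports the 12-session, 48 KB trickle from 10.0.0.5 to 198.51.100.7. The design point is that the second detector keys on a new peer and session count rather than size, which is exactly the dimension a patient attacker tries to keep unremarkable.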

Network Visibility is Essential

Network security brings with it a plethora of tools that are not for the faint of heart. It involves everything from handshakes to switches to firewalls to routers and so on. However, in its simplest form, network detection and response is about getting deep visibility into the network and having enough context to make quick decisions about how to respond. And it goes beyond just visibility — it is about getting the right visibility into insightful network data to fuel meaningful analytics.

Real-time visibility is essential for effective network detection and response. Without it, it is nearly impossible to understand what is happening on your network. For example, consider an iceberg. Seeing only the tip of an iceberg above the surface obscures the full view of what’s lying below. In network security, relying on logs alone to provide network visibility can be limiting. By going below the surface, you can start to get a better sense of how big the iceberg is. In terms of network data, this is like seeing the content within the network flow record. To get the complete picture requires combining logs and network data. With it, you can see the full depth of the iceberg and gain broader context.

NDR is a Key Component of Extended Detection and Response

NDR plays a critical role as part of a broader threat detection and response strategy by working together with other security operations center (SOC) solutions like SIEM, endpoint detection and response (EDR), and SOAR to provide a unified view of potential threats while using a zero trust approach. SIEM and NDR, for example, combine logs and network data. By doing so, they produce high-fidelity alerts that give analysts greater context during investigations. Doing so natively as part of a security intelligence solution helps security teams respond faster with more context while eliminating the need to pivot between tools.
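The "combine logs and network data for a high-fidelity alert" idea above, and the iceberg point from the previous section that flow records show what logs alone do not, can be made concrete with a small correlation. The following Python is an added example written for this page, not code from the original post or from any SIEM or NDR product. It constructs its own sshd log lines, flow records and a hostname-to-IP inventory (all assumptions, as are the thresholds), parses the log, finds an accepted login from an external address that followed repeated failures, and then raises each large outbound flow as "high" severity when the source host had such a login shortly before, and "low" otherwise. The same flow record on its own would be an undifferentiated volume alert; the log gives it context, and the inventory is what lets the two data sources be joined at all.

```python
"""Correlating auth logs with flow records (constructed example)."""
import ipaddress
import re
from datetime import datetime, timedelta

YEAR = 2021  # assumption: syslog stamps carry no year, so one is supplied
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory mapping log hostnames to the IPs seen in flows.
INVENTORY = {"fileserver": "10.0.0.5", "web01": "10.0.0.20"}

# Constructed sshd lines; not from any real system.
AUTH_LOG = """\
Mar 14 02:10:05 fileserver sshd[2201]: Failed password for admin from 203.0.113.44 port 51022 ssh2
Mar 14 02:10:09 fileserver sshd[2201]: Failed password for admin from 203.0.113.44 port 51022 ssh2
Mar 14 02:10:14 fileserver sshd[2203]: Accepted password for admin from 203.0.113.44 port 51030 ssh2
Mar 14 09:00:01 web01 sshd[4101]: Accepted publickey for deploy from 10.0.0.20 port 40012 ssh2
"""

# Constructed flow records: (time, src_ip, dst_ip, bytes_out).
FLOWS = [
    (datetime(YEAR, 3, 14, 2, 25, 0), "10.0.0.5", "203.0.113.44", 350_000_000),
    (datetime(YEAR, 3, 14, 9, 30, 0), "10.0.0.20", "203.0.113.90", 150_000_000),
]

AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) "
    r"(?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port")


def is_internal(ip):
    """True for addresses inside the assumed enterprise ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_auth_log(text):
    """Turn sshd lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        stamp, host, outcome, user, src = m.groups()
        events.append({"time": datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
                       "host": host, "outcome": outcome, "user": user, "src": src})
    return events


def suspicious_logins(events, min_failures=2, window=timedelta(minutes=5)):
    """Accepted login from an external IP preceded by failures from that IP
    against the same host inside the window. Events must be in time order."""
    found = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "Accepted" or is_internal(ev["src"]):
            continue
        fails = [e for e in events[:i]
                 if e["outcome"] == "Failed" and e["src"] == ev["src"]
                 and e["host"] == ev["host"] and ev["time"] - e["time"] <= window]
        if len(fails) >= min_failures:
            found.append({**ev, "failures": len(fails)})
    return found


def correlate(flows, logins, min_bytes=100_000_000, lookback=timedelta(minutes=30)):
    """Raise each large internal-to-external flow, scored by whether the source
    host had a suspicious login in the lookback window before the transfer."""
    ip_to_host = {ip: host for host, ip in INVENTORY.items()}
    alerts = []
    for t, src, dst, nbytes in flows:
        host = ip_to_host.get(src)
        if nbytes < min_bytes or host is None or not is_internal(src) or is_internal(dst):
            continue
        related = [l for l in logins
                   if l["host"] == host and timedelta(0) <= t - l["time"] <= lookback]
        alerts.append({"time": t, "host": host, "src": src, "dst": dst, "bytes": nbytes,
                       "severity": "high" if related else "low",
                       # extra weight when data goes back to the address that logged in
                       "same_peer": any(l["src"] == dst for l in related),
                       "logins": related})
    return alerts


if __name__ == "__main__":
    logins = suspicious_logins(parse_auth_log(AUTH_LOG))
    for alert in correlate(FLOWS, logins):
        print(alert["severity"], alert["host"], alert["dst"], alert["bytes"], alert["same_peer"])
```

With the constructed inputs the fileserver transfer is scored high (and `same_peer` is true, since the 350 MB went back to the address that had just logged in after two failures), while the web01 transfer is scored low because its only login came from an internal key-based session. In a real deployment the inventory lookup would be the asset database or DHCP/DNS records, and the lookback and size thresholds would be tuned per environment.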

Security teams are building more modern SOCs to keep pace with today’s evolving threat landscape and to make their teams more efficient. Extended detection and response (XDR) aims to help by bringing together threat detection and response solutions, including SIEM, NDR and EDR, under a single platform by taking advantage of open standards, automation and cross-correlated analytics. According to ESG, adding SIEM and NDR is a great place to start as part of a broader XDR strategy. Today’s threats call for deep network visibility and actionable insights that help security teams respond faster. NDR solutions can provide both.

Read the ESG report to learn more about NDR and SIEM.
