Updated for 2022: What is Network Detection and Response (NDR)? A Beginner’s Guide

Christian Wiens Director of Marketing

Christian Wiens is Director of Marketing at MixMode. He has 10+ years of experience as a cybersecurity professional. He has his BA from The University of California, Berkeley and resides in Austin, TX.

Network detection and response, or NDR, has been established as a key tool for companies seeking to improve their threat response. It has become a network security strategy which developed in response to perceived shortcomings in existing network security systems.

We wanted to help explain what modern network detection and response is, how it differs from other network security systems, and also discuss the ways that companies have been using NDR systems.

What Is Network Detection and Response?

NDR originated as an offshoot of endpoint detection and response, or EDR. However, NDR is significantly different from EDR, just as it’s different from firewalls and perimeter security tools.

An NDR system continuously scans for signs of malicious actors and suspicious data within your network. As soon as a potential problem is discovered, the NDR system deploys network forensics and initiates a response – a counterattack – and begins repairing the damage.

NDR systems use second-wave artificial intelligence and machine learning to build up storehouses of information about malware threats. Their ability to detect and prevent malicious network activity and address zero-day threats increases steadily over time.

How Does Network Detection and Response Work?

Firewalls are often described as the first line of defense against malicious attacks on a network. They operate at the perimeter of a network and block potentially dangerous traffic. Sometimes they are compared to security gates.

An NDR system operates differently from this kind of legacy security system. It can be compared to a security camera, monitoring for intruders who slip through the gates and lurk within the network. An NDR also analyzes potential problems and initiates a network response to address any damage caused to the network.

Also Known As NTR and XDR

Gartner identifies Network Traffic Analysis (NTA) as tools that use a “combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.” These tools, Gartner writes, “continuously analyze raw traffic and/or flow records to build models that reflect normal network behavior.” When NTA tools detect abnormal traffic patterns, they issue alerts.

Importantly, Gartner writes, “in addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that it received from strategically placed network sensors.”

Gartner defines Extended Detection and Response (XDR) as a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

Artificial Intelligence and Machine Learning

A network detection and response system uses both artificial intelligence and machine learning to detect anomalies in your network.

Here’s how it works. The system first establishes a baseline of your network’s day to day operations. Then, it uses continuous network monitoring to scan for any deviations from that baseline which could represent attacks to the network.

Traditional intrusion detection systems look for known viruses and malware that have already been identified elsewhere and can be recognized by their distinctive “signatures.”

But anomaly-based detection systems can detect brand new attackers. They can also detect next-generation malware capable of going to greater lengths to escape detection.

Industry Trends in Network Security

Traditional security systems are often not set up to catch next-generation fileless malware. It has the ability to change its own code, or encrypt itself, in order to escape detection. This malware can lurk within a system for months, unseen.

The Ponemon Institute’s Cost of a Data Breach Report revealed that the average time to identify a breach in 2021 was 212 days, with an additional 75 days to contain. That’s 287 total days, on average, for the lifecycle of a data breach. That kind of time gives a malicious actor plenty of opportunity to extract information and launch an extensive attack.

The study further reported the impact of these attacks are costing businesses upwards of millions of dollars per year with zero-trust approach and AI automation being the biggest factors of curbing that cost:

The average total cost of a data breach increased by nearly 10% year over year, the largest single year cost increase in the last seven years.
The average total cost of a data breach now is $4.24 million per breach
Lost business represented the largest share of breach costs, at an average total cost of $1.59 million.
A zero trust approach helped reduce the average cost of a data breach.
Security AI and automation had the biggest positive cost impact.

Why Do I Need Network Detection and Response?

Greater Visibility

Evidence seems to show that perimeter security is not enough to maintain network security. Breaches are simply going to happen, which means that in addition to having a strong firewall, more and more companies are adding network detection and response systems that can quickly spot and combat threats that are lurking within their networks.

An NDR system provides increased visibility by allowing you to see past the perimeter and into the network itself.

Less Noise

Many companies that rely on traditional perimeter security also complain that they are deluged with false positives warning them that they’ve been attacked – even when they haven’t been. This, in turn, overtaxes IT departments, who are kept busy investigating threats which turn out to be nothing.

It’s like the boy who cried wolf – when your system keeps warning you that an attack is imminent, eventually you learn to tune out all those warnings. It can be hard to distinguish the signal from the noise.

This issue can also be resolved by an effective network detection and response system. Artificial intelligence allows the system to learn what your network’s normal behavior looks like and what constitutes an anomaly.

Those same capabilities allow an NDR system to spot intruders within the system, analyze their behavior, and take action.

An NDR system will contact your IT team about the threat and initiate a network response immediately. That way, there is no lag time between identifying and tackling the problem.

Learn more about full packet capture, deep packet inspection, and easy API integrations into your SIEM, orchestration, and ticketing engines with MixMode’s third-wave AI-powered Network Detection and Response platform here.