What is Network Detection and Response (NDR)? A Beginner’s Guide

Recently, network detection and response, or NDR, has been established as a key tool for companies seeking to improve their threat response. It’s a relatively new network security strategy that developed in response to perceived shortcomings in existing network security systems.

We wanted to help explain what modern network detection and response is, how it differs from other network security systems, and also discuss the ways that companies have been using NDR systems.

What Is Network Detection and Response?

NDR originated as an offshoot of endpoint detection and response, or EDR. However, NDR is significantly different from EDR, just as it’s different from firewalls and perimeter security tools. 

An NDR system continuously scans for signs of malicious actors and suspicious data within your network. As soon as a potential problem is discovered, the NDR system deploys network forensics and initiates a response – a counterattack – and begins repairing the damage.

NDR systems use artificial intelligence and machine learning to build up storehouses of information about malware threats. Their ability to detect and prevent malicious network activity and address zero-day threats increases steadily over time.

How Does Network Detection and Response Work?

Firewalls are often described as the first line of defense against malicious attacks on a network. They operate at the perimeter of a network and block potentially dangerous traffic. Sometimes they are compared to security gates.

An NDR system operates differently from this kind of legacy security system. It can be compared to a security camera, monitoring for intruders who slip through the gates and lurk within the network. An NDR also analyzes potential problems and initiates a network response to address any damage caused to the network.

Artificial Intelligence and Machine Learning

A network detection and response system uses both artificial intelligence and machine learning to detect anomalies in your network.

Here’s how it works. The system first establishes a baseline of your network’s day-to-day operations. Then, it uses continuous network monitoring to scan for any deviations from that baseline which could represent attacks on the network.

Traditional intrusion detection systems look for known viruses and malware that have already been identified elsewhere and can be recognized by their distinctive “signatures.” 

But anomaly-based detection systems can detect brand new attackers. They can also detect next-generation malware capable of going to greater lengths to escape detection.
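As an added illustration of the two approaches described above (not code from MixMode or any NDR product), the block below runs a signature check and a per-host baseline check over constructed flow records. The hosts, ports and byte counts are invented sample data; the only assumption is that the NDR has already seen a quiet training week to learn each host’s normal hourly volume.

```python
from statistics import mean, pstdev

# Constructed sample data (not from any real network): hourly bytes sent by each
# host during a quiet training week, used to learn the per-host baseline.
BASELINE_BYTES = {
    "10.0.0.5": [1200, 1500, 1100, 1300, 1400, 1250, 1350],         # workstation
    "10.0.0.7": [1200, 1500, 1100, 1300, 1400, 1250, 1350],         # workstation
    "10.0.0.9": [50000, 48000, 52000, 51000, 49000, 50500, 49500],  # file server
}

# Constructed flow records for the hour under review.
CURRENT_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 443, "bytes": 95000},  # novel exfiltration over HTTPS
    {"src": "10.0.0.7", "dst_port": 443, "bytes": 1550},   # ordinary busy hour
    {"src": "10.0.0.9", "dst_port": 445, "bytes": 50200},  # normal file-server load
    {"src": "10.0.0.9", "dst_port": 4444, "bytes": 300},   # port already on the signature list
]

# Signature list: indicators that have been identified before (constructed).
KNOWN_BAD_PORTS = {4444, 31337}


def signature_detect(flows):
    """Signature-based detection: fires only on indicators already on the list."""
    return [f for f in flows if f["dst_port"] in KNOWN_BAD_PORTS]


def build_baseline(history):
    """Learn each host's normal hourly volume as (mean, standard deviation)."""
    return {host: (mean(v), max(pstdev(v), 1.0)) for host, v in history.items()}


def anomaly_detect(flows, baseline, z_threshold=3.0):
    """Baseline-based detection: flag hosts whose hourly volume deviates from
    their own norm. z_threshold is the noise control: a higher value suppresses
    modest, everyday fluctuations; a lower one produces more false positives."""
    per_host = {}
    for f in flows:
        per_host[f["src"]] = per_host.get(f["src"], 0) + f["bytes"]
    alerts = []
    for host, total in per_host.items():
        if host not in baseline:
            continue  # no baseline learned yet for this host
        mu, sigma = baseline[host]
        z = (total - mu) / sigma
        if z > z_threshold:
            alerts.append((host, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_detect(CURRENT_FLOWS))
    print("baseline alerts:", anomaly_detect(CURRENT_FLOWS, build_baseline(BASELINE_BYTES)))
```

The signature check catches only the flow to the listed port, while the baseline check catches the workstation sending roughly seventy times its usual volume over plain HTTPS; lowering the threshold to 2.0 also flags the merely busy workstation, which is the noise problem discussed later in the article.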

Industry Trends in Network Security

Traditional security systems are often not set up to catch next-generation fileless malware. It has the ability to change its own code, or encrypt itself, in order to escape detection. This malware can lurk within a system for months, unseen.

As we mentioned in our recent article on the gap in endpoint security, the Ponemon Institute’s 2018 State of Endpoint Security Report found that malicious actors have grown better and better at evading threat detection and outsmarting traditional cybersecurity tools such as firewalls and antivirus software.

In a related Ponemon Institute report, the 2018 Cost of a Data Breach Study, the more than 400 companies surveyed reported that threats went undetected in their systems for an average of 197 days. In fact, the average dwell time by mid-2018 was 101 days. That kind of time gives a malicious actor plenty of opportunity to extract information and launch an extensive attack.

Why Use Network Detection and Response?

Greater Visibility 

Evidence seems to show that perimeter security is not enough to maintain network security. Breaches are simply going to happen. That is why, in addition to having a strong firewall, more and more companies are adding network detection and response systems that can quickly spot and combat threats lurking within their networks.

An NDR system provides increased visibility by allowing you to see past the perimeter and into the network itself.

Less Noise

Many companies that rely on traditional perimeter security also complain that they are deluged with “false positives” warning them that they’ve been attacked – even when they haven’t been. This, in turn, overtaxes IT departments, who are kept busy investigating threats which turn out to be nothing.

It’s like the boy who cried wolf – when your system keeps warning you that an attack is imminent, eventually you learn to tune out all those warnings. It can be hard to distinguish the signal from the noise.

This issue can also be resolved by an effective network detection and response system. Artificial intelligence allows the system to learn what your network’s normal behavior looks like and what constitutes an anomaly. 

Those same capabilities allow an NDR system to spot intruders within the system, analyze their behavior, and take action. 

An NDR system will contact your IT team about the threat and initiate a network response immediately. That way, there is no lag time between identifying and tackling the problem.

Learn more about full packet capture, deep packet inspection, and easy API integrations into your SIEM, orchestration, and ticketing engines with MixMode’s third-wave AI-powered Network Detection and Response platform here.
