Network detection and response versus network traffic analysis

Network Detection and Response (NDR) is a new category of security solutions that complement and go beyond the capabilities of log analysis tools (SIEM) and endpoint detection and response (EDR) products. . NDR is a great first step towards a more proactive security posture because it provides immediate benefits and is generally easier to deploy and configure than SIEM and EDR.

NDR products monitor east-west traffic or communications within the network itself and apply advanced behavioral analytics such as cloud-scale machine learning to quickly detect, investigate, and respond to threats which otherwise would remain hidden. This is true whether the environment is on-premises, in the cloud, or in a hybrid environment spanning both on-premises and in the cloud.

The recent release of cloud traffic mirroring for Azure and AWS customers cemented the central role that NDR plays in modern security operations. By providing customers with real-time visibility into east-west cloud traffic, NDR products ultimately enabled Gartner SOC Visibility Triad (a security infrastructure framework designed to help organizations secure cloud and hybrid environments) a viable reality for hybrid environments.

NDR solutions are the foundation of the triad, providing complete visibility across the entire network with real-time threat detection, while integrations with EDR and SIEM products enable seamless data correlation. In this scheme, NDR solutions provide visibility into network or wired data, with EDR doing the same for endpoint data, and SIEM primarily aggregating log data.

What is Network Traffic Analysis (NTA)?

Gartner previously defined Network Traffic Analysis (NTA) as an emerging category of security products that uses network communications as the primary source of data for detecting and investigating threats within a network. Note the absence of “answer” anywhere in this definition.

In February 2019, Gartner published a first Market Guide for Network Traffic Analysisbut soon after, it became clear to the industry that this was just the start of a terminology conversation in the analyst space about NTA and NDR.

In June 2020, Gartner changed the name of the category and published its 2020 Market Guide for Network Detection and Response.

NDR versus NTA: why the change in terminology?

When it became clear that scanning network traffic as a technology process would be a crucial factor in cloud and hybrid security, because without it, customers would have no fast, scalable way to see threats infiltrate in their increasingly permeable networks, or locate configuration errors in real time. time—NTA received a lot of hype. And for good reason!

But as the industry blessed the category and vendors began to push the boundaries of their technology, particularly advanced behavioral analytics that make real-time, high-fidelity threat detection possible, we also began to realize that detection and investigation are the beginning, not the end, of what is possible with network-based security analytics. Network-based solutions must not only detect threats, but also enable safe and rapid responses.

To that end, NDR is an attempt to make room for the broader and more comprehensive potential of network traffic analysis. NDR products use NTA but add historical metadata for investigations, threat hunting, and automated threat response through intelligent integrations with firewalls, EDR, NAC, or SOAR platforms.

Use cases and NDR examples

There are a number of areas where NDR products offer unique value, and you can discover a few of them below:

  1. Framework support: Helping security teams use frameworks such as MITER ATT&CK and Top 20 CIS controls to maximum effect by detecting a significant amount of subtle attack tactics and techniques that SIEM and EDR products do not can’t see. Watch the SANS webinar on this.
  2. Insider Threat Detection: Detection (and assessment) of shadow computing so organizations can secure assets, monitor misuse of unauthorized apps, and empower employees to show them the technology they need to to succeed. Read more.
  3. Security Hygiene: Detection of suspicious activity, sub-par encryption practices, and “home phones” from third-party vendors, making it much easier to maintain security, privacy, and compliance data. Read more.

You can get a hands-on idea of ​​the benefits and use cases of NDR by exploring the fully functional product demo of ExtraHop Reveal(x), our cloud-scale machine learning-powered NDR solution. check this here.

Copyright © 2020 IDG Communications, Inc.

Charles J. Kaplan