What is NDR (network detection and response)?
Learn what NDR is, why the traffic crossing your network is foundational to your cyber defense strategy, and how the network evidence from Corelight’s Open NDR Platform helps data-first defenders disrupt ever-changing attacks.
What is Network Detection and Response (NDR)?
Network Detection and Response (NDR) is a cybersecurity technology that continuously monitors network traffic from physical and cloud-based environments to enable security teams to detect adversary activity, respond to incidents, and shore up their security posture.
Why is NDR so important?
Many organizations go days, weeks, months, and even years without realizing that they have been infiltrated because, despite their best efforts to create a solid defense system, their security team does not have complete visibility into their network. According to IBM's "The Cost of a Data Breach" report, in 2022 the average time to identify and contain a breach was 277 days. With time frames like these, an adversary can do some serious damage to an organization.
The fact is that you cannot defend what you cannot see. To stop a breach, you need to be able to see an adversary's tracks. Often all it takes is a single clue that something looks awry on the network to pull the thread that unravels adversarial activity. According to author and security expert Richard Bejtlich, "The defender only needs to detect one of the indicators of the intruder's presence in order to initiate incident response within the enterprise." This is where network visibility is vital. Adversaries are human and make mistakes, which are then imprinted within network records—just like a burglar who leaves behind a single fingerprint.
That's the fundamental idea of network detection and response (NDR): To find an intruder, you need to be collecting evidence all the time, and one of the best sources for that evidence is the traffic in your network, whether that's in a cloud, a data center, or a Kubernetes cluster or similar.
Most security operations center (SOC) security stacks include an endpoint detection and response (EDR) solution to provide depth of coverage, and a security information and event management (SIEM) system to aggregate and analyze information. However, while SIEMs and EDR solutions are fundamental to the modern SOC strategy, they are not enough to provide the breadth of coverage — specifically insights into the network itself — that security teams need to proactively defend their organization.
If your organization isn't monitoring its network 24/7 and keeping the relevant evidence on hand for months (or ideally, years), your blue team (network defenders, incident responders, and threat hunters) will be at a huge disadvantage when they're called upon to resolve a serious security incident or to embark on proactive threat-hunting missions.
Network data contains immutable clues about people, devices, applications, and assets that are critical to successful incident response and threat hunting. Attackers use a wide variety of techniques to try to hide their tracks, but ultimately they can't avoid pushing packets across the wire, leaving behind an unchangeable record of their activity. This network record is gold to security teams.
A common misconception among security professionals is that breaches can be stopped by simply "keeping the bad actors out." And yet cyberattacks continue to be successful despite decades of work and billions of dollars spent on security solutions that are intended to stop attackers in their tracks. This is because adversaries are constantly creating new and more sophisticated techniques, tools, and malware that firewalls and intrusion detection / intrusion prevention systems (and other solutions) have never seen before.
Ultimately, "keeping the bad actors out" leads to a detection-centric and reactive approach, which is not a great strategy in cyber defense because:
- Too many attacks generate too many alerts, swamping security teams.
- Too many alerts mean lots of false alarms, incidents that aren't run to ground completely, or attacks that are missed.
- Blue teams (defenders) often don't have the data they need to analyze security incidents quickly and accurately.
- Attackers are adept at hiding in plain sight, using "normal" applications, traffic, and tools to move around networks.
- After breaching an organization, attackers often lay low for weeks or months, before they act, making their detection even more challenging.
Adversaries are creative, determined, highly motivated, and often well-funded. Whether they are a part of industrial espionage, a nation-state operation, are a disgruntled employee, or are just a hacker looking for a challenge, they all pose serious problems for blue teams who are charged with defending their organizations.
How does Network Detection and Response work?
NDR monitors network traffic from a variety of sources—network switch SPAN ports, physical and virtual TAPs, cloud packet mirrors, existing network infrastructure (such as network firewalls), etc.—to provide a complete view of activity on the network. This view includes north/south (intranet/Internet) and east/west (lateral) movement, traffic from remote users, DNS blindspots, encrypted traffic, asset discovery, and more. NDR can be applied to both physical networks as well as cloud, hybrid, and multi-cloud environments, and is typically delivered using hardware sensors, cloud sensors, software sensors, virtual sensors, or a combination thereof.
At a basic level, NDR works by gathering and recording data about network protocol activity and structuring it into log files that are typically ingested by a threat investigation platform or Security Information and Event Management (SIEM) system for analysis and review. Sophisticated NDR combines network data with machine learning, automation, and behavioral analytics to detect network-based attack techniques such as command and control (C2) or exfiltration. Some NDR platforms can also store packet data (PCAP) for long periods, which is useful for extended investigation lookback windows.
Components of an NDR strategy
NDR shows analysts signs of aberrant behavior, provides records of historical activity when investigating a breach, and stands as evidence to prove compliance or provide defensible disclosure.
Security teams use NDR to establish baselines of their networks' normal behavior. After this stage, analysts can then see suspicious traffic patterns and triggered alerts. The technology is not only based on signatures, but behaviors as well, making it adaptive to changes in attack techniques so security teams can keep up with and outmaneuver adversaries.
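The two ideas above (structured protocol logs fed to analytics, and a baseline of normal behavior against which suspicious patterns stand out) can be made concrete with a small detector over Zeek-style conn.log records. This is an added example, not Corelight's or Zeek's code; the TSV field subset, the sample records, and the thresholds (min_conns, max_cv, factor) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, median, pstdev
# Constructed Zeek conn.log-style TSV sample; assumed field subset: ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes
CONN_LOG = """\
1700000000\t10.0.0.5\t203.0.113.10\t443\ttcp\t512
1700000005\t10.0.0.7\t198.51.100.20\t443\ttcp\t2200
1700000017\t10.0.0.7\t198.51.100.20\t443\ttcp\t1800
1700000061\t10.0.0.5\t203.0.113.10\t443\ttcp\t530
1700000120\t10.0.0.5\t203.0.113.10\t443\ttcp\t498
1700000150\t10.0.0.7\t198.51.100.20\t443\ttcp\t3100
1700000152\t10.0.0.7\t198.51.100.20\t443\ttcp\t950
1700000180\t10.0.0.5\t203.0.113.10\t443\ttcp\t520
1700000241\t10.0.0.5\t203.0.113.10\t443\ttcp\t505
1700000500\t10.0.0.9\t198.51.100.77\t22\ttcp\t734003200
"""
FIELDS = ("ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto", "orig_bytes")

def parse_conn_log(text):
    """Parse TSV records; Zeek writes '-' for unset fields, counted here as 0 bytes."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip Zeek header/comment lines
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["orig_bytes"] = 0 if rec["orig_bytes"] == "-" else int(rec["orig_bytes"])
        records.append(rec)
    return records

def find_beacons(records, min_conns=5, max_cv=0.1):
    """Flag (src, dst, port) whose gaps between connections are near-constant (low stdev/mean), i.e. a fixed C2 check-in timer."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    beacons = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.append(flow)
    return beacons

def find_exfil(records, factor=100):
    """Baseline = median orig_bytes across the window (robust to one outlier); flag connections sending more than factor x baseline. Tune factor per site."""
    baseline = median(r["orig_bytes"] for r in records)
    return [(r["id.orig_h"], r["id.resp_h"]) for r in records
            if r["orig_bytes"] > factor * baseline]
```

On the sample, the 60-second cadence from 10.0.0.5 is flagged as a beacon while the irregular browsing from 10.0.0.7 is not, and the single 700 MB outbound transfer from 10.0.0.9 is flagged against the baseline of small connections.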
How does NDR fit into your security stack?
While network detection and response (NDR) emerged in the early 2010s, a number of other technologies came before it, such as: network security monitoring (NSM), network traffic analysis (NTA), network analysis and visibility (NAV), and network intrusion detection systems (NIDS). "NDR" is the new way to categorize all of those technologies that keep a pulse on the network to detect adversary behavior. In fact, Gartner describes NDR as a category that can "detect abnormal system behaviors by applying behavioral analytics to network traffic data."
In 2015, Anton Chuvakin coined the phrase "SOC nuclear triad" to explain which security tools could realistically help security teams reduce the chance of an attacker operating on a network long enough to accomplish their goals. This idea eventually evolved into the "SOC Visibility Triad," which focuses on the three elements that an enterprise SOC needs in order to have a complete picture of the security environment:
- Endpoint detection and response (EDR)
- Network detection and response (NDR)
- Security information and event management (SIEM)
EDR data is valuable and essential, but it isn't nearly enough to paint the complete picture of the enterprise and its threat landscape. One simple challenge is that instrumenting every single endpoint isn't possible. In a large enterprise or government agency with tens or even hundreds of thousands of employees and complex IT infrastructure, instrumenting every endpoint is challenging and often impossible.
To complete the picture, Gartner (and many other analysts) recommend monitoring networks as well. The nice thing about monitoring networks is that if you pick your sensor locations strategically, you can get a comprehensive picture of activity in each segment with one sensor (as opposed to trying to deploy many thousands of endpoint monitoring solutions).
The two systems combined — EDR and NDR — provide a more complete picture, and all that data is typically ingested into and stored in a SIEM platform (or data lake).
What about extended detection and response (XDR)? XDR is a unifying technology that connects NDR, EDR, and other data sources such as identity, cloud, and vulnerability management to give security teams a complete view of threats targeting their organization. By integrating data from these sources, organizations improve their situational awareness and their ability to detect and respond to threats. This article talks about how NDR, XDR, and EDR work together.
To seamlessly integrate NDR into your security stack, use Corelight's Open NDR Platform, which is fully compatible with a number of SIEM, EDR, and XDR vendors.
What are the benefits of Network Detection and Response?
According to research from Enterprise Strategy Group (ESG), almost half of organizations use network detection and response (NDR) solutions as a first line of defense for threat detection and response. Why? As the old security saying goes, "the network doesn't lie." Networks create an unavoidable extension of the enterprise attack surface, but when properly monitored they also provide a great source of evidence for investigation when you're attacked. Network data is ground truth.
Here is an overview of why NDR is an essential part of any security tech stack:
- Expanded network visibility: One of the most difficult challenges that organizations face is having inconsistent and incomplete visibility across different security layers. NDR eliminates blindspots by illuminating all network activity to and from any asset on monitored segments, providing ground truth for threat detection, incident response, breach disclosure, asset management, and network operations.
- Improved detection coverage: The sophistication of threats has increased (and so has the volume of threats), which makes it difficult to distinguish attacks from legitimate traffic. NDR helps security teams quickly detect attacks and MITRE ATT&CK TTPs missed by legacy network security tools and EDR, while providing the context required to understand false positives, drive effective network engineering, and improve accuracy.
- Accelerated incident response: Organizations tend to use too many siloed data sources to drive threat detection and response workflows. NDR provides a single source of network truth that gives analysts the comprehensive network evidence they need to more effectively investigate, resolve incidents, and reduce mean time to resolution (MTTR).
- Reduced operational costs: Due to economic headwinds and the sheer number of disparate security tools in their stack, many organizations are moving toward a more tightly integrated security operations and analytics platform architecture (SOAPA). NDR consolidates standalone technologies and amplifies SOC automation investments by following the design pattern of elite defenders.
A recent ESG report called "The Evolving Role of NDR" found that:
- Almost half of organizations have found that network-based tools provide the broadest visibility across the different parts of their environment.
- 53% of organizations have found that NDR tools provide the highest fidelity.
- 60% of organizations improved SOC analyst efficiency with NDR.
Corelight's Open NDR Platform was built to deliver these benefits to security teams of all sizes and levels of sophistication.
Why should I choose an NDR vendor with an evidence-based approach?
One of the biggest challenges that cybersecurity professionals face is alert fatigue. They have no shortage of solutions that detect and alert. What they lack is time to sort through everything to find the alerts and information that matter the most. That is where evidence comes in. By automatically fusing network evidence with an alert, an investigator can instantly get the context required to make a decision. With concrete evidence that shows exactly when an attack started, where the attacker went, and what assets were impacted, a CISO can deliver defensible disclosure with confidence.
In cybersecurity, defensible disclosure is the process of notifying constituents of an intrusion or breach in a manner that the disclosing party can competently and intelligently justify. In other words, has the intruder gained unauthorized access to a system, or have they escalated to the point where they could easily steal or damage data? Or have they already done so? In some unfortunate cases, such as a ransomware attack, the intruder answers the question for the organization by encrypting data and extorting its owners. In other cases, understanding the scope and nature of an incident is too difficult to meet the defensible disclosure threshold.
Network evidence plays a crucial role in defensible disclosure. The network is a reliable record of the activity that it sees. Extensive stores (meaning several months, not several days) of high fidelity network data (with rich protocol details, not simply IP addresses and TCP or UDP ports) help chief information security officers and their computer incident response teams answer key defensible disclosure questions such as the following:
- When did the intrusion start? When did it end?
- What was the scope of the intrusion?
- Did the intruder access data stores that did hold, or may have held, sensitive information?
- Are there indications or proofs that the intruder damaged or stole sensitive information?
- Was the incident response process successful? Has the intruder maintained unauthorized access or tried to regain access?
Without access to the right data, custodians cannot make informed decisions about detection and response. They must rely on hunches, or worse, whatever the intruder tells them. For example, criminals have extorted victims, claiming — untruthfully — that they have already deployed ransomware, yet the victims couldn't determine the truth on their own. If a victim is unsure of the scope of an incident, they may be forced to report an impact wider than what actually happened.
High quality network evidence works well with the three other sources of awareness in the digital world, namely human sources, infrastructure and application logs, and endpoint data. A robust defensible disclosure process backed by trustworthy data enables an organization to speak with confidence when revealing details of an incident to constituents. Such leaders are also at less risk for accusations that they are inadvertently or perhaps even intentionally trying to deceive constituents.
Evidence is at the heart of security, and yet not all NDR solutions put network evidence at the center of their operations. Corelight's Open Network Detection and Response (NDR) Platform, which is trusted by some of the biggest names in the industry including CrowdStrike, Microsoft, and Splunk, is the only solution that takes an evidence-based approach to cybersecurity.
Why choose Corelight's Open Network Detection and Response (NDR) platform?
Corelight's Open NDR platform is unique in the industry because our detections and visibility engineering are community driven—with continuous content creation from Zeek®, Suricata IDS, and other Intel communities. Our integration with CrowdStrike XDR enables cross platform (EDR+NDR) analytics. This provides you with the most complete network visibility, powerful analytics, and threat hunting capabilities, and accelerates investigation across your entire kill chain.
Book a demo
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.