What is Network Detection and Response (NDR)?

Network detection and response (NDR) uses a combination of advanced cybersecurity technologies and methodologies to identify anomalies and respond to threats that other security measures can miss.

Why is NDR needed?

Security operations center (SOC) teams are under intense pressure to protect their organizations against cyber threats. Those threats continue to evolve and proliferate while the network becomes increasingly borderless, creating a bigger and more complex attack surface to deal with. The surge in remote and hybrid work has contributed significantly to this since the pandemic years, with McKinsey estimating at least 58% of the U.S. workforce is already remote.

Within the sprawling network are huge numbers of unmanaged assets: devices that don’t have security agents installed, or whose security settings are misconfigured or out of date. By some estimates, unmanaged assets can outnumber managed assets 2:1.

Unmanaged assets are hard to patch. They’re also rarely, if ever, scanned for vulnerabilities—and may not be scannable at all. With older devices especially, manufacturers can be slow to issue security updates. And before IT teams can upgrade them, they may need to redeploy them or add licenses, requiring effort and cost that aren’t easy to justify, even if those devices represent a security liability.

For all these reasons, cybercriminals are drawn to unmanaged devices. They provide excellent hiding places—opportunities to ‘live off the land’. Attackers can use completely legitimate, authorized tools to move around the network between unmanaged devices without attracting attention, lying low for weeks or months.

Security technologies and approaches such as endpoint detection and response (EDR), identity threat detection and response (ITDR) and attack surface management (ASM) aren’t designed to find threats lurking in unmanaged assets or to see inside network traffic. NDR fills that gap, exposing and correlating even subtle anomalies caused by threats that might otherwise slip through the cracks.

What challenges does NDR solve for SOC teams?

Some projections suggest the planet could end up with more than 18 billion devices as soon as 2025. Even if a small percentage of those devices are unmanaged, the security implications will be huge. Few SOC teams today have visibility across the entire attack surface or into every last endpoint—especially unmanaged assets. It’s hard to defend where you can’t reach and impossible to manage what you can’t see.

SOCs are also notoriously overwhelmed by alerts, leading to loads of false alarms and missed attacks. Even with that deluge, they often lack the data they need to understand incidents fully. There’s too much noise and too little accurate, precise, actionable information.

NDR addresses these struggles by monitoring network traffic and device behaviors within the network. Any activity around an unmanaged device can be detected, analyzed, and determined to be anomalous, even if the device itself is dark. And NDR’s correlation capabilities do the work of sifting through patterns and connecting the dots to more precisely differentiate between legitimate potential threats and harmless activity.

With an effective NDR solution, SOC teams can discover unmanaged assets on the network and detect and correlate what would otherwise be ‘weak signals’ to lock in on threats and root out attackers. Weak signals are essentially low-confidence alerts or events about which there’s not enough information to know if an attack is present or not.

Since complex, multi-layer attacks can disguise themselves with incremental movements across different layers of the network—no one of which is evidence enough on its own to justify cybersecurity intervention—other security technologies and frameworks might miss them. NDR with cross-layer correlation can put the pieces together to deliver an affirmative assessment.
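The correlation the two paragraphs above describe can be shown concretely. The following is an added example, not Trend Micro code or any product’s detection logic: it takes constructed low-confidence signals tagged with a network layer (the layer names, thresholds, window and the noisy-OR scoring are all assumptions for illustration), groups them per host inside a time window, and only escalates to a structured incident when signals from several distinct layers combine. Host A has three weak signals on three layers and escalates; host B has three equally weak signals on a single layer and does not; host C’s signals fall outside the window or span too few layers.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables (assumed values for the example, not a product's defaults)
ALERT_THRESHOLD = 0.8     # combined score needed to open an incident
WINDOW = timedelta(hours=2)
MIN_LAYERS = 3            # distinct layers that must contribute to the chain


@dataclass(frozen=True)
class WeakSignal:
    ts: datetime
    host: str
    layer: str        # hypothetical layer tag: "dns", "network", "identity", "endpoint"
    detail: str
    confidence: float  # 0..1, individually below ALERT_THRESHOLD


def combined_score(bucket):
    """Noisy-OR over the strongest signal on each distinct layer.

    Repeats on one layer do not stack, so three DNS alerts score like one DNS alert;
    evidence only accumulates when it crosses layers."""
    best = {}
    for s in bucket:
        best[s.layer] = max(best.get(s.layer, 0.0), s.confidence)
    p_benign = 1.0
    for c in best.values():
        p_benign *= 1.0 - c
    return 1.0 - p_benign, sorted(best)


def correlate(signals, window=WINDOW, min_layers=MIN_LAYERS, threshold=ALERT_THRESHOLD):
    """Slide a window over each host's signals and emit structured incidents."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)
    incidents = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s.ts)
        i = 0
        while i < len(sigs):
            start = sigs[i].ts
            bucket = [s for s in sigs[i:] if s.ts - start <= window]
            score, layers = combined_score(bucket)
            if len(layers) >= min_layers and score >= threshold:
                incidents.append({
                    "host": host, "score": round(score, 3), "layers": layers,
                    "first_seen": bucket[0].ts, "last_seen": bucket[-1].ts,
                    "signals": [s.detail for s in bucket],
                })
                i += len(bucket)   # consume the chain; keep scanning for a second one
            else:
                i += 1
    return incidents


# Constructed sample signals (not captured data)
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_SIGNALS = [
    WeakSignal(T0, "host-a", "dns", "query to domain registered 2 days ago", 0.45),
    WeakSignal(T0 + timedelta(minutes=20), "host-a", "network", "SMB sessions to 14 peers in 10 min", 0.40),
    WeakSignal(T0 + timedelta(minutes=35), "host-a", "identity", "service account logon from workstation", 0.50),
    WeakSignal(T0, "host-b", "dns", "query to domain registered 2 days ago", 0.45),
    WeakSignal(T0 + timedelta(minutes=10), "host-b", "dns", "query to domain registered 3 days ago", 0.45),
    WeakSignal(T0 + timedelta(minutes=30), "host-b", "dns", "query to domain registered 1 day ago", 0.45),
    WeakSignal(T0, "host-c", "dns", "query to domain registered 2 days ago", 0.45),
    WeakSignal(T0 + timedelta(hours=4), "host-c", "network", "SMB sessions to 14 peers in 10 min", 0.40),
    WeakSignal(T0 + timedelta(hours=4, minutes=30), "host-c", "identity", "service account logon from workstation", 0.50),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_SIGNALS):
        print(inc["host"], inc["score"], inc["layers"], inc["signals"])
```

The per-layer maximum is the design choice that matters: a flood of alerts on one layer is exactly the noise the text complains about, and taking the strongest signal per layer before combining keeps that flood from ever opening an incident on its own.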

Retracing the attack from end to end

NDR gives SOC teams more visibility into what’s happening in the network by extracting network metadata from all traffic—suspicious or otherwise. That metadata is correlated with potential threats, giving SOC teams a way to visualize the footprint of an attack. They can see entire chains of attack, identify root causes, and determine the full scope of an incident throughout the entire security stack.

NDR also provides a way to uncover latent vulnerabilities by providing a platform where the outputs of third-party scanning tools can be met with expert security knowledge so that potential weaknesses are patched preemptively, before they're exploited.

All of these, especially when integrated with other security solutions such as EDR, ITDR, and ASM, enable near real-time action with faster time to detection, lower costs, and fewer false positives.

What are the components of an NDR solution?

NDR provides continuous monitoring and analysis of network traffic using deep packet inspection, behavioral analytics, and machine learning. It detects anomalies and identifies potential threats, integrating with threat intelligence sources for maximum effectiveness. By combining real-time monitoring with automated response and mitigation, NDR makes it possible for SOC teams to proactively defend against sophisticated cyber threats and minimize the potential impact of security incidents.

To perform those functions, NDR needs a comprehensive set of interrelated capabilities. These include:

  • An ability to model network traffic so that anomalies stand out and detection can be done on a behavioral basis rather than looking for specific signatures. This requires machine learning and advanced analytics.
  • A reliably low false-positive rate once the solution has been properly tuned so that SOC teams can trust the results they get.
  • The capacity to aggregate and correlate alerts into what Gartner calls “structured incidents”, making it easier for security professionals to investigate threats.
  • The ability to contain or block threats with automated responses.

Network detection and response solutions also need to be able to scale as networks expand and more devices connect within them, and to deliver consistent, reliable performance. Ideally, some capacity for continuous improvement would also be built in, so that the NDR solution can become more accurate and effective over time.
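The first capability in the list above, modelling traffic so that anomalies stand out without signatures, rests on the metadata extraction described under “Retracing the attack from end to end”. The following is an added example written for this page, not Trend Micro code: it reduces constructed flow records (hour, source, destination, bytes) to per-host hourly features, learns a per-host baseline as median and median absolute deviation (MAD), and flags a host whose behaviour departs from its own baseline. The host names, the 24-hour training window, the MAD floor and the 3.5 threshold are assumptions. A printer that normally talks to two servers and suddenly fans out to 30 workstations is flagged on both features; a workstation that always talks to 8 to 12 servers is not flagged when it talks to 11, even though 11 is a larger absolute number than anything the printer ever did.

```python
import statistics
from collections import defaultdict


def hourly_features(flows):
    """Reduce flow metadata to per-(src, hour) features: distinct destinations and bytes sent."""
    dsts = defaultdict(set)
    bytes_out = defaultdict(int)
    for hour, src, dst, nbytes in flows:
        dsts[(src, hour)].add(dst)
        bytes_out[(src, hour)] += nbytes
    return {k: {"distinct_dsts": len(dsts[k]), "bytes_out": bytes_out[k]} for k in dsts}


def build_baseline(features, training_hours):
    """Per host and feature, the median and MAD over the training hours."""
    series = defaultdict(lambda: defaultdict(list))
    for (src, hour), feats in features.items():
        if hour in training_hours:
            for name, value in feats.items():
                series[src][name].append(value)
    baseline = {}
    for src, per_feature in series.items():
        baseline[src] = {}
        for name, values in per_feature.items():
            med = statistics.median(values)
            mad = statistics.median(abs(v - med) for v in values)
            baseline[src][name] = (med, mad)
    return baseline


def robust_z(value, med, mad, mad_floor=1.0):
    # 0.6745 scales MAD to a standard-deviation equivalent for normal data.
    # A perfectly steady device has MAD 0, so floor the spread at 10% of the
    # median (and at least mad_floor) to avoid dividing by zero and flagging jitter.
    spread = max(mad, 0.1 * abs(med), mad_floor)
    return 0.6745 * (value - med) / spread


def detect(features, baseline, hour, threshold=3.5):
    """Score the given hour against each host's own baseline; return (src, feature, value, z)."""
    findings = []
    for (src, h), feats in features.items():
        if h != hour or src not in baseline:
            continue
        for name, value in feats.items():
            med, mad = baseline[src][name]
            z = robust_z(value, med, mad)
            if z > threshold:
                findings.append((src, name, value, round(z, 2)))
    return sorted(findings)


def constructed_flows():
    """Constructed flow metadata for the example (not captured traffic)."""
    flows = []
    for hour in range(24):
        # printer-3: DNS and the print server every hour, an NTP check every 6 hours
        flows += [(hour, "printer-3", "dns-1", 4096), (hour, "printer-3", "print-srv", 4096)]
        if hour % 6 == 0:
            flows.append((hour, "printer-3", "ntp-1", 4096))
        # ws-17: 8 to 12 distinct servers an hour, 20 kB each
        flows += [(hour, "ws-17", f"srv-{i}", 20000) for i in range(hour % 5 + 8)]
    # Hour 24 is the hour under test: the printer fans out to 30 workstations
    # with SMB-sized transfers, while ws-17 behaves as usual.
    flows += [(24, "printer-3", f"ws-{i}", 65536) for i in range(30)]
    flows += [(24, "ws-17", f"srv-{i}", 20000) for i in range(11)]
    return flows


if __name__ == "__main__":
    feats = hourly_features(constructed_flows())
    base = build_baseline(feats, set(range(24)))
    for finding in detect(feats, base, 24):
        print(finding)
```

Median and MAD are used rather than mean and standard deviation because a single earlier burst (for instance the attacker’s first scan) would otherwise inflate the baseline and hide the next one. In a real deployment the features would come from flow or packet metadata at the sensor, and the baseline would be learned per host and per time-of-day rather than over a flat 24 hours.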

What additional capabilities might NDR need?

Cybersecurity analyst firms such as Gartner and Forrester have suggested that in addition to the core capabilities outlined above, NDR solutions also need other traits to develop the full scope of protection required.

These advanced capabilities include:

  • Network traffic decryption. Analyzing traffic patterns is one thing, but seeing what that traffic contains goes a whole lot further to ensure cyber protection. Yet a significant proportion of today’s network traffic is encrypted, as is nearly all (95%) of web traffic. That means even if a suspicious lateral movement is detected between assets on the network, without decryption SOC teams can’t know what the traffic contains or if it is truly harmful. Decryption depends on an inspection point that has access to the session keys, such as a TLS-terminating proxy, and carries privacy and compliance obligations, so where it isn’t possible the solution still has to make the most of unencrypted metadata.
  • Cross-layer correlation. The ability to correlate anomalous behaviors within a single layer of the network is undeniably beneficial but can still produce excess alerts or false positives. An NDR solution that can correlate data from multiple layers has a much greater chance of isolating real threats, triggering meaningful alerts that SOC teams can trust need to be addressed.
  • Support for zero-trust approaches. Zero trust is today’s best framework for limiting access to corporate assets and resources, preventing breaches and attacks through maximum caution. Coupling the zero-trust approach with network detection and response makes anomalous behaviors more conspicuous and helps pinpoint threats faster.
  • Prioritization of the SOC analyst experience. This is more of a qualitative feature than a quantitative one, but every bit (if not more) important. Given the stresses placed on SOC teams, the volume of alerts they deal with daily, and the potential consequences of getting something wrong, providing an NDR solution that makes life in the SOC easier has high value and a much greater chance of being used.

What is Trend Micro’s approach to NDR?

Trend uses native telemetry from across security vectors to provide high-fidelity detections with strong correlations and rich context. The Trend approach to NDR allows SOCs to incorporate automated remediation while working with third-party solutions and security orchestration, automation, and response (SOAR) platforms to prevent future attacks.

Trend’s NDR technology identifies risks associated with both unmanaged and managed devices—detecting anomalies and modeling behavior to pick out even faint patterns that may indicate a threat.

While many NDR solutions rely almost solely on AI, machine learning, and anomaly detection, Trend also incorporates more than 35 years of threat intelligence as well as highly sophisticated behavioral analysis to accurately detect threats out of the box with extremely low false positive rates.

NDR is an essential addition to an organization’s cybersecurity toolkit, one that complements EDR, ITDR, and ASM by covering the network layer and so providing full-fledged XDR. Trend meets the core requirements for NDR and the requirements for additional capabilities identified by leading cybersecurity analysts for a comprehensive and reliable network detection and response solution.