Network Detection and Response (NDR) technology emerged in the early 2010s to identify and stop evasive network threats that couldn't be easily blocked using known attack patterns or signatures. NDR, also referred to as network traffic analysis (NTA), technology uses machine learning and behavioral analytics to monitor network traffic and develop a baseline of activity. Then they discover anomalous activity associated with malware, targeted attacks, insider abuse, and risky behavior.
NDR solutions allow organizations to recognize unusual traffic that indicate command and control, lateral movement, exfiltration, and malware activity. They analyze north-south traffic between internal hosts and the internet, but they also inspect east-west traffic between internal hosts, including internal servers, to accurately identify attacks.
According to the 2020 Gartner Market Guide for Network Detection and Response, NDR solutions “primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks. NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NDR tools detect suspicious traffic patterns, they raise alerts... Response is also an important function of NDR solutions."
Unlike many log management and security analytics products that focus on security alerts, NDR solutions analyze raw network traffic logs to identify threats. While they can also be deployed as a passive network element that collects data from network switch SPAN ports or physical TAPs, an increasing number of NDR solutions today can gather network traffic data from existing network infrastructure, such as network firewalls, easing deployment.
The four main types of cybersecurity risks identified by NDR solutions include:
DID YOU KNOW?
NDR solutions profile network behavior metadata, not payloads and files; thus, they can operate effectively regardless of encrypted or unencrypted communication protocols, like HTTPS.
NDR solutions provide powerful attack detection capabilities for both internal and external attackers.
The earlier you can detect attacks, the earlier you can stop attackers in their tracks. The average attack dwell time has been well documented by many post-incident response surveys to average between five and seven months. If you can detect, investigate and stop an attacker in the early hours or days of the attack, then it’s likely that you can eliminate all potential damage. With visibility into the earliest stages of the attack, NDR solutions can identify those unusual network events related to command and control communications and discovery activities.
Unless security teams analyze network data for anomalies indicative of attacks, they will struggle to find attackers during the critically important early stages of the attack and, therefore, won't be able stop most attacks before real damage is done.
Today’s network detection and response tools are delivered from the cloud. This cloud-native approach simplifies operations because teams do not need to deploy new log servers on premises to collect and analyze network data. In addition, advanced NDR platforms can collect network logs from existing network security products, including network firewalls, avoiding dedicated network sensors. Altogether, NDR systems offer full visibility and threat detection, with minimal overhead.
Security teams that want to hunt down active attackers at the earliest possible stages of the attack life cycle should monitor network traffic for attacks. However, despite their benefits, NDR tools also have their limitations. They only analyze network logs and can’t monitor or track endpoint events, such as process details, registry changes or system commands. They cannot examine cloud or identity data or other valuable sources of security information. Complex attacks require analysis of multiple data sources to identify and confirm malicious activity. Siloed cybersecurity tools like NDR solutions are costly to deploy and maintain, create potential blind spots, and force security analysts to switch between consoles to gather context.
Traditional network detection and response tools focus on network data only. This narrow scope of analysis can result in missed detections, increased false positives and lengthy investigations. These weaknesses magnify the problems many security teams already face, including too many siloed tools, too many alerts and too little time.
Extended detection and response, or XDR, is a new approach to threat detection and response. XDR expands the scope of security beyond one data source, such as endpoint, network, cloud, or identity data, recognizing that it’s not effective to investigate incidents in isolated silos. XDR platforms automatically stitch together data from different sources and apply use artificial intelligence (AI) to uncover covert cyber threats. This increases visibility and productivity compared to siloed security tools. The result is simplified investigations across security operations, reducing the time it takes to identify, verify, and respond to attacks.
Cortex XDR detects targeted attacks, insider abuse and malware by applying AI-powered analytics to rich security data. Your analysts can rapidly confirm threats by reviewing actionable alerts with full context and quickly shut down attacks through tight integration with enforcement points.
Cortex XDR is the industry’s first extended detection and response platform that integrates data from virtually any source to stop sophisticated attacks. Cortex XDR has been designed from the ground up to protect your whole organization holistically while simplifying operations. It delivers best-in-class next-gen antivirus (NGAV) to stop exploits, malware, ransomware, and even non-malware attacks.
Cortex XDR uses behavioral analytics to reveal highly evasive threats targeting your network. Machine learning and AI models uncover threats from any source, including managed and unmanaged devices. Because Cortex XDR gathers data from network devices, including Palo Alto Networks NGFW, it can uncover hidden threats lurking in your network. It also gathers endpoint data from the Cortex XDR agent to deliver full endpoint detection and response (EDR).
Cortex XDR helps you speed investigations by providing a complete picture of each incident. It stitches different types of data together and reveals the root cause and timeline of alerts, allowing your analysts to easily triage alerts. Flexible response options let you root out attackers, contain fast-moving threats, and even restore compromised endpoints.