Jump to content

Network detection and response

Edit links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Bibamad (talk | contribs) at 15:07, 15 August 2023. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Network detection and response (NDR) refers to a category of network security products that detect abnormal system behaviors by continuously analyzing network traffic. NDR solutions apply behavioral analytics to inspect raw network packets and metadata for both internal (east-west) and external (north-south) network communications.[1]

Description

NDR is delivered through a combination of hardware and software sensors, along with a software or SaaS management console. Organizations use NDR to detect and contain malicious post-breach activity, such as ransomware, as well as insider attacks. NDR focuses on identifying abnormal behavior patterns and anomalies rather than relying solely on signature-based threat detection. This allows NDR to spot weak signals and unknown threats from network traffic, like lateral movement or data exfiltration.[1]

NDR provides visibility into network activities to identify anomalies using machine learning algorithms. The automated response capabilities can help reduce the workload for security teams. NDR also assists incident responders with threat hunting by supplying context and analysis.[1]

Deployment options include physical or virtual sensors. Sensors are typically out-of-band, positioned to monitor network flows without impacting performance. Cloud-based NDR options integrate with IaaS providers to gain visibility across hybrid environments. Ongoing tuning helps reduce false positives. NDR competes against broader platforms like SIEM and XDR for security budgets.[1]

AI applications

The use of artificial intelligence in NDR tools is growing, as security teams explore AI's potential to enhance NDR capabilities. Key AI use cases for NDR include:[2]

  • Improved threat detection : AI can analyze large volumes of data on vulnerabilities, threats, and attack tactics to identify anomalous network activities. This allows NDR to detect emerging attack patterns with greater accuracy and fewer false positives.[2]
  • Alert prioritization : AI models can evaluate the criticality of NDR alerts based on factors like affected assets, exploitability, and potential impact. This enables security teams to triage alerts effectively despite staff shortages.[2]
  • Analyst workflow optimization : AI assistants can provide guidance to analysts during incident response, suggesting relevant investigation steps based on details of the threat. This amplifies analyst efficiency, especially for junior staff lacking specialized expertise.[2]
  • Automated response : Although not yet widely adopted, AI could enable NDR platforms to autonomously execute containment measures like quarantining endpoints. AI would identify and recommend response actions for analyst approval.[2]
  • Security team communications : NDR vendors are exploring integrations with natural language AI to generate incident reports and metrics digestible for business leaders, not just technical security staff.[2]

NDR Vendors

According to Gartner, NDR vendors include Cisco, Corelight, Darktrace, ExtraHop, Fortinet, IronNet, MixMode, Plixer, Trend Micro, Vectra.[1]

References

  1. ^ a b c d e Jonathan Nunez, Andrew Davies (20 July 2023). "Hype Cycle for Security Operations, 2023". www.gartner.com. Retrieved 2023-08-08.
  2. ^ a b c d e f Grady, John. "How AI benefits network detection and response". TechTarget. Retrieved 2023-08-15.

See also

Retrieved from "https://en.wikipedia.org/w/index.php?title=Network_detection_and_response&oldid=1170521803"