What is network detection and response (NDR)?
What is NDR?

Network detection and response (NDR) is a category of cybersecurity technologies that use non-signature-based methods—such as artificial intelligence, machine learning and behavioral analytics—to detect suspicious or malicious activity on the network and respond to cyberthreats.

NDR evolved from network traffic analysis (NTA), a technology originally developed to extract network traffic models from raw network traffic data. As NTA solutions added behavioral analysis and threat response capabilities, industry analyst Gartner renamed the category NDR in 2020.

Limitations of signature-based network security solutions

Many traditional threat detection tools, including antivirus software, early intrusion detection and prevention systems (IDPSs) and some types of firewalls, identify and prevent threats by looking for unique indicators of compromise (IOCs), or signatures.

A signature can be any characteristic associated with a known cyberattack—e.g., a line of code, file hash or file size from a particular malware variant, a specific packet header, or a subject line from phishing or social engineering email. Signature-based tools maintain regularly updated databases of known signatures, and detect threats by scanning for the presence of these signatures in network traffic.

As a result, signature-based tools are effective at preventing known threats from entering or lurking in the network. But they cannot detect new, as-yet-unknown or emerging malware, and they are unlikely to identify threats that have no signature at all, such as:

  • Hackers using stolen credentials to access the network
  • Business email compromise (BEC) attacks in which hackers impersonate or hijack an executive’s email account
  • Employees engaging in unintentionally risky behavior, such as saving company data to a personal USB drive or clicking email links to malicious websites.

Ransomware and other advanced persistent threats exploit these blind spots to sneak onto networks, carry out reconnaissance, escalate privileges and wait for the right moment to launch an attack.

How NDR works

While signature-based tools are primarily preventative, NDR takes a dynamically responsive approach to network threats. Instead of scanning for specific known signatures, NDR solutions monitor and analyze network traffic and activity in real time to identify any suspicious activity, outside or inside the network, that could indicate a known or unknown cyber threat.

NDR solutions do this by:

Modeling baseline network behavior. NDR solutions ingest raw network activity data and metadata from dedicated sensors and application agents throughout the network, and from network infrastructure like firewalls and routers. NDR tools then apply behavioral analytics, AI and machine learning to the data to generate a baseline model of normal network behavior and activity.

Detecting suspicious and potentially malicious activity. NDR monitors the network continuously, and uses the same analytics and AI capabilities to identify deviations from baseline behavior in real time. Examples might include a user accessing sensitive data outside of work hours, an endpoint device communicating with an unknown external server, or a port receiving unusual data packets.

Because NDR solutions monitor both north-south (exit and entry) and east-west (internal) network traffic, they can detect and track lateral movement of threats, a common behavior of malicious insiders and advanced threats. Some NDR solutions include capabilities for detecting threats hiding in encrypted traffic.

NDR can also generate models of threat behavior, by correlating data from threat intelligence feeds, the MITRE ATT&CK framework, and other sources of data on cybercriminals’ tactics, techniques and procedures (TTPs). These models help the NDR solution sift the signals from the noise—that is, distinguish between likely cyberattacks and unusual but harmless activity, or ‘false positives.’

Providing incident response automation and tools. When an NDR solution detects a cyberattack or behavior that could signal a cyberattack, it can

  • Prioritize and raise alerts to the security team or security operations center (SOC) in real time.
  • Automate incident response. NDR solutions can automatically take actions—such as terminating a suspicious network connection—to disrupt or shut down an attack as it’s happening. NDR can also leverage integrations with other security tools to trigger incident response. For example, it could prompt an organization’s SOAR (security orchestration, automation and response) system to execute a predefined response playbook.
  • Optimize threat investigations. NDR solutions provide contextual data and functionality that security teams and SOCs can use to accelerate ongoing threat investigations and proactive investigations of unknown or undetected threats (known as threat hunting).
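A miniature version of the baseline, detection and response loop described in the three steps above, as an added example that is not IBM's code or any part of QRadar NDR: it learns a per-host baseline from constructed flow records, classifies each new flow as north-south or east-west, scores deviations from the baseline and maps the evidence to an alert or an automated block. The internal address ranges, thresholds and sample flows are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space the sensor is told to treat as "inside" (assumed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records for one host: (src, dst, dst_port, bytes, hour_of_day).
# External addresses use RFC 5737 documentation ranges; this is not real traffic.
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 443, 12_000, 10),
    ("10.0.1.20", "10.0.2.5", 443, 15_000, 11),
    ("10.0.1.20", "198.51.100.20", 443, 8_000, 9),
    ("10.0.1.20", "10.0.2.5", 443, 11_000, 14),
    ("10.0.1.20", "198.51.100.20", 443, 9_500, 15),
    ("10.0.1.20", "10.0.2.5", 443, 13_000, 16),
]

def direction(src, dst):
    """East-west when both ends are internal, otherwise north-south."""
    inside = lambda ip: any(ip_address(ip) in net for net in INTERNAL_NETS)
    return "east-west" if inside(src) and inside(dst) else "north-south"

def build_baseline(flows):
    """Per source host: destinations seen, hours active, and bytes per flow."""
    base = defaultdict(lambda: {"dsts": set(), "hours": set(), "bytes": []})
    for src, dst, port, nbytes, hour in flows:
        base[src]["dsts"].add((dst, port))
        base[src]["hours"].add(hour)
        base[src]["bytes"].append(nbytes)
    return base

def score_flow(baseline, flow, byte_factor=5):
    """Return the deviations of one flow from its host's baseline (empty list = normal)."""
    src, dst, port, nbytes, hour = flow
    b = baseline.get(src)
    if b is None:
        return ["no baseline for source host"]
    reasons = []
    if (dst, port) not in b["dsts"]:
        reasons.append(f"new {direction(src, dst)} destination {dst}:{port}")
    if hour not in b["hours"]:
        reasons.append(f"hour {hour:02d} outside baseline hours")
    mean = sum(b["bytes"]) / len(b["bytes"])
    if nbytes > byte_factor * mean:
        reasons.append(f"{nbytes} bytes exceed {byte_factor}x baseline mean ({mean:.0f})")
    return reasons

def respond(reasons):
    """Escalate by evidence: nothing, an alert to the SOC, or an automated block."""
    return "none" if not reasons else ("block-connection" if len(reasons) >= 2 else "alert")
```

A single new internal destination (typical of lateral movement) only raises an alert, while a never-seen external host contacted off-hours with an unusual volume trips three checks and is blocked automatically.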

NDR and other enterprise security solutions

Today, enterprise networks are highly decentralized and expansive, connecting on-premises and cloud data centers, hardware, software, IoT devices, and workloads. To gain full visibility into these distributed and interconnected networks, SOCs often rely on NDR in combination with other security solutions as part of their cloud security strategy.

For example, NDR is one of the three pillars of Gartner's SOC visibility triad, along with endpoint detection and response (EDR) and security information and event management (SIEM). EDR is software designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. It provides a ‘ground-level’ view of activity occurring at individual endpoints that complements the ‘aerial view’ of network traffic that NDR provides. SIEM combines and correlates security-related log and event data from disparate security tools and other sources on the network (servers, applications, devices). NDR tools can stream their network traffic data and analysis to a SIEM, further enriching the value of SIEM for security and regulatory compliance workflows.

More recently, SOCs are adopting extended detection and response (XDR) solutions. XDR integrates cybersecurity tools across an organization’s entire hybrid IT infrastructure—endpoints, networks, cloud workloads and more—so that they can interoperate and coordinate on cyberthreat prevention, detection and response. Many XDR solutions incorporate NDR capabilities; open XDR solutions can leverage the NDR capabilities an organization already has in place.
