Network detection and response (NDR)

What is NDR?

Network detection and response (NDR) is a security solution that monitors network traffic for suspicious activity and responds to threats in real time. 

NDR systems use a variety of techniques to detect threats, such as signature-based detection, where they can detect known threats by matching network traffic to known attack signatures, or anomaly-based detection, where they can detect unknown threats by identifying suspicious behaviors in network traffic.

Once a threat has been detected, an NDR solution can take a variety of actions to respond, including:

• Alerting: NDR solutions can send alerts to security analysts when a threat is detected.
• Blocking: NDR solutions can block malicious traffic from entering or leaving the network.
• Quarantining: NDR solutions can quarantine infected hosts or files to prevent them from spreading malware.

What are the benefits of NDR?

NDR is essential for organizations looking to strengthen their cybersecurity posture and protect their network from a wide range of threats. It’s important for several reasons:

• Early detection of threats: NDR helps detect security incidents and threats in real time, allowing organizations to respond promptly and effectively. This early detection can prevent small issues from escalating into major breaches.
• Comprehensive visibility: NDR provides comprehensive visibility across the network, identifying suspicious activities and anomalies that might otherwise go unnoticed. 
• Automated response: NDR solutions often include automated response capabilities, enabling organizations to take immediate action against detected threats. This automation helps mitigate the impact of attacks and reduces the time it takes to respond to incidents.
• Improved threat hunting: NDR enables security teams to proactively hunt for threats and identify potential vulnerabilities in the network. By analyzing network data, NDR solutions can help identify patterns and behaviors associated with malicious activity.
• Compliance: NDR can assist organizations in meeting regulatory compliance requirements related to data protection and incident response. It provides a centralized platform for monitoring and reporting on security incidents, helping organizations demonstrate their commitment to data security.

What types of threats do NDR solutions uncover?

NDR solutions uncover and respond to a wide variety of threats, including:

• Malware: NDR solutions can detect and respond to malware such as viruses, worms and trojans.
• Advanced persistent threats (APTs): NDR solutions can detect and respond to APTs, which are sophisticated attacks that are designed to remain undetected for long periods of time.
• Insider threats: NDR solutions can detect and respond to insider threats, which are attacks that are perpetrated by people who have authorized access to a network.
• Distributed denial of service (DDoS) attacks: NDR solutions can detect and respond to DDoS attacks, which are attacks that are designed to overwhelm a network with traffic.
• Man-in-the-middle attacks: NDR solutions can detect and respond to man-in-the-middle attacks, which are attacks that are designed to intercept communications between two parties.
• SQL injection attacks: NDR solutions can detect and respond to SQL injection attacks, which are attacks that are designed to exploit vulnerabilities in SQL databases.
• Cross-site scripting (XSS) attacks: NDR solutions can detect and respond to XSS attacks, which are attacks that are designed to inject malicious code into a web application.

What are the downsides of NDR tools?

While NDR solutions provide a number of benefits, they have some limitations:

• Complexity: NDR systems can be complex to deploy and manage, especially in large and complex networks. Continuous management and fine-tuning can be labor-intensive, particularly as the network changes or expands.
• Cost: NDR systems can be expensive to purchase and maintain, as they typically require deploying network probes broadly across the network, which often involves significant upfront expenses, along with ongoing costs for updates, maintenance and skilled personnel. 
• False positives: Network environments are naturally dynamic, leading to frequent benign deviations. This can cause NDR solutions to flag routine changes or legitimate traffic as threats, creating excessive noise and diverting analysts from addressing true security incidents.
• Skills gap: Effective NDR operation requires expertise in network protocols, traffic patterns and threat behaviors, making NDR analysts uniquely difficult to train and hire. The specialized skills needed to differentiate between normal and suspicious activity on a network mean that even experienced security analysts may struggle without targeted NDR knowledge.
• Limited visibility: Many NDR tools struggle to monitor encrypted traffic, private cloud segments or remote devices, creating blindspots. These visibility gaps can allow advanced threats to go undetected, limiting the effectiveness of NDR in complex environments.
• Evasion techniques: Attackers can use evasion techniques such as encryption or traffic obfuscation to bypass NDR systems.
• Integration challenges: Integrating NDR solutions with other security tools like security incident and event management (SIEM) or endpoint detection and response (EDR) tools can be complex and time-consuming. When systems fail to interoperate smoothly, it complicates workflows, creates data silos and prevents comprehensive threat analysis.

A major downside of NDR is that it can often miss more insidious attacks targeting the application layer. NDR solutions typically use a combination of machine learning, behavioral analysis and signature-based detection techniques to detect application layer attacks, such as SQL injection and XSS. But because they lack visibility inside the application, they can miss attacks such as path traversal, JNDI injection and OGNL injection.

How Contrast ADR complements NDR

Contrast Application Detection and Response (ADR) empowers defenders with the observability and control they need in the application layer in order to detect, respond and block threats that target custom applications and APIs, delivering it in a manner that’s tightly integrated with existing security operations tools and workflows. 

Contrast ADR is built on the Contrast Runtime Security Platform, which enables developers, AppSec teams and SecOps teams to better protect and defend their applications against the ever-evolving threat landscape. Contrast’s patented security instrumentation delivers integrated and comprehensive security observability that brings accurate assessment and continuous protection of an entire application portfolio.