Not All NDR Is Created Equal

An introduction to advanced network detection and response.


Network detection and response (NDR) is a crucial part of your security stack because NDR solutions provide the network visibility needed to improve your security posture and lower your risk. This blog breaks down the basics of NDR, explains the difference between endpoint detection and response (EDR) and NDR, and details the advantages of advanced NDR.

What Is Network Detection and Response?
NDR is a security solution that monitors network traffic to detect and respond to threats across on-premises, public and private cloud, and hybrid environments, each of which has its own monitoring requirements. Combining NDR with other solutions, such as log analysis in a security information and event management (SIEM) platform and EDR, helps close blind spots within the network.

NDR solutions heighten security capabilities by providing network context and automating responses to threats, enabling security and network operations teams to collaborate more effectively and leading to better detection and mitigation. NDR solutions also reduce the burden on security resources, freeing personnel to focus on other important tasks.

What Is Endpoint Detection and Response?
EDR is a security solution that monitors endpoints to detect and mitigate attacks on them. Endpoints are network devices such as personal computers, file servers, smartphones, and Internet of Things (IoT) devices that connect to the network to communicate. Through a software agent deployed on the endpoint, EDR records detections of known malware and of suspicious activity on the host, such as registry changes and manipulation of key files.

Which Is Better?
Today’s security stack contains many different tools and types of data. Unfortunately, this creates data silos, which leads to visibility gaps. EDR is designed to monitor and mitigate endpoint attacks, which typically are focused on computers and servers. NDR, on the other hand, monitors network traffic to gain visibility into potential or active cyberthreats, delivering real-time visibility across the broader network. 

One of the biggest advantages NDR has over EDR is that bad actors can hide or manipulate endpoint data fairly easily: an attacker who controls a host can disable the agent, clear logs, or tamper with what the agent reports. Network data is much harder to manipulate, because every endpoint must use the network to communicate, and that traffic is observed from outside the compromised host. Encryption limits what payload inspection can see, but connection metadata (who talked to whom, when, and how much) remains observable. Because attackers and malware can evade detection on the endpoint, network data is the most reliable, accurate, and comprehensive record of what actually happened, which makes it your ultimate source of truth. That doesn’t mean one is necessarily better than the other: EDR and NDR provide the required information within the different contexts of the endpoint and the network, respectively. 

What Is Advanced NDR?
Not all NDR solutions are equal. The difference between the previous generation of NDR solutions and advanced NDR is the quality of data being used.

Characteristics of advanced NDR include:

  • Packet-based, not NetFlow-based: NetFlow is a common source of data for NDR. A flow record summarizes a conversation (addresses, ports, protocol, byte and packet counts) and never carries payload. That may be fine for gaining broad network visibility, but it is too shallow to provide the packet-level visibility required for detecting more advanced attacks such as tunneling, where the malicious content sits inside an otherwise ordinary-looking protocol.
  • Can capture full packets at line rate: With its specialized network instrumentation, advanced NDR provides continuous line-rate packet capture before, during, and after an alert or attack. The previous generation of NDR solutions provide line-rate packet capture only when an alert is triggered, or take shortcuts such as packet slicing (truncating each packet after its first few hundred bytes), which discards the payload an investigation may later need. 
  • Ability to extract meaningful metadata from packets in real time: Specialized network instrumentation can conduct deep packet inspection (DPI) at scale to capture full packets and extract layer 2–7 metadata at line rate. This metadata can be analyzed to conduct real-time and historical threat detection.
  • Local storage and analysis: Store full packets and metadata locally (rather than shipping them to a cloud) without consuming large amounts of storage and the associated cost, and without giving up fidelity, while keeping quick access to the saved packets and metadata for responsive analytics and long-term investigation. 
  • Full integration and data export: Full integration into existing security ecosystems (for example, via SIEM; security orchestration, automation, and response [SOAR]; and blocking devices such as firewalls) provides the ability to export metadata and packets for combination with other data sets (for example, EDR, SIEM logs, or threat intelligence) for custom analysis.
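The following is an added example, not NETSCOUT's code or any OCI component, illustrating the first and third characteristics above: it builds two raw Ethernet/IPv4/UDP/DNS query frames in memory (constructed sample input), extracts layer 2–7 metadata from the bytes with a minimal parser, and shows that a NetFlow-style record of the two frames is identical in every field except byte count, while the extracted query name exposes the tunneling-style traffic. The function names and the tunneling thresholds are assumptions for illustration, not vendor values.

```python
"""Added example (not NETSCOUT's code): packet-derived L2-L7 metadata versus a
NetFlow-style record. Sample frames are constructed here; thresholds are
illustrative assumptions."""
import math
import struct
from collections import Counter

DNS_PORT = 53
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def _ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def encode_qname(qname: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"


def decode_qname(buf: bytes, off: int):
    """Decode labels at off; returns (name, offset after the name). Compression
    pointers are rejected because a query's question section never uses them."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_dns_query(src_mac, dst_mac, src_ip, dst_ip, src_port, qname, qtype=1, txid=0x1234):
    """Construct a raw Ethernet/IPv4/UDP/DNS query frame (sample input only)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", src_port, DNS_PORT, 8 + len(dns), 0) + dns
    hdr = [0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip)]
    hdr[7] = _ip_checksum(struct.pack(IP_HDR, *hdr))  # fill in header checksum
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + struct.pack(IP_HDR, *hdr) + udp


def parse_packet(raw: bytes) -> dict:
    """Extract layer 2-7 metadata from one frame (Ethernet, IPv4, UDP, DNS query)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    meta = {"eth_src": src_mac.hex(":"), "eth_dst": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return meta
    ip = raw[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_HDR, ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    meta.update(ip_src=".".join(map(str, src)), ip_dst=".".join(map(str, dst)), ttl=ttl,
                proto=proto, ip_len=total_len, ip_checksum_ok=_ip_checksum(ip[:ihl]) == 0)
    if proto != 17:
        return meta
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    meta.update(src_port=sport, dst_port=dport)
    if DNS_PORT not in (sport, dport):
        return meta
    dns = udp[8:ulen]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    meta.update(dns_txid=txid, dns_flags=flags)
    if qdcount:
        qname, off = decode_qname(dns, 12)
        meta.update(dns_qname=qname, dns_qtype=struct.unpack("!H", dns[off:off + 2])[0])
    return meta


def flow_record(meta: dict) -> tuple:
    """What a NetFlow-style exporter reports: the 5-tuple plus a byte count."""
    return (meta["ip_src"], meta["ip_dst"], meta["proto"], meta["src_port"], meta["dst_port"], meta["ip_len"])


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def tunnel_indicators(qname: str, max_label=32, max_sub_len=40, min_entropy=3.0) -> dict:
    """Heuristics on the labels below the registered domain (assumed here to be the
    last two labels, a simplification). Thresholds are illustrative assumptions."""
    sub_labels = qname.split(".")[:-2]
    sub = "".join(sub_labels)
    longest = max((len(l) for l in sub_labels), default=0)
    ent = shannon_entropy(sub)
    suspicious = longest > max_label or (len(sub) > max_sub_len and ent > min_entropy)
    return {"longest_label": longest, "sub_len": len(sub), "entropy": round(ent, 2), "suspicious": suspicious}


def analyze(raw: bytes) -> dict:
    meta = parse_packet(raw)
    return {"flow": flow_record(meta), "qname": meta.get("dns_qname"),
            "indicators": tunnel_indicators(meta.get("dns_qname", ""))}


# Constructed sample frames: an ordinary lookup, and a tunneling-style TXT query whose
# leftmost labels carry encoded data (a synthetic string, not a real tunnel).
BENIGN = build_dns_query("021a2b3c4d5e", "0211223344ff", "10.0.0.5", "10.0.0.53", 40000, "www.example.com")
TUNNEL = build_dns_query("021a2b3c4d5e", "0211223344ff", "10.0.0.5", "10.0.0.53", 40000,
                         "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.4f9a2c7e1b3d5e6f8a9b0c.t.example.com", qtype=16)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("tunnel", TUNNEL)):
        r = analyze(raw)
        print(name, "flow:", r["flow"], "| qname:", r["qname"], "| indicators:", r["indicators"])
```

Run stand-alone, the script prints both flow records, which agree on every field except the byte count, and then the query names and tunneling indicators that only the packet-level metadata exposes. A production detector would apply such heuristics per source host over a time window and use a real public-suffix list rather than the last-two-labels simplification.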

With advanced NDR, your security stack and your security staff become better. Without advanced NDR and the proper level of network intelligence, you cannot fully trust your overall cybersecurity. 

NETSCOUT’s core competency for more than 30 years has been to capture packets and conduct DPI at scale. NETSCOUT’s patented Adaptive Service Intelligence (ASI) technology converts those packets into a rich source of unique layer 2–7 metadata that we call Smart Data. NETSCOUT’s Omnis Cyber Intelligence (OCI) solution can use Smart Data to provide the following: 

  • Visibility Without Borders: See the data that matters, from the internet to the packet and everything in between. Omnis CyberStream, a highly scalable packet-capture, classification, and storage solution, captures both north-south and east-west traffic, giving you greater visibility across your entire network from all perspectives, including cloud environments (where EDR has limitations). This level of end-to-end visibility is a fundamental requirement for cybersecurity.
  • Smart detection: Better visibility, combined with continuous threat intelligence feeds, keeps you up to date on known indicators of compromise. NETSCOUT provides multiple types of detection, including statistical and behavioral analysis of Smart Data and matching against threat intelligence (ATLAS or third-party) in OCI, to fill the visibility and data gaps left by other cybersecurity tools.
  • Smart integration: NETSCOUT’s seamless integration with multiple partners such as Splunk, Palo Alto Networks, and AWS Security Hub makes your entire security stack stronger and more effective. Advanced NDR does more than just “detect” threats: It also helps to block them. OCI integrates with your firewalls to instruct immediate blocking at the edge. NETSCOUT’s Smart Data can be exported and combined with your other sources of data, filling the gaps in visibility to increase incident investigation efficiency and decrease mean time to resolution (MTTR).

NETSCOUT believes in achieving comprehensive Visibility Without Borders by enabling a single source of smart packet-derived data—which we call Smart Data—for more efficient service assurance and cybersecurity. NETSCOUT gives you the most comprehensive attack surface observability in the industry and provides continuous intelligence, with real-time detection of all network activity to halt attackers in their tracks. 

With this detailed visibility, you can trace, up to the minute, which hosts a compromised system has communicated with, and you retain visibility across the entire dwell time of an incident, with the full context needed to restore normal operation with the shortest downtime. With Smart Data, your security team can use high-quality metadata to act quickly and prevent further damage to the organization. 

NETSCOUT Omnis Cyber Intelligence leverages this Smart Data for advanced NDR, making your cybersecurity stack, staff, and overall cybersecurity simply better.

Learn more about Omnis Cyber Intelligence.