The Cyberman Show

Network Detection and Response: Basics, Usecases and Gartner 2025 MQ : EP 98

Prashant Mishra

Today's episode covers a comprehensive overview of Network Detection and Response (NDR) technology, explaining its core function in detecting abnormal and malicious system behaviors by analyzing network traffic data. It outlines key features such as data ingestion, detection, and response, and discusses common use cases including lateral movement and insider threat detection, even extending to Operational Technology (OT) environments. The text also reviews the current market vendors based on a Gartner Magic Quadrant analysis, differentiates NDR from other security technologies like EDR, SIM, and XDR, and explores the integration of AI in enhancing NDR capabilities.

Google Drive link for Podcast content:
https://drive.google.com/drive/folders/10vmcQ-oqqFDPojywrfYousPcqhvisnko

My Profile on LinkedIn: https://www.linkedin.com/in/prashantmishra11/
YouTube Channel: https://www.youtube.com/@TheCybermanShow
Twitter handle: https://twitter.com/prashant_cyber


PS: The views are my own and don't reflect any views from my employer.

Hey everyone, welcome to The Cyberman Show. Today's topic is NDR or network detection and response. Now, this is a technology that's designed to detect abnormal and malicious system behaviors by applying behavior analytics to the network traffic data. This is not the first time I'm talking about this technology; I did an episode almost a year back on this, episode 102, which you can find on YouTube, Spotify, or Apple Podcasts links from around June. The reason for revisiting this content is that the technology has evolved, and there's finally a Gartner Magic Quadrant for NDR that we're going to discuss.

The summary of what will be discussed includes understanding how the technology works, common features in NDR products, common use cases, current market vendors, how NDR differentiates from other technologies (including EDR, SIM, firewalls, XDR), and how AI is being implemented on the NDR side.

The simplest definition is that NDR technology consumes or collects network traffic data in various form factors, continuously inspects it, builds baselines, and then identifies anything that is standing out or is an outlier. It can be thought of as an "eye in the sky" and can monitor both east-west traffic (communication moving laterally within the network) and north-south traffic (communication between internal assets and external networks crossing the perimeter).

The most common features in NDR products are categorized into three areas: data ingestion, detection, and response and workflow. The speaker will refer to Gartner's recent Magic Quadrant (MQ), noting that a Gartner MQ typically signifies a growing market that requires attention from analysts like Gartner. Although a market guide for NDR existed for some time, Gartner's inaugural report on NDR was released in 2025.

In NDR, native automation has been added due to the growth in API and automation technologies. The first key feature of an NDR product is data collection, which is achieved by deploying physical or virtual sensors or devices on on-prem or cloud networks. In a SaaS environment, traffic is typically mirrored from the SASE technology to the NDR technology. NDR performs analysis of raw network packets or traffic flows, such as NetFlow, and monitors both north-south and east-west traffic. Optionally, some technologies allow monitoring and analyzing traffic in IaaS and SaaS environments, using SaaS API connectors to analyze events and user activity in cloud applications. Some NDRs also offer log ingestion capabilities and full packet capture for long-term retention and deep forensics. The speaker previously worked on NetWitness technology around 2012 at RSA.

Regarding detection features in NDR, the technology models the entire network traffic and highlights unusual activity. Detection is primarily based on behavioral techniques, non-signature-based methods, and typically leverages ML and advanced analytics. In some cases, it also has the capability to detect traditional signature-based patterns, like Snort rules commonly used in the IPS world. Threat detection can also be done using a threat feed from a threat intelligence provider or natively from the NDR vendor. Some NDR technologies allow metadata enrichment during collection or analysis to add context.

The third key feature in NDR is response and workflow. This includes case management, aggregating individual alerts into structured incidents for investigation, and automatic response capabilities such as host containment and traffic blocking. These responses can be native or through integration with other security tools like a SOAR platform. NDR also provides manual capabilities, like running analyst-uploaded scripts, and in certain cases, AI-based search assistants using natural language for threat hunting. Native integration with EDR and SIM platforms provides additional context.

Key developments in NDR over the last few years include the rise of AI assistants, similar to other security technologies, and specific to NDR, cloud application monitoring. While this was not a common use case previously, the increasing traffic and user activity in SaaS applications make monitoring this activity important. Although some of this is covered by CASB, NDR provides good context when capturing east-west and north-south traffic, including traffic to or from SaaS applications.

Common use cases for NDR products include:

• Detecting lateral movement: This is done by constantly monitoring east-west traffic using data from PCAPs or NetFlow. The solution builds a behavioral baseline for every device and user, and an attacker's lateral movement actions typically appear as outliers compared to standard user activity. Examples include a user workstation attempting to connect to a critical database via RDP for the first time, a device suddenly scanning the internal network, or the use of administrative protocols like SMB or DCE/RPC between systems that don't normally communicate. These deviations from the baseline are flagged.

• Insider threat detection: Insider threats originate from individuals with legitimate access credentials, making them difficult to detect as they can bypass perimeter-based and authentication-focused security controls. NDR addresses this by focusing on how users are behaving rather than just who is accessing the network. Behavioral analytics in NDR becomes the primary detection mechanism for these users who already have credentials. Examples include an employee accessing sensitive file shares or databases they've never touched before, a user account exfiltrating an unusually large volume of data compared to their normal baseline, or an employee connecting to the network or accessing resources at unusual hours or from a different geographical location than in the past. The same logic of behavior-based outliers applies to external and internal threats, for both devices and users, regardless of traffic direction.

• Proactive threat hunting: NDR provides an ideal dataset for finding signs of compromise because it records all network conversations, allowing hunters to search for indicators of compromise (IOCs) or specific attacker TTPs (Tactics, Techniques, and Procedures) that might signal a hidden threat. With automation on L1 and L2 layers, threat hunters can proactively perform this activity based on hypotheses or their understanding of the network.

• NDR for OT (Operational Technology) environments: Many NDR technologies support OT-specific protocols like Modbus, DNP3, S7comm, BACnet, EtherNet/IP, and PROFINET, and they have Deep Packet Inspection (DPI) capabilities for these protocols. NDR platforms are passive and agentless, meaning they can be deployed using SPAN or TAP ports to receive a copy of network traffic without installing software on industrial controllers or endpoints. This non-intrusive approach aids in OT infrastructure discovery, providing comprehensive asset visibility by identifying legacy systems and unmanaged devices that other tools cannot see. It maps communication patterns and creates a baseline of normal behavior essential for anomaly detection. For example, an OT device sending a command on Modbus or DNP3 that it has never done before would be detected as an outlier because it wouldn't match the baseline. This makes NDR critical for OT environments like factories and manufacturing sites.
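As an added example (not from the episode or from any vendor's product), the per-host baseline-and-outlier logic behind the lateral movement, insider threat and OT use cases above, run over a few constructed NetFlow-style records. Host names, byte counts, the critical-asset list and the thresholds are assumptions chosen for the demo.

```python
from collections import defaultdict
from statistics import mean

# Constructed NetFlow-style records (src, dst, proto, bytes); not real traffic.
# The critical-asset set and the thresholds below are assumptions for the demo.
CRITICAL_ASSETS = {"db-prod"}

BASELINE = [                      # "normal" east-west traffic learned earlier
    ("ws-alice", "file-srv", "smb", 20_000),
    ("ws-alice", "mail-srv", "https", 5_000),
    ("ws-alice", "mail-srv", "https", 6_000),
    ("ws-bob", "file-srv", "smb", 15_000),
    ("ws-bob", "db-prod", "rdp", 1_000),    # bob administers db-prod: RDP is his normal
]

LIVE = [                          # the window being inspected now
    ("ws-alice", "mail-srv", "https", 5_500),   # within baseline
    ("ws-alice", "db-prod", "rdp", 800),        # alice has never RDP'd to the database
    ("ws-bob", "file-srv", "smb", 900_000),     # 60x bob's usual share volume
    ("ws-bob", "db-prod", "rdp", 1_100),        # same action as alice's, but normal for bob
] + [("ws-carol", f"10.0.5.{i}", "tcp", 60) for i in range(1, 8)]  # fan-out to 7 new hosts

def build_baseline(flows):
    """Per source host, record each (dst, proto) pair seen and its byte volumes."""
    base = defaultdict(lambda: defaultdict(list))
    for src, dst, proto, nbytes in flows:
        base[src][(dst, proto)].append(nbytes)
    return base

def detect(baseline, live, scan_threshold=5, volume_factor=10):
    """Flag the three deviations the episode describes: a first-seen connection to
    a critical asset, a transfer far above the pair's usual volume, and one host
    reaching many never-seen peers (internal scanning)."""
    alerts, new_peers = [], defaultdict(set)
    for src, dst, proto, nbytes in live:
        history = baseline[src].get((dst, proto))
        if history is None:                      # pair never seen for this host
            new_peers[src].add(dst)
            if dst in CRITICAL_ASSETS:
                alerts.append((src, "first-time access to critical asset", f"{proto} -> {dst}"))
        else:
            usual = mean(history)
            if nbytes > volume_factor * usual:
                alerts.append((src, "volume outlier", f"{nbytes} B to {dst}, usual ~{usual:.0f} B"))
    for src, peers in new_peers.items():
        if len(peers) >= scan_threshold:
            alerts.append((src, "internal scan", f"{len(peers)} never-seen destinations"))
    return alerts

def run_demo():
    return detect(build_baseline(BASELINE), LIVE)

if __name__ == "__main__":
    for src, reason, detail in run_demo():
        print(f"{src}: {reason} ({detail})")
```

Note that bob's RDP to db-prod produces no alert while alice's identical action does: the baseline is per user and device, which is exactly why it catches insiders who hold legitimate credentials.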

Market Overview (Gartner Magic Quadrant for NDR Vendors): Gartner evaluates vendors based on various parameters including product, market size, revenue, and support, classifying them into four categories.

• Leaders: These vendors demonstrate strong performance in both execution and vision, offering well-integrated products, a clear roadmap aligned with market trends, and robust sales and distribution channels, typically being global vendors with a large presence.

• Challengers: These vendors execute well and have a strong market presence but may lack a forward-looking vision or fall behind in introducing innovative features. They have an active customer base but are not innovating as much.

• Visionaries: These vendors are innovators, often with highly advanced technology, but may lack the market presence, scale, or resources to be considered leaders. They could be new companies with a specific geographic presence, still trying to scale.

• Niche Players: These vendors offer solid products but focus on a specific market segment, whether it's a particular technical capability, industry vertical, or geographic region (e.g., focusing only on OT in a specific region or globally).

In the recent Gartner MQ, there are:

• Four vendors in Leaders: Darktrace, Vectra AI, ExtraHop, and Corelight.

• Two in Challengers: Stellar Cyber.

• One in Visionaries: Gatewatcher.

• Multiple in Niche Players: NetWitness, ThreatBlockr, Trend Micro, Arista Networks, and Trellix.

Beyond Gartner's evaluation, there's a "best-of-breed" versus "platform" debate in the market.

• Best-of-breed companies specialize in NDR as their main strength, including Corelight, ExtraHop, and Darktrace.

• Platform companies offer NDR as a feature within a larger security story, such as Stellar Cyber, Trend Micro, and Trellix. Many firewall vendors also claim NDR capabilities by capturing north-south activity from firewall logs and collecting NetFlow data in their XDR or autonomous platforms.

The choice of vendor depends on a company's current security stack, use cases, desired visibility, and the skill level of their personnel. For example, monitoring OT environments might require a packet capture-based NDR, while monitoring firewall side or IT switches could involve an NDR license on an existing XDR platform. The decision is entirely based on company requirements and network architecture.

NDR's Comparison with Other Technologies:

• Firewalls and IPS (Intrusion Prevention Systems): Firewalls and IPS typically rely on signatures (predefined patterns of known malicious code or activity) along with rule sets. While modern firewalls do incorporate some learning, they generally don't perform full packet capture; their learning is aimed at finding and blocking known malicious content. In contrast, NDR uses machine learning and advanced analytics to build a dynamic baseline model, continuously comparing it with real-time activity. This allows NDR to detect subtle anomalies and suspicious deviations that signal potential threats, even ones never seen before, which is not typically possible with traditional IPS or firewalls.

• EDR (Endpoint Detection and Response) and SIM (Security Information and Event Management): Both EDR and SIM complement NDR. EDR is designed for managed devices and cannot monitor unmanaged devices like IoT or OT equipment, which are blind spots for EDR. NDR fills this gap by monitoring every connected device, including unmanaged IoT, OT, and BYOD, which are often blind spots for EDRs and sometimes SIMs. SIM provides digital evidence from log data, but log data can be tampered with or cleared by attackers. Network packets, which NDR analyzes, cannot be deleted, providing tamper-proof trace evidence.

◦ An analogy for how EDR, SIM, and NDR fit together in a security incident (crime scene) is: EDR is a forensic team analyzing a single room, examining fingerprints and evidence on a desk; SIM is the detective reviewing employee statements and timelines; and NDR is the security camera footage showing who entered and exited, which rooms and hallways they used, and at what times these events occurred.

• XDR (Extended Detection and Response): XDR is a holistic security platform designed to break down data silos from different security layers like EDR, SIM, cloud environments, identity systems, and email. It integrates and correlates telemetry from these multiple layers into a single, unified system for investigation and response. NDR can be part of an XDR platform, with many large XDR players offering sensors for collecting activity data from NetFlow and firewall logs. However, these XDR platforms typically do not provide full packet capture as a capability.

AI Adoption in NDR:

• Core Engine Baselining and Anomaly Detection: The most basic use cases involve traditional AI and ML in the core engine for baselining normal network behavior and detecting anomalies.

• Generative AI (GenAI) and Large Language Models (LLMs): These are being used to enhance Security Operations Center (SOC) workflows and for new use cases like:

◦ Natural Language Threat Hunting: Analysts can ask questions in plain English instead of complex queries (e.g., "Show me all unusual outbound connections to North Korea from the engineering department in the last 24 hours").

◦ Automating Incident Summaries: GenAI can automatically analyze event sequences and generate concise, human-readable narratives summarizing an attack (how it started, affected systems, attacker actions).

◦ AI-Guided Response: AI can provide prioritized, step-by-step remediation recommendations, acting as an expert guiding junior analysts through containment and recovery, increasing efficiency and reducing learning time.

• On-Device LLMs: An interesting development is the story of on-device LLMs, where an LLM can run directly on the NDR appliance rather than in the cloud. This addresses data privacy concerns by keeping sensitive network data on-premises, reduces latency for faster analysis, and allows the solution to function effectively in air-gapped environments, which is critical for many OT and government use cases. This is considered a unique concept that could benefit all appliances, not just NDR, for air-gapped networks.

The speaker concludes by thanking Gartner and the mentioned vendors for helping to learn about these technologies.