Home Topics What is NDR? What is network detection and response (NDR)?
Explore IBM's network detection and response solution Subscribe to security topic updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is NDR?

Network detection and response (NDR) is a category of cybersecurity technologies that use non-signature-based methods—such as artificial intelligence, machine learning and behavioral analytics—to detect suspicious or malicious activity on the network and respond to cyberthreats.

NDR evolved from network traffic analysis (NTA), a technology originally developed to extract network traffic models from raw network traffic data. As NTA solutions added behavioral analysis and threat response capabilities, industry analyst Gartner renamed the category NDR in 2020.

IBM X-Force® Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security® X-Force Threat Intelligence Index.

Related content

Register for the Cost of a Data Breach report

Limitations of signature-based network security solutions

Many traditional threat detection tools—antivirus software, early intrusion detection and prevention systems (IDPSs), and some types of firewalls — identify and prevent threats by looking for unique indicators of compromise (IOCs), or signatures.

A signature can be any characteristic associated with a known cyberattack—e.g., a line of code, file hash or file size from a particular malware variant, a specific packet header, or a subject line from phishing or social engineering email. Signature-based tools maintain regularly updated databases of known signatures, and detect threats by scanning for the presence of these signatures in network traffic.

As a result, these signature-based tools are effective at preventing known threats from entering or lurking in the network. But they can’t detect new, as-yet-unknown or emerging malware or threats. And they’re also unlikely to identify threats without signatures, such as

  • Hackers using stolen credentials to access the network
  • Business email compromise (BEC) attacks in which hackers impersonate or hijack an executive’s email account
  • Employees engaging in unintentionally risky behavior, such as saving company data to a personal USB drive, or clicking email links to malicious web sites.

Ransomware and other advanced persistent threats exploit these blind spots to sneak onto networks, carry out reconnaissance, escalate privileges and wait for the right moment to launch an attack. 

How NDR works

While signature-based tools are primarily preventative, NDR takes a dynamically responsive approach to network threats. Instead of scanning for specific known signatures, NDR solutions monitor and analyze network traffic and activity in real time to identify any suspicious activity, outside or inside the network, that could indicate a known or unknown cyber threat.

NDR solutions do this by:

Modeling baseline network behavior. NDR solutions ingest raw network activity data and metadata from dedicated sensors and application agents throughout the network, and from network infrastructure like firewalls and routers. NDR tools then apply behavioral analytics, AI and machine learning to the data to generate a baseline model of normal network behavior and activity. 

Detecting suspicious and potentially malicious activity. NDR monitors the network continuously, and uses the same analytics and AI capabilities to identify deviations from baseline behavior in real time. Examples might include a user accessing sensitive data outside of work hours, an endpoint device communicating with an unknown external server, or a port receiving unusual data packets.

Because NDR solutions monitor both north-south (exit and entry) and east-west (internal) network traffic, they can detect and track lateral movement of threats, a common behavior of malicious insiders and advanced threats. Some NDR solutions include capabilities for detecting threats hiding in encrypted traffic.

NDR can also generate models of threat behavior, by correlating data from threat intelligence feeds, the MITRE ATT&CK framework, and other sources of data on cybercriminals’ tactics, techniques and procedures (TTPs). These models help the NDR solution sift the signals from the noise—that is, distinguish between likely cyberattacks and unusual but harmless activity, or ‘false positives.’

Providing incident response automation and tools. When an NDR solution detects a cyberattack or behavior that could signal a cyberattack, it can

  • Prioritize and raise alerts to the security team or security operations center (SOC) in real time.
  • Automate incident response. NDR solutions can automatically take actions—such as terminating a suspicious network connection—to disrupt or shut down an attack as it’s happening. NDR can also leverage integrations with other security tools to trigger incident response. For example, it could prompt an organization’s SOAR (security orchestration, automation and response) system to execute a predefined response playbook.
  • Optimize threat investigations. NDR solutions provide contextual data and functionality that security teams and SOCs can use to accelerate ongoing threat investigations and proactive investigations or unknown or undetected threats (known as threat hunting).
NDR and other enterprise security solutions

Today, enterprise networks are highly decentralized and expansive, connecting on-premises and and cloud data centers, hardware, software, IoT devices, and workloads. To gain full visibility into these distributed and interconnected networks, SOCs often rely on NDR in with other security solutions as part of their cloud security strategy. 

For example, NDR is one of the three pillars of Gartner's SOC visibility triad, along with endpoint detection and response (EDR) and security information and event management (SIEM). EDR is software designed to automatically protect an organization's end users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools. It provides a ‘ground-level’ view of activity occurring at individual endpoints that complements the ‘aerial view’ of network traffic that NDR provides. SIEM combines and correlates security-related log and event data from disparate security tools and other sources on the network (servers, applications, devices). NDR tools can stream their network traffic data and analysis to a SIEM, further enriching the value of SIEM for security and regulatory compliance workflows.

More recently, SOCs are adopting extended detection and response (XDR) solutions. XDR integrates cybersecurity tools across an organization’s entire hybrid IT infrastructure—endpoints, networks, cloud workloads and more—so that they can interoperate and coordinate on cyberthreat prevention, detection and response. Many XDR solutions incorporate NDR capabilities; open XDR solutions can leverage the NDR capabilities an organization already has in place.

Related solutions
Threat detection and response solutions

Leverage IBM threat detection and response solutions to strengthen your security and accelerate threat detection.

Explore threat detection and response solutions
Cloud security solutions

Move confidently to hybrid multicloud and integrate security into every phase of your cloud journey.

Explore cloud security solutions
Managed infrastructure and network security services

Protect your infrastructure and network from sophisticated cybersecurity threats with proven security skills, expertise and modern solutions.

Explore managed infrastructure and network security services
Resources What is EDR?

EDR uses real-time analytics and AI-driven automation to protect organizations against cyberthreats that get past antivirus software and other traditional endpoint security technologies.

Cybersecurity in the era of generative AI

Learn how today’s security landscape is changing and how to navigate the challenges and tap into the resilience of generative AI.

What is artificial intelligence?

Artificial intelligence (AI) leverages computers and machines to mimic the problem-solving and decision-making capabilities of the human mind.

Take the next step

IBM cybersecurity services deliver advisory, integration and managed security services and offensive and defensive capabilities. We combine a global team of experts with proprietary and partner technology to co-create tailored security programs that manage risk.

Explore cybersecurity services