Network Detection and Response: Using Data to Stop Threats that Defy Endpoint Protection

In our recent article, “Endpoint Detection and Response: What Data Do You Need?”, we examined how Endpoint Detection and Response (EDR) systems help to detect and mitigate the risk of cyber threats that enter the network from endpoint devices. But sometimes, malicious activity evades detection at the network’s edge because attack patterns or signatures are unknown or a hacker’s tactics are too sophisticated. In this case, a Network Detection and Response (NDR) system can save the day.

According to Gartner and IDC, in 2020, NDR was the second-fastest growing segment of the security market at a 25% CAGR. Why? Because it picks up where EDR leaves off. While EDR systems capture and analyze data from connected endpoint devices, NDR systems provide real-time visibility across the network after traffic leaves the endpoints.

How Does NDR Work?

NDR systems are designed to flag suspicious activity within the traffic flow on a corporate network. They use a combination of non-signature-based, advanced analytical techniques such as AI and machine learning to provide a bird’s-eye view of all interactions between networked devices, surfacing and correlating data and events from users, devices and applications. 

NDR systems detect attacks at the network layer, where it’s difficult for bad actors to hide their activities – while hackers can manipulate endpoint devices or bypass firewalls by pretending to be legitimate users or services, it’s impossible to tamper with network information. Hackers also have no way of knowing if their activities are being observed.

By providing context around anomalous and potentially malicious network traffic, NDR systems reduce the time it takes for security teams to investigate potential threats. Additionally, they can be configured to stream information about suspicious activity to Security Information and Event Management (SIEM) systems, to initiate a response. It’s important to note that NDR systems work across on-premises, cloud, and hybrid environments.

Why is NDR Important?

NDR systems provide numerous benefits to IT security teams:

  • Continuous network visibility: They enable teams to see what’s happening across all users, devices and services, whether on-premises or in the cloud.
  • Advanced threat detection: Because they leverage AI and machine learning, they can analyze behavioral data with precision and detect active attacks in real-time. 
  • Rapid response: Advanced NDR systems not only detect threats that other security systems miss but also enable rapid response through integrations with SIEM systems.
  • Operational efficiency: NDR systems reduce the time it takes to investigate potential threats, so teams spend less time finding and analyzing the problem, and can fix it faster.

What Data Do NDR Systems Use?

NDR solutions collect a variety of data across networks and environments. The more data they have, the better they analyze and detect potentially malicious activity. Information about the location and device from which traffic originates, where it’s headed and who’s sending it is all essential. Both current and historical data are needed to provide context and paint a complete picture. The more data – and the more granular the data – the better the AI and machine learning algorithms can learn and identify suspicious and anomalous patterns in the traffic flow.

Granular Data Across the Entire Technology Estate

By embedding Lansweeper’s industry-leading IT discovery and recognition technology into their products, cybersecurity companies have immediate access to all of the rich data they need to fuel their NDR algorithms, and analyze traffic flows on the network to identify both new and existing threat patterns.  

Lansweeper’s deep scanning engine and credential-free device recognition (CDR) technology continuously scan the corporate network, automatically detecting and identifying any connected hardware and software assets. It provides contextual information about users, assets and vulnerabilities that can be streamed to and analyzed by NDR systems for deep insights. This data – which includes granular details on devices such as make, model, category, OS, location, and users – enhances the performance of NDR systems, accelerating investigations and response. What’s more, Lansweeper’s device catalog is enriched with product metadata such as release and EOL dates, as well as references to documentation and support resources, enabling rapid risk mitigation to prevent future attacks.
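To make concrete how the historical data described under “What Data Do NDR Systems Use?” and the asset context described in this section come together, here is an added example (not Lansweeper code, and not the AI/ML models the article refers to): a simple statistical baseline per device stands in for the analytics, and each alert is enriched with inventory fields before it would be streamed to a SIEM. The IP addresses, flow records, inventory entries and the 3x volume threshold are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed asset inventory keyed by IP; fields follow the device attributes
# the article lists (make, model, category, OS, location, user) plus EOL status.
INVENTORY = {
    "10.0.1.10": {"make": "Dell", "model": "Latitude 5420", "category": "laptop",
                  "os": "Windows 11", "location": "HQ-3F", "user": "jdoe", "eol": False},
    "10.0.2.50": {"make": "Axis", "model": "P3245", "category": "ip-camera",
                  "os": "embedded", "location": "Lobby", "user": None, "eol": True},
}
# Constructed historical flows (src_ip, dst_ip, dst_port, bytes) used as baseline.
HISTORY = [
    ("10.0.1.10", "10.0.9.5", 443, 52000), ("10.0.1.10", "10.0.9.5", 443, 48000),
    ("10.0.1.10", "10.0.9.7", 445, 12000), ("10.0.2.50", "10.0.9.20", 554, 9000),
    ("10.0.2.50", "10.0.9.20", 554, 9500),
]
# Constructed current window: the camera opens SMB to a host it never used, and
# the laptop pushes far more data than usual over 443; the third flow is normal.
WINDOW = [
    ("10.0.1.10", "10.0.9.5", 443, 410000),
    ("10.0.2.50", "10.0.9.7", 445, 30000),
    ("10.0.2.50", "10.0.9.20", 554, 9200),
]

def build_baseline(flows):
    """Per source device, the byte counts seen for each destination port."""
    baseline = defaultdict(lambda: defaultdict(list))
    for src, _dst, port, nbytes in flows:
        baseline[src][port].append(nbytes)
    return baseline

def detect(window, baseline, inventory, volume_factor=3.0):
    """Flag never-seen ports and volume spikes; attach asset context for the SIEM."""
    alerts = []
    for src, dst, port, nbytes in window:
        seen = baseline.get(src, {})
        if port not in seen:
            reason = "new destination port for this device"
        elif nbytes > volume_factor * mean(seen[port]):
            reason = "byte volume above %gx device baseline" % volume_factor
        else:
            continue  # within historical behaviour, nothing to report
        asset = inventory.get(src, {"category": "unknown", "eol": None})
        # End-of-life or unmanaged devices get a higher severity for triage.
        alerts.append({"src": src, "dst": dst, "port": port, "bytes": nbytes,
                       "reason": reason, "asset": asset,
                       "severity": "high" if asset.get("eol") else "medium"})
    return alerts
```

Running `detect(WINDOW, build_baseline(HISTORY), INVENTORY)` yields two alerts: a medium-severity volume spike from the laptop and a high-severity new-port alert from the end-of-life camera, while the camera's usual RTSP flow stays silent.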

Get Started Today

Lansweeper Embedded Technologies makes it easy to embed Lansweeper into your NDR solution via a cloud API or multi-platform SDK. Find out more, and get started today.