Gartner Blog Network

Can We Have NDR, Please?

by Anton Chuvakin  |  September 28, 2018  |  6 Comments

We have EDR (thanks Anton!), but can we also have NDR – if only to make the world of acronyms more consistent?

Instead, today we have NIDS (detection that is assumed to be signature-based), NTA (detection by learning and baselining, and praying to AI gods). We also have not-quite-accepted acronym of NFT or Network Forensics Technology (collection and retention of traffic data in support of incident response).

But just like EDR is a detection and response technology for the endpoint, why can’t we have the equivalent for the network? Why can’t we have NDR?

Specifically, why can’t we have one tool that does signature-based NIDS, machine learning – based traffic analytics together with capture and retention of layer 7 metadata (and files and occasionally full pcap) for incident response support?

Well … duh. We do! There are several vendors who (IMHO) balance the needs of detection with the needs of investigation / response. In fact, nearly all NTA vendors now can retain some metadata and provide search, while the remaining NFT vendors died can do some detection. In fact, even some SIEMs can do most of the above – while also continuing to do SIEM stuff (but more on that  in later posts).

To me, this seems to indicate that Network Detection and Response (NDR) is real. At this time, at least two vendors use the acronym on their websites.

So, can we have NDR? Yes we can!

Posts related to this research:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: network  network-forensics  nta  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on Can We Have NDR, Please?

  1. Yi Zhou says:

    Totally agree that NDR is real. Actually our NTA capability is pretty much a NDR but we just didn’t position like this, as it is still NOT a category name.

  2. Anton, you might have some influence with that naming 😉

  3. […] (this post, BTW is the result of our initial discussions on upcoming NTA research…) […]

  4. […] won the detection and response wars to this one. As we are ramping up our NTA (but, really, broader NDR for network-centric detection and response) research one mystery has to be […]

  5. […] about log analysis (via SIEM/UEBA), network security monitoring (via NTA or, if you’d like, NDR), endpoint detection (via EDR) and overall about SOC. Even threat hunting comes up. All very […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.