[UPDATED ON 11/30/23 - The 2020 Market Guide has been deprecated and is not available for download anymore]
The long-awaited Gartner Market Guide for Network Detection and Response (NDR) has been released and there are a few critically important things we believe you should note before diving into the document and the redefined category. As the market pushes to move away from simple analysis and towards actionable response, the “R” in NDR must be recognized for what it truly is—an opportunity for your organization to have a clearly outlined strategy for automatic and manual response. Previously, this category was known as Network Traffic Analysis (NTA) but has evolved beyond this definition and was renamed to reflect the functionality of these solutions more accurately.
Within this redefined category, the market now recognizes utilizing automatic and manual responses as common elements of NDR solutions, this includes anything from sending commands to a firewall so that it drops suspicious traffic, or providing threat hunting and incident response capabilities. However, spotting the real NDR solutions from those simply seeking to check the box with bolt-on features is critical in arming your security teams against future attacks.
The Gartner Market Guide defines a market and explains what clients can expect it to do in the short term. With the focus on early, more chaotic markets, a Market Guide does not rate or position vendors within the market, but rather more commonly outlines attributes of representative vendors that are providing offerings in the market to give further insight into the market itself.
I love the term “chaotic.” The list of vendors claiming to be NDR is long and diverse; many are using bolt-on or check-box security to make the NDR claim. Gartner was able to narrow down the list to 18 but even some of those have me scratching my head; I can only imagine how long the list was when they started, so hats off to Gartner because I am sure that whittling down the market to 18 vendors was no easy feat.
At Vectra, we know that response is critical to reducing breaches, increasing security operation center (SOC) efficiency, ensuring compliance, and providing security in the cloud…yet the technology and procedures that are the foundation of security enforcement are based on the quality and volume of security anomalies surfaced by an organization. It is, therefore, critical to avoid false positive alerts, which quickly lead to alert fatigue and degraded efficiency in analysts who are left struggling to prioritize response. If automated responses are not executed properly, the effects of these false positives are exacerbated, resulting in disruptions and outages.
Once you have quality and high-fidelity alerts, then you are ready for response.
- Respond based on behaviors, not volumes of anomalies: Skip the noise and false positives from anomaly-based systems. Anchor your response to an approach that covers an industry-leader number of the network behaviors in the MITRE ATT&CK framework.
- Prioritize response based on privilege and risk: Think like an attacker. Focus on response assets that they will target. Prioritize those with elevated levels of privilege, risk, and likelihood of a threat.
- Enforce at the identity-level: What’s more precise than identity-level enforcement? Nothing. Immediately remove malicious access to resources that are critical to your organization.
A favorite response capability is the Vectra Account Lockdown. It allows for immediate, customizable account enforcement via Active Directory integration. You can surgically freeze account access and avoid service disruption by disabling accounts rather than your network. By disabling an attacker's account, you can limit attacker progression along the kill chain.