KuppingerCole Report
Leadership Compass
By John Tolbert

Network Detection & Response (NDR)

This report provides an overview of the market for Network Detection and Response tools (NDR) and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing NDR solutions.

1 Introduction / Executive Summary

Commercial, government, and non-profit organizations of all kinds increasingly find themselves under cyber-attack these days. Ransomware, fraud, credential theft, PII theft, and intellectual property theft occur on a daily basis around the globe. IT teams mitigate the risks by employing and deploying a wide array of cybersecurity tools. Many components of security architectures are well-known: firewalls, VPNs, Endpoint Protection Detection & Response (EPDR), Security Incident and Event Management (SIEM), etc. In the last decade, security professionals have pivoted to address how to detect attacks and other malicious activities, rather than focusing solely on prevention. SIEM and IDS (Intrusion Detection Systems) were touted as solutions for detection, but they quickly maxed out their potential usefulness and have been forced to evolve. Endpoint Protection (EPP) has largely merged with Endpoint Detection and Response (EDR), which came to the fore as a means of discovering malicious behavior on desktops, laptops, and servers.

NDR solutions are designed to help security analysts discover evidence on the network and/or in the cloud of malicious activities that are in progress or have already occurred. NDR tools are effectively “Next-Gen IDS”. One of the big differences between NDR and old IDS tools is that NDR tools use multiple Machine Learning (ML) techniques to identify normal baselines and anomalous traffic, rather than static rules or IDS signatures. Given the volumes of network connection data that must be analyzed, using ML algorithms and models is a “must” rather than a “nice-to-have”. Historically, the major drawbacks to IDS were that it was labor intensive to operate, was of limited effectiveness, and could generate high numbers of false positives.

These security tools were created to discover and remediate certain types of attacks. Advanced Persistent Threats (APTs) are often perpetrated by actors from state intelligence agencies for the purpose of gathering intelligence on foreign companies and agencies, copying intellectual property, or sabotage. APT actors may also include well-funded but unscrupulous companies and hacktivist groups. Their goals often require long-term presence on victims’ properties, hence the use of the term “persistent”. APT groups have historically been the most likely ones to use Zero-Day exploits (those which were previously unseen in the wild), which may give them the advantage of not being detected by EPDR agents. In the last couple of years, cybercriminal groups have begun to use APT strategies and tactics against their victims: gaining access to resources, siphoning out data, then detonating ransomware.

Enter NDR as an additional tool to discover hitherto unknown compromises. Since data exfiltration is usually an objective of attackers, even in contemporary ransomware cases executed by cybercriminal units, properly deployed NDR tools can be better suited to discovering lateral movement from the initial compromised device to other assets within the target organization, use of compromised privileged credentials, and data exfiltration attempts.

NDR tools are also deployed to provide visibility in OT/ICS/IIoT environments where it may not be possible to implement endpoint agent-based solutions. Enterprises often separate OT/ICS and IIoT devices onto their own networks for containment purposes. Such network segmentation is indeed useful, and the control points between these specialized networks and general-use and back-end networks are logical places to deploy NDR sensors.

NDR tools can also help discover and remediate more common types of attack such as unwanted bot activities, credential theft, and insider threats.

NDR solutions can log all activities from attached networks in a central secure location for both real-time and later forensic analysis. NDR solutions are usually implemented as a mix of appliances, virtual appliances, and IaaS VM images. Appliances and/or virtual appliances deployed on-premises must tap into physical networking gear at all relevant network control points: off switch and router span or tap ports, or off network packet brokers. For example, if your organization still has perimeters (and most do), NDR appliances need to be placed there. Vendors often talk about “north-south” (across perimeters) and “east-west” (lateral movement) deployment points. All directions need to be covered by NDR solutions for maximum coverage.

Alternatively, some NDR virtual appliances can be co-located with firewalls or other perimeter network devices. Other common places to deploy NDR sensors are between network segments, around IoT and/or OT and Industrial Control Systems (ICS) / SCADA networks, and around web-facing properties and Wi-Fi portals. With an irreversible Work-From-Home (WFH) trend in response to the global pandemic, NDRs should be deployed alongside VPNs. NDR VMs can be inserted into your IaaS and potentially PaaS infrastructure as well. Exactly how many appliances or virtual appliances your organization needs and where they should be placed depends on your architecture. Proper design of NDR deployments is necessary to monitor all traffic flows.

A key differentiator for NDR technology is the employment of multiple ML algorithms in the various analysis phases. At a high level, unsupervised ML finds outliers or anomalies in traffic patterns, while supervised ML models categorize possible threats among the outliers and classify malicious activities, domains, and other attributes. Supervised ML is more commonly used by vendors for Encrypted Traffic Analysis. Deep Learning (DL) algorithms and detection models utilize variations of neural networks and are the latest generation of AI/ML technology as applied to the cybersecurity space. Some NDR vendors use DL for Encrypted Traffic Analysis. The most effective solutions utilize several layers of ML- and DL-enhanced processing of all traffic at line speed. Vendor products in this segment typically advertise 10 – 200 Gbps throughput on network sensors, and 1 Gbps for IaaS traffic scanning.

In terms of responses, NDR solutions can provide dashboards/alerts/reports, display real-time visualizations, allow drilldowns into details, enrich discoveries with threat intelligence, correlate events and provide automated analysis, halt suspicious traffic, isolate nodes, and send event data to SIEMs, SOARs, and forensic/case management applications. In cases where vendor products operate in passive mode, they direct 3rd-party security tools via APIs to execute these responses.

NDR solutions are not usually easy to operate, and in some cases require a dedicated team of one or more analysts (depending on organization size) to make the best use of the capabilities. Knowing this, many vendors provide facilities within their solutions to automate aspects of analysis, including evidence collection, correlation, remediation suggestions, and root cause analysis (RCA). Many of the vendors in the NDR space offer managed services of different types to augment the products. Additionally, many MSSPs can manage an NDR deployment and handle the threat hunting and analysis tasks on behalf of their customers.

There are several good reasons to consider deploying NDR. The typical capabilities outlined above can be of service in discovering malicious activity that your other security tools may have missed.

Endpoint Protection Detection & Response (EPDR) agents are a must for every computing device that can run them. However, sometimes they may not catch every piece of malicious code. There are several reasons why NDR is a needed complement to EPDR and other security solutions:

  1. BYOD bypass: In permissive environments, some users may bring in infected devices and not know it because their machines do not have EPDR agents. Business partners and contractors may use their own devices, which may be beyond the control of the hosting organization.
  2. Ineffective EPP: Some EPP solutions are better at detecting and preventing malware than others. Also, EPP agents need to be updated; even those that use ML-driven heuristics and exploit prevention. If EPP solutions are weak or have outdated signatures or ML models, they are more likely to miss malware. Ultimately, it is not logically possible to design an anti-malware solution that can detect malicious code with 100% accuracy all the time.
  3. Non-traditional endpoints: Many IoT and IIoT devices can’t run EPDR. Operating systems may not support EPDR agents but are still susceptible to hacking. In other cases, IoT devices are simply not user configurable. Enterprises with large numbers of such devices tend to isolate them onto separate VLANs. These environments need security monitoring and detection capabilities that cannot be delivered by standard endpoint security solutions.
  4. Endpoints that cannot run agents: Some Linux and Windows computing devices have limited builds of operating systems to host specific applications and are not manageable by IT staff. For example, certain medical devices such as MRI machines can’t have 3rd-party security software added without invalidating warranties and support agreements. Other examples may include Industrial Control Systems (ICS) and SCADA networks. These environments are known to be targeted by particular kinds of malicious actors and, given the highly critical nature of the work they do, must be monitored and protected. As in the IoT environments case, these environments need NDR solutions because other security technologies have no visibility here.
  5. Attack coverups: Advanced malware can erase application and operating system log entries and suppress security tool reporting. Unauthorized and unaudited use of compromised and privileged credentials may mask attacks. Signs of malicious activity may not make it to the SIEM from endpoints. Therefore, the only place where highly sophisticated attacks may be discovered may be at the network layer.

Organizations today increasingly use the cloud, and key resources may be located in IaaS or in SaaS. Thus, NDR solutions need visibility of cloud environments. Hybrid architectures are common, so many NDR customers need coverage for hybrid architectures.

Even though endpoint-based solutions may not have visibility of all malicious activities, malware communicates on networks: with command and control (C2) servers, to other assets in the environment (lateral movement), to participate in botnets for fraud or DDoS attacks, or to exfiltrate data. Therefore, NDR tools can discover malicious activities that endpoint solutions and SIEMs miss.
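The baseline-and-outlier idea described earlier, applied to two of the network behaviors named above (exfiltration volume and lateral movement), as an added example that is not taken from the report or from any vendor product. A median/MAD robust z-score stands in for the unsupervised ML stage; the flow tuple layout, the `10.0.0.0/8` internal range, and both thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored address space
MAD_Z_LIMIT = 3.5                    # assumed cut-off for the modified z-score
NEW_PEER_LIMIT = 3                   # assumed: new east-west peers per day

def summarize(flows):
    """Per (day, src): bytes sent north-south and the set of east-west peers."""
    out_bytes, peers = defaultdict(int), defaultdict(set)
    for day, src, dst, nbytes in flows:
        if ip_address(dst) in INTERNAL:
            peers[(day, src)].add(dst)
        else:
            out_bytes[(day, src)] += nbytes
    return out_bytes, peers

def build_baseline(flows):
    """Learn each host's daily outbound volumes and its usual internal peers."""
    out_bytes, peers = summarize(flows)
    daily, known = defaultdict(list), defaultdict(set)
    for (_, src), total in out_bytes.items():
        daily[src].append(total)
    for (_, src), seen in peers.items():
        known[src] |= seen
    return daily, known

def robust_z(value, history):
    """Modified z-score: median/MAD resists skew from a few busy days."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad

def detect(baseline, flows):
    """Return (day, src, reason) for hosts that deviate from their baseline."""
    daily, known = baseline
    out_bytes, peers = summarize(flows)
    alerts = []
    for (day, src), total in sorted(out_bytes.items()):
        history = daily.get(src)  # no history means no verdict (cold start)
        if history and robust_z(total, history) > MAD_Z_LIMIT:
            alerts.append((day, src, "exfil-volume"))
    for (day, src), seen in sorted(peers.items()):
        if len(seen - known.get(src, set())) >= NEW_PEER_LIMIT:
            alerts.append((day, src, "lateral-fanout"))
    return alerts

# Constructed flows (day, src, dst, bytes_out); externals use documentation ranges.
BASELINE_FLOWS = []
for day, (a_mb, b_mb) in enumerate([(40, 5), (55, 6), (48, 4), (60, 5), (52, 7)]):
    BASELINE_FLOWS += [
        (day, "10.0.1.10", "203.0.113.20", a_mb * 10**6),
        (day, "10.0.1.11", "198.51.100.7", b_mb * 10**6),
        (day, "10.0.1.11", "10.0.0.5", 10**5),
    ]
TODAY_FLOWS = [
    (5, "10.0.1.10", "203.0.113.20", 58 * 10**6),   # within normal range
    (5, "10.0.1.11", "198.51.100.7", 900 * 10**6),  # volume outlier
] + [(5, "10.0.1.11", f"10.0.0.{n}", 10**4) for n in (5, 21, 22, 23)]  # 3 new peers

print(detect(build_baseline(BASELINE_FLOWS), TODAY_FLOWS))
```

A host with no baseline history produces no volume verdict here, which is the cold-start gap any baselining approach has to cover with other detections.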

NDR solutions can be thought of as another block in the foundation of security and monitoring architecture. Therefore, NDR sensors need to be strategically placed at optimum intersections within computing environments.

1.1 Highlights

The Top Ten findings in this Leadership Compass on Network Detection & Response solutions are:

  • The NDR market continues to grow because customers ...

1.2 Market Segment

The NDR market segment has reached a high level of maturity. Many NDR products offer a fairly complete list of features and deliver real value to thei ...


1.3 Delivery Models

NDR products require an on-premises presence for customers who have offices, data centers, factories, and other facilities with their own network infr ...


1.4 Required Capabilities

We are looking for comprehensive solutions that provide at least 5 of the 7 major areas of functionality:

  • Support for traditional office, r ...

2 Leadership

Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Leadership Compass. The Leadership Co ...


2.1 Overall Leadership

The Overall Leadership rating provides a consolidated view of all-around functionality, innovation, market presence, and financial position. However, ...


2.2 Product Leadership

Product Leadership is the first specific category examined below. This view is based on the analysis of product/service features and the overall capab ...

Product Leadership is where we examine the functional strength and completeness of services.

The top tier of Product Leaders includes Cisco, Gurucu ...


2.3 Innovation Leadership

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require i ...

Innovation in NDR is characterized by emphasis on Encrypted Traffic Analysis techniques, fit-for-purpose use of ML for anomaly detection and classific ...


2.4 Market Leadership

Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, number of transactions evaluated, ratio between customers ...

Companies in the NDR space have picked up many customers since the first iteration of this report, and in some cases, significantly. Moreover, the num ...


3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor ...


3.1 The Market/Product Matrix

The first of these correlated views contrasts Product Leadership and Market Leadership.

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of “overperf ...


3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...

Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

Cis ...


3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...

Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to inn ...


4 Products and Vendors at a Glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Network Detection & Respons ...


Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four ad ...


Table 2: Comparative overview of the ratings for vendors


5 Product/Vendor evaluation

This section contains a quick rating for every product/service we have included in this KuppingerCole Leadership Compass. For some of the products the ...


5.1 Arista Networks

Awake Security was founded in 2014 in Santa Clara, California. In late 2020, Awake Security was acquired by Arista Networks, maker of high-performance ...


5.2 Bricata

Bricata is an NDR and network traffic analysis specialist startup that was established in 2014 in Maryland, US. Bricata’s solution is delivered as a ...


5.3 Broadcom Inc.

Broadcom is a large IT vendor with a diverse portfolio of security products, including Symantec Enterprise Security Business, which is maintaining sep ...


5.4 Check Point

Check Point is a global cybersecurity leader, founded in 1993 in Tel Aviv. Check Point offers next-gen firewalls, edge security solutions, IoT securit ...


5.5 Cisco

Cisco is a global network and security leader, founded in 1984, and headquartered in the Bay Area. Cisco is well-known for networking products, and ha ...


5.6 ExtraHop

ExtraHop was founded in Seattle in 2007. In June of 2021, the company was acquired by Bain Capital Private Equity and Crosspoint Capital Partners. Ext ...


5.7 Fidelis Cybersecurity

Fidelis Cybersecurity was founded in 2002 and is headquartered in Bethesda, MD, outside Washington, DC. They are a privately held company. The sensors ...


5.8 FireEye

FireEye was founded in 2004 and is headquartered in Milpitas, CA and has offices around the globe. On October 8, 2021, McAfee Enterprise and FireEye a ...


5.9 GreyCortex

GreyCortex is an early-stage startup, founded in Brno, Czechia in 2016. They specialize in NDR. Sensors are delivered as physical or virtual appliance ...


5.10 Group-IB

Privately held Group-IB was founded in 2003 in Moscow but now has its global HQ in Singapore, and research centers in Amsterdam and Dubai. Their NDR f ...


5.11 Gurucul

Gurucul was founded in 2010 and is a privately-owned company headquartered in Los Angeles. Gurucul has a suite of products and services covering cyber ...


5.12 NetWitness (RSA)

RSA is a well-known cybersecurity vendor that was acquired by Symphony Technology Group in 2020. Their headquarters is in the Boston area and they hav ...


5.13 Plixer

Plixer is a network and security specialist owned by Battery, a private equity firm. Plixer was founded in 1999 and is headquartered in Kennebunk, Mai ...


5.14 VMware

VMware acquired Lastline in 2020. Lastline Defender is the basis of VMware’s NSX Network Detection & Response product. Sensors can take the form of ...


6 Vendors to Watch


6.1 Darktrace Enterprise Immune System

Darktrace was founded in 2013 in Cambridge, UK. The software is delivered as virtual or physical appliances and can be deployed off span ports or in t ...


6.2 Gigamon ThreatINSIGHT

Gigamon, founded in 2001 in the Bay Area, is a privately owned network traffic visibility and security specialist. Gigamon is well-known for their net ...


6.3 Kaspersky

Kaspersky is a leading cybersecurity vendor headquartered in Russia with global transparency centers in Switzerland and Spain. Their NDR capabilities ...


6.4 Securonix

Securonix is a late-stage cybersecurity startup renowned for their SIEM solutions. They also have SOAR, UBA, Adversary Behavioral Analytics, and CTI s ...


6.5 Sophos

Sophos is a well-respected name in endpoint security, with products and services for endpoint anti-malware, EDR, firewalls, secure web gateways, cloud ...


6.6 Stellar Cyber – Open XDR

Stellar Cyber is a mid-stage startup founded in 2015 in the Bay Area. Their product, OpenXDR, serves several cybersecurity roles including NDR and SIE ...


6.7 Vectra - Cognito

Vectra was established in 2010 in San Jose, CA. Their NDR suite is composed of Detect, Recall, and Stream products. Vectra’s strategy focuses on hig ...




©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.