Key Takeaways: 2022 Gartner Market Guide for Network Detection and Response (NDR)

NDRGartner recently released its 2022 Market Guide for Network Detection and Response (NDR), meant to cover emerging markets currently in limbo. The editors at Solutions Review take a look at the key takeaways.

Analyst house Gartner, Inc. recently released its new Market Guide for Network Detection and Response (NDR). The researcher’s Market Guide series is meant to cover new and emerging markets where software products and organizational requirements are in limbo. Gartner’s Market Guides can be a great resource for understanding how a fledgling space may line up with current and future technology needs.

According to Gartner, NDR is defined as products that detect abnormal system behaviors by applying behavioral analytics to network traffic data. They continuously analyze raw network packets or traffic metadata between internal networks (east-west) and public networks (north-south). It can be delivered as a combination of hardware and software appliances for sensors, and a management and orchestration console in the form of on-premises software or SaaS. NDR complements other technologies, which trigger alerts primarily based on rules and signatures, by building heuristic models of normal network behavior and spotting anomalies.

When choosing an NDR platform, security and risk management leaders should complement existing detection solutions by implementing NDR tools to detect abnormal behaviors and provide investigation capabilities for post-breach activity, identify gaps in current detection and response practices to determine if the anomalies that NDR can detect fill the most pressing detection gaps, and compare NDR vendors by defining rationalized metrics and evaluating how these NDR tools positively impact threat detection, security operations center (SOC) productivity and automated response. Organizations with specialized detection use cases would benefit from mixing known vendors with emerging local players in their shortlists.

Gartner highlights the following vendors in the NDR market: Arista Networks, Cisco, Corelight, Darktrace, ExtraHop, Fidelis Cybersecurity, Gatewatcher, Gigamon, IronNet, Plixer, Progress (Flowmon Networks), QI-ANXIN, Sangfor, Stamus Networks, Tencent, Trellix, Vectra, and VMware.

Trends in the NDR market, according to Gartner, include:

  • New sensors: By building or integrating with endpoint sensors, such as EDR, ingesting third-party logs like SIEM, analyzing software/platform/infrastructure-as-a-service events through their monitoring APIs, or adding support for OT use cases.
  • New detection techniques: By adding support for more traditional signatures, performance monitoring, threat intelligence and sometimes malware detection engines. This move toward more multifunction network detection aligns well with the use case of network/security operations convergence, but also with midsize enterprises.
  • Incident response workflow automation: NDR technologies already aggregate individual abnormal events into security incidents. By enriching alerts to provide better context and applying ML to semi-automate the incident response process, NDR vendors encourage large SOC teams to rely more on the NDR console, rather than forwarding alerts directly to a SIEM.
  • Managed NDR: Some of the large vendors have started offering more services on top of the NDR product and subscriptions, ranging from proactive notifications from the vendors in case of incident to fully managed threat detection. Many of these services are recent and supported by small but growing teams.
  • Evolving architecture: More vendors provide ML analytics only in the cloud now, as the centralized approach facilitates improvement of ML detections.

A few of the NDR vendors have built a security portfolio beyond the market and leverage their anomaly detection knowledge to new areas (e.g., SaaS or email security). These vendors are repositioning their value proposition with ML at its core, and network becoming one of the use cases for this analytical approach. Recently, Gartner has observed emerging vendors leveraging new approaches, or a focus on cloud use cases, differentiating themselves from other NDR vendors, while competing against them for similar use cases.

NDR’s smart approach to “response” is to support the incident response workflow through event aggregation, workflow automation and contextual awareness. When necessary, it also blocks or contains malicious activity. An individual vendor’s ability to provide a low false positive rate and efficient investigation capabilities will encourage customers to adopt the vendor’s response capabilities.

Mike Costello
Follow me @