The widespread adoption of digital transformation initiatives and related technologies such as cloud computing, BYOD, and IoT has significantly broadened the enterprise network attack surface and opened the door to new security risks and vulnerabilities.

One common misconception is that tools such as Security Information & Event Management (SIEM) and Endpoint Detection and Response (EDR) are sufficient on their own to protect the enterprise. Unfortunately, a SIEM only sees what is logged and forwarded to it, so it has blind spots, and EDR tools provide only a ground-level view of processes and interactions on the hosts where they are installed. An EDR agent can be evaded or disabled by a determined attacker who has already gained control of the host. Moreover, many IoT and embedded devices simply cannot run endpoint security software at all.

Here is our list of the seven best network detection and response software packages:

  • Barracuda SKOUT Managed XDR (ACCESS DEMO) This service includes an entire security operations center to watch over your Barracuda XDR system and implement remediation for you. This is a cloud-based service.
  • CrowdStrike Falcon Firewall Management This cloud-based service interacts with your existing firewalls to collect data and pass back response instructions when it detects a threat.
  • ExtraHop Reveal(x) This package is able to perform constant device discovery, SSL offloading, and traffic examination. Available as a network appliance or a SaaS platform.
  • Cisco Stealthwatch Enterprise This system protects against DDoS attacks, intrusion, malware, and insider threats by analyzing flow data. Deployed on-premises as an appliance or virtual machine, with a cloud-delivered sibling called Stealthwatch Cloud.
  • Darktrace Enterprise Immune System This SaaS service examines all traffic for signs of intrusion, insider threats, account takeover, and malware through anomaly detection.
  • Vectra Cognito Platform This SaaS platform offers three modules that can be bought individually or in combination and acts as a kind of network-based SIEM to identify threats.
  • Gigamon ThreatINSIGHT A SaaS platform that uses on-site agents to collect traffic data and upload it for threat hunting.

In response, organizations are embracing a concept known as Network Detection and Response (NDR) as a security strategy to address modern network security challenges. NDR is a newer category of security solution that complements and in some respects goes beyond log analysis tools such as SIEM and endpoint detection and response (EDR) products by providing an aerial view of the suspicious activities and interactions between all devices on the network. NDR lets organizations protect their networks by analyzing network activity itself, without having to install and manage agents on every device. It is rapidly emerging as a must-have capability in modern security operations.

NDR solutions primarily use non-signature-based techniques, such as machine learning, deep learning, statistical analysis, and heuristics, to detect suspicious traffic on a network. When an NDR tool detects a suspicious traffic pattern it raises an alert and, where configured to do so, takes an automatic response action.

To select an appropriate network detection and response solution for your business, you need to consider a variety of factors. Firstly, you need to decide whether you will be best served by supervised or unsupervised machine learning. You also need to decide whether you will be best served by a managed, operated, or automated NDR solution. Other key questions to consider include: which response strategy will best meet your security goals, manual or automated? Does the solution enable alert-to-action automations? What is the false positive and false negative rate for the detections? Is the AI function of the NDR system wholly or partially dependent on rules? Is vendor support available in your region, and to what extent? What is the total cost of ownership?

The Best Network Detection and Response Software

With a variety of NDR solutions out there, choosing the right one for your business and budget can be challenging. In this article, we review the seven best NDR solutions on the market. Hopefully, this will guide you in the process of choosing an appropriate solution for your business.

Taking this list of requirements into consideration, we identified network defense systems that can implement automated responses to block intrusion and malware.

Our methodology for selecting network detection and response tools for this list

We reviewed the market for network detection and response solutions and assessed the options based on the following criteria:

  • A system that can gather activity data from all points on the network
  • The ability to interface with firewalls
  • Access rights manager integration
  • Automated responses
  • Compliance reporting
  • A free trial or a demo system that provides a free assessment period
  • Value for money from a system that improves technician efficiency

1. Barracuda SKOUT Managed XDR (ACCESS DEMO)

A SaaS extended detection and response (XDR) tool that helps managed service providers (MSPs) gain an edge against cyber-criminals. Barracuda SKOUT Managed XDR goes one better by including a team of security experts and a Security Operations Center (SOC) for 24×7 threat monitoring.

Key Features:

  • SaaS XDR
  • Suitable for MSPs to sell on
  • Includes security staff
  • Operates as a SIEM

This service from Barracuda MSP, an MSP-dedicated division of Barracuda Networks, is designed as an upselling opportunity for managed service providers. Add this service to your price list and let Barracuda do all of the work.

Although XDR systems are prized for their ability to remediate detected threats automatically, a false positive on a breach detection can cause legitimate traffic to be blocked, and no one wants that. This is why it is often necessary to keep an expert in the detection-and-response loop, which Barracuda MSP provides with this plan.

Staffing a Security Operations Center (SOC) can be a challenge and sourcing cybersecurity experts in remote locations might be impossible, so this SaaS-with-staff proposal is the ideal solution that allows you to offer necessary services to your clients and keep up with the competition.

The detection system at the heart of this XDR package is actually a SIEM. Setting up this system to work for a client site requires downloading collectors and altering the settings of applications to ensure that they generate and forward the right log messages. That can be a time-consuming task, but don’t worry – the Barracuda team takes care of it.

The SIEM uses AI to speed searches through large volumes of data and to identify potential indicators that need to be linked to further activity before they can be classified as threats. The service does not rely solely on a checklist of IoCs but looks for anomalous behavior first, which means it can flag novel attacks before their patterns have been recognized and published as signatures.

The MSP isn’t kept out of the loop and you get a multi-tenanted dashboard that gives you views on the performance of the detection system for each client. It is possible to create custom reports and analyses to add value to the detection performed by Barracuda. You can request a demo to find out more about the XDR.

Pros:

  • A Security Operations Center for hire
  • Subscription service that can be added as a product by MSPs
  • Automatically gathers activity data
  • Coordinates with third-party tools

Cons:

  • The services of security experts included with this plan makes it pricey

Barracuda SKOUT Managed XDR Access FREE Demo

2. CrowdStrike Falcon Firewall Management

CrowdStrike Falcon Firewall Management is a SaaS platform that coordinates the actions of your existing endpoint firewalls. The Falcon platform is a family of products that provide cybersecurity for sites. All of the tools on the platform, including the Firewall Management unit, build on an on-device package, called Falcon Prevent, which is an anti-virus system and also acts as the agent for all of the other Falcon services.

Key Features:

  • Coordinates firewalls
  • Leverages third-party tools
  • Implements security policies
  • Automates threat responses
  • SaaS package

The Firewall Management system implements its security controls through the endpoint firewalls that share a device with a Falcon Prevent installation. Falcon Prevent is available for Windows, macOS, and Linux.

A host firewall sees every packet that reaches its device's interface, including the scans and connection attempts it drops, not just the sessions the device accepts. Stringing together the activity of every firewall therefore creates a network-wide threat detection and response system. One drawback of this approach is that you need to install Falcon Prevent on every endpoint for Falcon Firewall Management to work effectively, and anything without an agent is invisible to it.

The CrowdStrike Falcon Firewall Management system allows you to formulate a network security policy and then enforce it by manipulating the settings of your firewalls. The cloud-based console includes a library of templates that guide you through the process of creating a security policy. The system will then apply this finished policy to all firewalls on your network or to groups of firewalls, according to your definitions.

The new firewall settings include a reporting mechanism, so you can see traffic throughput data in the Falcon console. The system also watches for network-borne threats, such as intruder attempts to access endpoints or the transmission of malware, and reports them as they are blocked.

The live status reports show activity around the network because each firewall contributes activity information. Thus, if you have malware attempting lateral movement, you can see how the attack makes attempts on each device.

One big hole in the visibility of this package is that it isn’t able to see what activity is going on at each network device, such as switches and routers. However, the philosophy behind the strategy is that ultimately, even if hackers tamper with switches, their ultimate goal is the data or other resources held on endpoints. You can get network configuration management software to protect the settings of network devices. You can start a 15-day free trial.
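
The aggregation step described above, where one probe per host looks harmless until the logs are joined, can be shown with a short script. This is an added example and not part of the original article or CrowdStrike's product; it assumes each endpoint forwards its Windows Defender Firewall log (the standard pfirewall.log layout with a "#Fields:" header) to a collector together with the reporting host's name. The log lines are constructed.

```python
"""Correlate per-host firewall logs into a network-wide lateral-movement alert.

Constructed example: each endpoint's pfirewall.log is keyed by reporting host.
The "#Fields:" layout is the real Windows Defender Firewall log format; the
reporting-host mapping and the entries themselves are assumptions of this demo.
"""
from collections import defaultdict
from datetime import datetime

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def parse_pfirewall(text):
    """Yield one dict per entry line, skipping '#' header lines and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed: skip rather than guess at field positions
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def lateral_movement_alerts(logs_by_host, ports=(445, 3389, 135), min_targets=3, window_s=300):
    """logs_by_host: {reporting_host: pfirewall.log text}.
    Returns [(src_ip, dst_port, sorted target hosts)] for every source that touched
    at least min_targets distinct hosts on an admin port within window_s seconds."""
    events = defaultdict(list)  # (src_ip, dst_port) -> [(timestamp, reporting host)]
    for host, text in logs_by_host.items():
        for rec in parse_pfirewall(text):
            if rec["path"] != "RECEIVE" or rec["protocol"] != "TCP":
                continue  # only inbound TCP attempts matter for this check
            port = int(rec["dst-port"])
            if port in ports:
                events[(rec["src-ip"], port)].append((rec["ts"], host))
    alerts = []
    for (src, port), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding time window over the ordered hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            targets = {h for _, h in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append((src, port, sorted(targets)))
                break  # one alert per (source, port) is enough
    return alerts


_HEADER = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
"""

SAMPLE_LOGS = {  # constructed: 10.0.0.5 probes SMB on three workstations, once each
    "ws-01": _HEADER + "\n".join([
        "2024-03-01 10:00:01 DROP TCP 10.0.0.5 10.0.0.21 51234 445 52 S 1234567 0 8192 - - - RECEIVE",
        "2024-03-01 10:00:05 ALLOW TCP 10.0.0.21 10.0.0.9 50211 443 52 S 2345678 0 8192 - - - SEND",
    ]),
    "ws-02": _HEADER + "2024-03-01 10:00:40 DROP TCP 10.0.0.5 10.0.0.22 51235 445 52 S 1234568 0 8192 - - - RECEIVE",
    "ws-03": _HEADER + "2024-03-01 10:01:15 DROP TCP 10.0.0.5 10.0.0.23 51236 445 52 S 1234569 0 8192 - - - RECEIVE",
}

if __name__ == "__main__":
    print("single host:", lateral_movement_alerts({"ws-01": SAMPLE_LOGS["ws-01"]}))
    print("all hosts:  ", lateral_movement_alerts(SAMPLE_LOGS))
```

Run on one host's log the function returns nothing, because a single dropped SYN is noise; run over all three it reports 10.0.0.5 sweeping port 445 across ws-01, ws-02 and ws-03 within two minutes. The thresholds are tunable and are the kind of rule a console such as the one described above would carry in its policy templates.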

Pros:

  • Optimizes the protection of firewalls
  • Coordinates firewall settings
  • Uses device-resident firewalls as on-site agents
  • Assists with the creation of security policies
  • Compliance reporting

Cons:

  • Doesn't include the firewall software

3. ExtraHop Reveal(x)

ExtraHop Reveal(x) is a detailed and flexible NDR solution for security operations teams that need better visibility into network behavior in their environment. It helps organizations identify threats, automates data gathering and correlation, and supports response and investigation. This in turn improves overall cybersecurity hygiene and helps meet regulatory requirements.

Key Features:

  • Buy outright or subscribe
  • AI-based detection
  • Orchestration for responses

ExtraHop Reveal(x) NDR software detects suspicious network behaviors, prioritizes investigations according to a risk score, and automates response efforts. It automatically discovers and classifies every transaction, session, device, and asset in your enterprise at rates of up to 100 Gbps. One advantage of Reveal(x) is its out-of-band deployment model: it works from a mirrored copy of traffic (a SPAN port, a tap, or cloud packet mirroring) rather than sitting in the path, so it adds no latency and leaves no in-line footprint for an attacker to notice. The Reveal(x) NDR solution comes in two flavors:

  • ExtraHop Reveal(x) Enterprise This is a self-managed deployment option that can be deployed on-premises or in the cloud, providing complete east-west visibility, real-time threat detection, and response inside your network perimeter.
  • ExtraHop Reveal(x) 360 This is a SaaS-based deployment option that completely eliminates the installation and management overhead of the self-managed option. With Reveal(x) 360, you can unify security controls across on-premises, cloud, and IoT environments. It leverages native integrations with cloud service provider packet mirroring features to provide agentless visibility, detection, and response.

Some of the key features and capabilities of Reveal(x) include:

  • Reveal(x) can be configured to decrypt TLS traffic out of band, including sessions negotiated with Perfect Forward Secrecy cipher suites; because a passive sensor cannot derive ephemeral session keys from the wire, this requires the session secrets (or, for RSA key exchange only, the server's private key) to be shared with the sensor
  • Machine learning using 5000+ features
  • Automated detection, investigation, and response via integration with third-party security tools such as Crowdstrike and Phantom
  • Automated inventory—discovering and classifying network devices
  • Peer group detection—sort devices into behavioral groups
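
The Perfect Forward Secrecy point in the feature list deserves a concrete illustration. The following Python is an added example, not ExtraHop's code: it shows what a passive sensor can do unaided (read the client_random out of a captured ClientHello) and what it cannot (recover the keys of an ECDHE session) unless the endpoint exports its secrets in the NSS key-log format, the CLIENT_RANDOM lines that the SSLKEYLOGFILE mechanism produces. The ClientHello bytes and key-log lines are constructed for the example.

```python
"""What a passive sensor can and cannot do with a TLS session on its own.

Added example, not ExtraHop's code.  The sensor sees the ClientHello and can
read the 32-byte client_random, but with an (EC)DHE cipher suite nothing on
the wire yields the session keys.  If the endpoint exports its secrets in
NSS key-log format, the sensor joins them to the captured session by
client_random.  The ClientHello bytes and key-log lines here are constructed.
"""
import struct


def build_client_hello(client_random, cipher_suites=(0xC02F, 0x009C)):
    """Minimal TLS 1.2 ClientHello record (constructed test input).
    0xC02F = ECDHE-RSA-AES128-GCM-SHA256 (forward secrecy), 0x009C = RSA-AES128-GCM-SHA256."""
    assert len(client_random) == 32
    body = b"\x03\x03" + client_random             # client_version, random
    body += b"\x00"                                 # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # compression methods: null only
    body += b"\x00\x00"                             # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_random, [cipher suites]) from a TLS record, or None if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:        # ContentType handshake
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:
        return None
    client_random = body[2:34]
    pos = 35 + body[34]                             # skip session_id
    if pos + 2 > len(body):
        return None
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return client_random, suites


def parse_keylog(text):
    """Parse NSS key-log lines: 'CLIENT_RANDOM <client_random hex> <master_secret hex>'.
    Only the TLS 1.2 label is handled; TLS 1.3 uses per-direction traffic-secret labels."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return secrets


def lookup_session_secret(record, keylog_text):
    """Join a captured ClientHello to an exported secret; None means the sensor is blind."""
    parsed = parse_client_hello(record)
    if parsed is None:
        return None
    client_random, _suites = parsed
    return parse_keylog(keylog_text).get(client_random)


# Constructed sessions: A's secret was exported by an agent on the server, B's was not.
CR_A = bytes(range(32))
CR_B = bytes(range(32, 64))
MASTER_A = bytes([0xAB]) * 48
KEYLOG = "CLIENT_RANDOM " + CR_A.hex() + " " + MASTER_A.hex() + "\n"

if __name__ == "__main__":
    for name, cr in (("A", CR_A), ("B", CR_B)):
        secret = lookup_session_secret(build_client_hello(cr), KEYLOG)
        print(name, "decryptable" if secret else "opaque to the sensor")
```

Session A resolves to its master secret; session B, whose server never exported anything, stays opaque even though the sensor captured every byte of its handshake. That is the operational cost of "passive" decryption under forward secrecy: a key-forwarding agent or equivalent on the servers you want visibility into.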

ExtraHop Reveal(x) NDR licensing can be either subscription-based or perpetual. The subscription option provides time-limited access to the Reveal(x) software, installed on purchased hardware or on a virtual machine. With the perpetual option, you purchase ExtraHop hardware and software outright.

Pros:

  • Designed for enterprise use to assist system administrators
  • Great user interface, comes with an easy-to-view dark mode
  • Automatically detects network issues and provides correlation assistance
  • Offers SSL and TLS packet inspection
  • Supports real-time monitoring as well as post-intrusion investigation insights

Cons:

  • Is quite comprehensive and takes time to fully explore

ExtraHop Reveal(x) is a powerful NDR tool that can help your organization detect and respond to anomalous network traffic patterns. However, to get the best value out of this product, you must be prepared for a steep learning curve and a good technical understanding of key protocols and application components.

4. Cisco Stealthwatch Enterprise

Cisco Stealthwatch is an agentless Network Traffic Analysis (NTA) NDR solution that uses a combination of behavioral modeling, machine learning, security analytics, and global threat intelligence to detect and respond to threats such as ransomware, distributed-denial-of-service (DDoS) attacks, unknown malware, and insider threats. Stealthwatch can be deployed on-premises as a hardware appliance or a virtual machine called Stealthwatch Enterprise, or cloud-delivered as a SaaS solution called Stealthwatch Cloud.

Key Features:

  • Scans network traffic
  • Behavior analysis for detection
  • DDoS identification

Stealthwatch provides enterprise-wide visibility from the private network to the public cloud and applies security analytics to detect and respond to threats in real time. It examines traffic metadata such as NetFlow and IPFIX (Internet Protocol Flow Information Export) records to build a picture of activity within the network, which is then used to identify behavior-based anomalies. Because it works from flow metadata rather than payload, Stealthwatch can perform analytics on encrypted traffic without decrypting it; and it integrates with Cisco SecureX and the Cisco ISE platform to provide additional contextual data and boost response capabilities respectively. Some of the primary use cases include:

  • Real-time threat detection
  • Incident response and forensics
  • Network segmentation
  • Network performance and capacity planning

There are three main components that make up the core of Stealthwatch Enterprise: the Flow Rate License, Flow Collector, and Management Console.

  • Flow Rate License This is required for the collection, management, and analysis of network flows. It also defines the volume of flows that may be collected. The license is based on flows per second (fps) and may be combined in any permutation to achieve the desired level of flow capacity.
  • Flow Collector The Flow Collector just as the name implies collects and leverages flow data such as NetFlow, IPFIX, and other types of flow data from switches, routers, firewalls, endpoint devices, and proxy data sources to provide comprehensive network visibility.
  • Management Console The Stealthwatch Management Console aggregates, organizes, and presents analysis from up to 25 Flow Collectors, the Cisco ISE, and other sources. It uses graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis.
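
To make the Flow Collector's job concrete, here is an added example (not Cisco's code) that parses a NetFlow v5 export datagram using the published 24-byte header and 48-byte record layout, then checks the resulting flows against a simple segmentation policy, the "Network segmentation" use case listed above. The datagram bytes, the segment ranges and the allow-list are constructed for the example.

```python
"""Parse NetFlow v5 export datagrams the way a flow collector does, then check
the flows against a segmentation policy.

Added example, not Cisco's code.  The NetFlow v5 header and record layout is
the published one; the datagram bytes, segment ranges and allow-list below
are constructed for this example.
"""
import ipaddress
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


def parse_netflow_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError if malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        # trust the count field only when the datagram length agrees with it
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    header = {"uptime_ms": uptime, "unix_secs": secs, "sequence": seq,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits; top 2 are the mode
    return header, flows


def is_well_formed_v5(datagram):
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


# Constructed segmentation policy: which cross-segment (proto, dport) pairs are permitted.
SEGMENTS = {"users": ipaddress.ip_network("10.10.0.0/16"),
            "servers": ipaddress.ip_network("10.50.0.0/16")}
ALLOWED = {("users", "servers", 6, 443), ("users", "servers", 17, 53)}


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def segmentation_violations(flows):
    """Flows that cross from one internal segment to another on a non-permitted port."""
    out = []
    for f in flows:
        s, d = segment_of(f["src"]), segment_of(f["dst"])
        if s == d or "external" in (s, d):
            continue   # intra-segment and internet-bound flows are not this check's concern
        if (s, d, f["proto"], f["dport"]) not in ALLOWED:
            out.append((f["src"], f["dst"], f["proto"], f["dport"]))
    return out


def build_v5_datagram(records, sequence=42):
    """Assemble an export datagram from plain dicts (used to construct test input)."""
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0\0\0\0",
        1, 2, r["packets"], r["octets"], 1000, 2000, r["sport"], r["dport"],
        0, 0x18, r["proto"], 0, 0, 0, 24, 24, 0) for r in records)
    return V5_HEADER.pack(5, len(records), 123456, 1709287200, 0, sequence, 0, 0, 0) + body


SAMPLE_DATAGRAM = build_v5_datagram([   # constructed flows
    {"src": "10.10.1.5", "dst": "10.50.0.10", "proto": 6, "sport": 50111, "dport": 443, "packets": 40, "octets": 21000},
    {"src": "10.10.1.5", "dst": "10.50.0.10", "proto": 6, "sport": 50112, "dport": 445, "packets": 3, "octets": 180},
    {"src": "10.10.1.7", "dst": "10.50.0.11", "proto": 6, "sport": 50200, "dport": 22, "packets": 9, "octets": 1100},
    {"src": "10.10.1.5", "dst": "8.8.8.8", "proto": 17, "sport": 51000, "dport": 53, "packets": 1, "octets": 70},
    {"src": "10.50.0.10", "dst": "10.50.0.11", "proto": 6, "sport": 41000, "dport": 5432, "packets": 200, "octets": 90000},
])

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(f"sequence {hdr['sequence']}: {len(flows)} flows")
    for v in segmentation_violations(flows):
        print("segmentation violation:", v)
```

The length check matters in practice: a collector that trusts the count field alone can be made to read past a truncated datagram. The sequence number in the header is what lets a collector notice dropped exports from a router, which is why it is kept in the parsed header.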

Other optional licenses and components that can be added to enhance functionality include the Cisco Stealthwatch Endpoint License (extends visibility to end-user devices), Cisco Stealthwatch Cloud (visibility and threat detection within public clouds such as AWS, Azure, and Google Cloud), the Cisco Stealthwatch Threat Intelligence License (an additional layer of protection against botnets and other attacks), and the Flow Sensor and UDP Director components. Stealthwatch licenses are available as one-, three-, and five-year term subscriptions, depending on your needs and budget.

Pros:

  • Agentless, flow-based monitoring that puts nothing on the endpoints
  • Offered through a cloud or on-premises deployment
  • Leverages behavior analysis and anomaly detection to stop threats
  • Comprehensive live dashboards and reports

Cons:

  • Better suited for enterprise environments

One unique thing about Stealthwatch is that it is part of a broad security portfolio from Cisco and has evolved and matured in capability and functionality over the last 20 years. However, the product is best suited to a Cisco infrastructure environment, and it covers areas beyond the NDR function, which some consider too broad and not deep enough. Furthermore, like most Cisco products, the setup process can be complicated. You need someone on your team with Cisco experience to get maximum value from this product.

5. Darktrace Enterprise Immune System

The Immune System NDR solution from Darktrace combines real-time self-learning threat detection, automated investigation, autonomous response, and visualization capabilities in a single, unified system. It uses unsupervised machine learning to detect and take action against cyber-threats across diverse digital environments, including cloud, virtual environments, IoT, and industrial control systems.

Key Features:

  • Insider threat detection
  • Version for industrial systems
  • Automatic responses

The Enterprise Immune System is targeted at corporate and IT infrastructure networks, while the Industrial Immune System is targeted at industrial control systems, SCADA networks, and operations technology (OT) infrastructure. The Darktrace Immune System is made up of the following core components:

  • Immune System Engine This is the core component that provides detection capabilities via unsupervised machine learning. The Enterprise Immune System works by gaining an understanding of what is ‘normal’ for your environment as it evolves. Instead of relying on signatures, the Enterprise Immune System establishes what is called a ‘pattern of life’ for the entities in your infrastructure—users, devices, clouds, and containers, and uses this knowledge to identify anomalous activity.
  • Cyber AI Analyst This component is responsible for carrying out enterprise-wide automated investigations at machine speeds, stitching together disparate anomalies to provide triaged threat reports about the nature and root cause of security incidents.
  • Darktrace Antigena This component is responsible for autonomous response. Antigena allows the network to take action against an on-going attack without waiting for an analyst, for example by neutralizing a threat through blocking a malicious connection or quarantining a compromised device, while aiming to leave normal business operations unaffected.
  • Threat Visualizer This is a GUI tool that provides real-time visibility of your entire digital infrastructure and network activity in a single pane of glass. Threat Visualizer helps security teams visualize every user, device, and controller in the network and identify threats in real-time. The detected anomalous events are fully searchable.
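
The "pattern of life" approach, and more generally the non-signature detection described in the introduction, can be illustrated with a small Python example. This is added here and is not Darktrace's or any vendor's code: it learns, per device, a baseline of daily outbound volume and destination ports from a week of constructed flow summaries, then scores a new day with a median/MAD z-score (robust to a poisoned baseline day) and a never-seen-port check.

```python
"""'Pattern of life' anomaly detection over per-device daily flow summaries.

Added example, not Darktrace's or any vendor's code.  Instead of matching
signatures it learns, per device, what a normal day looks like (outbound
volume and the set of destination ports) from a baseline window and scores a
new day against that.  The flow summaries are constructed for this example.
"""
from statistics import median


def robust_z(value, history):
    """z-score using the median and MAD so one bad day in the baseline does not
    drag the mean upward and hide the next one (a weakness of mean/stdev baselines)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:   # perfectly flat history: any change at all is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad   # 0.6745 scales MAD to a normal sigma


def learn_baseline(history):
    """history: list of daily summaries {'bytes_out': number, 'dst_ports': set}."""
    return {
        "bytes_out": [d["bytes_out"] for d in history],
        "dst_ports": set().union(*(d["dst_ports"] for d in history)),
    }


def score_day(device, baseline, day, z_threshold=3.5):
    """Return the list of anomaly findings (possibly empty) for one device-day."""
    findings = []
    z = robust_z(day["bytes_out"], baseline["bytes_out"])
    if z > z_threshold:
        findings.append(f"{device}: outbound volume {day['bytes_out']:.3g} bytes is "
                        f"{z:.1f} MAD above the baseline median")
    new_ports = day["dst_ports"] - baseline["dst_ports"]
    if new_ports:
        findings.append(f"{device}: first-ever use of destination ports {sorted(new_ports)}")
    return findings


def detect(history_by_device, today_by_device):
    """Score every device's new day against its own learned baseline."""
    alerts = {}
    for device, day in today_by_device.items():
        findings = score_day(device, learn_baseline(history_by_device[device]), day)
        if findings:
            alerts[device] = findings
    return alerts


GB = 10 ** 9
HISTORY = {   # constructed week of baseline summaries per device
    "fileserver-01": [{"bytes_out": b * GB, "dst_ports": {445, 139, 53}}
                      for b in (4.8, 5.1, 5.0, 4.9, 5.3, 5.0, 4.7)],
    "ws-42": [{"bytes_out": b * GB, "dst_ports": {443, 53, 445}}
              for b in (0.9, 1.2, 1.1, 0.8, 1.0, 1.3, 1.1)],
}
TODAY = {   # constructed: the file server suddenly pushes 60 GB out over SSH
    "fileserver-01": {"bytes_out": 60 * GB, "dst_ports": {445, 22}},
    "ws-42": {"bytes_out": 1.0 * GB, "dst_ports": {443, 53}},
}

if __name__ == "__main__":
    for device, findings in detect(HISTORY, TODAY).items():
        for f in findings:
            print(f)
```

The file server trips both checks (volume hundreds of MADs above its median, and a port it has never spoken to) while the workstation's ordinary day produces nothing. No rule mentions SSH or a byte count; the thresholds are relative to each device's own history, which is the essence of the behavioral approach and also why such systems need a learning period before their alerts are trustworthy.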

The product can be deployed as hardware or virtual appliance, and it’s simple enough to use because of its user-friendly GUI. The installation process is painless and takes only an hour to complete, and users can train on the system within three hours.

Pros:

  • Offers great data and threat visualizations
  • Leverages artificial intelligence to monitor complex networks
  • Uses baseline analysis to detect threats and other anomalous behavior
  • Offers an entirely automated platform for remediation

Cons:

  • Not the best option for smaller environments

However, during the system's learning phase, Antigena may require human oversight and can throw false positives from time to time. This product is ideal for large business entities and government agencies that are subject to frequent cyber-attacks. The technology is so advanced that it is not cost-effective for organizations that are less exposed to attack, as they may not derive much value or ROI from it.

6. Vectra Cognito Platform

The Vectra Cognito platform is an intelligent AI-driven NDR application that helps organizations detect, investigate, and respond to cyber-attacks or suspicious network activities across on-premises enterprise networks, cloud, and SaaS environments.

Key Features:

  • AI-based detection
  • Hybrid environments
  • Playbooks for responses

The Cognito platform addresses network security challenges through three-component applications: Cognito Detect, Cognito Recall, and Cognito Stream.

  • Cognito Detect is designed to find threats by looking for suspicious or malicious network activities, and/or devices and users that have already bypassed perimeter defenses. The detection effort is made possible by a combination of many detection algorithms and an AI engine. Every detection attempts to answer the question of what was discovered, why it should be a concern, and how to mitigate the problem.
  • Cognito Recall collects and stores a huge amount of historical network traffic data, and uses it to assist in deeper investigations and threat hunting. With Recall, almost nothing needs to be manually correlated. Every incident in Detect has a link to launch Recall, which opens up a new dashboard where Recall pulls information related to activities that previously occurred within the network.
  • Cognito Stream enriches network metadata with additional network and host information for further analysis. It does not have its own interface but works behind the scenes in tandem with Detect and Recall or other third-party security tools such as SIEM, to enhance their capabilities.

These products work together to analyze network data, including metadata, and provide a behavior-focused model of detection and response. Detect, Recall, and Stream can be purchased individually and can operate independently of one another, although an organization installing only one component is most likely to choose Detect rather than Recall. However, the real power of Vectra's Cognito platform lies in integrating the three products to make threat hunting and detection more efficient and effective, and this comes at a cost that may be prohibitive, especially for SMBs.

Pros:

  • Uses an AI-powered NDR to drive insights
  • Provides automated response as well as root cause analysis
  • Features data enrichment to help identify more coordinated attacks
  • Excellent UI and live reporting capabilities

Cons:

  • Is broken up into multiple tools; a single comprehensive platform would be preferable
  • Pricing puts this out of reach for most small businesses

7. Gigamon ThreatINSIGHT

Gigamon ThreatINSIGHT is a cloud-native NDR solution that gives organizations network visibility, uncovers hidden threats even in encrypted communications, and automates security investigation and response across inbound and outbound (north/south) as well as internal (east/west) network communications. ThreatINSIGHT is an easy-to-install, cloud-based SaaS solution with fully managed sensors that can be deployed across a variety of environments. Gigamon emphasizes the signal-to-noise ratio of its detections, that is, a low false-positive rate.

Key Features:

  • SaaS package
  • SSL offloading
  • Works with Cisco devices

Traffic is collected through physical or virtual sensors that perform packet inspection and aggregation of metadata generated from the inspection. Once useful information is extracted from network flows, the sensors pass the information into the INSIGHT Cloud Data Warehouse, where the metadata is indexed, enriched, and correlated with information from other external sources. Thereafter, ThreatINSIGHT leverages the machine learning algorithms and Gigamon Applied Threat Research (ATR) to provide insights into hidden threats within the network.

The resources required to deploy ThreatINSIGHT are minimal and the emphasis is placed on features that enable SOC teams to do their job effectively. The application is integrated with the Cisco SecureX platform to enable customers of Gigamon and Cisco exchange data and gain visibility across Cisco infrastructure and partner solutions.

When you acquire ThreatINSIGHT subscription licenses, each subscription includes a designated technical account manager who ensures you get the most from the solution. Gigamon ThreatINSIGHT is a powerful NDR solution despite the product being relatively young. The latest version, ThreatINSIGHT 3.0, comes with new features and functionality. Nonetheless, to get the most value from this product, take the time to work through the training documentation and sample data set to gain mastery of the tool.

Pros:

  • Uses physical and virtual sensors combined with packet inspection to identify threats
  • Supports data enrichment during indexing
  • Leverages machine learning to identify threats

Cons:

  • Takes time to fully explore the product and documentation