Over the course of the last decade, Network Detection and Response (NDR) naturally evolved out of earlier network security tools like Intrusion Detection and Prevention systems (IDS/IPS). In that time, NDR has found a foothold in many modern security strategies, offering unparalleled visibility into network traffic and effective detection of both known and unknown threats. As the market has grown and technology has advanced into the era of Artificial Intelligence (AI), machine learning, and behavioral analytics, NDR systems moved beyond the signature-based detection and indicators of compromise (IoC)-based threat intelligence that preceded them.
Interestingly enough, what Gartner found in their “2024 Market Guide for Network Detection and Response” is that “some providers have re-added intrusion prevention system (IPS)-like modules, mixing threat intelligence and more traditional pattern matching to complement behavioral analysis.”
Gartner calls this “Network Defense in Depth”. At Stamus Networks we have long considered the inclusion of IoC and traditional signature-based detection to be part of a multi-layer defense strategy.
This blog post, the first in a series on the “2024 Market Guide for Network Detection and Response”, seeks to explore Gartner's key findings and share our belief that the Stamus Security Platform aligns with Gartner's observations on the evolving NDR market. For nearly 10 years, Stamus Networks has been advancing the state of the art for the fundamental building blocks of network security, and IDS has been an important component. It's the inclusion of those capabilities along with other advancements that helps establish the Stamus Security Platform (SSP) as a comprehensive network security solution, addressing the complex challenges faced by many organizations today.
Gartner Insights on NDR Market Direction
We feel the “2024 Gartner Market Guide for Network Detection and Response” highlights four scenarios into which Gartner believes NDR products will evolve. In this article, we are focusing on the section titled “Network Defense in Depth.” Here is what Gartner said about this shift in market direction:
“Some NDR vendors integrate signature-based threat detection engines (e.g., Zeek, Suricata), traditionally components of intrusion detection and protection systems (IDPS). As they add more modules, they position the NDR appliance as a “second layer of defense,” positioned behind the perimeter controls adding visibility on internal traffic (east-west)” (2024 Market Guide for NDR, pg. 5)
The authors go on to provide more detail later in the report:
“Re-establishing a practice from the early days of network detection and response — 10 years ago — some providers have re-added intrusion prevention system (IPS)-like modules, mixing threat intelligence and more traditional pattern matching to complement behavioral analysis. This creates a potential additional revenue stream for the providers but also makes NDR a more comprehensive product, detecting a broader set of anomalies. This benefits organizations with smaller teams or fewer infrastructure security tools. This “defense in depth” scenario, leveraging an additional source of threat intelligence and signatures, has a stronger focus on north-south traffic, improving the ability to catch data exfiltration or command and control (C2) communication. This will primarily appeal to large security operation teams in search of a customizable and multipurpose network security sensor.
Conversely, adding intrusion detection system (IDS)-like signatures might negatively impact one of the expected benefits of NDR solutions: be a “turnkey” and “low noise” product, highlighting only critical anomalies.” (pg. 7)
Here, we feel Gartner is emphasizing a growing trend towards multi-layered defense strategies, where NDR solutions are fortified with “traditional” intrusion detection and prevention system (IDS/IPS) capabilities. As outlined in the report, some NDR vendors are integrating signature-based threat detection engines, such as Suricata, to bolster their offerings and provide additional revenue streams while enhancing visibility into internal traffic.
Based on our understanding, Gartner concludes their analysis by stating that a multi-layered defense strategy involving IDS capabilities would appeal primarily to larger security operations teams desiring a more customizable solution. They also note that the common challenges of IDS — noise caused by an abundance of non-critical alerts and tuning requirements that prevent a “turnkey” installation — could have a negative impact on organizations.
A Proven, Multi-Layered NDR Solution
The Stamus Security Platform (SSP) is uniquely positioned to address this evolution in the NDR market as outlined in the “2024 Market Guide for Network Detection and Response”. Proudly built on a robust Suricata foundation, SSP offers comprehensive IDS capabilities as a core component of its NDR solution.
Stamus Networks has been intimately involved in both the development and ongoing support of the Suricata IDS, going so far as to write the first and only practical guide to optimizing Suricata and getting the most out of its robust capabilities.
Unlike many vendors who view IDS as an add-on or a separate revenue stream, Stamus Networks believes the inclusion of IDS capabilities to be essential for effective threat detection and response. In fact, many vendors have used engines like Suricata or Zeek “under the hood” for years, including elements of signature-based detection in their product offering but not achieving the full value these tools can provide.
It is only recently that these vendors have started to promote the real value of IDS as a component of a successful, multi-layered NDR. Unlike other vendors, the Stamus Security Platform has seamlessly integrated IDS capabilities since the very beginning, providing customers with all the benefits of IDS as part of a multi-layered defense strategy without the challenges often associated with signature-based detection methods.
Stamus Security Platform combines advanced behavioral analytics with proven signature-based detection mechanisms to provide granular visibility into both east-west and north-south traffic while uncovering both known and unknown threats. This comprehensive approach enables organizations to identify and respond to threats more effectively, while also gaining the ability to perform in-depth threat-hunting and forensic activities often only provided by intrusion detection (IDS) and network security monitoring (NSM) systems.
As for Gartner's concerns about the potential impact of IDS-style signatures on NDR system performance, SSP has proven that it is possible to tame the IDS alert cannon and ensure minimal impact on system performance while maintaining high detection accuracy. The primary method of achieving this is through Declarations of Compromise™ (DoC) and Declarations of Policy Violations™ (DoPV). These are high-confidence, high-priority security events generated by SSP that signal a “serious and imminent” threat on an asset (DoC) or give a definitive notification of a specific policy violation taking place in the organization (DoPV). These automatically escalated events allow security teams to focus on critical alerts without being overwhelmed by noise and false positives.
The Power of IDS in a Modern NDR Solution
As unashamed IDS advocates, let us make it clear that we fully support the NDR market’s shift towards multi-layered defense strategies. By incorporating IDS capabilities into a comprehensive NDR solution such as the Stamus Security Platform, we believe organizations will experience the following benefits:
- Enhanced Threat Detection: SSP's combination of behavioral analytics and signature-based detection provides a more complete view of network activity, enabling earlier identification of both known and unknown threats.
- Reduced False Positives: SSP's advanced algorithms and optimization techniques minimize false positives, enabling organizations to get the benefits of IDS detection without the common challenges.
- Improved Incident Response: With deeper insights into network traffic, security teams can respond to incidents more quickly and effectively and access the full scope of network traffic data available only to an IDS or NSM tool such as Suricata.
- Cost Efficiency: By integrating existing IDS infrastructure (network sensors) into an NDR that is optimized for IDS functionality, organizations can reduce the complexity and cost associated with managing a home-grown IDS solution.
- Regulatory Compliance: SSP's comprehensive visibility and threat detection capabilities — aided by Suricata-generated data — can help organizations meet their industry compliance requirements.
Stamus Security Platform: Leading the NDR Market Direction with IDS at its Core
We believe the “2024 Gartner Market Guide for Network Detection and Response” clearly outlines how the NDR market is shifting towards a “defense in depth” approach that adds IDS capabilities to NDR offerings. The Stamus Security Platform aligns perfectly with that trend, offering a comprehensive NDR solution proudly built on top of the world’s most powerful open-source network security engine — Suricata.
Download the 2024 Market Guide for Network Detection and Response
Normally, Gartner reports are only available to Gartner clients. However, this year Stamus Networks is offering a complimentary copy of the “2024 Market Guide for Network Detection and Response” to equip defenders with strategic insights on the NDR market. To download your copy, please visit our website.
To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.
Attributions and Disclaimers
Gartner, Market Guide for Network Detection and Response, Jeremy D'Hoinne, Thomas Lintemuth, Nahim Fazal, Charanpal Bhogal, 29 March 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.