As online threats become more sophisticated, traditional threat detection may struggle to identify them and can generate a high volume of false positives.
Relying on traditional tools alone may therefore no longer be sufficient. While endpoint security solutions remain vital in protecting businesses against cyber threats, Pavel Minarik, VP of Product Security at Progress Software, notes that there are factors to consider when relying solely on them for full endpoint coverage.
This is where Network Detection and Response (NDR) comes into play.
Importance of NDR
Palo Alto Networks defines NDR as a technology that identifies and stops evasive network threats that traditional tools may miss, especially those that known attack patterns or signatures cannot identify.
Since emerging in the early 2010s, NDR has become instrumental in identifying unusual traffic indicating command and control, lateral movement, exfiltration, and malware activity.
"Threat actors are continuously developing techniques on how to disable or circumvent endpoint protection solutions," Minarik said.
He added that NDR plays a crucial role as a second line of defence, identifying threats and enabling remediation promptly.
Minarik underscores a key point: "Always ask yourself what you are going to do when prevention fails."
Beyond bypassing endpoint protections, coverage gaps present another challenge: "A typical enterprise environment is composed of various systems, devices such as IoT and endpoints that do not allow installing an agent."
He emphasised that endpoint protection solutions commonly cover only around 50% of devices. With half of the devices left unprotected, Minarik noted that NDR is the only option left to defend them against threat actors.
LLM-powered NDR features
According to Minarik, AI-powered NDR goes beyond signature-based detection. It utilises various AI techniques, such as machine learning, heuristics, or behavioural analysis, to sift through millions of records representing network sessions and identify malicious behaviour. This capability significantly enhances the accuracy and speed of threat detection in NDR systems.
Minarik explained that NDR systems are typically passive and invisible from a network perspective, allowing them to comprehensively monitor both inbound and outbound (north-south) traffic and internal (east-west) traffic.
"NDR technology was developed as a reaction to the limited usability of traditional signature-based Intrusion Detection Systems, addressing the exponential growth of the network traffic, the adoption of encryption and being able to find malicious behaviour without signatures," he said.
Minarik emphasised that top-class NDR systems combine various detection techniques, including signatures, to inspect the network traffic from different angles and provide comprehensive detection capabilities.
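To make the signature-less, behavioural side of this concrete, here is an added example (not from the article, Progress, or any NDR product) that runs two simple behavioural checks over constructed flow records of the kind an NDR sensor collects: an east-west check for one host opening admin-protocol sessions to many internal peers (lateral movement fan-out) and a north-south check for near-periodic sessions to a single external host (beaconing). All addresses, ports and thresholds are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed session records: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.0/8 is treated as the internal network; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the Internet.
FLOWS = (
    # one workstation touching four peers over SMB within minutes (suspicious)
    [(t, "10.0.0.5", f"10.0.0.{11 + i}", 445) for i, t in enumerate((10, 70, 130, 190))]
    # one workstation using a single file server (normal)
    + [(t, "10.0.0.9", "10.0.0.11", 445) for t in (20, 900, 1800)]
    # near-regular 60 s contacts to one external host over HTTPS (beacon-like)
    + [(t, "10.0.0.7", "203.0.113.9", 443) for t in (0, 60, 121, 180, 241, 300, 359, 420)]
    # bursty, irregular HTTPS sessions typical of a browsing user (normal)
    + [(t, "10.0.0.8", "198.51.100.20", 443) for t in (5, 12, 90, 95, 400, 401, 700)]
)

def is_internal(ip):
    return ip.startswith("10.")

def lateral_movement_fanout(flows, admin_ports=(22, 445, 3389), min_targets=3):
    """East-west: internal hosts that open admin-protocol sessions to many peers."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        if port in admin_ports and is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}

def beaconing(flows, min_sessions=6, max_cv=0.1):
    """North-south: (src, dst, port) tuples whose inter-session gaps are very regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps; a low value means the host calls out on a near-fixed schedule.
    Returns {key: mean_gap_seconds} for tuples below the threshold."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(ts)
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_sessions:
            continue  # too few sessions to judge periodicity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[key] = round(avg, 1)
    return hits
```

Real NDR systems apply such checks across millions of sessions and combine them with other detectors; here the thresholds are deliberately simple so the effect of each rule is visible.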
More recently, Minarik noted that LLM-powered features are now being integrated into NDR tools to mimic the work of junior analysts. These tools can perform basic triage, prioritisation, summarisation or recommendations of remediation steps, "making human security analysts more efficient," he emphasised.
Benefits of AI-powered NDR
When effectively implemented, enterprises can reap the benefits of AI-powered NDR.
"Main security outcomes are advanced threat detection, threat response and improved visibility. NDR can detect anomalous behaviour and zero-day threats that traditional signature-based systems might miss," he explained.
He added that AI-powered NDR can automatically correlate alerts, prioritise them based on risk, and recommend or even initiate predefined response actions.
Moreover, Minarik explained that deep insights into east-west traffic enable the discovery of lateral movement within the network. It can also provide an audit trail of any network sessions with months of historical data.
"This goes hand in hand with operational efficiency," he added. "Correlation and prioritisation help to reduce the alert fatigue, and analysts can focus on high-impact incidents. Automated or assisted investigations reduce mean time to respond."
According to the Progress executive, NDR can augment and streamline security operations by integrating with Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) systems.
NDR democratisation
Minarik stated that NDR initially aimed to address the needs of large enterprises. However, he noticed NDR solutions have become more accessible over the last 5 years.
"We have seen significant democratisation of the NDR market with many new players entering this space and providing offerings tailored to the needs and budgets of medium-sized organisations."
Supporting this trend, recent research indicates that the global NDR market is projected to reach USD 3.46 billion by 2025, growing at a compound annual growth rate (CAGR) of 16.5% from 2025 to 2032.
"Globally, including the APAC region, NDR is still not a mainstream technology, but solutions are available and adoption is growing," he said.
In Asia Pacific, the NDR market was valued at USD 1.1 billion in 2024. Projections show that it will reach USD 3.5 billion by 2023, growing at a CAGR of 15.5% from 2026 to 2033.
According to Verified Market Reports, several factors are driving the growth of the NDR market in the region, including the increasing number of cyberattacks, such as ransomware and zero-day exploits.
Moreover, digital transformation initiatives, the growing adoption of cloud technologies and IoT devices, as well as regulatory mandates and compliance requirements, drive the NDR market growth in APAC.
"The integration of AI and behavioural analytics within NDR platforms enhances threat detection accuracy and reduces response times. Rising cybersecurity awareness and budget allocations in enterprises and governments are strengthening market growth, making NDR a vital part of the overall security ecosystem," according to the same report.
Deploying an AI-powered NDR solution
Minarik advises those who want to deploy an AI-powered NDR solution to start with a proof of concept. This involves testing the NDR solution in a controlled environment to ensure that it fits well with the organisation's network infrastructure and security needs.
He also recommends considering the requirements for network sensors, their performance characteristics, and capacity when choosing a vendor.
Given the complexity of modern networks, he urges organisations to ensure that NDR solutions can cover all their on-premises, private, and public cloud infrastructure. Furthermore, he stated that NDR solutions should also provide a comprehensive and consolidated view of network traffic.
"Don't rush the implementation, take a step-by-step approach," Minarik stressed.
He cautions against hastily deciding on implementing NDR: "Reserve time for implementation and tuning the system properly, don't fall for marketing claims such as 'no tuning required'."
According to Minarik, organisations must ensure the operationalisation of NDR solutions and have a process in place for responding to a detected threat, "either through automation or manually at first."
The benefits of AI-powered NDR
Projections reveal that with continuous innovation and evolving cyber threats, "the future scope of the Asia Pacific NDR market looks promising."
As the threat landscape evolves, so must defences. AI-powered NDR, when intentionally implemented within an organisation, can help strengthen the long-term security posture while enhancing operational efficiency and reducing workforce burnout.