Detect hidden threats and stop advanced attacks
Expose today's threats while responding effectively across your environment
The Fortinet network detection solution combines advanced analytics, behavioral analysis, and intelligent decoy deployment to identify threats that have bypassed perimeter defenses and may be lurking in your networks.
Deception technology provides visibility into potential activity in IT/OT/IoT infrastructure with an extensive list of IT and OT/IoT decoy devices and AI-based analysis of north-south and east-west traffic. At the same time, NDR performs deep-packet inspection and behavioral analysis to find evidence of attacker activity.
Agentless network metadata analysis ensures full visibility across the attack surface to detect lateral movement, command and control, and data exfiltration activities. Deployed decoys are automatically updated and maintained to mimic real devices on your network, simplifying administration.
Real-time AI/ML analysis, collaborative investigatory tools, and 365-day metadata retention reduce the time to find attacker behavior on the network. With robust integrations, security teams can easily pivot from threat hunting to response.
The Fortinet Network Detection Security solution combines advanced analytics, machine learning, behavioral analysis, and decoy deployment to detect unusual and malicious activities within network traffic.
Stop threats earlier in the attack life cycle
IPS is a network security tool (either a hardware device or software) that continuously monitors a network for malicious activity and, when it occurs, takes action to prevent it, including reporting, blocking, or dropping it. Unlike IPS, NDR systems do not rely on signature-based intrusion detection and prevention. Instead, they use advanced analytical protocols (AI and machine learning algorithms) to inspect network communications in real time, looking for suspicious or anomalous behavior and reporting that activity to SOC team members.
NDR is used by SOC teams to monitor network traffic for trace evidence of attacker activity. By analyzing network traffic metadata, NDR can detect signs of advanced attacker tactics like lateral movement, command and control, privilege escalation, and data exfiltration.
The solution learns what normal network behavior looks like for your organization and then applies ML and advanced analytics to detect signs of sophisticated attacks. Because NDR technology constantly evolves based on your enterprise's network activity, threats are detected faster and more accurately.
Network Detection and Response (NDR) continuously monitors network traffic to help detect and respond to threats. Endpoint Detection and Response (EDR) helps detect and respond to attacker activity on user devices such as desktops, laptops, tablets, and phones.
No, NDR is a complementary solution to SIEM as SIEM focuses on log analysis. NDR, however, correlates detected threats with network activity, addressing potential logging gaps. NDR provides essential network data to add context to threats identified by SIEM.
Absolutely. NDR provides broad security visibility by passively monitoring every device on the network, without impacting performance or availability. NDR integrates with and complements EDR, SIEM, and SOAR to provide the enterprise with a comprehensive security approach.
Fortinet NDR has two flexible deployment options. FortiNDR On-prem can be deployed as an air-gapped solution where all appliances and analysis occur on-prem. FortiNDR Cloud is a SaaS-based service where a mix of on-prem or virtual sensors are deployed across the network but the data is analyzed in the cloud, where it is then accessed by the customer.
NDR provides contextual data and tools that security teams and security analysts can use to accelerate ongoing threat investigations and proactive investigations of unknown or undetected threats (known as threat hunting). These tools also integrate with the existing security stack so detections can be correlated across EDR, SIEM, and SOAR tools for a more comprehensive response.