NDR
Introduction
Network Detection and Response (NDR) is a cybersecurity technology that continuously analyses network traffic to detect anomalies, attacks, lateral movement and suspicious communication patterns. NDR solutions combine network monitoring, behavioural analysis, protocol inspection and threat detection to provide insight into activities that traditional security measures may miss.
In industrial environments, NDR plays an increasingly important role due to growing IT/OT convergence, the rise of the Industrial Internet of Things, remote access, cloud connectivity and advanced threats against ICS and OT networks.
Unlike classic network monitoring, NDR does not focus solely on availability or performance, but specifically on security behaviour within network communication. The goal is to detect:
- Lateral movement
- Unusual communication
- Malware activity
- Command-and-control traffic
- Protocol abuse
- Insider threats
- Unauthorised access
- Data exfiltration
Within OT environments, NDR is often combined with Passive Monitoring, SIEM, SOC and Threat Intelligence.
⚙️ How NDR works
An NDR platform analyses network traffic from several sources:
| Source | Example |
|---|---|
| SPAN ports | Mirrored switch traffic |
| TAPs | Passive network captures |
| NetFlow/IPFIX | Flow-based metadata |
| Packet capture | Full packet inspection |
| Cloud traffic | Virtual networks |
| OT protocols | Industrial protocol analysis |
Most NDR platforms operate passively so that operational systems are not affected.
The analysis process typically consists of:
- Collecting network data
- Protocol decoding
- Building behavioural baselines
- Detecting anomalies
- Correlating with threat intelligence
- Incident analysis and response
Modern solutions often use:
- Machine Learning
- Behavioural analysis
- Statistical anomaly detection
- Rule-based detection
- Signature matching
- AI-based classification
🌐 Difference between NDR and traditional network monitoring
Traditional network monitoring focuses primarily on availability and performance.
NDR specifically focuses on security analysis.
| Functionality | Traditional monitoring | NDR |
|---|---|---|
| Availability monitoring | Yes | Limited |
| Performance analysis | Yes | Limited |
| Security detection | Limited | Extensive |
| Behavioural analysis | No | Yes |
| Threat hunting | No | Yes |
| Anomaly detection | Limited | High |
| Protocol inspection | Basic | In-depth |
| Lateral movement detection | No | Yes |
NDR functionally sits between:
🏭 NDR in OT environments
Within industrial networks, NDR requires specific characteristics due to:
- Deterministic network behaviour
- Legacy protocols
- High availability requirements
- Limited patching options
- Long asset lifecycles
- Proprietary communication
OT-specific NDR platforms support industrial protocols such as:
This enables OT-oriented detections such as:
| Detection | Example |
|---|---|
| PLC logic changes | New download to controller |
| Rogue engineering station | Unknown laptop in OT |
| Protocol abuse | Unexpected write commands |
| Firmware changes | New PLC firmware |
| Lateral movement | IT system communicating with PLC |
| External access | Vendor remote access outside maintenance window |
| Scanning | Active port scan in OT |
OT NDR strongly focuses on contextual analysis of industrial processes.
🔍 Behavioural analysis and baselining
A key function of NDR is building normal network behaviour patterns.
Examples of baselines:
- Which systems normally communicate with each other
- Which protocols are used
- Which ports are active
- Which communication volumes are normal
- Which time windows are typical
Deviations from these can indicate:
- Malware
- Misconfigurations
- Insider threats
- Lateral movement
- Shadow IT/OT
- Compromised systems
In OT environments, this often works well because industrial communication is relatively predictable.
For example:
- A PLC normally only communicates with SCADA
- An HMI does not send DNS requests to the internet
- A historian does not establish SMB connections to engineering stations
When such anomalies occur, NDR can generate alarms.
🛡️ Detection of lateral movement
One of the main benefits of NDR is detection of lateral movement within networks.
After initial compromise, attackers often move through the network via:
- RDP
- SMB
- SSH
- WMI
- PowerShell
- Remote management protocols
Traditional endpoint solutions sometimes miss this network context.
NDR can detect:
- New communication paths
- Unusual authentication
- Traffic between normally segregated zones
- Credential misuse
- Network scans
- Increased protocol activity
Within OT networks, lateral movement is particularly risky because a single compromised engineering station can affect multiple production lines.
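As an added example (not code from the original page) covering both the baselining section and the lateral movement section above: the script learns which host pairs, services and zone pairs are normal from a window of flow metadata, then flags deviations such as an IT laptop reaching a PLC, an HMI sending DNS to the internet, a historian opening SMB to an engineering station, or a known pair using a new protocol. Zones, addresses and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory (hypothetical addresses): IP -> security zone.
ZONES = {"10.10.0.5": "OT/SCADA", "10.10.0.20": "OT/PLC", "10.10.0.21": "OT/PLC",
         "10.10.0.30": "OT/HMI", "10.20.0.10": "DMZ/Historian",
         "10.30.0.40": "IT/Engineering", "8.8.8.8": "Internet"}

# Constructed flow metadata from the learning window, shaped like NetFlow/IPFIX
# records: (src, dst, dst_port, protocol).
LEARNING_FLOWS = [
    ("10.10.0.5", "10.10.0.20", 502, "modbus"),   # SCADA polls PLCs
    ("10.10.0.5", "10.10.0.21", 502, "modbus"),
    ("10.10.0.30", "10.10.0.5", 4840, "opcua"),   # HMI reads from SCADA
    ("10.20.0.10", "10.10.0.5", 4840, "opcua"),   # historian collects from SCADA
]

def build_baseline(flows):
    """Learn which host pairs, services per pair and zone pairs are normal."""
    paths = defaultdict(set)   # (src, dst) -> {(port, proto)}
    zone_pairs = set()
    for src, dst, port, proto in flows:
        paths[(src, dst)].add((port, proto))
        zone_pairs.add((ZONES.get(src, "unknown"), ZONES.get(dst, "unknown")))
    return {"paths": paths, "zone_pairs": zone_pairs}

def evaluate(baseline, flow):
    """Return the findings for one flow; an empty list means it fits the baseline."""
    src, dst, port, proto = flow
    src_zone, dst_zone = ZONES.get(src, "unknown"), ZONES.get(dst, "unknown")
    findings = []
    if src_zone == "unknown":
        findings.append("unknown_asset")                      # e.g. rogue engineering laptop
    if (src_zone, dst_zone) not in baseline["zone_pairs"]:
        findings.append(f"cross_zone:{src_zone}->{dst_zone}")  # segregated zones talking
    services = baseline["paths"].get((src, dst))
    if services is None:
        findings.append("new_path")                           # pair never seen before
    elif (port, proto) not in services:
        findings.append(f"new_service:{proto}/{port}")        # known pair, new protocol
    return findings

BASELINE = build_baseline(LEARNING_FLOWS)
# Constructed observation window: one normal poll, then the deviations the text describes.
OBSERVED = [
    ("10.10.0.5", "10.10.0.20", 502, "modbus"),   # normal -> no findings
    ("10.30.0.40", "10.10.0.20", 502, "modbus"),  # IT laptop talking Modbus to a PLC
    ("10.10.0.30", "8.8.8.8", 53, "dns"),         # HMI sending DNS to the internet
    ("10.20.0.10", "10.30.0.40", 445, "smb"),     # historian opening SMB to engineering
    ("10.10.0.5", "10.10.0.20", 22, "ssh"),       # known pair, unexpected service
]
ALERTS = [(flow, evaluate(BASELINE, flow)) for flow in OBSERVED if evaluate(BASELINE, flow)]
```

A real platform learns the baseline over days or weeks and weights findings by zone and asset criticality; the zone check here is what turns a "new path" into a lateral movement alert.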
⚡ Deep Packet Inspection within NDR
Many NDR platforms use DPI to analyse protocols in depth.
DPI provides insight into:
- Function codes within Modbus TCP
- PLC commands
- Firmware transfers
- Configuration changes
- File exchange
- Unusual protocol fields
This enables advanced detections.
Example:
A standard firewall only sees TCP traffic on port 502.
An NDR platform sees:
- Which Modbus function code is used
- Whether registers are being read or written
- Which devices are involved
- Whether anomalous behaviour is occurring
This is crucial for OT security.
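The port 502 example above, worked through as an added example that is not part of the original page: a minimal Modbus/TCP decoder that recovers what a port-only firewall rule cannot (unit id, function code, read versus write, target register) and a policy check that alerts when a write arrives from a host that is not an approved writer. The sample frames, IP addresses and allowed-writer set are constructed for illustration.

```python
import struct
from typing import Optional

# Public Modbus function codes (Modbus Application Protocol spec); subset only.
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP request (MBAP header + PDU) carried on TCP/502."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:            # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload")
    fc, pdu = payload[7], payload[8:]
    info = {"tid": tid, "unit": unit, "function_code": fc & 0x7F}
    if fc & 0x80:                              # exception response from the device
        info["action"] = "exception"
    elif fc in READ_FCS:
        info["action"], info["name"] = "read", READ_FCS[fc]
        info["address"], info["quantity"] = struct.unpack_from(">HH", pdu)
    elif fc in WRITE_FCS:
        info["action"], info["name"] = "write", WRITE_FCS[fc]
        if fc in (5, 6):                       # single write: address + value
            info["address"], info["value"] = struct.unpack_from(">HH", pdu)
        else:                                  # multiple write: address + quantity + data
            info["address"], info["quantity"] = struct.unpack_from(">HH", pdu)
    else:
        info["action"] = "other"               # diagnostics, file records, vendor codes
    return info

def check_write_policy(src_ip: str, payload: bytes, allowed_writers: set) -> Optional[dict]:
    """Return an alert when a write comes from a host that is not an approved writer."""
    frame = parse_modbus_tcp(payload)
    if frame["action"] == "write" and src_ip not in allowed_writers:
        return {"alert": "unexpected_modbus_write", "src": src_ip, **frame}
    return None

# Constructed sample frames (hex), not captured from any real plant.
READ_HR = bytes.fromhex("000100000006010300000002")               # FC3: read 2 registers at 0
WRITE_REG = bytes.fromhex("000200000006010600100abc")             # FC6: write 0x0ABC to reg 16
WRITE_MULTI = bytes.fromhex("00030000000b0110001000020400010002")  # FC16: write 2 regs at 16
SCADA_SERVERS = {"10.10.0.5"}   # hypothetical: the only host allowed to write
ALERT = check_write_policy("10.30.0.40", WRITE_MULTI, SCADA_SERVERS)  # IT laptop -> alert
```

The MBAP length check matters in practice: a frame whose declared length disagrees with the bytes on the wire is either malformed or an attempt to confuse the decoder, and should be surfaced rather than silently skipped.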
🔐 Integration with SOC and SIEM
NDR solutions are often integrated with:
The workflow typically looks like this:
- NDR detects anomalous network behaviour
- The event is forwarded to SIEM
- Correlation with other security events
- Incident analysis by SOC
- Automated response via SOAR
In converged IT/OT environments, this creates a single central security view.
🧠 Machine learning within NDR
Many modern NDR platforms use Machine Learning for:
- Baseline analysis
- Behavioural clustering
- Detection of unknown threats
- Alert prioritisation
- Risk scores
Benefits:
- Detection of zero-day behaviour
- Less dependency on signatures
- Recognition of subtle anomalies
Limitations:
- Risk of false positives
- Long learning period
- Complexity of OT processes
- Need for context validation
Within OT, human validation remains essential due to operational impact.
⚠️ Challenges in OT NDR
Although NDR is powerful, important considerations exist.
Legacy protocols
Many industrial protocols contain:
- No encryption
- No authentication
- Little metadata
- Vendor-specific extensions
This complicates detection and interpretation.
Encrypted traffic
An increasing share of traffic uses TLS or other encryption.
This makes DPI harder unless:
- Metadata analysis is used
- SSL inspection is possible
- Endpoint telemetry is available
Operational sensitivity
OT networks are sensitive to:
- Additional latency
- Broadcast storms
- Excessive monitoring
- Packet loss
NDR solutions are therefore almost always implemented passively.
False positives
During unusual maintenance work, legitimate activities can trigger alarms.
For example:
- Firmware updates
- Engineering uploads
- Vendor remote maintenance
- Temporary bypasses
Good tuning is therefore essential.
🏗️ NDR within Zero Trust and Defense in Depth
NDR supports modern security architectures such as:
NDR provides visibility at the network layer.
Examples:
| Security concept | NDR role |
|---|---|
| Zero Trust | Verifying communication behaviour |
| Segmentation | Detecting unwanted connections |
| Threat Hunting | Analysis of suspicious flows |
| Incident Response | Forensic network data |
| Risk Management | Identifying high-risk assets |
⚙️ Practical example: water treatment plant
A water company implements NDR within an OT network with:
- SCADA
- PLC
- Historian servers
- Remote maintenance
- Modbus TCP
Situation
An engineering laptop is infected via phishing in the IT network.
Detection
The NDR platform detects:
- New communication towards PLCs
- Anomalous Modbus write commands
- Lateral movement to OT zones
- Unusual network paths
Response
The SOC:
- Blocks network access
- Segments affected systems
- Analyses packet captures
- Verifies PLC integrity
This prevents process disruption.
🔄 Difference between NDR, IDS and IPS
| Property | IDS | IPS | NDR |
|---|---|---|---|
| Detection | Yes | Yes | Yes |
| Blocking | No | Yes | Sometimes |
| Behavioural analysis | Limited | Limited | Extensive |
| Machine Learning | Limited | Limited | Often |
| Historical analysis | Limited | Limited | Extensive |
| OT context | Variable | Variable | High |
| Threat hunting | No | No | Yes |
NDR is therefore broader than classic detection systems.
📈 The future of NDR within OT
As digitalisation continues, the importance of NDR is growing within:
- Industry 4.0
- Industrial Internet of Things
- Cloud-based OT Monitoring
- Smart grids
- Water management
- Smart manufacturing
Key trends:
- AI-based threat detection
- Integration with XDR
- Cloud-native OT Monitoring
- Unified visibility
- Asset intelligence
- Autonomous Threat Hunting
NDR is increasingly becoming a core component of modern OT security architectures.
