
The importance of optimization when it comes to Network Detection & Response

(Image credit: Wright Studio / Shutterstock)

Amongst the multiple challenges catalyzed by the pandemic, network complexity has undoubtedly increased since the switch to remote working in March last year and the ongoing shift to hybrid working that is being experienced now. For many companies, their connected networks are now dispersed, with teams using personal, unmanaged, unsecured IoT devices that are producing excessive amounts of data. Cybersecurity has therefore become an issue that has rattled many CIOs. 

As these worries over network safety persist, Gartner has announced that Network Detection and Response (NDR) tools are the best options for security teams. According to the leading analyst house, NDRs delivered across on-premises, cloud and the IoT better detect suspicious activity than alternative security solutions. Nevertheless, there are a number of elements that need to be optimized in order for an NDR tool to ensure a secure network. If these optimizations are not employed, the NDR solution may simply become an expensive way to further complicate your threat detection systems.


Encrypted data poses a problem for NDR tools, which in turn becomes an issue for cybersecurity teams when their investment in these solutions fails to accurately detect threats. The majority of north-south traffic (the data flow between client and server) and half of the east-west traffic (the data that flows within data centers) is encrypted. Although encryption ensures that information is protected, it also obscures visibility and means NDRs cannot successfully monitor for threats. While these tools can understand some of this information, productivity and efficiency are far higher with decrypted traffic.

However, it is important to consider that encrypted data is usually highly sensitive and it is only obscured to protect the privacy of its source. To avoid breaking any compliance laws, sensitive data should only be visible to the tools that need to analyze it, and must be masked to the rest. Investment in a centralized decryption tool will free up an NDR from decrypting, analyzing and re-encrypting the data itself and will also ensure that private data is kept that way. As a result, NDR threat hunting becomes far more efficient, and this due diligence protects both the sensitive traffic and the company's reputation.


There has been a rapid adoption of NDRs across the security industry, as companies attempt to bridge the gap between SIEMs and endpoint detection and response tools. However, if data in motion on a network is not completely visible, as with encrypted traffic, full protection is impossible. To guarantee all network traffic is visible, sensors often need to be deployed to the source of the data flow (data centers, retail sites, offices), so that the NDR tools can detect all information in motion. An alternative solution is an all-encompassing sensor. However, this is a less ideal choice, as it will inevitably pick up irrelevant or duplicate information.

East-west traffic is particularly difficult to monitor, especially as company networks are increasingly spread out across the country (and often the globe). However, it is essential that network visibility remains a top priority for cybersecurity teams – if you cannot see the issues, how can you solve them? As well as sending more sensors to the edge where possible, additional tools that optimize visibility and analyze all the data in motion will help to ensure that NDR is not a wasted investment. 

Less visibility, and the resulting difficulty in accurately managing and analyzing traffic, ultimately leads to higher maintenance fees and ongoing costs. Barrett Steel Limited, the UK’s largest independent steel stockholder, encountered exactly this problem after a less than optimized experience with SPAN port capabilities led its IT team to seek out NDR solutions. To overcome the increase in network traffic and the inaccurate view of data-in-motion as a consequence of dropped packets, NDR tooling (without added optimization) at first seemed like a smart investment. Yet while initial costs often look promising, the price of maintaining the tools and paying for ongoing technical support can be sky-high, especially if visibility is not integrated from the start. However, by prioritizing network visibility and implementing tools that allow NetOps teams to scale their detection solutions, these costs can be significantly reduced. For the Barrett Steel team in particular, introducing a visibility node that connected out to the NDR tooling allowed them to efficiently run de-duplication tools and flow mapping. As a result, the load was reduced, allowing an increase in throughput with only a slight change in the tooling size, and running costs could also be better managed, so the NetOps team could get the most benefit from their investment in NDR solutions.

Team burnout 

If visibility is not prioritized, and a centralized decryption tool is not utilized to improve efficiency, it is likely that network and security teams will find themselves with even more tasks, admin and issues than before they invested in an NDR cybersecurity solution. What’s more, these tools are a multi-million-pound-a-year investment, a hugely daunting prospect for many companies if they are not confident that they will see ROI.

Choosing the right ways to optimize NDR tools is essential to avoid IT and security staff burnout. After such a challenging year, with many professionals overworking as a result of the pandemic, the last thing network teams need is additional admin caused by low-functioning tech. An efficient way to solve this issue is by engaging a SaaS solutions partner, allowing maintenance to be managed externally and freeing up internal network professionals to spend time on tasks better suited to their expertise.

NDR is a significant investment and there are certainly areas that network teams may struggle with if they leave this technology in its basic form, ignoring optimization solutions. However, with the right choices and investments, an NDR solution can become a strong, secure and reliable threat detector and an excellent cybersecurity tool. With 84% of IT and security decision-makers reporting they had seen a rise in cyberattacks since the beginning of 2020, it is unsurprising that corporations are now seeking new solutions. The right decisions surrounding cybersecurity tools could become the difference between a company's success and its failure.

Matt Percival, EMEA Senior Director – Service Provider, Gigamon

Matt Percival is EMEA Senior Director – Service Provider at Gigamon. Matt has over a decade of experience in the network security space, driving multi-million pound revenues with sales teams.