With the rise of XDR (Extended Detection and Response) adoption, the architecture question arises on how NDR (Network Detection and Response and XDR work together.

Network Detection and Response tools have matured in customer architectures throughout the years. NDRs continuously monitor networks and devices connected to it using telemetry collected from network devices, generated by endpoints, or by deploying sensors to collect such data.  NDR uses this telemetry to primary provide unmatched visibility into an environment of managed and unmanaged devices, then analyzes traffic patterns to detect abnormal behaviors caused by potential threats such as data exfiltration, botnet activity and others. In addition, a NDR becomes the main repository of network telemetry for an analyst to perform threat hunting and forensic investigations.

On the other hand, XDR is an aggregation and correlation technology with a main aim to detect incidents while simplifying and accelerating threat response. XDRs leverage a host of integrations to cross correlate detections from different technologies and telemetry sources to draw the bigger picture of an attack in a simplified, enriched, and correlated manner which makes it very simple for a SOC analyst to draw conclusions, locate the source of an attack and respond to threats in a matter of minutes instead of hours or days using individual point product technologies on their own.

Cisco Secure Network Analytics (Cisco NDR) with the modernized Data Store architecture delivers:

  • The fastest and largest scaling NDR in market which provides the best user experience with traffic analysis against various forms of network telemetry including traffic flows, firewalls logs and endpoint visibility data via Cisco Secure Client’s Network Visibility Module.
  • Newest Detection Models: Secure Network Analytics offers a next generation converged analytics capability to automatically assign device roles based on behavior and detect threats using enhanced detection techniques.

Expanding Secure Network Analytics by integrating it into Cisco XDR will expand these capabilities to the next level by:

  • Correlation with other technologies: XDR correlates NDR EDR, Email detections and threat intelligence, and many other technologies from cisco and third-party which expand NDR beyond the Network Detection boundaries.
  • Expand the Response Ecosystem: with Cisco XDR built-in and customizable incident response capabilities, NDR responses are expanded beyond the natively supported techniques leveraging the diverse and multiple integration that XDR supports with EDRs, DNS, Firewall, and others.
  • Detections Assertion secure Network Analytics’ detections are based on behavioral and machine learning detections techniques which are advanced techniques that can detect slow and hidden threats. By combining it with Cisco XDR these detections are affirmed through correlation with other technologies detections to form an end-to-end incident that explains the threat activity across multiple threat vectors.

Bottom line, Secure Network Analytics and Cisco XDR work very well together by complimenting each other.  Detections and telemetry from Secure Network Analytics is one source of data feeding into XDR, XDR ingest it along with other data from multiple technologies to identify incidents without having to focus on Network based detections or visibility since it is provided through NDR. Implementing a solution will depend on the specific needs and requirements. If you are looking to improve your network visibility and network detection capabilities it is delivered with NDR, but if your main goal is to  improve your threat response capabilities and get a comprehensive view of incidents then use XDR.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Hanna Jabbour

Technical Engineer

Security Business Unit