Catalin: This is Catalin Cimpanu, and this is a Risky Business News sponsor interview with Ashish Malpani, Head of Product Marketing at Corelight. Welcome, Ashish.
Ashish: Glad to be here, Catalin.
Catalin: I was looking today at the Wikipedia page for NDRs, and to my huge surprise, the entire market is only half a decade old and has just over a dozen vendors. Is that actually correct? Is it really that small and early in its evolution?
Ashish: I would not say NDR is early in its evolution. Network detection and response as a term is a few years old, but network security and network security based monitoring for threat detection and response has been around for a long time, back when we used to call it Network Security Monitoring (NSM). In the past there have been tools that SOCs used where they took the data from the network perspective and used it for threat detection. So the market was there, but the term itself, NDR, has been recent, and then in the last few years we have seen an increasing number of vendors come in and really participate in this mix.
Catalin: Where do you think the market will go? How are NDR products evolving, or how do you think they're going to evolve in the coming years?
Ashish: So if you think about why NDR is critical, right? Traditional SOC architectures have a SIEM and an EDR as essential components when it comes to threat detection, and what they were missing was the network level intelligence. This is what NDR really provides: giving you the network level data and evidence that would help you do the threat detection, especially when the EDRs are not enough, or for the newer attacks we see that are bypassing the EDRs. Now I personally think that NDR as a category, as an important tool in your security stack, is probably going to continue to evolve going forward and become that interesting, I mean the really necessary, tool in your tool stack. But in future NDR would probably take a much bigger role. I mean, maybe there is an opportunity to really expand the footprint into cloud and really solve cloud detection and response. Also there are other areas, I mean ICS, OT, multi-cloud footprints; all of this is already becoming part of the NDR portfolio today. But I see NDR continuing to evolve and making a play for a bigger threat detection and response capability within your SOC.
Catalin: So you're saying an evolution toward the cloud. Do you see NDRs merging with firewalls or web application firewalls in the near future? Because usually that's the WAF's job, protecting the cloud.
Ashish: No.
Ashish: So WAF does mostly what we call a protective or preventive control, right? You are actually stopping bad things from coming into your infrastructure, and that's the role of WAF. When I say threat detection and response in cloud, it's really analyzing your cloud traffic and really understanding if there are threats that have bypassed your preventive controls, whether it's swift, whether it's your ASM, attack surface management, tools in the cloud, and really helping you understand threats that have escaped or breached your perimeter defenses and infiltrated infrastructure. This is where I believe NDR has a bigger role to play, where you can have NDR ingest the data from the cloud, across multi-cloud, and really give you that uniform telemetry, uniform visibility across your multi-cloud infrastructure, and really help you drive uniform threat detection across your entire footprint.
Catalin: I've also interviewed a few cybersecurity executives this year, and based on our conversations they kind of all admit that the cybersecurity market as a whole has a big problem, especially when it comes to threat intel feeds, which in recent years have grown to unmanageable sizes where it's almost guaranteed to generate more noise than useful detections. Is this something that the NDR space is also dealing with?
Ashish: I mean, that's an excellent question. If you look at the SOCs today, they typically subscribe to multiple threat intel feeds that are feeding them IOCs, indicators of compromise, on a regular cadence and really alerting them about the new threats they are seeing in the wild. Now what's important is, as you said, this means there is a lot more noise that can be generated, where you are seeing false positives, alert fatigue; all of those problems are becoming front and center for the SOC teams, and analysts are really getting burnt out because of that. Now the solution to this problem is of course multifold, right? You cannot depend on just one single way to detect threats, threat intel being one piece of the puzzle. You have to have really good network intelligence and evidence to say, okay, here is all the context that I need before I can determine that this is a credible threat, and have signature based detection, behavioral based detection, AI or ML based anomaly detection. All these need to be part of your overall threat detection strategy before you can make a credible determination that, okay, this threat is going to pose a danger to my organization. So, long story short, when you look at threat intel itself, yes, over reliance on any single way of doing threat detection is going to impact the SOC outcomes. But if you have this multi layered approach to your threat detection strategy, then you are going to reduce your false positives, reduce noise and really improve your signal intelligence and noise to signal ratio.
Catalin: A lot of the NDR marketing materials these days mention something called EDR-evasive threat detection, including yours. What is this, and why are you treating it as an NDR problem and not an EDR one?
Ashish: Yes. If you look at the new generation of attacks that we've seen last year and this year on critical infrastructure and government facilities across the world, we saw the Volt Typhoon, Salt Typhoon kind of attacks that really targeted your perimeter infrastructure and gained access to your network by exploiting a vulnerability there. And you see the same thing happening on the commercial side. Large organizations have reported that this has now become a primary vector of attack: really finding something that's vulnerable, that's unpatched, or an old device connected somewhere at the perimeter, and leveraging that vulnerability to gain access. And why this is important is that you are not going to have an EDR agent sitting on these devices, which are typically the routers and firewalls that are doing your network provisioning. Once the attacker gains access to these devices, they leverage tools and blend into the regular traffic and really do lateral movement and command and control infrastructure deployment and things like that, which your EDR tools cannot see. So this is where having that network level intelligence really helps you, and that's why the role of NDR is becoming even more prominent. So my take is that as these attacks become more and more sophisticated, yes, EDRs are probably going to evolve. But if EDRs cannot see these attacks on their own, then the question is, how are you going to catch it? How are you going to alert on it? And this is where I believe NDR is the only tool in the stack where you are going to be able to see these types of attacks and the traffic patterns that would help you really understand and drive threat detection on your infrastructure.
Catalin: Is this why you were saying at the start of the interview that NDRs are now becoming a must-have security component? Let's say you have EDRs and NDRs; what else would you recommend that a company must necessarily have?
Ashish: Looking at it from a threat detection perspective? I mean, yes: EDRs, SIEMs, NDR are going to be really critical to your infrastructure.
Catalin: So your holy trifecta is SIEM, NDR and EDR.
Ashish: Yeah. And then, if you look at it, possibly adding application level threat detection and response as a possible fourth angle or fourth leg of the stool going forward.
Catalin: People also say the threat landscape moves fast, but from the perspective of a cybersecurity product developer like you, does it truly move that fast? Are you ever flooded with work, and are you ever behind on detection capabilities or features?
Ashish: So, you know, typically, yes, you'd find that the cyber attack landscape is moving fast, and especially with GenAI tools now you're able to change your existing attacks and morph them so that they become undetected, so that they can evade the signatures that the detection tools use. So the answer to that is yes, you want to continue to evolve your detection capabilities, but also really understand and baseline what your regular traffic pattern within your infrastructure is, and then figure out how effective it is going to be to determine the anomalies. So let's say you have a host or group of hosts that typically communicate over HTTP, and the users are using a tool like Chrome to do the web browsing. So you see all this traffic coming across as HTTP traffic that is driven by Chrome. Now suddenly you start seeing the same HTTP traffic, but the user agent is curl. And when you use curl, that means something is anomalous in this traffic. Now if that pattern is only evident on one of the hosts across this entire peer group, then you can determine that, hey, this is clearly anomalous traffic, I need to investigate it further. Maybe there's a breach that has happened, maybe this machine is compromised, and maybe the attacker is using curl to download and command and control, that kind of situation. So, yeah, as much as your threat detection needs to evolve with the attacks that are changing, I would say you have to have really strong baselining and anomaly detection capabilities as well within your product line, where you can alert on things that you believe are something you have not seen before, or something that is anomalous based on your understanding of the peer group.
Catalin: Okay, I think that's the perfect way to end it. Thank you very much.
Host: Catalin Cimpanu (Risky Business News)
Guest: Ashish Malpani (Head of Product Marketing, Corelight)
Date: October 5, 2025
In this sponsor interview episode, Catalin Cimpanu speaks with Ashish Malpani of Corelight about the evolution and future of Network Detection and Response (NDR) technologies. They address the maturity of the NDR market, its pivotal role in modern security architectures, the differentiation between NDR and other controls like EDR and WAF, challenges in threat intelligence, and emerging needs driven by cloud adoption and evasive threats. Ashish shares insights on market trends, effective threat detection strategies, and the importance of baselining and anomaly detection.
“The network detection and response as a term is a few years old. But network security...for threat detection and response has been around for a long time.” – Ashish (00:29)
“NDR...would take a much bigger role...and really solve the cloud detection response.” – Ashish (01:51)
“WAF does mostly what we call is a protective or preventive control...NDR has a bigger role to play...” – Ashish (03:00)
“Over reliance on any single way of doing threat detection is going to impact the SOC outcomes...multi layered approach...reduce your false positives, reduce noise...” – Ashish (05:42)
“You are not going to have an EDR agent sitting on these devices...” (06:53)
“This is where I believe NDR is the only tool in the stack where you are able to...see these types of attacks...” – Ashish (08:08)
“EDRs, SIEMs, NDR are going to be really critical to your infrastructure ...possibly adding...application level threat detection...” – Ashish (09:10)
“As much as your threat detection needs to evolve...you have to have really strong baselining and anomaly detection capabilities...” – Ashish (10:49)
On NDR Market Perception:
“The market was there, but...the term itself as NDR has been recent.” – Ashish (00:35)
On NDR Filling Security Gaps:
“Traditional SOC architectures have a SIEM and an EDR...what they were missing was the network level intelligence.” – Ashish (01:26)
On Threat Intel Noise:
“SOC teams and analysts really kind of getting burnt out because of that.” – Ashish (04:45)
Short, Firm Answer on WAF Convergence:
“No.” – Ashish (02:59)
On “Trifecta” Approach:
“So your holy trifecta is SIEM, NDR and EDR.” – Catalin (09:05)
“Yeah.” – Ashish (09:10)
On Anomaly Detection:
“If that pattern is only evident on one of the hosts across this entire peer group, then you can determine that, hey, this is clearly an anomalous traffic.” – Ashish (10:26)
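The curl-versus-Chrome scenario Ashish describes is a peer-group baseline: a user agent is not suspicious in itself, only relative to what the host's peers do. The following is an added example written for this summary, not code from the interview or from Corelight. It assumes a Zeek-style http.log (tab-separated, with a `#fields` header naming `id.orig_h` and `user_agent`); the log lines themselves are constructed, not captured traffic. It flags a user-agent family seen on only one host of a peer group, and, to show the caveat, leaves a second group alone where every host uses curl legitimately.

```python
"""Peer-group baselining of HTTP user agents over Zeek-style http.log records.

Added example (not from the interview or Corelight). Assumes a Zeek-like TSV
http.log with a '#fields' header; the sample lines below are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample: five workstations browse with Chrome, one of them
# (10.0.0.7) also starts issuing requests with curl; a separate peer group
# of build servers uses curl everywhere, which is normal for that group.
SAMPLE_HTTP_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\tuser_agent",
    "1700000001.1\t10.0.0.5\t203.0.113.10\tGET\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/118.0.0.0",
    "1700000002.2\t10.0.0.6\t203.0.113.10\tGET\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/118.0.0.0",
    "1700000003.3\t10.0.0.7\t203.0.113.10\tGET\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/118.0.0.0",
    "1700000004.4\t10.0.0.8\t203.0.113.10\tGET\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/118.0.0.0",
    "1700000005.5\t10.0.0.9\t203.0.113.10\tGET\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/118.0.0.0",
    "1700000006.6\t10.0.0.7\t198.51.100.23\tGET\tupdates.example.net\tcurl/8.4.0",
    "1700000007.7\t10.0.0.7\t198.51.100.23\tPOST\tupdates.example.net\tcurl/8.4.0",
    "1700000008.8\t10.0.1.20\t203.0.113.50\tGET\tpkgs.example.org\tcurl/7.88.1",
    "1700000009.9\t10.0.1.21\t203.0.113.50\tGET\tpkgs.example.org\tcurl/7.88.1",
    "1700000010.0\t10.0.1.22\t203.0.113.50\tGET\tpkgs.example.org\tcurl/7.88.1",
])

# Peer groups are an assumption of the example; in practice they come from
# asset inventory, subnet, or role tags.
WORKSTATIONS = {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"}
BUILD_SERVERS = {"10.0.1.20", "10.0.1.21", "10.0.1.22"}


def parse_zeek_tsv(text):
    """Parse a Zeek-style TSV log into dicts keyed by the '#fields' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def ua_family(user_agent):
    """Reduce a user agent to its leading product token ('curl', 'Mozilla', ...)."""
    return user_agent.split("/", 1)[0].split()[0] if user_agent.strip() else "<empty>"


def baseline(records, peer_group):
    """Per host in the peer group, count how often each UA family was seen."""
    per_host = defaultdict(Counter)
    for r in records:
        if r["id.orig_h"] in peer_group:
            per_host[r["id.orig_h"]][ua_family(r["user_agent"])] += 1
    return per_host


def ua_outliers(records, peer_group, max_hosts=1):
    """Return (host, family, hits) for UA families used by at most `max_hosts`
    hosts of the peer group. A family the whole group shares is treated as
    normal for that group; a group too small to compare yields nothing."""
    per_host = baseline(records, peer_group)
    hosts_per_family = defaultdict(set)
    for host, counts in per_host.items():
        for family in counts:
            hosts_per_family[family].add(host)
    alerts = []
    for family, hosts in sorted(hosts_per_family.items()):
        if len(hosts) <= max_hosts < len(per_host):
            for host in sorted(hosts):
                alerts.append((host, family, per_host[host][family]))
    return alerts


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_HTTP_LOG)
    for name, group in (("workstations", WORKSTATIONS), ("build servers", BUILD_SERVERS)):
        print(name, ua_outliers(recs, group))
```

Run as-is, the workstation group yields one alert for 10.0.0.7 using curl, and the build-server group yields none, because curl is what that peer group does. The check is deliberately a triage signal rather than a verdict: a user agent is attacker-controlled and trivially spoofed, so the value is in comparing a host against its peers, not in the string itself.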
Ashish’s central message: NDR has matured beyond its “new” label and is now an essential security component, crucial for addressing evasive threats and supplementing other detection tools. The future of NDR is cloud-centric, with a growing need for multi-layer detection strategies and advanced anomaly detection powered by robust network visibility.
Final tone: Practical, insightful, and realistic about both challenges and ways forward in the evolving cybersecurity landscape.