Risky Bulletin – Sponsored: Corelight on Where Will NDRs Go Next
Host: Katalin Campano (Risky Business News)
Guest: Ashish Malpani (Head of Product Marketing, Corelight)
Date: October 5, 2025
Overview
In this sponsor interview episode, Katalin Campano speaks with Ashish Malpani of Corelight about the evolution and future of Network Detection and Response (NDR) technologies. They address the maturity of the NDR market, its pivotal role in modern security architectures, differentiation between NDR and other controls like EDR and WAF, challenges in threat intelligence, and emerging needs driven by cloud adoption and evasive threats. Ashish shares insights on market trends, effective threat detection strategies, and the importance of baselining and anomaly detection.
Key Discussion Points & Insights
1. Maturity of the NDR Market
- Misconception about Newness:
Katalin notes Wikipedia suggests the NDR market is less than six years old with few vendors, questioning its maturity.
- Ashish’s Clarification:
- The concept of network-centric detection is not new—it’s evolved from older Network Security Monitoring (NSM).
- The term “NDR” is recent, but network-based threat detection has long existed.
- Recent years have seen a surge in vendors and innovation, reflecting the growing need for this category.
- Quote:
“The network detection and response as a term is a few years old. But network security...for threat detection and response has been around for a long time.” – Ashish (00:29)
2. Future Evolution: Cloud, Multi-cloud, and Beyond
- Expanding NDR’s Role:
Ashish expects NDR to move deeper into cloud detection and OT/ICS (industrial) environments, and to manage multi-cloud footprints.
- NDR will become indispensable as attacks increasingly bypass EDR and target less-monitored assets.
- Quote:
“NDR...would take a much bigger role...and really solve the cloud detection response.” – Ashish (01:51)
- Integration with Protective Controls?
- Katalin asks about the convergence of NDRs and firewalls/WAFs, especially in the cloud.
- Ashish differentiates:
- WAFs are preventive, NDR is for detection/response—especially for threats that have breached perimeters.
- NDR aims for uniform visibility and telemetry across environments.
- Quote:
“WAF does mostly what we call is a protective or preventive control...NDR has a bigger role to play...” – Ashish (03:00)
3. Threat Intelligence and Alert Fatigue
- The Problem:
A flood of threat feeds creates noise, false positives, and alert fatigue for SOC teams.
- Ashish’s Multi-layered Solution:
- Relying solely on threat intel is insufficient.
- SOCs need network intelligence, behavioral analysis, AI/ML anomaly detection, and signature detection to validate threats with context.
- A layered strategy reduces false positives.
- Quote:
“Over reliance on any single way of doing threat detection is going to impact the SOC outcomes...multi layered approach...reduce your false positives, reduce noise...” – Ashish (05:42)
4. EDR-Evasive Threats: The NDR Advantage
- Nature of Modern Attacks:
Recent attacks (e.g., on critical infrastructure) exploit network devices without EDR agents, move laterally, and blend in with normal traffic.
- Why NDR?
- NDR visibility fills gaps EDR can’t cover, especially for unmanaged devices.
- Only NDR can observe subtle network-based malicious behavior at scale.
- Quotes:
“You are not going to have an EDR agent sitting on these devices...” (06:53)
“This is where I believe NDR is the only tool in the stack where you are able to...see these types of attacks...” – Ashish (08:08)
5. Modern Security Stack Essentials
- The Holy Trifecta:
According to Ashish, the must-have security detection components are:
- EDR
- SIEM/SIM
- NDR
- Application-level threat detection will become an important “fourth leg.”
- Quote:
“EDRs, SIMs, NDR are going to be really critical to your infrastructure ...possibly adding...application level threat detection...” – Ashish (09:10)
6. Evolving Threats and Need for Anomaly Detection
- Do threats really move that fast?
Yes. Generative tools help attackers morph their attacks to evade detection.
- Response:
- Products must emphasize strong traffic baselining and anomaly detection.
- Deviations from baseline behavior (e.g., an unexpected user agent such as curl appearing on a single host within its peer group) can expose breaches.
- Memorable Explanation:
“As much as your threat detection needs to evolve...you have to have really strong baselining and anomaly detection capabilities...” – Ashish (10:49)
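The peer-group baselining Ashish describes (a traffic pattern seen on only one host among its peers) can be prototyped directly against HTTP metadata. The following is an added example, not Corelight's code or anything shown in the episode: the log lines are constructed, loosely modelled on Zeek http.log field names (`id.orig_h`, `user_agent`), and the `PEER_GROUPS` mapping is a hypothetical assignment that in practice would come from an asset inventory or behavioral clustering.

```python
"""Peer-group baselining of HTTP user agents.

Flags a user agent that appears on exactly one host within a peer group,
which is the "only evident on one of the hosts across this entire peer
group" signal from the interview. Added example; not Corelight code.
"""
import json
from collections import defaultdict

# Constructed sample log (invented values, not real traffic), JSON lines
# loosely modelled on Zeek http.log fields.
SAMPLE_HTTP_LOG = """\
{"ts": 1.0, "id.orig_h": "10.0.1.10", "id.resp_h": "203.0.113.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"}
{"ts": 2.0, "id.orig_h": "10.0.1.11", "id.resp_h": "203.0.113.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"}
{"ts": 3.0, "id.orig_h": "10.0.1.12", "id.resp_h": "203.0.113.9", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"}
{"ts": 4.0, "id.orig_h": "10.0.1.12", "id.resp_h": "198.51.100.7", "user_agent": "curl/8.4.0"}
{"ts": 5.0, "id.orig_h": "10.0.2.20", "id.resp_h": "198.51.100.7", "user_agent": "curl/8.4.0"}
{"ts": 6.0, "id.orig_h": "10.0.2.21", "id.resp_h": "198.51.100.7", "user_agent": "curl/8.4.0"}
{"ts": 7.0, "id.orig_h": "10.0.2.21", "id.resp_h": "203.0.113.5", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"}
"""

# Hypothetical peer-group assignment (assumption for this example).
PEER_GROUPS = {
    "10.0.1.10": "finance-workstations",
    "10.0.1.11": "finance-workstations",
    "10.0.1.12": "finance-workstations",
    "10.0.2.20": "it-admin-hosts",
    "10.0.2.21": "it-admin-hosts",
}


def parse_http_log(text):
    """Parse JSON-lines HTTP records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "id.orig_h" in rec and "user_agent" in rec:
            records.append(rec)
    return records


def build_baseline(records, peer_groups):
    """Return ({group: {user_agent: set(hosts)}}, {group: set(member hosts)})."""
    baseline = defaultdict(lambda: defaultdict(set))
    members = defaultdict(set)
    for rec in records:
        host = rec["id.orig_h"]
        group = peer_groups.get(host)
        if group is None:
            continue  # host not assigned to any peer group; nothing to compare against
        members[group].add(host)
        baseline[group][rec["user_agent"]].add(host)
    return baseline, members


def find_peer_group_anomalies(records, peer_groups, min_group_size=3):
    """Return sorted (host, group, user_agent) tuples where the user agent was
    seen from exactly one host in a peer group. Groups smaller than
    min_group_size are skipped: with two members, "unique" is not informative."""
    baseline, members = build_baseline(records, peer_groups)
    anomalies = []
    for group, agents in baseline.items():
        if len(members[group]) < min_group_size:
            continue
        for agent, hosts in agents.items():
            if len(hosts) == 1:
                (host,) = hosts
                anomalies.append((host, group, agent))
    return sorted(anomalies)


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    for host, group, agent in find_peer_group_anomalies(recs, PEER_GROUPS):
        print(f"anomalous user agent {agent!r} seen only on {host} in group {group}")
```

With the sample above, curl on `10.0.1.12` is flagged because its two finance peers never use it, while curl on the two admin hosts is not: it is their norm, and the group is also below `min_group_size`. The lone Firefox agent in the admin group only surfaces if that threshold is lowered to 2, which illustrates why the peer-group definition and size threshold are tuning decisions. As the multi-layered point earlier in the episode suggests, a hit like this is a lead to corroborate with signature and threat-intel context rather than an alert on its own.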
Notable Quotes & Memorable Moments
- On NDR Market Perception:
“The market was there, but...the term itself as NDR has been recent.” – Ashish (00:35)
- On NDR Filling Security Gaps:
“Traditional SOC architectures have a SIEM and an EDR...what they were missing was the network level intelligence.” – Ashish (01:26)
- On Threat Intel Noise:
“SOC teams and analysts really kind of getting burnt out because of that.” – Ashish (04:45)
- Short, Firm Answer on WAF Convergence:
“No.” – Ashish (02:59)
- On the “Trifecta” Approach:
“So your holy trifecta is SIEM, NDR and EDR.” – Katalin (09:05)
“Yeah.” – Ashish (09:10)
- On Anomaly Detection:
“If that pattern is only evident on one of the hosts across this entire peer group, then you can determine that, hey, this is clearly an anomalous traffic.” – Ashish (10:26)
Timestamps for Key Segments
- NDR Market Status & Evolution: 00:14 – 01:19
- Future of NDR (Cloud, ICS, Multi-cloud): 01:19 – 02:46
- NDR vs WAF Role in Cloud: 02:46 – 04:06
- Threat Intel Noise and Multi-layered Detection: 04:06 – 06:26
- EDR-Evasive Threats and NDR’s Role: 06:26 – 08:42
- Essential Security Stack: 08:42 – 09:21
- Adapting to Fast-Moving Threats (Anomaly Detection): 09:21 – 11:35
Conclusion
Ashish’s central message: NDR has matured beyond its “new” label and is now an essential security component, crucial for addressing evasive threats and supplementing other detection tools. The future of NDR is cloud-centric, with a growing need for multi-layer detection strategies and advanced anomaly detection powered by robust network visibility.
Final tone: Practical, insightful, and realistic about both challenges and ways forward in the evolving cybersecurity landscape.
