Welcome to our webinar. First of all, the title: Future-Proofing Your Cybersecurity, Insights into Evolving NDR Markets. I chose this title for a reason, because I recently conducted research around NDR solutions and I've noticed that there are so many things evolving and changing in the market, and we should be aware of them. Before I start, let me share my agenda with you. As I said, I recently worked on a Leadership Compass. I included 14 vendors. I analyzed them, their strengths, their challenges, and what to be aware of in the capabilities they offer.
Then I will share my overview of the NDR market based on this research. I will highlight the challenges, basically why we need NDR solutions, what we should be aware of in an NDR solution, which capabilities we think are required, how NDR works and why we need it. Then I will share some insights from the market, and then my overall key findings from the entire research. In the last section, I will share my methodology and how I conducted this research. If you are familiar with KuppingerCole, you know that we produce these Leadership Compass reports.
These are very detailed reports on specific technologies and solutions, and you will see how we produce these papers. But before we begin, we have three poll questions prepared for you. I will start with the first one. You have 15 seconds to answer. Does your organization have NDR in place today? You have three options: actively deployed, in the evaluation or proof-of-concept phase, and no. At the end of the webinar, if time allows, I'm going to share the results with you.
So let's begin with the NDR overview and why we actually need NDR. It starts with why we have NDR instead of a certain other solution. I started this research by focusing on the legacy solutions, what they are capable of and what they are not. In the past, organizations primarily relied on solutions like SIEM, firewalls, EPDR, IDS and IPS, and so on. Now we have NDR and XDR. If you are not familiar with this, basically XDR means EPDR, or EDR in other words, plus NDR. In this paper I only worked on NDR, but I also kind of compared it with XDR.
The legacy solutions I defined here primarily focus on perimeter defense and, most of the time, on signature-based detection. To give an example about some of these: EPDR solutions require agents on endpoints, and some devices like IoT devices and some mobile devices work agentless, so you cannot deploy agents on them, and this means they are left unprotected. SIEM platforms, for example, rely heavily on log data, and this log data sometimes cannot be accessed, or can be deleted or manipulated by hackers.
Overall, we can say that these tools lack the ability to analyze network traffic effectively, they are vulnerable against emerging threats, and they don't really provide the real-time network visibility that organizations look for most of the time. The challenges: this is basically why we need NDR, from my point of view. Starting from the last one, we already explained why the legacy solutions are falling behind. But on top of that, we now have complex modern networks, and these complex networks include interconnected components like cloud services.
I am sure many of you already have them in place. They work with IoT devices, mobile endpoints, and sometimes they even work in virtualized environments. This creates some complexity, and then you might need a specific tool for analyzing your networks. Without proper network analysis, you will never know if you are having an issue, and you will not be able to identify or address the inefficiencies within the complex network infrastructure you have. In other words, you will have performance issues.
On top of that, we want to be compliant with regulations, and we also want to analyze network traffic without decrypting it. These are the challenges we have, and the legacy solutions cannot really answer these needs. I'll explain in a nutshell how NDR works and why we need it. As I said, in EPDR solutions you needed an agent, but in an NDR solution you basically deploy sensors, and they capture the network traffic and analyze it.
Network metadata analysis helps your security teams understand what's going on in your network, and helps them understand the metadata and make some meaningful analysis. The other one is indicators of compromise, IOCs. These are very helpful if you are also utilizing some threat intelligence. These IOCs can signal potential security breaches or malicious activity that hasn't hit you yet. And playbooks are important for automating your responses and actions.
And last but not least, of course, we talk about machine learning and artificial intelligence in every aspect of the solutions in our organizations. What ML does is actually help you understand the network metadata, for example to eliminate false positives. Now, with the help of these technologies, you can automate the analysis of large volumes of network data. In my analysis, I've seen that every vendor is employing either supervised or unsupervised machine learning models. Why we need NDR is really easy. We want to have real-time threat detection.
We want to monitor in real time, and we want to have a solution in place for incident response and also for forensic activities. We want to secure our critical infrastructure as well, which means we want IoT and OT security too. And either we have an NDR with threat intelligence capabilities, or we have a threat intelligence feed that we have connectors to. So we want to utilize it, and NDR is helping with that as well. Let's move on to required capabilities. This is a bit boring, but you want to have flexible deployment.
So NDR should be providing you that. It should comply with CTI standards, because you are going to utilize threat intelligence and you have to comply with all sorts of regulations, and those regulations now encompass cyber threat intelligence as well. One of the unique selling points of NDR is that you are able to do network traffic analysis and encrypted traffic analysis. This you can also do with XDR, but I will get back to that later. And you want to automate your response actions.
That's very important, either through the NDR or through your security orchestration integrations, like SIEMs. And the other ones, as we already talked about, are forensics and playbooks. Then you basically want to be aligned with today's cybersecurity standards. For example, most NDR solutions are aligned with MITRE ATT&CK mapping, and this will help you understand the vulnerabilities and threats in your network. All right. In the last slide, I'm going to share my market analysis with you.
This can be a bit confusing for some of you, but let's talk about some of the drivers first. The market drivers are generally not specific to NDR. For example, I have mentioned that we have sophisticated cyber threats targeting networks. Yeah. I mean, we have lots of sophisticated, emerging cyber threats. But if you want to address the ones that are targeting networks, NDR is the solution you should go for.
Again, regulatory compliance, 5G networks, and the enormously increasing attack surface because of this are other reasons. But again, these are not limited to the NDR market. These are market drivers for most of the proactive detection and response tools. My highlight is that NDR is now offered as a standalone solution or incorporated into XDR platforms. Within the 14 vendors I have analyzed, some of the vendors actually offer XDR solutions with an NDR module integrated into them. North America, not surprisingly, holds the largest market share, followed by Europe and APAC.
Lots of acquisitions are going on. I think the last time we did the NDR report was in 2021, and I released this NDR report at the end of 2024. There were already three acquisitions within the 14 vendors I analyzed. Think about the rest of the vendors. So the percentage is very high. And there are some startups trying to penetrate the market. They capture some market share, especially in Europe, I've noticed. And there are some challenges, of course, around acquiring an NDR solution as well.
But let me also tell you who is more suited to acquiring an NDR: it is mostly mature enterprises with their own SOC teams, because these are not cheap technologies and you might need to invest in them. And for mid-market companies that do not have their own SOC teams, I suggested considering XDR over NDR.
Yeah, let's jump into my key findings, which are kind of a summary of the whole report. But before that, the second poll question is here for you. Again, I'll give you 15 seconds. Which cyber attacks are you most concerned about? Ransomware, critical infrastructure attacks, insider attacks, software supply chain attacks. All right. Let's jump into my key findings.
Again, starting with the legacy tools. NDR tools can detect threats that might bypass endpoint protection or other legacy tools. You want to have network analytics tools to understand and manage your high volumes of network data. In comparison to NDR, XDR offers a more unified and comprehensive view of the security landscape. This is something to keep in mind. I was trying to be objective; although this report was about NDR, I think some of you might consider XDR.
Again, many vendors now include NDR as part of their XDR suites. 5G networks and the widespread use of IoT devices have further expanded the attack surface. NDR solutions incorporate advanced ML and AI for real-time data analysis.
Well, this is also used for efficiency in most cases. Most companies now work with critical infrastructure components and within the critical infrastructure sectors, and you might want a solution that understands those protocols, and also a solution you can actually deploy for those IoT and OT devices, which means sensors in this case. So basically, you don't need to deploy any agents, unlike with EPDR solutions.
NDR can help you manage your complex network environments, again, because now you work with lots of tools, you are exposed to cybersecurity requirements, and you want to have growth. So NDR can help you with that too.
Another final note from the market analysis: despite its growth, the NDR market faces challenges such as deployment complexity, which is again related to the complex network environments, high costs, which is something to keep in mind, and privacy concerns. All right. So before I begin with my notes from the Leadership Compass, how I conducted this research and which vendors were included, I would like to share another poll question. What is the biggest challenge when implementing cybersecurity solutions? Budget? Skill shortage? Wrong tool choice? Stakeholder management? All right.
So for those of you who are familiar with KuppingerCole, you know that we publish Leadership Compass reports on different technologies. For example, I myself am working on attack surface management, network detection and response tools, and web application firewalls, and in the future I will work on brand protection tools. We are a team of around 10 analysts, and each of us has different expertise and works on different solutions.
This methodology applies to all the Leadership Compass papers we publish. It starts with the research period: analysts sit and identify the vendors, and then we send them our understanding of the market, so they have a chance to see if they are eligible for this market. If they consent to participate, they answer the questionnaire we provide them, and later on I have one-hour-long briefings with them, and of course I take notes during these briefings.
Together with the answers to the questionnaires and my briefing notes, I start writing my vendor analysis for every vendor. Meanwhile, I also conduct my research on the specific market, in this case NDR, and I try to see what is changing in the market, independent from the vendors I'm analyzing, what is innovative as of today, and so on.
Then, as I said, I do the analysis of the information I have, I finish up the writing, and the first version of the report goes to the fact-check period. Because I have contact points from every vendor participating, we send them the initial version, and they have the opportunity to review it and check if anything needs to be corrected.
You might think, what can be corrected? Because this process takes around three to four months, sometimes we preliminarily determine a challenge around a vendor, which is normal, but then they patch it or solve the problem in these three or four months, or they actually publish a new functionality, so they eliminate one of their challenges. So they tell me, oh Osman, this is no longer a challenge for us, and this is our proof, this is our press release, or these are our release notes, etc.
As long as they provide me with the proof, I go and update it, and I change my verdict on that. Finally, we come to a consensus, we say, okay, this is now ready from our end, do you agree to participate, and when they say yes, we publish the whole report, after getting consent from every vendor we are working with. I forgot the number for this research, but I think I initially started with 15 vendors, and during the fact-check period one of the vendors dropped from the Leadership Compass, so we did not include them. So this can also happen.
In this chart, you see the spider charts we use in every research. By the looks, these spider charts are always standard, but the eight criteria around them always change. For example, for this NDR market, I have determined eight evaluation criteria: platform support (deployment, delivery models, architecture, and so on), network traffic analysis capabilities, encrypted traffic analysis capabilities, detection capabilities, threat hunting capabilities, playbooks and responses, integration capabilities, and network insights and reporting.
This last part was mostly related to how they report and how they utilize, for example, machine learning and AI. I'm not going to share which vendor this spider chart belongs to, but this is actually from the actual report, so you see one of the vendors' results here. Just by looking at it, you can say that they might have better playbooks and responses capabilities. I will also give you a quick glance at the next slide so that you understand what I'm talking about.
So we have these nine other dimensions which are standard for every paper. The first is security. It's not about security in the sense of cybersecurity capabilities; no, this is about how secure the platform is, not the solution. For example, whether there are any authentication methods or access controls, or whether they have any encryption capabilities, and so on. Functionality is the core section that we evaluate.
Here, actually, I take into account NDR capabilities, for example. Deployment, interoperability, and usability are all kind of standard for every solution we conduct a Leadership Compass on, so they're not specific to NDR. And the last four dimensions are mainly around the corporate financial strength they have, their ecosystem, and where they're located in the market. For example, sometimes you have a mediocre solution, but it's from a big vendor, so they have a big market capture. So this can also happen.
And for example, innovation: you have a set of capabilities, but that doesn't guarantee that you have innovation. In the beginning, we actually provide vendors with what we see as innovative in this market, so we evaluate their capabilities based on the innovative capabilities we have determined preliminarily.
Yes, in this slide, you see the vendors that participated in this research: Arista Networks, ExtraHop, IBM QRadar, Stellar Cyber, Cisco, Fortinet, NetWitness, WatchGuard, Darktrace, Gatewatcher, OpenText, Sophos, Exeon, and Google. You will notice that we have vendors from North America, Europe, and India, and also big vendors and some strong startups. And this is the list of vendors that did not get back to us when we tried to reach them to ask whether they wanted to participate in our research, or that dropped from the research during the fact-check period.
So you see that we have Broadcom, Check Point, Corelight, and so on. Also, for example, Trend Micro is a big player in this market, but they didn't want to participate in this research.
But again, in our report, we have given brief information about them as well, what their strengths are in a nutshell. You can think of it like that. In every report, we have four kinds of leadership. Three of them are separate, and the last one, overall leadership, is the combination of all three. Product leadership corresponds to functionality and completeness of product vision. Market leadership is how they capture the market geographically and how strong their partner ecosystem is.
Innovation leadership is, again, as I discussed, whether they have any innovative skill set or capability. And overall leadership is the combination of all three. In my last slide, I'm going to share with you the overall leadership, which I am sure you are most curious about. Roberto de Paul asks why Darktrace is not there directly. I think that, Roberto, you will see Darktrace is recognized as one of the overall leaders in the market here. You see that we have followers, challengers, and leaders. In this report, we did not evaluate any vendor as a follower, but we had challengers.
Exeon, OpenText, Gatewatcher, WatchGuard, Sophos, and NetWitness were the challengers in this market. Stellar Cyber, Gurukul, ExtraHop, Fortinet, IBM, and Darktrace were the leaders. And Cisco and Arista Networks were the leading companies. You see that Cisco has quite an edge in the market. So I would say that Cisco and Arista are doing a good job and the other vendors are following up. This should be the end of my presentation. Thank you for watching. I'm going to go and check which questions you have. Before that, maybe I can share the poll results with you.
One second. Our first question was: what is the biggest challenge when implementing cybersecurity? 60% of people said budget, 40% said stakeholder management, and no one voted for wrong tool choice or skill shortage. The second question was about which cyber attacks you are most concerned about: 75% of the votes were for insider attacks, 25% for software supply chain attacks. Interestingly, no one voted for ransomware or critical infrastructure attacks. But I think Wilfred was mentioning critical infrastructure, so that is another person we have to consider.
So keep that in mind. The last question was: does your organization have NDR in place today? It's interesting: 67% of the voters said no. This is an interesting statistic for me. No one has it actively deployed, and 33% of the participants said they are in the evaluation phase, which is actually surprising, but it also makes me think that this webinar is useful for the people participating, simply because you haven't deployed it yet. So you might want to consider my insights. I hope they are helpful to you, and you can always ask me further questions.
So Robert, if you can elaborate on what about Weed Secure? I can go back to my slides and see. We did not include Weed Secure in this report, but hopefully in the next one. Sometimes we are not able to reach every vendor in this market, so it's kind of difficult to capture every player in the market. All right. A couple more questions. Maybe I can answer one more question and then we can end the webinar. What are the must-have capabilities an NDR solution should offer?
Actually, this spider chart should be a good answer to this. It's basically saying that you need to have network traffic analysis capability and encrypted traffic analysis. You should be able to do threat hunting. You should have playbooks and automated responses. And of course, detection and response, as the name suggests. And you need to have some solid integrations. These are the must-have capabilities you can think of in a nutshell. But other than that, I can also share more information.
If you're curious, you can just drop me an email and I can send you the list of capabilities we have determined. We have key capabilities, additional capabilities, and innovative capabilities, and I can share them with you if you're interested, so you can double-check if you're in the process of acquiring or implementing an NDR solution. How do I choose the right NDR solution for my organization? What factors should be taken into consideration during the selection process? This is a good question, thank you. You can ask questions around the deployment models.
Whether they have a support service, for example. Well, these are all on top of the required capabilities I was just mentioning. But you might want to ask them if they comply with some regional or global regulations. Do they have any specialization in a certain industry, especially if you're operating in that specific industry? Do they offer any plans that can also help with your own SOC teams? Because in case you don't have one, then you might want to consider XDR. But maybe they have some managed services as well, so you can ask about this.
And I can wrap it up like this: these solutions are still... the NDR market is kind of mature, but solutions are still evolving. So you might want to ask them what they have in their roadmap for the 3-, 6- and 12-month period, so you end up knowing what to expect from the solution you want to acquire in the long run. All right. I think we are three minutes over the planned time. I was trying to answer all the questions.
Robert, another one: which of the vendors would you consider XDR? It's a good question. I may not be able to answer by heart, but give me one second, because this is a good question. Let me tell you. Arista has a standalone NDR. Cisco has an XDR solution with an integrated NDR. What else do I remember? Stellar Cyber has an open XDR platform. What else? I think the rest had... Sorry. Yeah. I think the rest had specific NDR modules, either standalone or as part of their XDR platform.
But Cisco and Stellar Cyber, as far as I remember, have only XDR solutions with strong NDR capabilities, which are not separately available. All right. Peter. Yeah, people are waiting until the last minutes to ask their questions. Peter asks if XDR will be covered in another report, since the major XDR vendor Palo Alto Networks is not covered in this NDR report. You're right, but my colleague John Tolbert has actually worked on the XDR market as well, and we published that report one month after my NDR report.
If you go to our website and check our research papers, you will see that we have a Leadership Compass on XDR solutions as well. I hope this answers it. Let me quickly check if Palo Alto is actually included there. One second.
Actually, I can tell you all the vendors that participated in that report: CrowdStrike, Darktrace, eSentire, Fortinet, Group-IB, Google, Microsoft, SentinelOne, Sophos, Stellar Cyber, and Trellix. As you have noticed, we have Darktrace, Fortinet, Google, Sophos, and Stellar Cyber in common between these two reports. So in my report I analyzed the NDR module, but my colleague analyzed from the XDR point of view, so EDR plus NDR. And we have only four common vendors; the rest are different, actually. All right.
If there are no other questions, then I would like to thank you for your participation, for your questions and for your interest in this webinar. I will see you in the next webinar. Thank you so much.