
Network visibility is the foundation, not the solution


The alert arrives Tuesday morning. Your NDR platform flagged 847 anomalies overnight. The security team begins triage. A developer accessed GitHub at 3 AM (legitimate deadline work). A marketing system sent 10,000 emails (scheduled campaign launch). Database traffic spiked 300% (quarterly report generation). By noon, analysts have investigated 127 alerts. All false positives. The real breach, lateral movement using legitimate RDP protocols at normal volumes to appropriate servers, generated no alert because it looked exactly like operations. This scenario reflects the fundamental gap between network visibility and threat detection. 

What NDR accomplishes and why it matters

The NDR market reached $2.61 billion in 2024, growing at 23.1% annually as organizations recognized that traditional firewalls and perimeter defenses no longer sufficed. NDR captures network flow data continuously by analyzing raw packets and metadata across on-premises, cloud, and hybrid environments. This visibility matters. Organizations face average attack dwell times of five to seven months. Without analyzing network data for attack indicators, security teams struggle to find attackers during the early stages, when detection could still prevent damage.

NDR evolved from network traffic analysis in the early 2010s to identify evasive threats that couldn't be blocked using known attack patterns. The technology monitors traffic continuously using machine learning and behavioral analytics to develop baselines. Modern solutions inspect both north-south traffic (external) and east-west traffic (internal), providing visibility into command and control, reconnaissance, lateral movement, and exfiltration. Over 90% of network traffic is now encrypted, making encrypted traffic analysis essential.

This network layer visibility fills critical blind spots. Endpoint detection cannot see lateral movement between systems. SIEMs analyze logs attackers deliberately avoid generating. Firewalls inspect perimeter traffic but miss internal reconnaissance. NDR captures every network event an attacker performs, including early-stage scans, discovery activities, and command and control beacons that rarely produce log events. Organizations use NDR to satisfy compliance requirements like PCI DSS that mandate automated log review and provide continuous monitoring for investigations and regulatory evidence.

NDR delivers visibility into east-west and north-south traffic that security operations require. It monitors connections, identifies unusual transfers, detects covert communications, and provides forensic evidence. As encrypted traffic dominates networks and attackers exploit internal blind spots, NDR has become critical infrastructure.

Where traditional NDR detection methods fail

The problem emerges not in data collection but in detection logic. Traditional NDR platforms rely on three primary detection approaches: signature matching, rule-based thresholds, and anomaly-based behavioral modeling. Each approach confronts fundamental limitations when attackers operate within normal parameters.

Signature-based detection compares network traffic against databases of known malicious patterns. This method cannot identify attacks that don't match existing signatures, including zero-day exploits and custom malware. Attackers using unique tools render signature libraries ineffective. The approach catches commodity threats but fails against targeted operations.

Rule-based detection uses static conditional logic. If traffic matches specific criteria (port scanning patterns, connection thresholds, data volume limits), generate an alert. The limitations are structural. Rules require constant maintenance. False positives overwhelm analysts when legitimate activity triggers conditions. Attackers who understand the rules operate within boundaries, slowing scanning or using expected ports. Malicious activity becomes indistinguishable from operations.

Anomaly detection uses machine learning to establish baselines of normal network behavior and flag deviations. Most anomaly-based solutions require two to eight weeks to establish baselines, providing limited security during training. After baselining, anomaly systems struggle with dynamic environments. Traffic variations, reconfigurations, application deployments, and cloud migrations generate false positives because they deviate without indicating threats.

The 2025 SANS Detection and Response Survey documented that false positives escalated to crisis levels. Security teams receive thousands of daily alerts, most false, creating alert fatigue where analysts become desensitized and miss actual threats. The fundamental issue is that anomaly detection measures deviation, not intent. Normal operations frequently deviate from baseline. Sophisticated attacks deliberately stay within baseline parameters.

What attackers accomplish within NDR visibility

Modern attackers don't trigger signatures, violate rules, or deviate from baselines. They use legitimate protocols, approved services, normal transfer rates, and established behavioral patterns. Living-off-the-land techniques leverage built-in tools and authorized applications, generating traffic that looks operationally normal.

Consider lateral movement using RDP. The protocol is legitimate. The credentials are valid (stolen but valid). Connection volumes are normal (one administrator connecting to one server). Timing is within operational hours. Destinations are appropriate (servers administrators routinely access). Every element appears normal. NDR sees RDP traffic between authorized systems with valid credentials. Signature matching finds no malicious pattern. Rules see no violations. Anomaly detection identifies no deviation. Yet the sequence reveals reconnaissance, permission testing, resource enumeration, and systematic environment progression.

Data exfiltration follows similar patterns. Attackers use approved cloud storage (Dropbox, Google Drive, OneDrive). They compress and encrypt data with standard tools (7-Zip, WinRAR). They transfer files below alert thresholds during business hours. Traditional NDR sees normal HTTPS to legitimate SaaS platforms at typical rates. The behavioral timeline structure shows systematic collection, staging, and exfiltration, revealing malicious intent. Security research documents that APT groups and ransomware operators increasingly use legitimate cloud services to blend with normal traffic.
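The collection, staging, and upload sequence described above can be made concrete with a small detector. The following is an added example, not DeepTempo's code or any NDR vendor's detection logic: it runs a per-flow volume rule and a collection-then-exfiltration timeline check over constructed flow records. The addresses, the "10." corporate range, the 203.0.113.7 cloud endpoint, the SMB/HTTPS ports, and every threshold are assumptions chosen for the sample.

```python
# Added example (not DeepTempo's code): collection-then-exfiltration timeline
# analysis over constructed flow records, beside a per-flow volume rule.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since midnight on the capture day
    src: str        # initiating host
    dst: str        # responding host
    dport: int      # destination port (service contacted)
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes returned to src


def is_internal(ip):
    """Assumed corporate address range (constructed for the sample)."""
    return ip.startswith("10.")


# Constructed hosts; 203.0.113.0/24 is a documentation range standing in
# for a cloud storage endpoint.
STAGING, CLOUD = "10.0.1.40", "203.0.113.7"
FILE_SERVERS = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]

# Constructed sample: the staging host reads 40 MB from each of three file
# servers during the morning, then uploads the same total in 8 MB HTTPS
# chunks over the afternoon. No single flow is large.
COLLECT = [Flow(ts=32400 + 1800 * i, src=STAGING, dst=srv, dport=445,
                bytes_out=2_000, bytes_in=40_000_000)
           for i, srv in enumerate(FILE_SERVERS)]
UPLOAD = [Flow(ts=46800 + 900 * i, src=STAGING, dst=CLOUD, dport=443,
               bytes_out=8_000_000, bytes_in=5_000)
          for i in range(15)]
# A colleague downloading from the same cloud service and opening one share.
NORMAL = [Flow(ts=36000 + 3600 * i, src="10.0.1.41", dst=CLOUD, dport=443,
               bytes_out=200_000, bytes_in=30_000_000) for i in range(4)]
NORMAL.append(Flow(ts=39600, src="10.0.1.41", dst="10.0.2.10", dport=445,
                   bytes_out=1_000, bytes_in=5_000_000))
ALL_FLOWS = COLLECT + UPLOAD + NORMAL


def per_flow_volume_rule(flows, max_bytes=50_000_000):
    """Rule-based detection: flag any single outbound flow above a size limit."""
    return sorted({f.src for f in flows
                   if not is_internal(f.dst) and f.bytes_out > max_bytes})


def exfil_timeline(flows, min_collected=50_000_000, min_servers=2, min_ratio=0.5):
    """Behavioral timeline analysis: per internal host, measure a collection
    phase (data pulled from several internal file servers over SMB) and the
    outbound volume sent to external hosts after that phase ends. The
    structure collection -> staging -> sustained upload is what gets flagged,
    not any individual flow's size. All thresholds are assumptions."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if is_internal(f.src):
            by_src[f.src].append(f)
    findings = {}
    for src, seq in by_src.items():
        collected, servers, last_collect_ts = 0, set(), None
        for f in seq:
            if is_internal(f.dst) and f.dport == 445:
                collected += f.bytes_in
                servers.add(f.dst)
                last_collect_ts = f.ts
        if collected < min_collected or len(servers) < min_servers:
            continue
        external = [f for f in seq if not is_internal(f.dst)]
        exfil = sum(f.bytes_out for f in external if f.ts > last_collect_ts)
        if exfil >= min_ratio * collected:
            findings[src] = {
                "collected_bytes": collected,
                "servers": len(servers),
                "exfil_bytes": exfil,
                "largest_upload": max(f.bytes_out for f in external),
            }
    return findings


if __name__ == "__main__":
    print("volume rule:", per_flow_volume_rule(ALL_FLOWS))
    print("timeline:", exfil_timeline(ALL_FLOWS))
```

The volume rule returns nothing for this sample because every upload is 8 MB, well under the 50 MB limit, while the timeline check flags the staging host because 120 MB pulled from three servers in the morning is matched by 120 MB sent to an external host afterwards. The colleague's larger download volume never triggers, since the check keys on the ordering and proportion of inbound collection to later outbound transfer rather than on raw bytes.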

NDR captured the flows in both examples. No alerts were generated because no signatures triggered, no rules were violated, and no anomalies were detected. The attacker strategy stays within normalcy boundaries. Traffic looks normal in format and timing even as the action sequences are malicious. Organizations discover too late that attackers moved laterally, discovered data, and exfiltrated it under NDR observation that recorded every packet but sounded no alarm.

What detection requires beyond visibility

The challenge is distinguishing malicious behavioral timelines from operational ones when both use identical protocols, services, and traffic patterns. This requires analyzing what sequences of network activity attempt to accomplish rather than whether individual events violate rules, match signatures, or deviate from baseline.

When network flows between endpoints exhibit reconnaissance patterns (systematic connection attempts to multiple services, enumeration of accessible resources following predictable sequences, permission testing across different systems), that behavioral timeline structure indicates malicious intent. When flows follow exfiltration patterns (sustained transfers to unfamiliar destinations, data movement organized by file type or sensitivity, bulk operations during off-peak hours), that structure indicates data theft. When flows show lateral movement patterns (authentication attempts to multiple systems, privilege escalation sequences, progressive access to increasingly sensitive resources), that structure reveals attacker activity.
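To show the difference between the rule-based thresholds described earlier and the timeline patterns described above, here is an added example that is not DeepTempo's code or any product's detection logic. It runs a per-minute destination-count rule and a sequence analysis over the same constructed flow records: a slow multi-service probe, an administrator's routine RDP use, and a noisy single-port sweep. The port-to-service mapping, the addresses, and the thresholds (`max_dsts_per_minute`, `min_hosts`, `min_services`, `min_pairs`) are assumptions chosen for the sample; signature matching and anomaly baselining are not modelled.

```python
# Added example (not DeepTempo's code): a rate-threshold rule and a behavioral
# timeline analysis run over the same constructed flow records.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record, reduced to the fields the two detectors need."""
    ts: int         # seconds since the start of the capture window
    src: str        # initiating host
    dst: str        # responding host
    dport: int      # destination port (the service contacted)
    bytes_out: int  # bytes sent by src


# Assumed mapping of ports to the administrative services the timeline
# analysis treats as enumeration targets (an illustrative subset).
ADMIN_SERVICES = {3389: "rdp", 445: "smb", 135: "rpc", 5985: "winrm", 22: "ssh"}

# Constructed sample 1: one workstation probes five servers on three admin
# services, one flow every ten minutes, so no per-minute rate is unusual.
SLOW_RECON = [
    Flow(ts=600 * i, src="10.0.1.15", dst=f"10.0.2.{10 + (i % 5)}",
         dport=port, bytes_out=1400)
    for i, port in enumerate([3389, 445, 135] * 5)
]

# Constructed sample 2: an administrator's routine RDP sessions to two servers.
NORMAL_ADMIN = [
    Flow(ts=300 * i, src="10.0.1.20",
         dst="10.0.2.10" if i % 2 == 0 else "10.0.2.11",
         dport=3389, bytes_out=50_000)
    for i in range(12)
]

# Constructed sample 3: a noisy single-port sweep, forty hosts in forty seconds.
FAST_SCAN = [
    Flow(ts=i, src="10.0.1.99", dst=f"10.0.2.{10 + i}", dport=445, bytes_out=60)
    for i in range(40)
]


def threshold_rule(flows, max_dsts_per_minute=20):
    """Rule-based detection: flag a source that contacts too many distinct
    destinations inside any one-minute bucket."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f.src, f.ts // 60)].add(f.dst)
    return sorted({src for (src, _), dsts in buckets.items()
                   if len(dsts) >= max_dsts_per_minute})


def timeline_findings(flows, min_hosts=3, min_services=2, min_pairs=8):
    """Behavioral timeline analysis: for each source, look at what the whole
    ordered sequence of flows accomplishes (hosts reached, services probed,
    distinct host/service pairs) rather than at any per-minute rate."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    findings = {}
    for src, seq in by_src.items():
        hosts, services, pairs = set(), set(), set()
        for f in seq:
            hosts.add(f.dst)
            pairs.add((f.dst, f.dport))
            if f.dport in ADMIN_SERVICES:
                services.add(ADMIN_SERVICES[f.dport])
        if (len(hosts) >= min_hosts and len(services) >= min_services
                and len(pairs) >= min_pairs):
            findings[src] = {
                "hosts": len(hosts),
                "services": sorted(services),
                "pairs": len(pairs),
                "span_s": seq[-1].ts - seq[0].ts,
            }
    return findings


def analyze(flows):
    """Run both detectors against the same records, as the text suggests."""
    return {"rule_hits": threshold_rule(flows),
            "timeline_hits": sorted(timeline_findings(flows))}


if __name__ == "__main__":
    print(analyze(SLOW_RECON + NORMAL_ADMIN + FAST_SCAN))
```

Run on the three samples together, the rate rule flags only the fast sweep, the timeline analysis flags only the slow probe (five hosts, three services, fifteen distinct host/service pairs spread over 140 minutes), and the administrator's sessions trip neither. The two detectors are complementary over identical input, which is the arrangement the later section on deploying both approaches against the same sources describes.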

DeepTempo analyzes the same network flow data (NetFlow, VPC Flow Logs, packet metadata) that NDR platforms monitor. The foundation model learns what reconnaissance behavioral timelines structurally look like at the network level, what data exfiltration behavioral timelines look like, what lateral movement behavioral timelines look like, and what normal operational activity looks like. Classifiers interpret these flow patterns to determine what each behavioral timeline attempts to accomplish. The approach works because attackers cannot make behavioral timeline structures look operationally normal while accomplishing malicious objectives.

This addresses the limitations that plague traditional NDR detection. Signature-based methods miss novel attacks. Rule-based systems generate false positives on legitimate activity. Anomaly detection requires training periods and flags deviations that aren't threats. Behavioral timeline analysis identifies malicious intent based on structural patterns that exist regardless of whether attackers use known tools, violate thresholds, or deviate from baselines. The network flows reveal intent through the relationships between events across time.

Why network flow visibility remains essential

NDR provides critical capabilities security operations require. Organizations need comprehensive network visibility across cloud, on-premises, and hybrid environments. They need continuous monitoring of encrypted traffic. They need forensic data for investigations and compliance evidence. NDR delivers these capabilities and remains important infrastructure.

The limitation is in detection methods, not data. Traditional NDR detection (signatures, rules, anomalies) cannot identify sophisticated attacks operating within normal parameters. Organizations analyzing network flows using only traditional methods will continue missing threats using legitimate protocols, valid credentials, and operational behavior patterns.

The solution is applying different analysis methods to the same network flow data. Network flow data from NDR platforms, cloud providers, network infrastructure, or data lakes contains the information detection requires. Traditional NDR analyzes this data using signatures, rules, and anomaly detection. Behavioral timeline analysis examines the same data to determine what flow sequences attempt to accomplish based on structural patterns. Signatures and rules catch commodity threats. Behavioral timeline analysis addresses sophisticated attacks those methods miss. Organizations can deploy both approaches against the same sources.

Closing note

NDR transformed network security by providing visibility into encrypted traffic, east-west communications, and attack activity that perimeter defenses miss. Organizations that deploy NDR gain critical infrastructure for monitoring, compliance, and forensics. Network flow visibility is necessary but insufficient. Traditional detection methods analyzing flows using signatures, rules, or anomalies miss sophisticated attacks operating within normal patterns.

The difference is whether detection analyzes individual events for violations and deviations, or analyzes behavioral timelines for structural patterns revealing intent. Attackers make individual flows look normal. They cannot make behavioral timeline structures normal while accomplishing reconnaissance, lateral movement, or exfiltration. Network flow data provides the raw material. Different detection methods applied to that data provide different results. Traditional methods catch known threats. Behavioral timeline analysis catches threats operating within normal parameters.

MITRE: Discovery, Lateral Movement, Collection, Exfiltration


Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!
