The growing number of endpoints within organizations extends well beyond conventional end-user computing devices such as laptops and workstations. The rise of remote work has significantly amplified the need to safeguard and supervise a wide array of endpoints, as well as the interactions among them across broad digital ecosystems. Because these endpoints remain prominent entry points for cyberthreats, establishing robust endpoint security strategies has become an indispensable business requirement. However, it prompts an important question: is endpoint detection the sole reliable tool within our cybersecurity toolkit?
Gartner stresses the effectiveness of integrating different detection types, such as Network Detection and Response (NDR) and Endpoint Detection and Response (EDR), to establish a more comprehensive concept of network security. With the continuous expansion of the attack surface and the evolution of today's attack tactics and techniques, it is almost essential for organizations to allocate resources towards the right network security tools. These tools should complement your EDR solution and prevent, detect and respond to threats that EDR cannot detect at the information-system level. An NDR solution is able to communicate detected Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) in real time, thereby enabling blocking and remediation of threats at the endpoint level and hardening your overall network security.
Endpoint Detection and Response (EDR), also known as Endpoint Detection and Threat Response (EDTR), is a security measure designed for end-user devices. This solution persistently scans these devices to identify and counteract cyberthreats such as ransomware and malware.
The term EDR was first introduced by Gartner’s Anton Chuvakin and it describes a solution that "records and stores endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behavior, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems."
Network Detection and Response (NDR) is a cybersecurity approach that collects network traffic data (north-south and east-west) and applies machine learning to identify malicious activity and understand security threats and vulnerabilities. It combines the detection of known attack patterns with the ability to establish a baseline of normal behavior for an individual network, thereby highlighting abnormal behavior that indicates a potential attack.
Similar to Endpoint Detection and Response (EDR), the objective of NDR security solutions is not to avert malicious activities outright, but rather to interrupt ongoing attack operations before they inflict damage. The distinguishing feature of NDR compared to EDR lies in its method of gathering insight into malicious activities: NDR does not deploy an agent, but instead relies on a network or virtual sensor to analyze traffic across both on-premises and cloud workloads.
Main Differences Between NDR and EDR
Once an agent is installed, the EDR system enables the tracking of various activities, including executed processes, changes to the file system, changes to permissions, and the persistence mechanisms that let processes survive system restarts. The NDR, on the other hand, requires the deployment of software or hardware probes at key strategic locations and is designed to identify unusual network activity. This could include shellcode that exploits vulnerabilities, or lateral movement within the network. In addition to detecting potential threats, NDR also enhances visibility, thereby deepening the understanding of one's own network environment - a critical step before implementing any cybersecurity measures.
NDR solutions use advanced machine learning and artificial intelligence technologies to accurately model potential cyberthreats. They utilize the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques, to detect malicious behaviors with high precision. These solutions extract high-quality data, provide relevant security context, and correlate events across time, users, and applications, significantly reducing the time and effort required for investigations.
But NDR solutions don't stop at detection. They also respond to threats in real-time, either through built-in controls or by supporting a broad spectrum of integrations.
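The detection side of what is described above (classifying flows as north-south or east-west, learning a per-host baseline of normal internal connections, and flagging east-west deviations that correlate over a short time window) can be illustrated with a small flow-analysis script. This is an added example written for this post; it is not Muninn's code or any product's detection logic. The flow records are constructed, the port list and thresholds are assumptions chosen for the demo, and the ATT&CK technique tags are an illustrative mapping, not a statement about how any NDR product labels its findings.

```python
"""Toy NDR-style flow baselining and anomaly scoring (added example, not Muninn's code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 ranges define "internal"; anything else is treated as external.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports commonly used for interactive remote access (assumption for this demo).
REMOTE_SERVICE_PORTS = {22, 445, 3389, 5985}
SCAN_PORT_THRESHOLD = 5      # distinct never-seen ports to one host within a window
WINDOW_SECONDS = 60          # window for grouping novel flows to one destination


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def direction(flow: Flow) -> str:
    """north-south crosses the perimeter; east-west stays inside the network."""
    return "east-west" if is_internal(flow.src) and is_internal(flow.dst) else "north-south"


def build_baseline(flows):
    """Per source host, the set of (dst, dport) pairs seen during the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return baseline


def score_flows(baseline, flows):
    """Return alerts for east-west flows that do not match the learned baseline.

    Two patterns are distinguished (ATT&CK tags are an illustrative mapping):
    - many previously unseen ports on one destination within a short window
      -> network service discovery (T1046)
    - a previously unseen destination reached on a remote-service port
      -> remote services / lateral movement (T1021)
    """
    novel = defaultdict(list)                       # src -> novel east-west flows, by time
    for f in sorted(flows, key=lambda x: x.ts):
        if direction(f) == "east-west" and (f.dst, f.dport) not in baseline.get(f.src, set()):
            novel[f.src].append(f)

    alerts = []
    for src, flows_for_src in novel.items():
        by_dst = defaultdict(list)
        for f in flows_for_src:
            by_dst[f.dst].append(f)
        for dst, fl in by_dst.items():
            ports = {f.dport for f in fl}
            span = fl[-1].ts - fl[0].ts
            if len(ports) >= SCAN_PORT_THRESHOLD and span <= WINDOW_SECONDS:
                alerts.append({"src": src, "dst": dst, "technique": "T1046",
                               "evidence": f"{len(ports)} new ports in {span}s"})
            elif ports & REMOTE_SERVICE_PORTS:
                alerts.append({"src": src, "dst": dst, "technique": "T1021",
                               "evidence": f"new host on ports {sorted(ports & REMOTE_SERVICE_PORTS)}"})
    return alerts


# Constructed learning-window flows (normal traffic for this toy network).
LEARNING = [
    Flow(1000, "10.0.0.5", "10.0.0.20", 443, 12000),   # workstation -> internal web app
    Flow(1005, "10.0.0.5", "8.8.8.8", 53, 120),        # DNS out (north-south)
    Flow(1010, "10.0.0.7", "10.0.0.20", 445, 50000),   # routine file-server access
]
# Constructed detection-window flows.
LATER = [
    Flow(2000, "10.0.0.5", "10.0.0.20", 443, 9000),    # matches the baseline
    Flow(2001, "10.0.0.5", "1.1.1.1", 443, 3000),      # north-south, not scored here
    Flow(2010, "10.0.0.5", "10.0.0.30", 445, 8000),    # SMB to a host never seen before
    Flow(2012, "10.0.0.5", "10.0.0.30", 3389, 4000),   # then RDP to the same host
] + [Flow(2100 + i, "10.0.0.7", "10.0.0.40", p, 60)     # six ports on one host in 5 s
     for i, p in enumerate((21, 22, 23, 25, 80, 135))]


def run_demo():
    return score_flows(build_baseline(LEARNING), LATER)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data the script raises two alerts: 10.0.0.5 reaching a never-seen host on SMB and RDP, and 10.0.0.7 touching six new ports on one host within seconds. The learning window stands in for the "normal behavior pattern" the post describes; in practice it would be rolling, per-segment, and weighted by volume rather than a flat set of pairs.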
Today's enterprise networks are complex mazes of users, endpoints, applications, and data flows, spread across both on-premises and multi-cloud environments. Given that EDR solutions focus solely on endpoint visibility, they leave several security gaps and challenges unaddressed. This lack of comprehensive coverage significantly heightens the risk of cyberattacks slipping through unnoticed:
Embracing Remote Work: In recent years, the shift towards remote work models has led many organizations to allow employees and third-party users to access enterprise resources through remote networks and personal mobile devices. These devices, often outside the purview of security teams and their EDR tools, present a unique challenge. As a result, security solutions struggle to monitor all these endpoints effectively, let alone safeguard them and the broader enterprise network from potential malicious attacks.
Device Compatibility Challenges: Not all connected endpoints are capable of supporting EDR agents. This is particularly true for legacy endpoints such as routers and switches, as well as emerging IoT devices. Additionally, in environments with connected Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), some endpoints may be beyond the organization's control, and hence, outside the protective reach of EDR. As a result, these endpoints and systems remain exposed to various threats, including malware, DDoS attacks, and crypto mining.
Malware Exploiting EDR Agents: In a notable incident in late 2021/early 2022, the Lapsus$ group managed to breach several large corporations by compromising remote endpoints and disabling their EDR tools. This allowed them to conceal their malicious activities on the infected endpoints and successfully steal sensitive company data. Another issue arises from the "hooking" technique used by EDRs to monitor active processes. Ironically, this very process can be exploited by threat actors to gain access to a remote endpoint and import malware.
Managing EDR Deployment: Lastly, with agent-based EDR solutions, the task of installing and maintaining agents on every endpoint throughout the enterprise network can pose a significant challenge for security teams.
By adding Network Detection and Response you can effectively close security gaps your enterprise might have:
Full Network Transparency: An NDR solution like Muninn AI Detect, which doesn't require any agents, offers comprehensive visibility into all network connections and data flows. This results in an enhanced view across the entire enterprise network, enabling the detection of any potential threats that may be present.
Secure Data Collection: Network-based data collection, as opposed to agent-based data collection, is more resistant to tampering, making it an ideal choice for digital forensics required by regulatory bodies.
Immunity to Disabling: An NDR solution like Muninn gathers data from various sources within the network and doesn't rely on specific devices, making its detection algorithms impervious to circumvention. Consequently, even if an EDR system is disabled by malware, the NDR will still be able to detect the threat.
Uncovering Shadow IT: An NDR solution does more than just monitor network traffic between known devices. It also identifies and monitors previously unknown devices within the network. Importantly, this includes endpoints that may not have EDR agents installed, ensuring comprehensive network analytics.
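The two points above about a disabled EDR agent and about shadow IT share one defensive check: compare what the network sensor sees against what the endpoint agents report. A host that keeps generating flows after its agent has fallen silent, or a host that generates flows but has never reported at all, is a coverage gap worth an alert. The following is an added example written for this post, not Muninn's code or any product's logic; the heartbeat records, flow records and the grace period are constructed assumptions, and the analysis is batch-style over one time slice.

```python
"""Cross-checking NDR flow visibility against EDR agent heartbeats (added example)."""

HEARTBEAT_GRACE = 300   # seconds an agent may be quiet before it counts as silent (assumption)

# Constructed EDR heartbeat records: (epoch seconds, host ip).
EDR_HEARTBEATS = [
    (1000, "10.0.0.5"), (1060, "10.0.0.5"), (1120, "10.0.0.5"),
    (1000, "10.0.0.7"), (1060, "10.0.0.7"),              # last heartbeat at 1060, then silence
    (1000, "10.0.0.9"), (1060, "10.0.0.9"), (1120, "10.0.0.9"),
]

# Constructed NDR flow observations: (epoch seconds, src ip, dst ip, dport).
NDR_FLOWS = [
    (1130, "10.0.0.5", "10.0.0.20", 443),
    (1400, "10.0.0.7", "10.0.0.20", 445),      # still talking 340 s after its last heartbeat
    (1410, "10.0.0.7", "203.0.113.10", 443),   # and reaching out externally
    (1405, "10.0.0.31", "10.0.0.20", 445),     # never reported an agent: unmanaged host
    (1130, "10.0.0.9", "10.0.0.20", 443),
]


def last_heartbeat_by_host(heartbeats):
    """Most recent heartbeat timestamp per host."""
    last = {}
    for ts, host in heartbeats:
        last[host] = max(last.get(host, 0), ts)
    return last


def find_coverage_gaps(heartbeats, flows, grace=HEARTBEAT_GRACE):
    """Split network-active hosts into two gap classes.

    'silent'    : hosts with an agent whose last heartbeat is older than `grace`
                  at the time the network sensor saw them sending traffic.
    'unmanaged' : hosts the network sensor saw that never sent a heartbeat.
    Each value maps host -> list of (ts, dst, dport) flows observed in the gap.
    """
    last = last_heartbeat_by_host(heartbeats)
    silent, unmanaged = {}, {}
    for ts, src, dst, dport in flows:
        if src not in last:
            unmanaged.setdefault(src, []).append((ts, dst, dport))
        elif ts - last[src] > grace:
            silent.setdefault(src, []).append((ts, dst, dport))
    return {"silent": silent, "unmanaged": unmanaged}


if __name__ == "__main__":
    gaps = find_coverage_gaps(EDR_HEARTBEATS, NDR_FLOWS)
    for kind, hosts in gaps.items():
        for host, evidence in hosts.items():
            print(f"{kind:9} {host}: {len(evidence)} flow(s) seen, e.g. {evidence[0]}")
```

On the constructed data 10.0.0.7 is reported as silent (two flows well past the grace period) and 10.0.0.31 as unmanaged. The point of the check is the one the post makes: the flows come from a sensor the endpoint cannot switch off, so an agent going quiet while its host stays chatty is itself a signal rather than a blind spot.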
The range of malware on the internet, coupled with the ever-evolving strategies of cybercriminals, means that relying on a single solution is insufficient for robust protection. However, the choice isn't a binary one between EDR and NDR, as these solutions can seamlessly work together and complement each other. While each solution independently offers substantial value to your organization's security, a truly comprehensive cybersecurity strategy requires the integration of both.