
The constantly growing number of acronyms in cyber security makes it difficult to maintain an overview and compare individual technologies. One example is the three closely related technologies for threat detection: network detection and response (NDR), endpoint detection and response (EDR) and extended detection and response (XDR). Each of them offers a comprehensive solution for detecting and responding to different cyberattacks. Although they are based on similar approaches, there are some differences.
EDR identifies noticeable changes at the endpoint
EDR, the oldest of the three detection technologies, monitors endpoints to mitigate attacks on them. Endpoints are network devices such as PCs, file servers, smartphones and IoT devices that connect to the network to communicate. A software agent installed on the endpoint inventories malware and records suspicious activity, such as registry changes and tampering with key files.
As network environments become more complex over time and threat actors and malware become more sophisticated, EDR faces the following challenges:
- The required EDR agents cannot be deployed on all devices or in all environments, leaving gaps in visibility and opening the door for attacks.
- Some common applications can bypass EDR. For example, Microsoft SQL Server has administrative access to the underlying Windows operating system without going through any of the EDR-monitored mechanisms mentioned above, which allows an attacker to evade endpoint detection.
- Malware and attackers are becoming more sophisticated and are able to detect anti-malware software on the endpoint or hide evidence of endpoint compromise altogether.
While EDR is a necessary component of a modern cybersecurity strategy, it cannot be used alone for comprehensive cybersecurity.
XDR offers holistic protection
Many people mistakenly think of XDR as a product or an evolution of EDR. However, XDR is a strategy that consists of a combination of security-related telemetry data coupled with high-fidelity detection to enable faster and more effective incident response.
There are different types of XDR. There is a proprietary XDR strategy that focuses on a single vendor or an “all-in-one” platform that provides telemetry data from a vendor’s various products, for example, their firewalls, EDR, NDR and so on. There is also an open XDR strategy that consists of multiple vendors or “best-of-breed” technologies or tools. Here, telemetry data is provided by different product types (such as firewall, intrusion detection system [IDS], EDR and NDR) and vendors.
Many organizations believe that an EDR-centric XDR strategy is sufficient, but this leads to a problematic blind spot. If the visibility provided by the EDR agent is lost, there is no other way to find or investigate a potentially critical security breach. With a telemetry strategy focused on a single point, attackers only need to bypass one technology or defense to penetrate the network. Cybersecurity managers need to detect changes in network activity and compare them to endpoint and cloud data. This is where NDR solutions can provide the context needed to focus on potential cyber threats.
NDR detects threats at packet level and reacts in real time
Unlike EDR or XDR solutions, NDR focuses on analyzing packet data in network traffic to detect potential cyberthreats, rather than endpoints or other data streams. By combining NDR with other solutions such as log analysis tools via security information and event management (SIEM) and EDR, organizations can mitigate blind spots in their networks. In combination, NDR solutions increase security capabilities by providing network context and automating responses to threats, enabling better collaboration between network and IT security teams and faster mitigation.
However, in the context of NDR, it is important to distinguish advanced platforms by the capabilities that a modern cybersecurity stack should include. For example, when evaluating different NDRs, it is important to ensure that they offer reliable forensics with long-term data retention. It is also crucial that they do not rely on NetFlow-based data: NetFlow is not supported in all environments and, because it records flow metadata rather than packet contents, it leaves room for sophisticated tunneling-based attacks.
Advanced NDR systems should even provide a retrospective view of network traffic to examine threat behavior before, during and after attacks. If an indicator of compromise (IOC) is detected, security teams can then examine the compromised hosts' communications, detect lateral movement and determine whether a data breach has occurred.
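The retrospective review described above, as an added example that is not part of the original article or any vendor's product: it splits a host's recorded flows into before and after the IOC detection time, treats internal peers never contacted before the IOC as lateral-movement candidates, and flags large outbound transfers to external addresses as a possible data breach. The flow records, the internal address ranges, the IOC time and the 50 MB exfiltration threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def retrospective_review(flows, host, ioc_time, lookback=timedelta(days=7),
                         exfil_threshold=50_000_000):
    """Compare the host's traffic before and after the IOC was detected.

    Returns the internal peers seen in the baseline window, internal peers
    first contacted after the IOC (lateral movement candidates) and external
    destinations that received more than exfil_threshold bytes after the IOC.
    """
    before = [f for f in flows if f.src == host and ioc_time - lookback <= f.ts < ioc_time]
    after = [f for f in flows if f.src == host and f.ts >= ioc_time]
    baseline_peers = {f.dst for f in before if is_internal(f.dst)}
    lateral = sorted({f.dst for f in after if is_internal(f.dst) and f.dst not in baseline_peers})
    external_bytes: dict[str, int] = {}
    for f in after:
        if not is_internal(f.dst):
            external_bytes[f.dst] = external_bytes.get(f.dst, 0) + f.bytes_out
    exfil = sorted(d for d, b in external_bytes.items() if b >= exfil_threshold)
    return {"baseline_peers": sorted(baseline_peers),
            "lateral_movement": lateral, "possible_exfil": exfil}


# Constructed sample data: one workstation flagged by an IOC at T0.
T0 = datetime(2024, 3, 10, 12, 0)
HOST = "10.0.0.5"
SAMPLE_FLOWS = [
    Flow(T0 - timedelta(days=2), HOST, "10.0.0.20", 445, 20_000),        # routine file server use
    Flow(T0 - timedelta(days=1), HOST, "10.0.0.20", 445, 30_000),
    Flow(T0 - timedelta(hours=3), HOST, "203.0.113.10", 443, 5_000),     # small external session
    Flow(T0 + timedelta(minutes=5), HOST, "10.0.0.21", 445, 10_000),     # new internal peer
    Flow(T0 + timedelta(minutes=9), HOST, "10.0.0.22", 3389, 8_000),     # new internal peer
    Flow(T0 + timedelta(minutes=30), HOST, "203.0.113.10", 443, 120_000_000),  # large upload
    Flow(T0 + timedelta(minutes=40), HOST, "203.0.113.11", 443, 1_000),
]

if __name__ == "__main__":
    print(retrospective_review(SAMPLE_FLOWS, HOST, T0))
```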
EDR, XDR, NDR: Together they are strong
To summarize, EDRs are designed to monitor and mitigate attacks on endpoints such as connected computers and servers, but only where agents can be deployed; EDR therefore does not work in some cloud-based hosting environments, for example. In contrast, XDRs provide a more unified platform approach to monitoring devices and data streams, but often lack the network context that NDRs provide through real-time packet monitoring.
Most large organizations today require a more comprehensive solution that combines network and endpoint data with other security solutions to provide a more robust, real-time view of the ever-changing threat landscape.
Advanced NDR solutions provide a high level of network intelligence and effectively complement the rest of the security stack. In addition to SIEM, an advanced NDR solution can also be integrated into security orchestration, automation and response (SOAR) or firewall platforms to initiate immediate blocking at the network perimeter.
After all, it is impossible to cover your tracks on the network and cyber attacks are becoming increasingly sophisticated. Working together, these systems provide a complete overview of attacker behavior and indicators of compromise.
Advanced NDR makes an important contribution to the overall cyber security strategy and helps to minimize operational risk.
