For a long time we debated “stateful or stateless firewall”; then the question became “SIEM or XDR”; and today one question comes up very frequently at cybersecurity fairs and in meetings with our customers: “EDR or NDR?”
As a reminder, there are two types of solution for detecting attacks and other malicious behavior. One, EDR (Endpoint Detection & Response), relies on a software agent installed on each monitored system; the other, NDR (Network Detection & Response), analyses a copy of the monitored network traffic. Despite sharing an objective, these are clearly two very different approaches, both conceptually and technically, each with its own advantages.
What are the main differences between NDR and EDR?
As we have said, once its agent is installed, the EDR monitors the processes executed, modifications to the file system, rights management, the persistence mechanisms a process uses to survive a restart, etc. The NDR (a software or hardware probe deployed at various strategic points of the network) detects suspicious behavior on the network, such as shellcode (exploitation of vulnerabilities) or lateral movement, while providing visibility that reinforces knowledge of one’s own environment, a prerequisite for any deployment of cybersecurity measures.
To continue with the metaphor used by Charles Blanc Rolin, CISO of the Moulins-Yzeure hospital: why choose between two senses (sight and hearing)? Our brain is constantly constructing a “situation” from the information supplied by the various sensors that are our senses, and every day we make thousands of decisions, often good ones, thanks to this information and its context. Moreover, in cybersecurity we very often try to imitate what our brain does, by centralizing information and implementing solutions such as correlation rules and machine learning (too often summarized by the words “Artificial Intelligence”).
Whether in our brain or in the context of attack detection, the quality of decisions depends directly on the information sent by the sensors. First we have to trust this information, then we have to understand it, and finally we have to build the situation from contextual data.
To return to the NDR, this solution meets these requirements by being resilient to attacks, which reinforces confidence in the events or alerts it generates, and by providing all the data (metadata) needed to build the context required for decisions and investigations. Detection is mandatory, but we must not forget investigation and the search for signs of compromise (“hunting”), because malicious actors gain a foothold in the target infrastructure (with a webshell or similar techniques) in order to come back later.
Why wait for detection at the Endpoint?
Without going into detail about the Kill Chain or the MITRE ATT&CK framework, advanced or complex attacks are characterized by so-called “reconnaissance” and lateral-movement stages, which by their very nature will be detected by an NDR solution based on behavioral and contextual analysis of network flows. It would certainly be risky to wait for an EDR to detect the compromise of one or more systems before reacting, and that assumes the compromise is detected at all (there are many cases where detection on a workstation has failed or has been bypassed, notably in attacks carried out through east-west flows).
The network does not cheat: network detection identifies these malicious actions at the different stages of the attack, and as early as possible (to the left on the Kill Chain).
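As an added example (not code from the article or from Gatewatcher), here is a minimal version of the behavioral flow-analysis rule described above: it runs over constructed east-west flow records, flags a source host that fans out to many internal destinations on one port within a short window (the reconnaissance / lateral-movement pattern an NDR looks for), and packages each finding as an IoA record of the kind that could be forwarded to a SIEM or SOAR. The internal ranges, the threshold and window values, and the record fields are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; a real deployment would use its own ranges.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
FANOUT_THRESHOLD = 5   # distinct internal targets per (source, port) before alerting
WINDOW_SECONDS = 60    # sliding window over flow start times

# Constructed sample flows: (timestamp, src, dst, dst_port).
# 10.1.1.20 sweeps six internal hosts on SMB within 30 seconds (suspicious);
# 10.1.1.40 touches two RDP hosts (below threshold) and one external address.
SAMPLE_FLOWS = [(1000 + i * 5, "10.1.1.20", f"10.1.1.{21 + i}", 445) for i in range(6)] + [
    (1010, "10.1.1.40", "10.1.1.50", 3389),
    (1020, "10.1.1.40", "10.1.1.51", 3389),
    (1030, "10.1.1.40", "8.8.8.8", 443),   # north-south flow, not east-west
]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return one IoA record per (source, port) that reaches `threshold` distinct
    internal destinations within `window` seconds. Only east-west flows count."""
    by_key = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if is_internal(src) and is_internal(dst) and src != dst:
            by_key[(src, port)].append((ts, dst))
    alerts = []
    for (src, port), events in by_key.items():
        # events are time-ordered; slide a window starting at each event
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts.append({"ioa": "internal_fanout", "src": src, "dst_port": port,
                               "targets": sorted(targets), "first_seen": start})
                break   # one record per (source, port) is enough for the SIEM
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_FLOWS):
        print(alert)
```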
Gartner is right: efficiency will come from integration
Gartner emphasizes the effectiveness of integrating the different detection types of NDR and EDR, and introduced the concept of XDR (eXtended Detection and Response). As the attack surface expands and adversary tactics and techniques evolve, organizations are increasingly investing in an XDR platform to obtain a more unified and effective approach to preventing, detecting and responding to threats that EDR alone cannot detect at the information-system level. The NDR solution can communicate detected IoCs and IoAs in real time to the EDR, via a SIEM or SOAR, so that the threat can be blocked and remediated at the endpoint.
But where to start?
Considering the relative difficulty of deploying an EDR agent, and sometimes the outright impossibility of installing it (obsolete operating systems, medical equipment, factory systems), supplementing the EDR with an advanced network solution of the NDR type makes perfect sense. As soon as it is deployed, the NDR can detect, analyze and react without waiting for the implementation of an XDR, which will of course be recommended once the EDR is in place.
Author: Luis Delabarre, Solution Architect Director at Gatewatcher