How are EDR and NDR complementary?
Introduction
For a while, the question was “stateful or stateless firewall?”; then the debate was between “SIEM” and “XDR”. Today, the prevailing view is that one must choose between “EDR” and “NDR”. But is there really a need to select one over the other?
To recap, these are two types of solutions for detecting attacks and other malicious behaviors. Despite a common goal, they take two very different approaches, both conceptually and technically. Both aim for precise detection but pursue it through distinct methods, each with its own advantages and disadvantages.
What are the major differences between NDR and EDR?
EDR (Endpoint Detection & Response) relies on a software agent that must be installed on each system to be monitored. Originally intended to address the limitations of available antivirus solutions, EDR has gradually established itself within companies thanks to its dynamic detection capabilities. NDR (Network Detection & Response) analyzes a copy of the monitored network traffic.

What fundamentally distinguishes them is the method of monitoring and analysis. EDR focuses on endpoints (mainly client devices and servers, whether physical or virtualized); once its agent is deployed, it can monitor executed processes, file system modifications, rights management, persistence mechanisms that survive a reboot, and so on. NDR operates exclusively at the network level via a software or hardware probe deployed at various strategic points, allowing analysis of all communication flows. It identifies suspicious activities, from the use of shellcode to other exploitation of vulnerabilities and/or lateral movements, thus offering a more comprehensive approach to threat detection. At the same time, it improves visibility and strengthens knowledge of the environment, both essential and valuable for implementing cybersecurity measures.
Why choose when you can have both?
In a metaphor used by Charles Blanc Rolin[1], CISO of the Moulins-Yzeure Hospital Center, choosing between an NDR and an EDR solution would be like choosing between hearing and sight. Our brain constantly builds a representation of reality by integrating information from various sensors, such as our senses, and in everyday life we make thousands of decisions, often guided by this data and its context.
Transposed to cybersecurity, the approach is similar: current detection technologies, aided by AI, strive to mimic brain function by centralizing information and acting on it.
Whether it’s for brain function or detecting cyberattacks, the accuracy of decisions directly depends on the quality of information collected by the sensors. It is crucial to trust this data, understand it, and build a contextual vision for relevant choices.
NDR precisely addresses these challenges. Operating passively on a copy of the traffic, it is invisible to the attacker and highly resilient to attacks, which enhances trust in the events and alerts it generates. Moreover, it provides all the data (metadata) needed to build the context essential for decisions and investigations. While detection remains imperative, it is crucial not to overlook investigation and threat hunting, as malicious actors may establish an initial foothold in the target infrastructure with a view to returning later or selling access (risk of exfiltration, encryption, ransom, etc.). For example, as the Olympics approach, adversaries, like athletes, are already training, including by infiltrating devices vulnerable to cyberattacks. They skillfully exploit the fact that security teams are not yet fully prepared.
Why wait for detection on workstations?
Without delving into the concepts of the Kill Chain or the MITRE ATT&CK® Framework, advanced or complex attacks are characterized by reconnaissance and lateral movement phases. These phases are exactly what an NDR solution identifies, through behavioral and contextual analysis of network flows. Waiting for an EDR to detect a compromise before reacting is risky, as it means the adversary has already bypassed the IT security perimeter: firewall, proxy, web application firewall (WAF), intrusion detection system (IDS), etc. Moreover, there are many cases where detection on a workstation has failed or been circumvented, especially for attacks carried in east-west traffic. The network doesn’t lie, and early detection will identify these malicious actions at the different stages of the attack.
Combine their strengths: EDR and NDR, a powerful alliance whose protection exceeds the sum of its parts!
Here are some examples of how EDR and NDR can complement each other:
- NDR adds network context to an EDR incident.
- EDR adds system context to an NDR incident.
- EDR and NDR share IoCs discovered by either.
Gartner is right: effectiveness will come from integration
Gartner emphasizes the effectiveness of integrating different types of detection, such as NDR and EDR, through the concept of XDR (eXtended Detection and Response). With the expansion of their attack surface and the evolution of the tactics employed by cybercriminals, companies are increasingly investing in so-called XDR platforms to adopt a more unified and effective approach to preventing, detecting, and responding to threats that EDR alone cannot detect at the information system level. The NDR solution communicates the detected IoCs and IoAs in real time to a SIEM, a SOAR, or directly to the EDR, allowing the latter to perform blocking, isolation, and remediation on the endpoint.
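The three forms of complementarity listed above (network context for an EDR incident, system context for an NDR incident, shared IoCs) and the NDR-to-EDR hand-off just described come down to correlating the two sensors' events on host address and time. The following is an added illustration, not code from the article or from any vendor: the hosts, addresses, timestamps and detection labels are constructed sample data, and the five-minute window is an assumed correlation parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class EdrAlert:          # endpoint-side event: host, process, time
    host: str
    host_ip: str
    process: str
    ts: datetime

@dataclass
class NdrFlow:           # network-side metadata for one flow
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    ts: datetime
    tag: str = ""        # NDR detection label; empty means no detection

# Constructed sample data (hypothetical hosts and addresses, not from the article)
T0 = datetime(2024, 5, 3, 9, 14, 5)
EDR_ALERTS = [EdrAlert("WS-042", "10.1.5.23", "powershell.exe", T0)]
NDR_FLOWS = [
    NdrFlow("10.1.5.23", "10.1.9.7", 445, 1_200, T0 - timedelta(seconds=15), "smb_lateral_scan"),
    NdrFlow("10.1.5.23", "203.0.113.10", 443, 48_000_000, T0 + timedelta(seconds=35), "large_outbound"),
    NdrFlow("10.1.5.40", "10.1.9.7", 80, 300, T0 + timedelta(seconds=5)),
]

WINDOW = timedelta(minutes=5)   # assumed correlation window

def network_context(alert: EdrAlert, flows: list) -> list:
    """NDR adds network context to an EDR incident: flows the alerting host
    originated within WINDOW of the endpoint alert."""
    return [f for f in flows
            if f.src_ip == alert.host_ip and abs(f.ts - alert.ts) <= WINDOW]

def host_context(flow: NdrFlow, alerts: list) -> list:
    """EDR adds system context to an NDR incident: endpoint alerts on the host
    that originated the flow, within WINDOW of the flow."""
    return [a for a in alerts
            if a.host_ip == flow.src_ip and abs(a.ts - flow.ts) <= WINDOW]

def shared_iocs(alert: EdrAlert, flows: list) -> dict:
    """Indicators either side can consume: the EDR alert's process plus the
    destinations and labels of NDR-tagged flows from the same host."""
    tagged = [f for f in network_context(alert, flows) if f.tag]
    return {"host": alert.host,
            "process": alert.process,
            "dst_ips": sorted({f.dst_ip for f in tagged}),
            "ndr_tags": sorted({f.tag for f in tagged})}
```

In a real deployment the dictionary returned by `shared_iocs` is what would be pushed to the SIEM, SOAR or EDR: the EDR can act on the host and process, while the NDR can watch every other host for the same destinations.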
Imagine cybersecurity as a city you need to protect. EDR would be like having security guards closely monitoring each designated building for any suspicious activity. On the other hand, NDR would be like having security cameras installed at various strategic points in the city, capturing and analyzing the overall traffic flow to spot unusual patterns or behaviors.
But where to start?
Deploying an EDR agent can be difficult, especially when the organization has only partial knowledge of its hardware and software inventory (BYOD, shadow IT), and sometimes installing the agent is simply impossible (obsolete operating systems, IoT, medical equipment, industrial controllers, business applications that start and stop dynamically, etc.). Reinforcing EDR with an advanced network solution such as NDR is therefore particularly relevant. Deploying NDR first can even simplify and accelerate EDR deployment projects by providing the visibility needed to know what to protect. Although EDR can stop an attack, it can only act on the endpoints where its agent is installed. NDR, once its probe is deployed, can detect, analyze, and react across the whole monitored network.
Returning to the earlier example, the two approaches complement each other: EDR agents closely monitor each building as a specific point and can intervene, but only at designated locations, while NDR cameras provide an overall view of the context, allowing detection of threats that might go unnoticed at individual points and enabling them to be stopped. It is a winning combination of surveillance and intervention for the overall security of your IT infrastructure.