Why Endpoint Detection and Response Is Not Enough

The growing importance of advanced network detection and response to a robust cybersecurity strategy.

A number of factors continue to expand the attack surface for enterprise networks. For instance, 94% of all enterprises today use a cloud service, and more than 60% of all corporate data is stored in the cloud.

The reality is IT environments are becoming increasingly sophisticated, forcing organizations to adopt more complex cybersecurity solutions to combat attackers. As such, enterprise security teams often implement multiple cybersecurity solutions that enable greater visibility and protection.

To help organizations gain visibility into cyberthreats, experts suggest they use three main data sources: security information and event management (SIEM), endpoint detection and response (EDR), and network detection and response (NDR).

This approach was developed because organizations were being forced to make use of multiple data sources for threat detection and response as threat sophistication continued to increase. As such, all three tools are needed since they each provide different perspectives on threat detection and remediation.

Understanding SIEM, SOAR, EDR and NDR

SIEM provides organizations with real-time monitoring and analysis of events from many different devices, including tracking and logging of security data for compliance or auditing purposes.

Security Orchestration, Automation and Response (SOAR), a relatively new technology, tries to orchestrate and automate responses to further investigate or remediate threats using data and visibility from SIEM, EDR and NDR.

EDR is a security solution that monitors endpoints to mitigate endpoint attacks. Endpoints are network devices such as personal computers, file servers, smartphones and Internet of Things (IoT) devices that connect to the network to communicate. Using a software agent that’s deployed on an endpoint, EDR inventories malware and suspicious activity detected on the endpoint, such as registry changes and key-file manipulation.

Over time, as network environments become more complex and threat actors and malware become more sophisticated, EDR faces challenges such as:

  • Required EDR agents cannot be deployed on all devices or in all environments, leaving gaps in visibility and opening the door to exploitation.
  • Some common applications can bypass EDR. For example, Microsoft SQL Server has administrative access to the underlying Windows operating system without going through any EDR-monitored environment, enabling an attacker to bypass endpoint detection.
  • Malware and attackers are getting more sophisticated and can detect the presence of anti-malware software running on the endpoint or hide evidence of endpoint compromise altogether.

So while EDR is a necessary part of the modern cybersecurity strategy, it cannot be solely relied upon for comprehensive cybersecurity. Network detection and response (NDR) solutions complement EDR because while EDR relies on data from the endpoints, NDR tools monitor the data on the network itself, between the various endpoints. Using only one of the solutions leaves you with blind spots.
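The blind spot described above can be measured by comparing the EDR agent inventory with the hosts that appear in network flow records. The following is an added example, not code from the article or from any product: the addresses, the flow tuple layout and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data: hosts that run an EDR agent, and flow records
# (src, dst, dst_port, bytes) as a network sensor might export them.
EDR_AGENTS = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 445, 12000),      # managed -> managed
    ("10.0.3.77", "10.0.2.20", 1433, 88000),     # unmanaged -> managed
    ("10.0.1.11", "203.0.113.9", 443, 5000),     # managed -> internet
    ("10.0.3.77", "10.0.3.78", 22, 700),         # unmanaged -> unmanaged
    ("10.0.3.77", "198.51.100.4", 443, 950000),  # unmanaged -> internet
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def direction(src, dst):
    # east-west: both ends inside the organization; otherwise north-south
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def edr_blind_spots(flows, agents):
    """Per internal host without an agent: bytes by direction and its peers."""
    report = {}
    for src, dst, _port, nbytes in flows:
        for host, peer in ((src, dst), (dst, src)):
            if is_internal(host) and host not in agents:
                entry = report.setdefault(
                    host, {"east-west": 0, "north-south": 0, "peers": set()})
                entry[direction(src, dst)] += nbytes
                entry["peers"].add(peer)
    return report

def invisible_flows(flows, agents):
    """Flows where neither end has an agent, so no endpoint telemetry exists."""
    return [f for f in flows if not any(ip in agents for ip in f[:2])]

if __name__ == "__main__":
    for host, info in sorted(edr_blind_spots(FLOWS, EDR_AGENTS).items()):
        print(host, info["east-west"], info["north-south"], sorted(info["peers"]))
    print("flows with no endpoint telemetry:", invisible_flows(FLOWS, EDR_AGENTS))
```

Flows returned by `invisible_flows` are the ones only a network sensor can account for, which makes them a practical starting list for agent rollout or segmentation.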

NDR plays a crucial, yet often underappreciated, role in the SOC Visibility Triad, because the network is the only place bad actors can’t hide. With proper visibility into network data, even sophisticated attackers can be tracked down and stymied.

Here are some of the advantages NDR offers when deployed as part of the Visibility Triad:

  • NDR can be deployed in any network environment, even public cloud environments like AWS, Azure and Google, which enterprises increasingly rely on. So, not only can NDR see into an organization’s internal network, but it can also see into public cloud networks that aren’t owned or controlled by the company.
  • NDR can be deployed more strategically in the network to maximize visibility into north-south and east-west network traffic. As such, NDR sees into the entire network that exists between endpoints and can track hackers as they move around within the network—regardless of whether they touch an endpoint.
  • Because NDR continuously gathers network data, it provides the ability to look back in time once an attack is detected to see how it happened, as well as to track the progress of an attack after it’s started. It does this by cataloging all the packet data, the minute groups of data that move through a network as information passes from one machine to the next.

The bottom line is NDR provides the network context missing from EDR.

As such, it’s important to understand the features and capabilities that are vital to choosing an NDR solution.

Comprehensive Network Visibility

Enterprise networks can't be protected against threats that aren't seen. And while that might seem like a simple concept, it’s hard to accomplish since today’s enterprise networks are a complex mix of legacy networks, branch offices and resources in home and remote environments, as well as public, private and hybrid clouds. NDR solutions should give enterprises comprehensive network visibility that is both broad (e.g., visibility across the entire digital infrastructure) and deep (e.g., down to a packet level).

And with 95% of all network traffic encrypted today, NDR solutions must have the ability to analyze encrypted traffic in order to detect threats that attempt to cloak themselves in encrypted traffic.

Sophisticated Threat Detection

NDR solutions should have multiple ways to detect threats, such as statistical and behavioral analysis techniques, curated threat intelligence feeds, open-source rules and signature engines, as well as other advanced threat analytics potentially backed by machine learning or artificial intelligence.

Interoperability

Since every organization has numerous products in its cybersecurity stack, NDR solutions must be tightly integrated with the following:

  • To SIEM or Security Orchestration, Automation and Response (SOAR): When an NDR solution detects a threat, it should send alerts (using SYSLOG or other standard formats) to SIEM/SOAR.
  • From SIEM or SOAR: To investigate threats detected by non-NDR products, and to expose the network context, there must be a way to enable drill down from the SIEM/SOAR into the NDR’s rich source of metadata and packets.
  • Export of Network Data: NDR solutions should allow the export of their raw or curated data for combination, enrichment and correlation with other datasets for custom analysis.
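The first two integration points can be illustrated with an RFC 5424 syslog alert that carries a flow reference the SIEM can later use to drill down into the NDR's data. This is an added example, not code from the article or from any product: the alert fields, the `flow_id` key, the sensor name and the `ndr@32473` structured-data ID (32473 is the enterprise number reserved for documentation) are assumptions.

```python
import re
from datetime import datetime, timezone

FACILITY_LOCAL4 = 20
SEVERITY = {"critical": 2, "warning": 4, "notice": 5}
SD_KEYS = ("src", "dst", "dport", "rule", "flow_id")  # hypothetical field names

def sd_escape(value):
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']' in values
    return re.sub(r'([\\"\]])', r'\\\1', str(value))

def ndr_alert_to_syslog(alert, sensor="ndr-sensor-01"):
    """NDR side: serialize a detection as one RFC 5424 message."""
    pri = FACILITY_LOCAL4 * 8 + SEVERITY[alert["severity"]]
    utc = alert["time"].astimezone(timezone.utc)
    ts = utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    params = " ".join(f'{k}="{sd_escape(alert[k])}"' for k in SD_KEYS)
    return (f'<{pri}>1 {ts} {sensor} ndr - DETECTION '
            f'[ndr@32473 {params}] {alert["summary"]}')

HEADER = re.compile(
    r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) '
    r'\[(\S+) (.*?)(?<!\\)\] ?(.*)$', re.S)
PARAM = re.compile(r'(\w+)="((?:\\.|[^"\\])*)"')

def parse_syslog(line):
    """SIEM side: recover severity and the fields needed to pivot back."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message with one SD element")
    pri = int(m.group(1))
    fields = {k: re.sub(r'\\(.)', r'\1', v) for k, v in PARAM.findall(m.group(8))}
    return {"facility": pri >> 3, "severity": pri & 7, "time": m.group(2),
            "host": m.group(3), "msgid": m.group(6), "sd_id": m.group(7),
            "fields": fields, "msg": m.group(9)}

# Constructed sample detection; the rule name exercises the escaping rules.
SAMPLE_ALERT = {
    "time": datetime(2024, 1, 15, 9, 30, 0, 123000, tzinfo=timezone.utc),
    "severity": "critical", "src": "10.0.3.77", "dst": "10.0.2.20",
    "dport": 1433, "rule": 'Lateral movement [east-west] "SMB"',
    "flow_id": "f-000123", "summary": "Unmanaged host reached database server",
}

if __name__ == "__main__":
    line = ndr_alert_to_syslog(SAMPLE_ALERT)
    print(line)
    print(parse_syslog(line)["fields"]["flow_id"])
```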

Without question, networks will be breached. And security teams will rely upon many different cybersecurity tools to protect their organizations from a successful cyberattack. Maximizing the integrated use of and collecting data from these different tools will be crucial for their success. As networks become more complicated and threat actors and their malware become more sophisticated, the network remains a strategic vantage point from which to protect a business from cyberattacks. Highly scalable and packet-based NDR solutions provide network intelligence and data that fill the gaps in the SOC Visibility Triad, making the existing cybersecurity stack, staff and overall cybersecurity simply better.
