The increasing number of endpoints is becoming more evident within organizations, extending beyond the conventional landscape of end-user computing devices like laptops and workstations. The rise in remote work culture has significantly amplified the demand to safeguard and supervise an array of endpoints, as well as the interactions among them across our broad digital ecosystems. Given that these endpoints persist as prominent gateways for cyberthreats, establishing robust endpoint security strategies has become an indispensable business requirement. However, it prompts an important question: Is Endpoint Detection the sole reliable tool within our cybersecurity tool kit?
Gartner stresses the effectiveness of integrating different detection types, like Network Detection and Response (NDR) and Endpoint Detection and Response (EDR), establishing a more comprehensive concept of network security. With the continuous expansion of the attack surface and the evolution of today's attack tactics and techniques, it is almost essential for organizations to allocate resources towards the right network security tools. These tools should complement your EDR solution and prevent, detect and respond to threats that EDR cannot detect at the information-system level. An NDR solution can communicate detected Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) in real time, thereby enabling blocking and remediation of threats at the endpoint level and hardening your overall network security.
Endpoint Detection and Response (EDR), also known as Endpoint Detection and Threat Response (EDTR), is a security measure designed for end-user devices. This solution persistently scans these devices to identify and counteract cyberthreats such as ransomware and malware.
The term EDR was first introduced by Gartner’s Anton Chuvakin and it describes a solution that "records and stores endpoint-system-level behaviors, uses various data analytics techniques to detect suspicious system behavior, provides contextual information, blocks malicious activity, and provides remediation suggestions to restore affected systems."
Network Detection and Response (NDR) is a cybersecurity approach that collects network traffic data (north-south, east-west) and employs machine learning to identify malicious activities, comprehending security threats and vulnerabilities. It combines the detection of familiar attack patterns with the ability to establish a normal behavior pattern for an individual network, thereby highlighting abnormal behaviors indicating a potential attack.
Similar to Endpoint Detection and Response (EDR), the objective of NDR security solutions is not to avert malicious activities outright, but rather to interrupt ongoing attack operations before they inflict damage. The distinguishing feature of NDR compared to EDR lies in its method of gathering insight into malicious activities: NDR does not deploy an agent, but instead relies on a network or virtual sensor to analyze traffic across both on-premises and cloud workloads.
Read our in-depth article on what NDR is here.
Main Differences Between NDR and EDR
Once an agent is installed, the EDR system enables the tracking of various activities, including executed processes, changes to the file system, management of permissions, and the persistence of processes to withstand system restarts. On the other hand, the NDR, which requires the deployment of software or hardware probes at key strategic locations, is designed to identify unusual network activities. These could include Shellcode, which exploits vulnerabilities, or lateral movements within the network. In addition to detecting potential threats, NDR also enhances visibility, thereby deepening the understanding of one's own network environment - a critical step before implementing any cybersecurity measures.
NDR solutions use advanced machine learning and artificial intelligence technologies to accurately model potential cyberthreats. They utilize the MITRE ATT&CK framework, a globally accessible knowledge base of hacker tactics and techniques, to detect malicious behaviors with high precision. These solutions extract high-quality data, provide relevant security context, and correlate events across time, users, and applications, significantly reducing the time and effort required for investigations.
But NDR solutions don't stop at detection. They also respond to threats in real-time, either through built-in controls or by supporting a broad spectrum of integrations.
Today's enterprise networks are complex mazes of users, endpoints, applications, and data flows, spread across both on-premises and multi-cloud environments. Given that EDR solutions focus solely on endpoint visibility, they leave several security gaps and challenges unaddressed. This lack of comprehensive coverage significantly heightens the risk of cyberattacks slipping through unnoticed:
Embracing Remote Work: In recent years, the shift towards remote work models has led many organizations to allow employees and third-party users to access enterprise resources through remote networks and personal mobile devices. These devices, often outside the purview of security teams and their EDR tools, present a unique challenge. As a result, security solutions struggle to monitor all these endpoints effectively, let alone safeguard them and the broader enterprise network from potential malicious attacks.
Device Compatibility Challenges: Not all connected endpoints are capable of supporting EDR agents. This is particularly true for legacy endpoints such as routers and switches, as well as emerging IoT devices. Additionally, in environments with connected Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), some endpoints may be beyond the organization's control, and hence outside the protective reach of EDR. As a result, these endpoints and systems remain exposed to various threats, including malware, DDoS attacks, and crypto mining.
Malware Exploiting EDR Agents: In a notable incident in late 2021/early 2022, the Lapsus$ group managed to breach several large corporations by compromising remote endpoints and disabling their EDR tools. This allowed them to conceal their malicious activities on the infected endpoints and successfully steal sensitive company data. Another issue arises from the "hooking" technique used by EDRs to monitor active processes. Ironically, this very process can be exploited by threat actors to gain access to a remote endpoint and import malware.
Managing EDR Deployment: Lastly, with agent-based EDR solutions, the task of installing and maintaining agents on every endpoint throughout the enterprise network can pose a significant challenge for security teams.
By adding Network Detection and Response you can effectively close security gaps your enterprise might have:
Full Network Transparency: An NDR solution like Muninn AI Detect, which doesn't require any agents, offers comprehensive visibility into all network connections and data flows. This results in an enhanced view across the entire enterprise network, enabling the detection of any potential threats that may be present.
Secure Data Collection: Network-based data collection, as opposed to agent-based data collection, is more resistant to tampering, making it an ideal choice for digital forensics required by regulatory bodies.
Immunity to Disabling: An NDR solution like Muninn gathers data from various sources within the network and doesn't rely on specific devices, making its detection algorithms impervious to circumvention. Consequently, even if an EDR system is disabled by malware, the NDR will still be able to detect the threat.
Uncovering Shadow IT: An NDR solution does more than just monitor network traffic between known devices. It also identifies and monitors previously unknown devices within the network. Importantly, this includes endpoints that may not have EDR agents installed, ensuring comprehensive network analytics.
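The two network-side behaviours described on this page, learning a normal traffic profile per host and flagging deviations (such as east-west fan-out or a never-before-seen service), and surfacing internal devices that are not in the asset inventory and therefore carry no EDR agent, can be sketched in a few dozen lines. The following is an added Python example written for this article; it is not Muninn's code and does not reflect how any product's models work. The flow records, the asset inventory, the 10.0.0.0/8 internal range and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One summarised connection as a network sensor might export it."""
    src: str
    dst: str
    dport: int


# Constructed: the address range the sensor treats as "inside" the enterprise.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed asset inventory (hypothetical): hosts the EDR rollout knows about.
KNOWN_ASSETS = {
    "10.0.0.5": "proxy-01",
    "10.0.0.10": "ws-01 (EDR agent)",
    "10.0.0.11": "ws-02 (EDR agent)",
    "10.0.0.50": "files-01 (EDR agent)",
    "10.0.0.20": "srv-20", "10.0.0.21": "srv-21", "10.0.0.22": "srv-22",
    "10.0.0.23": "srv-23", "10.0.0.24": "srv-24",
}

# Constructed learning-period flows: each workstation talks to the proxy,
# the file server and one external web site, and nothing else.
BASELINE_FLOWS = [
    Flow("10.0.0.10", "10.0.0.5", 3128), Flow("10.0.0.10", "10.0.0.50", 445),
    Flow("10.0.0.10", "203.0.113.9", 443),
    Flow("10.0.0.11", "10.0.0.5", 3128), Flow("10.0.0.11", "10.0.0.50", 445),
    Flow("10.0.0.11", "203.0.113.9", 443),
]

# Constructed observation window: ws-02 behaves as before; ws-01 reaches five
# new internal hosts over SMB and opens RDP to the file server; an
# uninventoried host 10.0.0.77 appears and uses the proxy.
OBSERVED_FLOWS = [
    Flow("10.0.0.11", "10.0.0.5", 3128), Flow("10.0.0.11", "10.0.0.50", 445),
    Flow("10.0.0.10", "10.0.0.50", 445),
    Flow("10.0.0.10", "10.0.0.20", 445), Flow("10.0.0.10", "10.0.0.21", 445),
    Flow("10.0.0.10", "10.0.0.22", 445), Flow("10.0.0.10", "10.0.0.23", 445),
    Flow("10.0.0.10", "10.0.0.24", 445),
    Flow("10.0.0.10", "10.0.0.50", 3389),
    Flow("10.0.0.77", "10.0.0.5", 3128),
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def build_baseline(flows):
    """Per internal source host: destination ports used and distinct internal peers."""
    profile = defaultdict(lambda: {"services": set(), "peers": set()})
    for f in flows:
        if not is_internal(f.src):
            continue
        profile[f.src]["services"].add(f.dport)
        if is_internal(f.dst):
            profile[f.src]["peers"].add(f.dst)
    return dict(profile)


def find_unknown_devices(flows, known_assets):
    """Internal addresses seen on the wire that the inventory does not list (shadow IT)."""
    seen = {ip for f in flows for ip in (f.src, f.dst)
            if is_internal(ip) and ip not in known_assets}
    return sorted(seen)


def detect_deviations(flows, baseline, peer_factor=2, min_new_peers=3):
    """Flag hosts whose east-west peer set grows sharply, or which use a new port.

    Hosts with no baseline profile are skipped here; they surface via
    find_unknown_devices instead, since there is nothing to compare against.
    """
    peers, new_ports = defaultdict(set), defaultdict(set)
    for f in flows:
        base = baseline.get(f.src)
        if base is None:
            continue
        if is_internal(f.dst):
            peers[f.src].add(f.dst)
        if f.dport not in base["services"]:
            new_ports[f.src].add(f.dport)

    alerts = []
    for host, ps in peers.items():
        base = baseline[host]
        new_peers = ps - base["peers"]
        if len(new_peers) >= min_new_peers and len(ps) > peer_factor * max(len(base["peers"]), 1):
            alerts.append({"host": host, "reason": "east-west fan-out", "detail": sorted(new_peers)})
    for host, ports in new_ports.items():
        alerts.append({"host": host, "reason": "new destination port", "detail": sorted(ports)})
    return sorted(alerts, key=lambda a: (a["host"], a["reason"]))


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    print("unknown devices:", find_unknown_devices(OBSERVED_FLOWS, KNOWN_ASSETS))
    for alert in detect_deviations(OBSERVED_FLOWS, profile):
        print(alert)
```

Note that the uninventoried host is reported even though it has no learning-period profile, which is exactly the agentless gap the list above describes: nothing had to be installed on 10.0.0.77 for the sensor to see it. The fan-out rule deliberately requires both a minimum number of new peers and a multiplicative jump over the baseline, so a workstation that picks up one new printer does not page anyone.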
The range of malware on the internet, coupled with the ever-evolving strategies of cybercriminals, means that relying on a single solution is insufficient for robust protection. However, the choice isn't a binary one between EDR and NDR, as these solutions can seamlessly work together and complement each other. While each solution independently offers substantial value to your organization's security, a truly comprehensive cybersecurity strategy requires the integration of both.
If you are interested in exploring EDR vendors and reading EDR reviews, here are a few resources to check out:
G2 - Best Endpoint Detection & Response (EDR) Software.
Capterra - Endpoint Detection and Response Software.
The cybersecurity team in Muninn comprises experts specializing in threat detection, incident response, and network security. Their roles include developing and deploying advanced AI and machine learning models to identify and mitigate cyber threats in real-time. They work closely with clients to tailor solutions for specific network environments, ensuring comprehensive protection against malware, ransomware, and other cyberattacks. The team is also responsible for continuous monitoring, threat intelligence integration, compliance management, and providing strategic guidance on cybersecurity best practices.