NDR vs. EDR

4th December 2020


Corporate information security strategies tend to prioritize procuring tools that run on every system like antivirus (AV) and endpoint detection and response (EDR) solutions over solutions that defend the network like Network Detection and Response (NDR) solutions. Why is this?  

Back in 2018, Gartner analyst Augusto Barros cited a few reasons, including the move to the cloud, encrypted traffic, and the fact that your network is essentially just a collection of endpoints, so you get the same coverage either way. NOTE: In 2018, Gartner was calling the NDR space NTA (Network Traffic Analysis).

It is certainly true that the move to the cloud has distributed the network perimeter, but all three major IaaS providers (AWS, Azure, and GCP) offer the ability to capture network traffic and send it to be analyzed by third parties such as CyGlass.

It’s also true that more and more network traffic is encrypted, but that is why CyGlass primarily uses NetFlow for its traffic analytics. NetFlow records carry connection metadata (who talked to whom, when, over which port, and how much) rather than payload, so encrypting the payload affects neither NetFlow nor CyGlass’s detection capabilities.

Finally, it is true that a network is simply a collection of endpoints, but making sure that every endpoint actually has the agent installed and running is easier said than done. CyGlass addresses this shortcoming of EDR-based solutions by learning the behavior of the EDR on the network, for example that every node needs to fetch its updates at least every 24 hours. CyGlass can then alert when EDR endpoints aren’t phoning home, or don’t have the agent installed at all. You would think that EDR vendors had solved this problem themselves, but even a simple case like an employee being on vacation (and therefore no phone-home) raises false positives.

Barros also concedes, “…PERFECT visibility REQUIRES both (NDR and EDR). If you are concerned about super-advanced threats disabling agents, using BIOS/EFI rootkits, you need to compensate with non-endpoint visibility too.”

The reality is that what were “super-advanced threats” in 2018 are commonplace as we enter 2021.

Once a nefarious actor gains access to your corporate network, he or she can utilize common pivoting techniques to gain unfettered access to your most critical assets without your security team having any visibility into the activity. The beauty of compromising a network asset, from the attacker’s point of view, is how it opens a world of possibilities in terms of discovering more devices and enabling easy movement throughout the environment. EDR and AV solutions depend on malware signatures for detection and containment, but these signatures can be altered by clever threat actors, enabling the exploits to evade the endpoint security toolset. Worse, attackers can install rogue access points and other devices on the network that will not have EDR deployed and therefore will remain undetected. Many other attacks can bypass EDR solutions entirely, including various Man in the Middle (MiTM) attacks, rootkits, and those which involve living-off-the-land TTPs.

CyGlass is an NDR solution that can protect your organization from each of these attacks and many others. Through its asset discovery functionality, CyGlass can detect rogue assets on your network and assets performing MiTM attacks. Each time an asset or subnet is added to your corporate network, CyGlass sends your team a simple alert accompanied by the network activity information you need to validate whether the activity constitutes a threat and to take immediate action if it does. The user-friendly interface below displays the key information your team needs to know about the asset and offers a role suggestion based on the activity observed from the device.

The asset information shown above is a helpful start, but many network defenders want more information about the web traffic leading to the new asset discovery. In just a couple of clicks, your staff has access to NetFlow information that can be filtered and parsed to determine what is taking place, whether you are looking for information as granular as packet-specific data or want to paint a bigger picture: which devices are involved in the communication, when the asset started communicating, and how much data the device is sending over the wire. The first image depicts a few of the dozens of options available in CyGlass, while the second shows behavioral trends.

Rootkits are attacks that compromise the kernel of the device on which they are installed. They are sophisticated, insidious, and difficult to detect, and they often require reimaging to eradicate, which results in costly downtime or data loss. Devices with EDR solutions often fall victim to these attacks because rootkits are designed to evade EDR, and oftentimes to turn it off entirely, which leaves defenders who rely on the endpoint agent blind to the device.

CyGlass monitors your network continuously to build a baseline and notify your team of any deviation from it. Devices with rootkits often exhibit beaconing behavior to command-and-control servers and send other communications that deviate from your typical network traffic. Whenever such behavior is observed, CyGlass provides a Smart Alert to your network defense team explaining the cause for concern in plain language, accompanied by a network map visually depicting the abnormal activity and other pertinent network information to support your investigation and incident response processes.
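The two NetFlow-based behaviors this post describes, the EDR phone-home gap from the paragraph on agent coverage and the fixed-interval beaconing that stands out against a baseline, as an added example written for this page and not CyGlass’s code: the EDR update server address, the 24-hour check-in window, the reference time, the flow records and the beacon thresholds are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
# Constructed flow records (start time, src_ip, dst_ip, dst_port); the EDR update
# server address, the 24 h check-in window and the reference time are assumptions.
EDR_UPDATE_SERVER = "203.0.113.10"
CHECKIN_WINDOW = timedelta(hours=24)
NOW = datetime(2020, 12, 2, 12, 0)
FLOWS = [
    (datetime(2020, 12, 2, 8, 5), "10.0.0.11", "203.0.113.10", 443),   # healthy agent
    (datetime(2020, 12, 1, 9, 0), "10.0.0.12", "203.0.113.10", 443),   # agent went quiet
    (datetime(2020, 12, 2, 9, 30), "10.0.0.12", "198.51.100.20", 443),
    (datetime(2020, 12, 2, 6, 30), "10.0.0.13", "198.51.100.7", 443),  # no agent, beacons
    (datetime(2020, 12, 2, 6, 0), "10.0.0.13", "198.51.100.7", 443),
    (datetime(2020, 12, 2, 6, 10), "10.0.0.13", "198.51.100.7", 443),
    (datetime(2020, 12, 2, 6, 20), "10.0.0.13", "198.51.100.7", 443),
]
KNOWN_HOSTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"}  # .14 sent nothing

def edr_checkin_status(flows, known_hosts, now=NOW):
    """'ok' = checked in; 'active_no_checkin' = on the network but never reached the EDR
    server (agent missing or disabled); 'silent' = no traffic at all (off or user away)."""
    last_checkin, last_seen = {}, {}
    for ts, src, dst, _ in flows:
        if src in known_hosts and ts <= now:
            last_seen[src] = max(last_seen.get(src, ts), ts)
            if dst == EDR_UPDATE_SERVER:
                last_checkin[src] = max(last_checkin.get(src, ts), ts)
    status = dict.fromkeys(known_hosts, "silent")  # silent is the low-priority bucket
    for host in known_hosts:
        if host in last_checkin and now - last_checkin[host] <= CHECKIN_WINDOW:
            status[host] = "ok"
        elif host in last_seen and now - last_seen[host] <= CHECKIN_WINDOW:
            status[host] = "active_no_checkin"
    return status

def beaconing_pairs(flows, min_flows=4, max_cv=0.1):
    """Flag (src, dst, port) conversations whose inter-flow gaps are nearly constant
    (coefficient of variation stdev/mean <= max_cv); returns the mean gap in seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) >= min_flows:
            times.sort()  # flow export order is not guaranteed to be chronological
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
                flagged[pair] = round(mean(gaps))
    return flagged
```

Separating "silent" from "active but not checking in" is what keeps the vacationing-employee case from being reported with the same severity as a host that is clearly on the network without a working agent.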

Many businesses, especially small and medium enterprises (SMEs), have opted out of network detection and response (NDR) not only because it appears extraneous but also because NDR tools are difficult to configure and understand. CyGlass is an NDR tool that leverages cutting-edge AI/ML technology to make NDR simple.

CyGlass is a comprehensive tool with an intuitive user interface. It is designed to facilitate the seamless integration of NDR into your security strategy so you can act quickly to mitigate threats EDR cannot detect. In addition to providing threat detection through continuous network monitoring, CyGlass provides critical asset detection, which can help thwart MiTM attacks and rogue devices and prevent unauthorized network access.

A lot has changed since 2018, but the three reasons for buying an NDR solution are still relevant today. CyGlass works very well in environments like IoT, OT/ICS, BYOD, and mobile devices because, in those environments, you can’t install an agent. Organizational challenges like a post-merger integration or joining a new organization are great opportunities for deploying CyGlass to quickly understand what is going on. And finally, and perhaps most importantly, price, although this may be unique to CyGlass in the NDR space. CyGlass is a very affordable SaaS-based solution that gets up and running quickly and requires no additional on-premises hardware or software.

To learn more about how CyGlass can enable your teams to improve your security posture and achieve compliance objectives, please contact us for a demo.