NDR vs. EDR

22nd June 2021


Cybersecurity professionals tend to prioritize procuring tools that run on endpoints and devices like antivirus (AV) and endpoint detection and response (EDR) solutions over those that defend the network like Network Detection and Response (NDR) solutions.

Why is this?

Former Gartner analyst Augusto Barros cited a few reasons back in 2018, including the move to the cloud, the growth of encrypted traffic, and the argument that the network is essentially just a collection of endpoints, so endpoint tools give you roughly the same coverage. NOTE: In 2018, Gartner was calling the NDR space NTA (Network Traffic Analysis).

It is certainly true that the move to the cloud has redefined the network perimeter, but all three major IaaS cloud providers (AWS, Azure/M365, and GCP) offer the ability to capture network traffic and flow logs and export them for analysis by third parties such as CyGlass.

It’s also true that network traffic is increasingly encrypted. This is why CyGlass mixes NetFlow for traffic analytics with log data from cloud providers and Active Directory logs, correlating them and running them against a variety of AI models to maximize coverage. NetFlow records describe who talked to whom, when, on which ports and how much, so they and the log data are unaffected by payload encryption, and neither are CyGlass detection capabilities. More importantly, CyGlass can connect a threat to both a device and a user account.

Finally, while it is accurate to say that a network is simply a collection of endpoint devices, advanced cyberattacks have shown that antivirus and EDR solutions can be bypassed. One need look no further than the SolarWinds attack or the success of multiple families of ransomware. It can easily be argued that, in the past few years, the endpoint has become a less effective place to make a defensive stand, for reasons including:

  • EDR and AV solutions rely heavily on signature and threat intelligence updates to be effective, yet keeping them updated and running properly across every device is fairly difficult.
  • Many endpoint devices cannot run a security agent at all (IoT), and with the massive work-from-home shift, many devices unknown to IT (shadow IT or BYOD) have no defenses whatsoever.
  • Script-based attacks, attacks staged from IaaS infrastructure, abuse of legitimate applications, and injection into legitimate processes have all proven successful at defeating endpoint security.

CyGlass also addresses this shortcoming of EDR-based approaches by learning the behavior of the EDR agents on the network. For example, where every endpoint must check in with the EDR management server at least every 24 hours, CyGlass can alert when endpoints stop phoning home, or were never enrolled at all. One would think EDR vendors have solved this, but even a simple case like an employee on vacation (and therefore no check-in) raises false positives.
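The check described above can be expressed directly over flow records: a host that is active on the network but has not talked to the EDR server inside the check-in window is the interesting case, while a host with no traffic at all (the vacation laptop) is simply offline and should not page anyone. The following is an added illustration written for this article, not CyGlass code; the flow records, inventory, and EDR server address (10.0.0.5:443) are constructed assumptions. Hosts seen on the wire that are missing from the inventory are reported too, which covers the shadow IT / BYOD point from the list above.

```python
from datetime import datetime, timedelta

# Constructed NetFlow-style records (not real data): (ISO timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2021-06-21T08:00:00", "10.0.0.11", "10.0.0.5", 443),        # ws-11 checks in with EDR
    ("2021-06-21T09:12:00", "10.0.0.11", "93.184.216.34", 443),   # ws-11 normal browsing
    ("2021-06-21T10:03:00", "10.0.0.12", "93.184.216.34", 443),   # ws-12 active, never checks in
    ("2021-06-21T14:40:00", "10.0.0.12", "10.0.0.20", 445),
    ("2021-06-10T08:00:00", "10.0.0.13", "10.0.0.5", 443),        # ws-13 last seen 11 days ago
    ("2021-06-21T11:00:00", "10.0.0.14", "10.0.0.5", 8443),       # wrong port: not an EDR check-in
    ("2021-06-21T12:00:00", "10.0.0.99", "93.184.216.34", 443),   # not in inventory at all
]

INVENTORY = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]  # assumed asset list
EDR_SERVER = ("10.0.0.5", 443)                                     # assumed EDR management server
NOW = datetime.fromisoformat("2021-06-21T16:00:00")


def classify_edr_coverage(flows, inventory, edr_server, now, window=timedelta(hours=24)):
    """Return {host: status} where status is one of:
       ok            - host talked to the EDR server inside the window
       agent_silent  - host generated traffic inside the window but never checked in
       offline       - host generated no traffic at all (e.g. employee on vacation)
       unknown_host  - host is active on the network but absent from the inventory
    """
    cutoff = now - window
    checked_in, active = set(), set()
    for ts, src, dst, port in flows:
        t = datetime.fromisoformat(ts)
        if not (cutoff <= t <= now):
            continue                     # outside the check-in window
        active.add(src)
        if (dst, port) == edr_server:
            checked_in.add(src)

    status = {}
    for host in inventory:
        if host in checked_in:
            status[host] = "ok"
        elif host in active:
            status[host] = "agent_silent"   # the case worth an alert
        else:
            status[host] = "offline"        # suppress: nothing to protect right now
    for host in active - set(inventory):
        status[host] = "unknown_host"       # shadow IT / BYOD candidate
    return status


def alerts(status):
    """Only the actionable findings, in a stable order."""
    return sorted(h for h, s in status.items() if s in ("agent_silent", "unknown_host"))


if __name__ == "__main__":
    result = classify_edr_coverage(FLOWS, INVENTORY, EDR_SERVER, NOW)
    for host, state in sorted(result.items()):
        print(f"{host:<12} {state}")
    print("alerts:", alerts(result))
```

Distinguishing "silent agent" from "silent host" is the whole trick: the EDR console only knows that an agent is quiet, while the flow data shows whether the device is otherwise alive, which is exactly the context that suppresses the vacation false positive.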

Gartner’s Barros also concedes, “…PERFECT visibility REQUIRES both (NDR and EDR). If you are concerned about super-advanced threats disabling agents, using BIOS/EFI rootkits, you need to compensate with non-endpoint visibility, too.”

“As the latest ransomware families have proven, what were “super-advanced threats” in 2018 are now commonplace in 2021.”

Once a nefarious actor gains access to the corporate network, he or she can use common pivoting techniques to reach the most critical assets without the security team having any visibility into the activity. The beauty of compromising a network asset, from the attacker’s point of view, is how it opens a world of possibilities for discovering more devices and moving easily throughout the environment. AV and many EDR detections depend on malware signatures and known indicators, but clever threat actors can alter these, allowing their tooling to evade the endpoint security stack. Worse, attackers can install rogue access points and other devices on the network that will never have EDR deployed and will therefore remain undetected by it. Many other attacks bypass EDR solutions entirely, including various man-in-the-middle (MitM) attacks, rootkits, and living-off-the-land TTPs. The simple fact is that 99% of all cyberattacks rely on and communicate through the network.

CyGlass is a 100% cloud-native NDR solution that gives organizations the ability to detect and respond to each of these attacks, as well as many others. CyGlass can detect rogue assets on the network, or assets performing MitM attacks, through its asset discovery functionality. Each time an asset or subnet appears on the corporate network, CyGlass sends the team a simple alert, accompanied by the network activity information needed to decide whether the activity constitutes a threat and to take immediate action if it does. The user-friendly interface below displays the key information the team needs to know about the asset and offers a role suggestion based on the activity observed from the device.

The asset information shown above is a helpful start, but many network defenders want more detail about the traffic that led to the new asset being discovered. In just a couple of clicks, staff have access to NetFlow information that can be filtered and parsed to determine what is taking place, whether you are looking for information as granular as packet-specific data or want the bigger picture: which devices are involved in the communication, when the asset started communicating, and how much data the device is sending over the wire. The first image depicts a few of the dozens of filtering options available in CyGlass, while the second shows behavioral trends.

Rootkits are malicious code that embeds itself deep in a device’s operating system, often at kernel level, to hide its presence. They are sophisticated, insidious, difficult to detect, and often require reimaging to eradicate, which results in costly downtime or data loss. Devices with EDR installed still fall victim because rootkits are designed to evade EDR and will often disable the agent entirely, leaving the endpoint toolset blind to anything that device does next.

CyGlass monitors the network continuously to build a baseline and notifies the team of any deviation from it. Devices with rootkits often exhibit beaconing behavior to command-and-control servers and send other communications that deviate from the device’s typical traffic. Whenever such behavior is observed, CyGlass provides a Smart Alert to the network defense team explaining the cause for concern in plain language, accompanied by a network map visually depicting the abnormal activity and other pertinent network information to support the investigation and incident response process.
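Beaconing is detectable from flow metadata alone because an implant checking in on a timer leaves a very regular rhythm of connections to one destination, regardless of what the payload looks like or whether it is encrypted. The example below is added for this article and is not CyGlass code: it groups flow records by (source, destination, port), computes the gaps between successive flows, and flags pairs whose gap jitter (coefficient of variation) is small, then marks whether the destination was ever seen in a baseline period. The flows, the 300-second beacon to 198.51.100.7, the irregular browsing host, and the baseline destination set are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_624_262_400  # constructed epoch start (2021-06-21 08:00 UTC)


def constructed_flows():
    """Constructed flow records (not real traffic): (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # 10.0.0.12 checks in with a C2 server every 300 s, with a few seconds of jitter.
    jitter = [0, 3, -2, 4, -1, 2, -3, 1, 0, 2, -4, 3]
    for i, j in enumerate(jitter):
        flows.append((BASE + i * 300 + j, "10.0.0.12", "198.51.100.7", 443))
    # 10.0.0.11 browses a known site at human, irregular intervals.
    for offset in [10, 45, 900, 1000, 1300, 2500, 2520, 4000, 7000]:
        flows.append((BASE + offset, "10.0.0.11", "93.184.216.34", 443))
    return sorted(flows)


# Destinations seen during the baseline period (assumed, not a real baseline).
BASELINE_DESTINATIONS = {"93.184.216.34", "10.0.0.5"}


def find_beacons(flows, baseline_destinations, min_flows=8, max_cv=0.10,
                 min_period=10, max_period=3600):
    """Return candidate beacons: (src, dst, port) pairs with at least `min_flows`
    connections whose inter-arrival times are nearly constant (cv <= max_cv) and
    whose mean period lies in a plausible check-in range."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:
            continue                      # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if not (min_period <= period <= max_period):
            continue                      # bulk transfer or once-a-day job, not a beacon
        cv = pstdev(gaps) / period        # relative jitter: ~0 for a timer, large for humans
        if cv > max_cv:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "port": port,
            "flows": len(times),
            "period_s": round(period, 1),
            "cv": round(cv, 3),
            "new_destination": dst not in baseline_destinations,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(constructed_flows(), BASELINE_DESTINATIONS):
        flag = "NEW DST" if f["new_destination"] else "known dst"
        print(f"{f['src']} -> {f['dst']}:{f['port']}  every ~{f['period_s']}s  "
              f"cv={f['cv']}  n={f['flows']}  {flag}")
```

Real implants add deliberate jitter, so `max_cv` is a tuning knob rather than a constant; the combination that matters for triage is a regular period to a destination the baseline has never seen, which is why the two signals are reported side by side rather than as a single score.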

The rapid shift to cloud IaaS has created more attack surface and complexity for network defenders. It has fundamentally changed how we define the network: all private and public cloud infrastructure, cloud applications, storage and services, and Azure AD must be considered part of it. As mentioned above, the IaaS vendors offer their own flow logs (the cloud equivalent of NetFlow) and additional logs that make network defense effective in this new environment. Identifying high-risk cloud authentication, risky application and service access, and risky file activity events are all critical network detection and response capabilities, and each event must be tied not only to an IP address but also to a user account to ensure fast and accurate threat remediation.

Many businesses, especially small and medium enterprises (SMEs), have opted out of network detection and response (NDR), not only because NDR solutions are perceived to be exceedingly expensive and complex but because their ROI has been difficult to prove. With cyberattacks increasingly relying on the network for success, endpoint security weaknesses being actively exploited, and portions of the network rapidly moving to cloud environments, network risk visibility combined with network threat detection and response has never been more important.

CyGlass is an NDR tool that leverages AI/ML technology and a cloud-native architecture to make NDR simple and affordable. CyGlass is a comprehensive network and cloud defensive tool with an intuitive user interface, designed to integrate NDR seamlessly into your security strategy so teams can act quickly to mitigate threats EDR cannot detect. In addition to providing threat detection through continuous network monitoring, CyGlass provides asset discovery, which helps surface MitM attacks and rogue devices and flag unauthorized network access.

A lot has changed since 2018, but the reasons for having an NDR solution are still relevant today. CyGlass works well in environments like IoT, OT/ICS, BYOD, and mobile devices because, in those environments, you can’t install an agent. Organizational events like a post-merger integration or joining a new organization are great opportunities to deploy CyGlass and quickly understand what is going on. And finally, and perhaps most importantly, price: although this may be unique to CyGlass in the NDR space, CyGlass is a very affordable SaaS-based solution that can be up and running quickly, requiring no additional on-premises hardware or software.

To learn more about how CyGlass can enable teams to improve their security posture and achieve compliance objectives, please contact us for a demo.