Finding Security Gaps: Why EDR Needs NDR
We’re all familiar with those ubiquitous “-DR” acronyms by now, even if we can’t tell them apart sometimes. These days, it seems like every other product is a version of “Detection and Response.” But which “-DR” products are the best bang for the buck, and which work best together? If we strip an internal network down to its bare bones, we’re effectively left with two things: Endpoints, and the space between them. It would follow, then, that both need to be protected.
EDR is a necessary and common solution for endpoints … what about the space between, then?
EDR: What It Is & What It Isn’t
Endpoint Detection and Response (EDR) is deployed as an agent running on desktops, laptops, servers, etc. and has the advantage of reacting and responding directly to threats on the endpoint itself. While this type of mitigation is critical to effective incident response, if the threat has reached an endpoint, it might be too little, too late.
Today’s companies want to catch the threats before they’ve gone that far. However, in many cases, snatching an attack at the endpoint is still sufficient to keep it from becoming a breach – at least, that’s the hope anyway. In recent years, Forrester has stopped evaluating EDR as a category and instead lumped it in with XDR, as has much of the industry. Why? Because threats that end up at the endpoint don’t start there, and effective security requires visibility of the entire network. And that requires additional tools.
NDR: Plugging the Gaps
While EDR is one of the most effective tools out there, it leaves some obvious security gaps when working alone. First, there are simply some corners of the network that EDR can’t touch … These include any unmanaged devices, like IoT, BYOD, printers, and smart devices. And many new, legacy, or third-party devices are simply unable to install an EDR agent. Even more evade EDR protection because they have yet to be discovered on the network (Shadow IT).
And we haven’t even talked about the network itself yet. As we’ve stated before, EDR platforms cover what is at the endpoint but miss the spaces in between. If an attacker reached an endpoint, they had to traverse the network to get there. And if they want to expand their foothold and move laterally, they need to traverse the network again. Packets don’t lie. And that’s where Network Detection and Response (NDR) comes into play.
NDR is the perfect complement to Endpoint Detection and Response. The ability to view network flows, North/South and East/West, independent of EDR, gives a clear view of what’s on your network, lurking and hiding and obfuscating. Insight’s Network Flows show you not only the basic metadata surrounding your network traffic …
- Source and Destination IP
- Source and Destination Port
- Protocol
- Timestamps
- Flow Size
… But also provide enriched data such as:
- Geolocation: The country of origin for external traffic.
- Autonomous System Number (ASN): This identifies the owner of the IP block, combining with geolocation to further define the “Who”.
- Threat Intelligence: Our global CINS feed pulls threat data from Nomic devices around the world, feeding it back into each of our devices for near real-time threat identification and mitigation.
- … And much more
Built on top of Flows, Nomic Signals alert you when anomalous traffic occurs and something is out of the ordinary. (And of course our Support team is there to make sense of it all.)
Perhaps the Most Underrated “DR”
When it comes to truly knowing what’s on your network, the job can be as complicated and daunting as the network itself. To level up your existing EDR, Nomic provides Managed Network Detection and Response (MNDR), with a team of experts standing behind our NDR solutions. We run a suite of SIEM-less solutions designed to:
- Hide your public network from scans, exploits, and reconnaissance
- Identify outbound beaconing malware and ransomware
- Spot emerging threats as they happen
- Quickly locate problem devices
… And more. From offering round-the-clock (“24/7/365”) coverage to being that extra pair of eyes to help you with security and troubleshooting, Nomic’s MNDR has been used as a huge force multiplier for SMBs who need to respond to the onslaught of modern threats at scale.


Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.