Detection and Response Everywhere
In my recent eBook, The SOC Visibility Triad: Three Core Pillars for Network-Centric Threat Detection and Response, I discussed how Network Detection and Response (NDR) together with SIEM and Endpoint Detection and Response (EDR) improves threat detection and response. Gartner refers to this as a SOC Visibility Triad that seeks to “significantly reduce the chances that attackers will operate on your network long enough to accomplish their goals.” Since many organizations are asking me to provide more information on how EDR and NDR work together, I’d like to take this opportunity to further explain these technologies and their synergies.
The Value of Endpoint Detection and Response
In 2013, Gartner coined Endpoint Threat Detection and Response to represent “the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” Now, these tools are commonly called Endpoint Detection and Response (EDR).
EDR is essential since local activities on machines that may be malicious are not visible on the network. This tool provides detailed and often forensic activity of what an attacker did on each machine. EDR is also useful for protecting air-gapped machines where there is no network connection and makes it easier to inspect encrypted traffic (endpoint agents get access to decrypted traffic).
The Value of Network Detection and Response
Network Detection and Response (NDR) is an emerging category of security solutions that complements (EDR) tools. While EDR protects hosts (endpoints), NDR protects the network so that an organization’s entire IT infrastructure is secured.
NDR adds broader detection across the attack kill chain, including traffic entering the network and moving laterally. This is important because lateral movement allows a threat actor to avoid detection and retain access, even when a threat is discovered on a machine that was initially infected. Attackers move laterally until they reach their final goal such as data exfiltration or a ransom demand.
NDR offers several other key benefits. While you can protect your standard devices such as desktops, laptops, smartphones and tablets reasonably well with EDR, it just doesn’t work as well for your non-standard IoT and BYOD devices. With NDR, detection is based on ground truth, your network data. Full packet visibility makes it possible to detect threats orchestrated by abusing network protocols and provides application-level context for faster remediation. Further, NDR detection models are based on similar data sets (network protocols), which increases detection accuracy.
If you are a student of history you may recall the saying “better technology wins over bigger armies.” We’re in an epic war against cybercrime. We know the asymmetric nature of this war – you will not win by trying to staff your SOC with more analysts. Nor can the battle be won by deploying an individual technology focused on only one part of your IT infrastructure. EDR and NDR along with your SIEM form the winning combination you need to win the war.
Learn About the Benefits of a Triad Strategy
Download our eBook, The SOC Visibility Triad: Three Core Pillars for Network-Centric Threat Detection and Response, to learn how NDR together with SIEM and EDR delivers on several dimensions required in a modern-day SOC.
Latest posts by Mustafa Rassiwala (see all)
- Detection and Response Everywhere - February 20, 2020
- The 3 Core Elements of the SOC Visibility Triad - November 18, 2019
- Built-in Cloud Security Controls Essential to Securing an Expanded Network, Assert CISOs - July 25, 2019