
NDR: guarding the company’s network

By 13 April 2023 Blog
Monitoring the company network

Using modern Endpoint Detection and Response (EDR), you can detect and stop many different cyberattacks. EDR is therefore a logical step for a lot of organizations in improving their cybersecurity. Has your organization installed EDR on all its devices? That is great!

But is it enough? No. In this blog, we will take a look at the attack opportunities that remain after installing EDR, and how you can effectively close the gaps in your defense with NDR: Network Detection and Response.


To start things off: not a single system is perfect. Not even the best EDR application. Hackers are continuously thinking of ways in which they can get past or shut down the cyber defense. If your organization is the first to be on the receiving end of a trick, you are usually just unlucky.

But, more importantly, EDR cannot be installed on a lot of devices. Take a printer, for example. From a software perspective it is a Linux computer, but so closed off that you cannot install anything on it. Or, at least, not if there are no vulnerabilities… If the printer is connected to the Internet, or if a laptop that was infected at home or elsewhere is connected to it, malware can also end up on that printer.

Operational Technology

The Internet of Things presents an enormous opportunity for cybercriminals. Those IoT devices are all little doors and windows through which they can enter without facing an EDR agent.

And then there is Operational Technology (OT). Operational Technology is a world of its own, filled with devices in factories, hospitals, and other environments. They are connected to the company’s network, but they each have their own software system. Cyber defenders often do not have, and are not allowed, access to them, to minimize the chances of a standstill or disruption. You can forget about EDR then. Because an attacker only needs to know about a single vulnerability, these devices present interesting possibilities for cybercriminals.

Network Detection and Response

It is clear: EDR can do a lot, but it only protects a part of the business environment. And it is all the more defenseless when a criminal has obtained authentic login credentials. How do you discover the attacks that make use of these loopholes?

You can do so by guarding the business network: Network Detection and Response, or NDR. Hackers cannot just go around that. Sensors in strategic places register what kind of traffic passes through. First, the normal patterns are mapped with the help of machine learning. If the NDR system identifies any anomalies after that, it sends an alert.
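The baseline-then-alert idea described above, as an added example (not code from this blog or from any NDR product). A simple per-peer statistical baseline stands in for the machine learning step, and all device names, addresses and flow records are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic: (source, destination, port, bytes sent).
# Sources are devices that cannot run an EDR agent (a printer, an OT panel).
LEARNING = [
    ("printer-01", "10.0.0.5", 445, 1200), ("printer-01", "10.0.0.5", 445, 1100),
    ("printer-01", "10.0.0.5", 445, 1300), ("printer-01", "10.0.0.5", 445, 1250),
    ("printer-01", "10.0.0.5", 445, 1150), ("printer-01", "10.0.0.2", 53, 90),
    ("printer-01", "10.0.0.2", 53, 80), ("printer-01", "10.0.0.2", 53, 85),
    ("hmi-02", "10.0.1.7", 502, 300), ("hmi-02", "10.0.1.7", 502, 310),
]
OBSERVED = [
    ("printer-01", "10.0.0.5", 445, 1180),       # matches the baseline
    ("printer-01", "203.0.113.50", 443, 50000),  # destination never seen before
    ("printer-01", "10.0.0.5", 445, 900000),     # known peer, abnormal volume
    ("hmi-02", "10.0.1.8", 502, 305),            # OT panel talks to a new controller
    ("cam-09", "10.0.0.5", 445, 400),            # device absent from the baseline
]

def build_baseline(flows):
    """Map each source to its known peers and the byte counts seen per peer."""
    baseline = defaultdict(lambda: defaultdict(list))
    for src, dst, port, sent in flows:
        baseline[src][(dst, port)].append(sent)
    return baseline

def detect(baseline, flows, z=3.0):
    """Return (flow, reason) for every flow that deviates from the baseline."""
    alerts = []
    for flow in flows:
        src, dst, port, sent = flow
        if src not in baseline:
            alerts.append((flow, "unknown device"))
            continue
        history = baseline[src].get((dst, port))
        if history is None:
            alerts.append((flow, "new destination"))
            continue
        mu, sigma = mean(history), pstdev(history)
        # Floor the spread at 10% of the mean so a flat history does not alert on noise.
        if sent > mu + z * max(sigma, 0.1 * mu):
            alerts.append((flow, "unusual volume"))
    return alerts

if __name__ == "__main__":
    for flow, reason in detect(build_baseline(LEARNING), OBSERVED):
        print(reason, flow)
```

Raising `z` or the 10% floor lowers the alert count at the cost of missing smaller deviations, which is the false positive versus false negative trade-off every baseline-driven detector has to make.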

Attack techniques

This way, you will notice a hacker snooping around on the business network, or malware communicating with suspicious Internet locations. NDR recognizes all kinds of attack techniques, using the well-known MITRE ATT&CK framework.

The best NDR systems are able to react immediately themselves, for example by sending the firewall commands to block the suspicious external traffic. When the EDR system is well-integrated, compromised endpoints can also be isolated quickly.

NDR versus EDR

But NDR, too, has its weaknesses. It needs to check large amounts of network traffic, and while doing so needs to know what to look for. Unfortunately, there is a lot of variation within regular network traffic, so both false positives and false negatives are common. However, by choosing solutions that use artificial intelligence in addition to machine learning, the number of false positives can be strongly reduced.

NDR’s greatest strength is recognizing ‘command & control’ traffic from cybercriminals, right before they really start doing damage. But it can also be of excellent value in the network reconnaissance phase and the lateral movement phase. Vendors of NDR systems therefore ensure that indicators of compromise (IOC) are included in protecting the network.

EDR, by contrast, reacts in the place where an attack begins. Checking what is happening within a single endpoint is much easier than checking an entire network’s traffic, after all.

Security Operations Center

Both EDR and NDR generate alerts and other information that IT professionals should do something with. The assessment requires a high level of expertise. How, for instance, can you tell whether events on different endpoints are connected?

For this reason, reviewing alerts is mostly outsourced to an external Security Operations Center. The few specialists that can tell a false alarm from acute danger are employed at such a SOC.

A security company like Tesorion does not only have such a SOC, but can also install and manage NDR and EDR solutions for its clients. This will ensure well-integrated protection.


Does this complete the picture? For most companies it does. But there are organizations with digital ‘crown jewels’ that require extra protection. Banks, for example: if criminals with false records are subtly manipulating transactions, you will not uncover that with EDR or NDR.

In such cases you can add a SIEM. A system for Security Information and Event Management collects specific applications’ logs and scans them for suspicious patterns.

Future prospects

EDR, NDR and SIEM cover your entire business environment. There are more and more calls to integrate the capabilities of the three into a single system. Add a load of AI on top, and this could simplify your security a great deal.

Putting this ‘XDR’ concept into practice has proven difficult, though. Up until now, there have only been partial solutions. For now, we will have to fight with the hand we are dealt.