Two of the most important aspects of cybersecurity are network detection and response (NDR) and endpoint detection and response (EDR). On the surface the two may appear similar, but there are some key differences.
NDR is the process of detecting and responding to threats or attacks that occur on a network. This includes detecting malicious or unauthorized activity, identifying the source of the attack, and taking steps to stop it. Today, almost any activity, whether malicious or benign, ends up traversing the network, so NDR is an important part of any defense-in-depth strategy. While NDR can infer which applications are running on a device by monitoring the ports and protocols in use, it can’t observe the program code executing within the device. For that, you need an EDR solution.
EDR is the process of detecting and responding to threats or attacks that occur on individual devices, or “endpoints”, such as laptops, desktops, and smartphones. Operating systems such as Windows, macOS, and Linux can run vendors’ EDR software agents, which continuously observe the running processes and detect issues occurring within the device itself. While EDR can observe the running processes within a device, it is limited to the devices it is installed on. This leaves out a significant number of IoT, OT, consumer electronics, network infrastructure, building automation and similar devices that cannot have a software agent installed.
So, in broad terms, EDR is blind to the network and NDR is blind to the installed processes. Both approaches are important for organizations to deploy as part of their defense-in-depth strategy. However, they each require different skill sets, so organizations need to be of sufficient security maturity. EDR typically involves a team of specialists trained in detecting and responding to endpoint threats, whereas NDR is typically handled by a team of specialists trained in detecting and responding to network threats.
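The two blind spots are easiest to see side by side. The script below is an added example, not code from the original article or from any vendor's product: it constructs a handful of hypothetical network flow records (what an NDR sensor sees: source host, destination, port, protocol) and process events (what an EDR agent sees on the hosts where it is installed), then joins them. Every host name, address, port table and process name in it is made up. The join labels each flow as fully covered, network-only (an agentless device such as the camera, which NDR can still observe), or an endpoint gap (a flow on the wire from an agent-equipped host with no matching process event, which is what a missing or disabled agent looks like from the network).

```python
"""Side-by-side view of NDR and EDR telemetry on constructed sample data."""

# Constructed sample data: hosts, addresses, ports and process names are hypothetical.
AGENT_HOSTS = {"laptop-01", "server-02"}  # hosts with an EDR agent installed

# NDR view: flows carry addresses, ports and protocol, never the process behind them.
FLOWS = [
    {"src_host": "laptop-01", "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
    {"src_host": "server-02", "dst": "198.51.100.5", "dport": 3389, "proto": "tcp"},
    {"src_host": "camera-07", "dst": "192.0.2.9", "dport": 23, "proto": "tcp"},
    {"src_host": "server-02", "dst": "192.0.2.40", "dport": 22, "proto": "tcp"},
]

# EDR view: process events exist only for hosts that run the agent.
PROCESS_EVENTS = [
    {"host": "laptop-01", "pid": 4120, "image": "chrome.exe", "remote_port": 443},
    {"host": "server-02", "pid": 880, "image": "mstsc.exe", "remote_port": 3389},
]

# Assumed port-to-service hints; an NDR sensor's guess is a prediction, not proof.
PORT_HINTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 3389: "rdp"}


def ndr_infer_service(flow):
    """NDR can only infer the application from the port and protocol in use."""
    return PORT_HINTS.get(flow["dport"], "unknown")


def edr_find_process(host, remote_port):
    """EDR can name the process, but only on hosts where the agent is installed."""
    if host not in AGENT_HOSTS:
        return None  # no agent: the endpoint layer has nothing to say
    for ev in PROCESS_EVENTS:
        if ev["host"] == host and ev["remote_port"] == remote_port:
            return ev["image"]
    return None  # agent present, but no process event matches this connection


def correlate(flows=FLOWS):
    """Join both views and label what each layer could and could not see."""
    results = []
    for f in flows:
        service = ndr_infer_service(f)
        process = edr_find_process(f["src_host"], f["dport"])
        if f["src_host"] not in AGENT_HOSTS:
            coverage = "network-only"  # agentless device: NDR is the only eye on it
        elif process is None:
            coverage = "endpoint-gap"  # seen on the wire, nothing from the agent
        else:
            coverage = "full"
        results.append({
            "host": f["src_host"],
            "service": service,
            "process": process,
            "coverage": coverage,
        })
    return results


def agentless_hosts(flows=FLOWS):
    """Hosts the network layer sees that the endpoint layer cannot cover at all."""
    return {f["src_host"] for f in flows if f["src_host"] not in AGENT_HOSTS}


if __name__ == "__main__":
    for row in correlate():
        print(row)
    print("agentless hosts seen on the network:", sorted(agentless_hosts()))
```

Run as a script it prints one row per flow. The "network-only" rows are the devices the article says EDR leaves out, and the "endpoint-gap" row is the case where the two layers disagree; in a real SOC that disagreement, not either feed on its own, is what prompts an analyst to check whether an agent is missing or has been tampered with.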
Gartner refers to the necessity of combining these two as a ‘SOC Triad’:
“…visibility requires both (NDR and EDR). If you are concerned about super-advanced threats disabling agents, using BIOS/EFI rootkits, you need to compensate with non-endpoint visibility, too.” — Gartner (Barros)