Rethinking EDR: Why It Isn’t A Comprehensive Cybersecurity Solution

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Tom Bienkowski of NETSCOUT breaks down why EDR isn’t the “end-all-be-all” solution, and why you should consider pairing it with an NDR.

As a contemporary way to detect and thwart malicious activity, Endpoint Detection and Response (EDR) systems are a critical component for many companies’ overall cybersecurity strategy. However, the threat landscape continues to evolve, and so too must the means of protecting against a range of cyber-attacks, many of which have learned to sidestep the protection that EDR systems offer. With the increasing complexity of network environments and the sophistication of adversaries, the question then becomes whether reliance on EDR is a risky strategy, and if so, how to complement EDR with additional solutions to fill these security gaps.

This article will explore alternative solutions that IT managers must consider investing in at the top of their security stack to complement their existing EDR solutions. That includes advanced, deep packet inspection-based network detection and response (NDR) solutions, as well as Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solutions. When taken together, these solutions offer pervasive network visibility, especially in environments where EDR is challenging to deploy due to an increasing attack surface (i.e., BYOD, IoT, and SaaS applications, among others).

Rethinking EDR

Attacks are Getting More Sophisticated by the Day

EDR systems still present clear benefits for security managers for mitigating certain threats at the endpoint level, but the sheer number of endpoints is growing and adding complexity to using it as a stand-alone security solution. Agents cannot be deployed on all connected devices or in environments such as public clouds, leaving gaps in visibility and potential for exploitation. For example, attackers are getting more sophisticated and can hide evidence of compromise. Even when EDR provides on-host visibility, finding the threat or determining the extent of a security breach of this magnitude is still challenging.

To illustrate, the aforementioned EDR agents will not work on IoT devices. Therefore, there’s no visibility into malicious activity occurring on them. IoT devices can be easily compromised with malware (e.g., Mirai), incorporated into botnets, and used by malicious actors to wreak havoc, such as launching DDoS attacks. Even when there’s visibility using EDR, it’s still hard to find threats or determine the extent of a breach because of a lack of network context. Because of this challenge, IT managers need to invest in a more complete solution at the network level to increase the efficiency and effectiveness of the overall cybersecurity stack and team.

Bridging the Security Gap: Look to Packet-Based NDR Solutions

Currently, IT managers can invest in solutions, such as NDR systems, to fill the gaps in the security stack with network packet-derived data. This network data makes the existing security stack, staff, and overall cybersecurity work more effectively. NDR monitors an enterprise’s network traffic to gain visibility into potential cyber threats. It then relies on advanced capabilities, such as behavioral analytics and machine learning to uncover threats and suspicious activities on the attack surface, including IoT devices, SaaS applications, and other connected devices that do not support an EDR agent.

Once detected, the solution acts against threats using its own capabilities, or through coordinated actions in conjunction with other cybersecurity tools such as SIEM or EDR. NDR can also cut the time spent conducting investigations by leveraging high-fidelity network metadata and packets and comparing it to a timeline of events to reveal attack behaviors. This network metadata can also be shared with SIEM solutions to create broader security assessments.

In addition, NDR solutions automatically detect and block threats, reconnaissance attacks, and indicators of compromise (IoCs), making them ideal companions to EDR systems. Further, when NDR is combined with other solutions, such as SIEM or security orchestration tools via SOAR, it is easier to mitigate blind spots within the network. Simply put, prioritizing NDR solutions in the security stack, alongside other threat mitigation tools, effectively fills critical visibility and data gaps, creating a complete solution to make the security stack operate more effectively.

Today, most large organizations need a more comprehensive solution that combines network and endpoint data for a more robust, real-time view of the evolving threat landscape. Network data provided by advanced, packet-based NDRs can act as the glue that connects and contextualizes inputs from other security systems, making them more effective for more rapid threat detection and response. After all, the only place an attacker can’t hide is on the network.