In today's cybersecurity landscape, two essential components stand out: Endpoint Detection and Response (EDR) and Network Detection and Response (NDR). While they might seem similar at a glance, they have distinct functionalities.


NDR focuses on detecting and counteracting threats on the network. Given that most activities today, malicious or otherwise, traverse the network, NDR becomes a pivotal element of a comprehensive defense strategy. Although NDR can predict the applications a device runs by observing its ports and protocols, it remains oblivious to the actual program code within the device. For insights into the latter, an EDR solution is indispensable.


Conversely, EDR zeroes in on threats on individual endpoints – be it laptops, desktops, or smartphones. EDR software agents, compatible with various operating systems, continuously monitor running processes to detect anomalies within the device. However, EDR's visibility is confined to devices it's installed on, excluding a vast range of IoT, OT, Consumer Electronics, Network Infrastructure, and Building Automation that can't support these software agents.


So, in broad terms, EDR is blind to the network and NDR is blind to the installed processes. Both approaches are important for organizations to deploy as part of their defense-in-depth strategy. However, they each require different skill sets and as such, organizations need to be of sufficient security maturity. EDR typically involves a team of specialists who are trained in detecting and responding to endpoint threats. Whereas, NDR is typically handled by a team of specialists who are trained in detecting and responding to network threats.


Gartner refers to the necessity of combining these two as a ‘SOC Triad’. 


"...visibility requires both (NDR and EDR). If you are concerned about super-advanced threats disabling agents, using BIOS/EFI rootkits, you need to compensate with non-endpoint visibility, too.” 
— Gartner (Barros)

The Journey of Organizational Cybersecurity Maturity

In the expansive digital realm of today's organizations, a mature cybersecurity approach is indispensable. This evolution is not just about deploying tools but understanding their place in the broader defense strategy.


EDR serves as the bedrock. Targeting individual devices, it's a starting point for organizations beginning their cybersecurity initiatives. Yet, its limited scope underscores the need for progression. A vast swath of the network remains untouched by EDR, emphasizing the significance of advancing to the next level.


As organizations aim to elevate their defense mechanisms, the role of NDR becomes central. It complements EDR, plugging its visibility gaps and ensuring comprehensive coverage of the network landscape. Further, NDR solutions with behavioral learning stand out, detecting inter-device pattern changes, regardless of whether they fall under EDR's domain.


In sum, it's a journey of understanding and action. Starting with EDR, organizations secure immediate and accessible assets. Integrating NDR ensures a more encompassing defense. It's about gauging where one stands in their organizational maturity and leveraging tools that best serve their evolving needs.

Pete Slade
March 15, 2022