EDR and SIEM provide essential visibility into endpoints and logs, but both tools leave coverage gaps. EDR requires an agent on each endpoint, and not every endpoint can support one; IoT and personal devices are two examples. Sophisticated attackers can also bypass EDR by operating from unmanaged devices, which include the 37% of critical devices that are unmanaged. SIEM tools rely on logs, which are useful sources of data, but logs lack the context of network packets, and attackers can delete logs to wipe away any trace of their activity. Attackers can also evade firewalls and legacy standalone intrusion detection systems (IDS), but because certain key activities in a successful attack must occur on the network, NDR can detect those threats.
NDR complements EDR, SIEM, and IDS tools by filling those coverage gaps: it continuously monitors and analyzes network traffic to provide actionable insight. NDR solutions need no agents to understand how endpoints, workloads, and services communicate with each other. They also provide packet-level context, enabling security teams to dig deeper into the activities of assets and investigate down to ground truth.
NDR supports Zero Trust initiatives
Zero trust requires cybersecurity to move away from static defenses built around a network perimeter and instead focus on users, assets, and resources. In short: never trust, always verify. NDR solutions support zero trust initiatives by providing visibility and analytics for all users, devices, applications, and workloads communicating on the network. With NDR data, security teams can make informed decisions. Best-in-class NDR products can also securely decrypt traffic, automatically discover and classify assets, and identify vulnerabilities so organizations can make policy-driven access decisions.
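To make the coverage-gap argument above concrete (agentless devices that EDR never sees, and hosts whose logs stop while their traffic continues) and the agentless asset discovery mentioned for zero trust, here is an added example that is not part of the original page and not any vendor's code. It reconciles constructed NetFlow-style records, as an NDR sensor would derive from packets, against a constructed EDR agent inventory and a constructed table of when each host last shipped a log to the SIEM; all addresses, timestamps and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the page). Each flow is what an NDR sensor
# would summarise from packets: (timestamp, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    (100, "10.0.1.10", "10.0.2.5", 445, 4096),       # managed workstation -> file server
    (110, "10.0.1.11", "93.184.216.34", 443, 900),   # managed workstation -> internet
    (120, "10.0.3.7", "10.0.2.5", 445, 2048),        # IoT device, cannot run an agent
    (130, "10.0.3.7", "10.0.1.11", 3389, 512),       # IoT device -> RDP on a workstation
    (400, "10.0.1.20", "10.0.2.5", 445, 8192),       # host still active after its logs stopped
    (410, "10.0.1.20", "198.51.100.9", 443, 65536),
]
EDR_AGENTS = {"10.0.1.10", "10.0.1.11", "10.0.1.20"}          # constructed agent inventory
LAST_LOG_SEEN = {"10.0.1.10": 395, "10.0.1.11": 398, "10.0.1.20": 200}  # constructed SIEM data
INTERNAL = ipaddress.ip_network("10.0.0.0/8")                 # assumed internal range


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def internal_hosts(flows):
    """Every internal address that sent or received traffic: the asset inventory
    the network yields passively, with no agent on any of the hosts."""
    seen = set()
    for _, src, dst, _, _ in flows:
        seen.update(ip for ip in (src, dst) if is_internal(ip))
    return seen


def unmanaged_hosts(flows, agents):
    """Internal hosts talking on the network that have no EDR agent (EDR blind spot)."""
    return sorted(internal_hosts(flows) - set(agents))


def active_after_logs_stopped(flows, last_log_seen, grace):
    """Hosts whose latest network activity is more than `grace` seconds after the
    last log the SIEM received from them: a dead, misconfigured, or tampered log
    source that the network view exposes."""
    latest = defaultdict(int)
    for ts, src, _, _, _ in flows:
        if is_internal(src):
            latest[src] = max(latest[src], ts)
    return sorted(h for h, ts in latest.items()
                  if h in last_log_seen and ts - last_log_seen[h] > grace)


if __name__ == "__main__":
    print("no EDR agent:", unmanaged_hosts(FLOWS, EDR_AGENTS))
    print("active after logs stopped:", active_after_logs_stopped(FLOWS, LAST_LOG_SEEN, 60))
```

Both findings come purely from traffic metadata, which is the point: neither the missing agent nor the silenced log source can hide the host's packets.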